DATA PROTECTION AGREEMENT
This Data Protection Agreement (“DPA”) governs AxeRoy’s processing of Company Data and is incorporated by reference into the AxeRoy Agreement. At all times during the term of the AxeRoy Agreement, or after the term if AxeRoy has access to or retains Company Data, AxeRoy shall, and shall cause its Representatives to, comply with this DPA. In the event of a conflict between the DPA, the NDA and/or the AxeRoy Agreement, this DPA shall prevail.
Terms not defined herein have the meanings set forth in the AxeRoy Agreement.
1.1. “Applicable Law” means any and all applicable laws, statutes, and ordinances, rules, regulations, directives, edicts and similar governmental requirements of all international, federal, provincial, state, county, city, and borough departments, bureaus, boards, agencies, offices, commissions and other subdivisions thereof, or any other governmental, public, or quasi-public authority.
1.2. “Data Breach” means any accidental, unlawful, or unauthorized destruction, alteration, disclosure, misuse, loss, theft, copying, use, modification, disposal, compromise, or access to Company Data or any act or omission that compromises or undermines the physical, technical, or organizational safeguards put in place by AxeRoy in processing Company Data or otherwise providing Solutions.
1.3. “Company Data” means any and all data provided by Company, its customers, authorized agents and/or subcontractors to AxeRoy, or otherwise processed by AxeRoy in connection with the provision of Solutions, including (a) all non-public information and data provided to or accessed by AxeRoy through Company’s network or provided to or accessed by AxeRoy for hosting or outsourcing services, (b) Highly Restricted Data, (c) Personal Data, and/or (d) User Tracking Data.
1.4. “Data Protection Impact Assessment” means an assessment of the impact of proposed data processing operations to ensure the protection of personal data, and includes an assessment of the likelihood and severity of risks related to the rights of individuals, related to processing activities.
1.5. “Directive” means the EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data as amended or superseded from time to time.
1.6. “GDPR” means the General Data Protection Regulation (EU) 2016/679, which lays down rules relating to the protection of natural persons in the EU, with regard to the processing of personal data and rules relating to the free movement of personal data and repeals the “Directive” on May 25th, 2018.
1.7. “EEA” means the Member States of the European Union plus Norway, Iceland and Liechtenstein.
1.8. “Highly Restricted Data” means Social Security or other government-issued identification numbers, medical or health information, biometrics, account security information, individual financial account information, credit/debit/gift or other payment card information, account passwords, individual credit and income information, intellectual property, proprietary business models, pricing, customer infrastructure/system information or data flows, and sensitive or special category personal data as defined under Privacy Laws.
1.9. “Including” means including without limitation or prejudice to the generality of any description, definition, term or phrase preceding that word, and “include” and its derivatives shall be construed accordingly.
1.10. “AxeRoy” means the party from which Company is purchasing Solutions under the AxeRoy Agreement and its Representatives.
1.11. “AxeRoy Agreement” means the agreement or agreements between Company and AxeRoy pursuant to which Company is purchasing Solutions from AxeRoy.
1.12. “Personal Data” means any information or data that alone or together with any other information relates to an identified or identifiable natural person, or data considered to be personal data as defined under Privacy Laws.
1.13. “Privacy Laws” means any law, statute, directive, or regulation, including any and all legislative and/or regulatory amendments or successors thereto, regarding privacy, data protection, information security obligations and/or the processing of Personal Data (including the Directive and GDPR).
1.14. “processing”, “processed” or “process” means any operation or set of operations performed upon Company Data irrespective of the purposes and means applied, including access, receipt, collection, recording, organization, adaptation, alteration, retrieval, consultation, retention, storage, transfer, disclosure, including disclosure by transmission, dissemination or otherwise making available, alignment, combination, use, blocking, erasure and destruction.
1.15. “Representatives” means AxeRoy and/or any employee, officer, agent, consultant, auditor, Subcontractor, outsourcer or other third party acting on behalf of AxeRoy or under the apparent authority of AxeRoy in connection with providing Solutions. References to “AxeRoy” herein include Representatives.
1.16. “Subcontractors” means any third person or entity, including all subcontractors or subprocessors, acting for or on behalf of AxeRoy, providing Solutions to Company, or to whom AxeRoy has assigned or delegated its contractual obligations to Company. “Subcontractors” does not include employees of AxeRoy.
1.17. “Solutions” means any hardware, software (including third party components), software-as-a-service, services, or hosting services provided to Company or a Company customer pursuant to the AxeRoy Agreement.
1.18. “User Tracking Data” means data associated with online or mobile users that records user information, interactions or behavior, user clicks or reaction to or interaction with content, advertising or any other activity, or in connection with tracking activities related to behavioral advertising.
All Company Data is “Confidential Information” as defined in (a) the NDA; or (b) if AxeRoy and Company have not entered into an NDA, the AxeRoy Agreement. Any exclusions to the definition of “Confidential Information” in the NDA or the AxeRoy Agreement shall not apply to the definition of Company Data. AxeRoy shall treat Company Data as Confidential Information for as long as such Company Data is in AxeRoy’s possession or control, including when the Company Data is held in archive, backup or business continuity/disaster recovery systems.
Company instructs and authorizes AxeRoy to process Company Data for the sole and exclusive purpose of performing AxeRoy’s obligations to Company under and in accordance with (a) the AxeRoy Agreement; (b) Company’s and its agents’ written instructions; (c) Privacy Laws; and (d) this DPA (collectively, the “Applicable Agreements”). Where AxeRoy tracks users’ online or mobile activities, the obligations and requirements set out in this DPA in relation to Personal Data extend to User Tracking Data.
Limitations on Disclosure and Use
AxeRoy shall not transfer or otherwise disclose Company Data to, or permit processing by, its Representatives or any third party except (a) on a need-to-know basis related to the provision of the Solutions; (b) to the extent necessary to provide the Solutions; (c) as permitted under the Applicable Agreements; or (d) if required by Applicable Law. If AxeRoy is required by Applicable Law to transfer, disclose or permit processing of Company Data by a third party, AxeRoy will promptly notify Company in advance of such requirement and cooperate with Company to limit the extent and scope of such transfer, disclosure or processing.
Return and Destruction
Upon termination of the AxeRoy Agreement or upon written request from Company, whichever comes first, AxeRoy shall, and shall ensure that its Subcontractors shall, immediately cease all use of and return to Company or, at the direction of Company, dispose of, destroy, or render permanently anonymous all such Personal Data, in each case using the security measures set out herein, and notify Company in writing once the action is complete. If Applicable Law does not permit AxeRoy to destroy the Company Data, AxeRoy shall not use the Company Data for any purpose other than as required by the Applicable Agreements and shall remain bound at all times by the provisions of the Applicable Agreements.
Notifications and Assistance
If AxeRoy is contacted by a person with a request, inquiry or complaint regarding their Personal Data in connection with the Solutions, AxeRoy shall promptly and in any event within two calendar days provide Company with: (a) written notice of such request, inquiry or complaint; and (b) any and all reasonable cooperation, assistance, information and access to Personal Data in its possession, custody or control, including requests for erasure or providing personal information in a structured, commonly used format that is machine-readable, as is necessary for Company to respond to such request, inquiry or complaint promptly and within any timeframe required by Privacy Laws. AxeRoy shall not respond to such request, inquiry or complaint unless so instructed in writing by Company. AxeRoy shall assist Company, if requested, in completing a Data Protection Impact Assessment related to personal data processed by AxeRoy on behalf of Company.
AxeRoy may transfer Personal Data from EEA countries to countries outside the EEA with the prior written consent of Company, provided that such transfer is required in connection with the Solutions, is subject to the terms set out in the EU Standard Contractual Clauses (controller to processors), AxeRoy complies with all obligations imposed on a “data importer” set out in such Clauses and AxeRoy has determined a legitimate transfer mechanism, such as Model Clauses, Binding Corporate Rules or other methods as prescribed by Privacy Laws. For countries located within the Asia Pacific region, AxeRoy shall obtain Company’s prior written consent where Personal Data will be transmitted by AxeRoy outside the country from which it was originally collected unless otherwise required by the Applicable Agreements.
AxeRoy shall have and maintain a security program that incorporates appropriate and industry-standard physical, organizational and technical processes, security standards, guidelines, controls and procedures (“Policies”) to protect against any Data Breach (“Appropriate Safeguards”). AxeRoy shall regularly, but in no event less than annually, evaluate, test and monitor the effectiveness of its Appropriate Safeguards and shall promptly adjust and update Appropriate Safeguards as reasonably warranted by such results. AxeRoy shall, upon request, provide Company with a written description of the Appropriate Safeguards. AxeRoy shall provide Company with access to relevant documentation and reporting on the implementation, certification, effectiveness and remediation of the Appropriate Safeguards. AxeRoy represents, warrants and covenants that AxeRoy and its Subcontractors do and shall implement and maintain Policies which:
Roles and Responsibilities.
Assign security roles and responsibilities to named individuals within AxeRoy's organization.
Evaluate organizational and administrative risks no less than annually, and system and technical risks no less than quarterly.
(a) Identify all equipment and media used in the processing of Company Data; (b) assign responsibility for all equipment and media to one or more custodians; and (c) require regular reviews of the asset inventory for accuracy and to identify missing equipment and media.
Access Control and Identity Management Policies
Prior to access to Company Data, (a) assign data and system access rights to individuals according only to their documented responsibilities and the principle of least privilege; (b) assign all user and administrator accounts only to individuals, and with a requirement of strong passwords, password rotation, failed authentication locks and session timeouts; and (c) require the issuance of any privileged access accounts only after management approval, and with strict security standards.
Awareness and Training Policies
Address (a) information security threats and best practices; (b) information security policies, procedures, and controls in place to protect Company Data; and (c) each Representative’s roles and responsibilities in the protection of Company Data.
Ensure, through appropriate audit log configuration and retention, that (a) all account actions can be traced to the individual using the account, (b) the time, date and type of action is recorded for all privileged account actions and all account actions affecting Company Data, (c) all recorded account actions are actively monitored and can be easily retrieved for analysis, and (d) consequences for policy violations are established, communicated and acted upon.
Contingency Planning Policies
Define roles and responsibilities and provide clear guidance and training on the proper handling of contingency events including (a) natural threat events such as floods, tornadoes, earthquakes, hurricanes and ice storms; (b) accidental threat events such as chemical spills and mechanical or electrical failures; and (c) intentional acts such as privacy and security breaches, bomb threats, assaults and theft.
System Maintenance Policies
Are related to (a) structured vulnerability management, including regular scanning, penetration testing, risk analysis and timely patching; (b) change management, including documentation of the purpose, security impact analysis, testing plan and results, and authorization for all changes; (c) configuration management, including secure baseline configurations; and (d) monitoring to detect and generate alerts for unauthorized changes.
System and Communications Protection Policies
Preserve the confidentiality, integrity and availability of Company Data, including (a) physical controls that restrict and monitor access to systems that process Company Data; (b) technical and administrative controls that monitor for and protect against malicious software and malicious actors; (c) strong encryption of data in transit across untrusted and public networks and, in the case of Highly Restricted Data, at rest in all locations where it is stored; (d) periodic encryption key rotation and management; (e) prohibition of Highly Restricted Data and Personal Data being processed in non-production environments; (f) regular security control reviews and effectiveness testing; (g) backup controls and disaster recovery procedures, including secure off-site storage, and regular testing of data restoration procedures; and (h) strong technical and administrative controls regarding remote access and mobile devices.
Media Protection Policies
Ensure that media containing Company Data is securely handled, including (a) strong encryption of Company Data on all mobile devices and removable storage; (b) requirement for secure sanitization and destruction methods for media that at any time held Company Data; and (c) requirement that all media, including paper, containing unencrypted Company Data be stored in a secure location.
Provide strong network protections through industry best practices, including (a) prevention of lateral movement through internal network segmentation; (b) use of modern network firewalls; (c) prohibition of and active monitoring for unauthorized wireless access points; and (d) active monitoring for unauthorized network activity. Any connection and mechanism to transmit Company Data between AxeRoy and Company shall be through a Company IT-approved secure solution. Duration of access shall be restricted to only when access is required. AxeRoy shall use Appropriate Safeguards to protect against any compromise, unauthorized access or other damage to Company’s network and to secure AxeRoy’s networks and IT environments associated with the Solutions. Upon request, AxeRoy shall provide Company with a high-level network diagram that outlines AxeRoy’s IT network supporting the Solutions.
Protect AxeRoy's physical assets through (a) locating AxeRoy's systems and other resources intended for use by multiple individuals in secured facilities; (b) limiting access to AxeRoy's facilities and data centers to only identified and authorized individuals, through badge readers, biometric scanners, and/or manual inspection of identification; (c) continuous monitoring, as appropriate and permitted by local law, of access to AxeRoy's facilities and data centers, through video evidence; and (d) revoking physical access to AxeRoy's premises immediately upon termination.
Address preparation for, detection of, and response to security incidents, through technical and operational controls, including (a) documented response procedures; (b) assigned roles for monitoring, response, and forensics; (c) escalation paths for significant incidents; and (d) a retainer agreement with an expert third party for large incidents.
Evaluate the security posture of AxeRoy's environment as relevant to the Solutions, through (a) independent penetration tests performed not less frequently than once a year; and (b) security vulnerability scans performed not less frequently than quarterly. AxeRoy commits to remediate all vulnerabilities identified in a timeframe commensurate with the risk, or as agreed upon with Company.
Have been assessed within the past year through a controls audit report and remediation effort, such as an SSAE 16 or information security audit, as applicable to the Solutions. The audit shall include an assessment of AxeRoy’s applicable general controls and security processes and procedures to ensure compliance with Privacy Laws and industry standards. The audit shall be at AxeRoy’s expense as part of AxeRoy’s ongoing information security program to evaluate AxeRoy’s general security controls.
PAYMENT CARD INFORMATION.
Prior to processing any payment card information in connection with an AxeRoy Agreement, AxeRoy must comply, and remain in compliance, at its own expense, with the Payment Card Industry Data Security Standard (“PCI DSS”). Prior to processing any payment card information and annually thereafter, AxeRoy must submit an attestation to Company stating that it is current in its PCI Report on Compliance/Self-Assessment Questionnaire and PCI Quarterly Network Scan filings and that it remains PCI-compliant, as well as any documentation supporting such attestation as reasonably requested by Company. If at any point AxeRoy is not in compliance with the PCI DSS or is unable or unwilling to produce adequate evidence of compliance, AxeRoy shall be in breach of the AxeRoy Agreement and Company may immediately terminate the AxeRoy Agreement without liability to Company.
INFRASTRUCTURE SECURITY & CONNECTIVITY.
If AxeRoy will store, process, or transmit Company Data, the following requirements shall apply:
The connection and mechanism to transmit Company Data between AxeRoy and Company shall be through a Company IT-approved secure solution. Duration of access shall be restricted to only when access is required. AxeRoy shall use Appropriate Safeguards to protect against any compromise, unauthorized access or other damage to Company’s network and to secure AxeRoy’s networks and IT environments associated with the Solutions. Upon request, AxeRoy shall provide Company with a high-level network diagram that outlines AxeRoy’s IT network supporting the Solutions.
During the term of the DPA, AxeRoy shall maintain, at its own expense, applicable certifications or a controls audit report and remediation effort, such as an SSAE 16 or other standards-based information security audit performed within the past year, as applicable to the Solutions. The audit shall include an assessment of AxeRoy’s applicable general controls and security processes and procedures to ensure appropriate program design and effectiveness. AxeRoy engages an internationally recognized third-party auditor to review the measures in place to protect the Solutions. Through such auditors, AxeRoy performs audits of the Solutions on a regular recurring basis, and the results of such audits are available in technical documents provided upon request by Company.
In addition to AxeRoy’s internal control programs, AxeRoy will have independent penetration tests performed on its environment as relevant to this DPA not less than once a year, and will perform security vulnerability scans not less frequently than quarterly. AxeRoy commits to remediate all vulnerabilities identified in a timeframe commensurate with the risk, or as agreed upon with Company. AxeRoy will also provide copies of such penetration test results to Company upon request.
AxeRoy shall have controls in place to identify any security vulnerabilities in the Solutions during development and after release. AxeRoy shall provide Company written notice of (a) publicly acknowledged vulnerabilities/zero-day exploits within five business days of the public acknowledgement; and (b) internally known yet publicly undisclosed vulnerabilities/zero-day exploits within ten business days of their discovery. AxeRoy commits to remediate all vulnerabilities identified in the Solutions at AxeRoy’s expense, and to remediate vulnerabilities with a base score above 4 as defined by the Common Vulnerability Scoring System in a timeframe commensurate with the risk or as agreed upon with Company. AxeRoy’s use of open source code shall not alter AxeRoy’s responsibility to identify and remediate vulnerabilities as described here.
AxeRoy agrees (a) to use industry secure-coding practices (for example, Microsoft’s Security Development Lifecycle, Cigital Software Security Touchpoints, OWASP standards or the SANS Top 25); (b) that the Solutions are designed based on industry secure-coding practices; and (c) that information security is addressed throughout the development life cycle. The Solutions’ processes, direct capabilities, and other necessary actions shall comply with all PCI standards and Privacy Laws.
AxeRoy shall submit the results and remediation efforts of an independent security assessment for all Solutions that (a) are customer facing, including websites, shipped with or installed on customer systems; or (b) process Highly Restricted Data. The assessment scope and remediation efforts must be agreed upon by Company and addressed to Company’s satisfaction prior to acceptance of such Solutions.
AxeRoy shall notify Company without undue delay, and not later than 24 hours after becoming aware of an actual or reasonably suspected Data Breach. Such notification must be provided, at a minimum, by email with a read receipt to privacy@Company.io and with a copy to AxeRoy’s primary business contact within Company. In facilitating investigation and remediation of a Data Breach, AxeRoy shall cooperate fully with Company. AxeRoy shall not inform any third party of any Data Breach without first obtaining Company’s written consent except as may be strictly required by Privacy Laws, in which case AxeRoy will, unless prohibited by law, notify Company in advance of informing any such third party and cooperate with Company to limit the scope of the information disclosed to what is required by Privacy Laws. Details of any complaint received by AxeRoy related to processing of Highly Restricted Data, Personal Data or User Tracking Data shall be promptly sent to AxeRoy’s Company business contact. AxeRoy shall reimburse Company for costs Company incurs in responding to, remediating, and/or mitigating damages caused by a Data Breach or in following up a complaint by an individual data subject or a regulator. AxeRoy shall take all necessary and appropriate corrective actions, including as may be instructed by Company and Privacy Laws, to remedy or mitigate any Data Breach.
REPRESENTATIVES AND SUBCONTRACTORS
Unless expressly permitted by the AxeRoy Agreement, AxeRoy shall not (a) transfer; (b) disclose; (c) subcontract the processing of; or (d) permit the processing of, Company Data by or to any Subcontractors, without written permission from Company.
Requirements for Subcontractors and Representatives
AxeRoy shall take all reasonable steps to ensure the reliability of Representatives and Subcontractors that have access to the Company Data, including carrying out appropriate background checks. AxeRoy shall ensure Representatives and Subcontractors are appropriately trained in the handling and secure processing of Company Data under Privacy Laws. If AxeRoy is permitted by Company to transfer Company Data to a Subcontractor, the Subcontractor shall comply with Section 4 “International Transfers” of this DPA as if AxeRoy were Company and the Subcontractor were AxeRoy.
Agreements by and between AxeRoy and the Representatives and Subcontractors authorized to process Company Data (“Subcontractor Contracts”) shall include substantially equivalent restrictions and conditions as this DPA. AxeRoy shall have sole liability for all acts or omissions of Representatives and Subcontractors. AxeRoy shall provide Company with a copy of Subcontractor Contracts upon request, and AxeRoy will inform Company by email within two weeks of Company’s request about the name, address and role of each Subcontractor it uses to provide the Service.
AxeRoy undertakes to have a selection process by which it evaluates the security, privacy and confidentiality practices of a Subcontractor in regard to data handling on a scheduled basis (alternatively, the Subcontractor shall possess a security certification that evidences appropriate security measures are in place with regard to the Subcontractor’s services to be provided to AxeRoy). AxeRoy shall audit each of its Subcontractors that process Company Data at least once every twelve months and more frequently in the event of a Data Breach. If the audit reveals any compliance deficiencies, breaches and/or failures by the Subcontractor, AxeRoy shall use all reasonable efforts to work with the Subcontractor to remedy the same promptly. If, within Company’s reasonable discretion, a satisfactory remedy cannot be implemented within a reasonable time, AxeRoy shall not be permitted to use the Subcontractor to provide Solutions to Company, in which case AxeRoy shall be required, as instructed by Company, to promptly return or delete any Company Data.
If AxeRoy processes call recordings, AxeRoy shall establish strong controls for processing call recordings containing Highly Restricted Data or Personal Data that include consent requirements, as required by Applicable Laws. Access to and processing of call recordings shall be limited only to Representatives necessary to provide the Solutions and in compliance with Applicable Law. AxeRoy shall keep a recorded log of all access made to call recordings. AxeRoy shall delete all call recordings containing Personal Data as soon as reasonably possible after the recordings have served their purpose and within such time frames as are set down by Privacy Laws and applicable security standards, but in any event no later than 90 days (21 days in EMEA), unless otherwise approved in writing by Company’s Office of the General Counsel. AxeRoy shall record only a small sample of the call volume and within such time frames required by Privacy Laws. For recordings containing payment card or other Highly Restricted Data, AxeRoy shall store the call recordings in voice stream format (and not as data files), unless all payment card data is removed from the recordings or rendered unreadable/inaudible at the time of recording.
Privacy Law Compliance
If AxeRoy processes Personal Data concerning persons located in Canada in the course of providing Solutions, AxeRoy and Company agree to the additional obligations and requirements in this Section 12. AxeRoy shall not take any actions or make any omissions that will cause Company to be in contravention of the Personal Information Protection and Electronic Documents Act (Canada), as amended or supplemented from time to time, and any other Canadian federal or provincial Privacy Laws governing the processing of Personal Data. AxeRoy shall keep all data, databases or other records containing Personal Data processed in connection with the Solutions logically isolated and separate from any information, data, databases or other records processed by AxeRoy for itself or for third parties. AxeRoy shall designate and identify to Company an individual responsible for the oversight of the Personal Data. Company may be required to disclose, without advance notice or consent, Confidential Information of AxeRoy to authorities in connection with any investigation, audit or inquiry in connection with the Solutions. AxeRoy shall not move, remove, or transmit any Personal Data from AxeRoy's facilities without the express consent of Company and without using appropriately secure technology to protect such information while in transit. If AxeRoy is contacted by a person with a request, inquiry or complaint regarding their Personal Data in connection with the Solutions, AxeRoy shall promptly refer such person to Company.
If, in connection with this DPA, AxeRoy sends, or causes or permits to be sent, any Commercial Electronic Message or installs or causes to be installed any Computer Program on any other Person’s Computer System, as each of those terms is defined in CASL, AxeRoy will ensure such actions are performed in compliance with CASL and in a manner that will enable Company to comply with CASL. “CASL” means An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, SC 2010, c 23, or any successor thereof as amended from time to time, and includes any regulations and practice guidelines issued by any Governmental or Regulatory Authority in respect thereof.
SUPPLEMENTAL AGREEMENTS TO THE DPA.
EU Standard Contractual Clauses
If AxeRoy processes Personal Data concerning persons located in the European Union in the course of providing Solutions, AxeRoy and Company hereby agree to and AxeRoy shall comply with the EU Standard Contractual Clauses, including Appendices 1 and 2 attached hereto.
AXEROY REPRESENTS AND COVENANTS TO COMPANY THAT AXEROY, INCLUDING ANY REPRESENTATIVE OF AXEROY ACCEPTING THIS DPA ON ITS BEHALF, IS AUTHORIZED TO BIND AXEROY TO THE EU STANDARD CONTRACTUAL CLAUSES INCLUDING APPENDIX 1 AND APPENDIX 2.
COMPANY SUBSIDIARY RIGHTS
Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA. Where the Solutions include the processing by AxeRoy Personnel of Company Data on behalf of Company’s direct and indirect subsidiaries, each such Company direct and indirect subsidiary may enforce the terms of this DPA as a third-party beneficiary against AxeRoy in respect of its Company Data as if it were a party to this DPA and/or any AxeRoy Agreements.
AxeRoy shall contribute to and assist Company or its designee to (a) audit AxeRoy’s compliance with this DPA; (b) inspect any Personal Data in the custody or possession of AxeRoy; and (c) promptly respond to all inquiries from Company with respect to AxeRoy’s handling of Personal Data.
AxeRoy shall defend, indemnify and hold harmless Company and Company’s directors, officers, employees, representatives, and agents from and against any and all claims, actions, demands, and legal proceedings and all liabilities, damages, losses, judgments, authorized settlements, costs, fines, penalties and expenses including reasonable attorneys’ fees arising out of or in connection with (a) AxeRoy’s breach of this DPA; (b) AxeRoy’s failure to comply with the PCI DSS; or (c) violation by AxeRoy of any Privacy Laws.
AxeRoy’s obligations under this DPA shall survive the termination or expiration of the DPA, the NDA, and the AxeRoy Agreement. Legal notices shall be made in writing to the Notice Address set forth in the AxeRoy Agreement and/or this DPA. Written notice made by facsimile, overnight courier, registered mail or certified mail and sent to the Company Notice Address or AxeRoy Notice Address (or to successor individuals and addresses that have been properly noticed to the other party) is deemed to be effective upon sending. All other written communications, deliveries or business notices between AxeRoy and Company required by, permitted by or pertaining to this DPA shall be effective when received. AxeRoy may not assign or transfer this DPA, in whole or in part, whether voluntarily, by contract or by merger (whether that party is the surviving or disappearing entity), stock or asset sale, consolidation, dissolution, through government action or order, or otherwise without the prior written consent of Company. Any attempt to assign or transfer this DPA other than in accordance with this Section will be null and void. Company may assign the DPA without AxeRoy’s consent. No waiver of any term or condition is valid unless in writing and signed by authorized representatives of both parties, and shall be limited to the specific situation for which it is given. No amendment or modification to this DPA shall be valid unless set forth in writing specifically referencing this DPA and signed by authorized representatives of both parties. No other action or failure to act shall constitute a waiver of any rights. This DPA sets forth the entire agreement and understanding of the parties relating to the subject matter herein, and replaces all prior or contemporaneous discussions and agreements between the parties, both oral and written.
In performing AxeRoy's responsibilities pursuant to this DPA, it is understood and agreed that AxeRoy is at all times acting as an independent contractor and that AxeRoy is not a partner, joint venturer, or employee of Company. It is expressly agreed that AxeRoy will not for any purpose be deemed to be an agent, ostensible or apparent agent, or servant of Company, and the parties agree to take any and all such action as may be reasonably requested by Company to inform the public and others utilizing the professional services of AxeRoy of such fact. Each of the parties hereto agrees to execute any document or documents that may be requested from time to time by the other party to implement or complete such party's obligations pursuant to this DPA, Privacy Law or Applicable Law. The parties agree to take such reasonable actions as are necessary to amend this DPA from time to time as is necessary for Company to comply with Privacy Law and Applicable Law.

Interpretation. Any ambiguity in this DPA will be resolved in favor of a meaning that permits Company to comply with Privacy Law and Applicable Law.
EU STANDARD CONTRACTUAL CLAUSES
These Clauses are attached to and made a part of the Data Protection Agreement (“DPA”) between Company and AxeRoy.
For the purpose of EU Standard Contractual Clauses the name of data exporting organization is Company Software International, a company organized under the laws of Ireland with registered number 521517 and whose registered office is at Ovens, County Cork, Ireland together with all other Company group entities (as defined below), each such Company entity having the right to enforce the terms of these Standard Contractual Clauses as a third party beneficiary against the data importer in respect of any personal data which are processed by such Company entity as a controller, as if such Company entity were entering into its own separate set of Standard Contractual Clauses with the data importer.
Company group entity means a party or any business entity at any time controlling, controlled by or under common control with Company Products. “Control” means in respect of a company, the power of a person to directly or indirectly secure that the affairs of the company are conducted in accordance with the wishes or directions of that person. “Controlling”, “controlled by” and “under common control” shall be construed accordingly.
DEFINITIONS
For the purposes of the Clauses:
‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
"the data exporter"
shall mean the controller who transfers the personal data;
"the data importer"
shall mean the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of these Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
"the sub-processor"
means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
"the applicable data protection law"
means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
"technical and organizational security measures"
means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
DETAILS OF THE TRANSFER
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
THIRD-PARTY BENEFICIARY CLAUSE
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
OBLIGATIONS OF THE DATA EXPORTER
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to these Clauses;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
OBLIGATIONS OF THE DATA IMPORTER
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
(ii) any accidental or unauthorized access; and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11 (Sub-processing);
(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.
LIABILITY
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.
MEDIATION AND JURISDICTION
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
COOPERATION WITH SUPERVISORY AUTHORITIES
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).
GOVERNING LAW
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
VARIATION OF THE CONTRACT
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clauses.
SUB-PROCESSING
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
OBLIGATION AFTER THE TERMINATION OF PERSONAL DATA-PROCESSING SERVICES
1. The parties agree that on the termination of the provision of data processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the sub-processor warrant that upon the request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
These Clauses are attached to and made a part of the Data Protection Agreement (“DPA”) between Company and AxeRoy. This Appendix forms part of the Clauses. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
DATA EXPORTER
The data exporter is identified at the start of the Clauses and is a AxeRoy of IT products and services. The data exporter has appointed the data importer to provide certain products and/or services as specified in the AxeRoy Agreement. To facilitate the provision of these products and services, the data exporter may provide to the data importer access to the personal data described below.
DATA IMPORTER
The data importer is a signatory to the Clauses and a AxeRoy of products and/or services. The data importer will be the recipient of personal data which is exported by the data exporter to the data importer as described below.
DATA SUBJECTS
The personal data transferred may concern the following categories of data subjects:
Past, present and prospective employees and partners;
Past, present and prospective clients;
Past, present and prospective advisors, consultants, suppliers, contractors, subcontractors and agents;
Complainants, correspondents and enquirers;
Beneficiaries, parents, guardians.
CATEGORIES OF DATA
The data subjects’ personal data transferred may concern the following categories of data:
1. Contact details (which may include name, address, email address, phone and fax contact details and associated local time zone information);
2. Employment details (which may include company name, job title, grade, demographic and location data);
3. IT systems information (which may include user ID and password, computer name, domain name, IP address, and software usage pattern tracking information i.e. cookies);
4. Data subject's e-mail content and transmission data which is available on an incidental basis for the provision of information technology consultancy, support and services (incidental access may include accessing the content of email communications and data relating to the sending, routing and delivery of e-mails);
5. Details of goods or services provided to or for the benefit of data subjects;
6. Financial details (e.g. credit, payment and bank details).
SPECIAL CATEGORIES OF DATA (IF APPROPRIATE)
Personal data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union opinions, memberships or activities, social security files, and data concerning health (including physical or mental health or condition), sexual life and information regarding criminal offences or alleged offences and any related court proceedings and shall include special categories of data as defined in Article 8 of the Directive 95/46/EC and Article 9 of the GDPR 2016/679.
PROCESSING OPERATIONS
The personal data transferred may be subject to the following processing activities: Any operation with regard to personal data irrespective of the means applied and procedures, in particular the obtaining, collecting, recording, organizing, storage, holding, use, amendment, adaptation, alteration, disclosure, dissemination or otherwise making available, aligning, combining, retrieval, consultation, archiving, transmission, blocking, erasing, or destruction of data, the operation and maintenance of systems, management and management reporting, financial reporting, risk management, compliance, legal and audit functions and shall include “processing” which shall have the meaning given to such term in the Directive and the GDPR. Company may modify processing instructions at any time in the future via an amendment to this DPA or in additional contracts.
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
Data Importer Information Security Overview
These Clauses are attached to and made a part of the Data Protection Agreement (“DPA”) between Company and AxeRoy. This Appendix 2 sets out a description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c). Data importer takes information security seriously and this approach is followed through in its processing and transfers of personal data. This information security overview applies to data importer’s corporate controls for safeguarding personal data which is processed and transferred amongst the data importer’s group companies. Data importer’s information security program enables the workforce to understand their responsibilities. Some customer solutions may have alternate safeguards outlined in the applicable statement of work as agreed with each customer.
Data importer has implemented corporate information security practices and standards that are designed to safeguard data importer’s corporate environment and to address business objectives across the following areas: (1) information security, (2) system and asset management, (3) development, and (4) governance. These practices and standards are approved by the data importer’s executive management and are periodically reviewed and updated where necessary. Data importer shall maintain an appropriate data privacy and information security program, including policies and procedures for physical and logical access restrictions, data classification, access rights, credentialing programs, record retention, data privacy, information security and the treatment of personal data and sensitive personal data throughout its lifecycle. Key policies should be reviewed at least annually.
It is the responsibility of the individuals across the data importer’s organization to comply with these practices and standards. To facilitate the corporate adherence to these practices and standards, data importer’s Information Security (“IS”) function is responsible for the following activities:
– the IS function drives data importer’s security direction. The IS function works to ensure compliance with security related policies, standards and regulations, and to raise awareness and provide education to users. The IS function also carries out risk assessments and risk management activities, and manages contract security requirements.
– the IS function manages testing, design and implementation of security solutions to enable adoption of security controls across the environment.
– the IS function manages support of implemented security solutions, monitors and scans the environment and assets, and manages incident response.
– the IS function works with Security Operations, Legal, Global Privacy Office and Human Resources to carry out investigations, including eDiscovery and eForensics.
Security consulting and testing – the IS function works with software developers on developing security best practices, consults on application development and architecture for software projects, and carries out assurance testing.
ASSET CLASSIFICATION AND CONTROL
Data importer’s practice is to track and manage key information and physical, software and logical assets. Examples of the assets that data importer might track include:
information assets, such as identified databases, disaster recovery plans, business continuity plans, data classification, archived information;
software assets, such as identified applications and system software;
physical assets, such as identified servers, desktops/laptops, backup/archival tapes, printers and communications equipment.
The assets are classified based on business criticality to determine confidentiality requirements. Industry guidance for handling personal data provides the framework for technical, organizational and physical safeguards. These safeguards may include controls such as access management, encryption, logging and monitoring, and data destruction.
EMPLOYEE SCREENING, TRAINING AND SECURITY
Where reasonably practicable and appropriate, as part of the employment/recruitment process, data importer shall perform screening/background checks on employees (which shall vary from country to country based on local laws and regulations), where such employees will have access to data importer’s networks, systems or facilities.
Data importer shall require all employees to provide proof of identification and any additional documentation that may be required based on the country of hire or if required by other data importer entities or customers for whom the employee is providing services.
Data importer’s annual compliance training program includes a requirement for employees to complete a data protection and information security awareness course and pass an assessment at the end of the course. The security awareness course may also provide materials specific to certain job functions.
Data importer shall ensure its employees are legally bound to protect and maintain the confidentiality of any personal data they handle pursuant to standard agreements.
PHYSICAL ACCESS CONTROLS AND ENVIRONMENTAL SECURITY
Physical Security Program:
Data importer shall use a number of technological and operational approaches in its physical security program to mitigate security risks to the extent reasonably practicable. Data importer’s security team works closely with each site to determine appropriate measures are in place to prevent unauthorized persons from gaining access to systems within which personal data is processed and continually monitor any changes to the physical infrastructure, business and known threats. They also monitor best practice measures used by others in the industry and carefully select approaches that meet both uniqueness in business practice and expectations of data importer. Data importer balances its approach towards security by considering elements of control that include architecture, operations and systems.
Physical Access controls:
Physical access controls/security measures at data importer’s facilities/premises are designed to meet the following requirements:
access to data importer’s buildings, facilities and other physical premises shall be controlled and based upon business necessity, sensitivity of assets and the individual’s role and relationship to the data importer. Only personnel associated with data importer are provided access to data importer’s facilities and physical resources in a manner consistent with their role and responsibilities in the organization;
relevant data importer facilities are secured by an access control system. Access to such facilities is granted with an activated card only;
all persons requiring access to facilities and/or resources are issued with appropriate and unique physical access credentials (e.g. a badge or keycard assigned to one individual) by the IS function. Individuals issued with unique physical access credentials are instructed not to allow or enable other individuals to access the data importer’s facilities or resources using their unique credentials (e.g. no “tailgating”). Temporary (up to 14 days) credentials may be issued to individuals who do not have active identities where this is necessary (i) for access to a specific facility and (ii) for valid business needs. Unique credentials are non-transferable and if an individual cannot produce their credentials upon request they may be denied entry to data importer’s facilities or escorted off the premises. At staffed entrances, individuals are required to present a valid photo identification or valid credentials to the security representative upon entering. Individuals who have lost or misplaced their credentials or other identification are required to enter through a staffed entrance and be issued a temporary badge by a security representative;
employees are regularly trained and reminded to always carry their credentials, store their laptops, portable devices and documents in a secure location (especially while traveling) and log out or shut down their computers when away from their desk;
visitors who require access to data importer’s facilities must enter through a staffed and/or main facility entrance. Visitors must register their date and time of arrival, time of leaving the building and the name of the person they are visiting. Visitors must produce a current, government issued form of identification to validate their identity. To prevent access to, or disclosure of, company proprietary information visitors are not allowed un-escorted access to restricted or controlled areas;
select data importer facilities use CCTV monitoring, security guards and other physical measures where appropriate and legally permitted;
locked shred bins are provided on most sites to enable secure destruction of confidential information/personal data;
for data importer’s major data centres, security guards, UPS and generators, and change control standards are available;
for software development and infrastructure deployment projects, the IS function uses a risk evaluation process and a data classification program to manage risk arising from such activities.
The IT organization manages changes to the corporate infrastructure, systems and applications through a centralized change management program, which may include testing, business impact analysis and management approval where appropriate. All relevant application and systems developments adhere to an approved change management process.
SECURITY INCIDENTS AND RESPONSE PLAN
Security incident response plan:
Data importer maintains a security incident response policy and related plan and procedures which address the measures that data importer will take in the event of loss of control, theft, unauthorized disclosure, unauthorized access, or unauthorized acquisition of personal data. These measures may include incident analysis, containment, response, remediation, reporting and the return to normal operations.
Controls are in place to protect against, and support the detection of, malicious use of assets and malicious software and to report potential incidents to the data importer’s IS function or Service Desk for appropriate action. Controls may include, but are not limited to: information security policies and standards; restricted access; designated development and test environments; virus detection on servers, desktop and notebooks; virus email attachment scanning; system compliance scans; intrusion prevention monitoring and response; firewall rules; logging and alerting on key events; information handling procedures based on data type; e-commerce application and network security; and system and application vulnerability scanning. Additional controls may be implemented based on risk.
DATA TRANSMISSION CONTROL AND ENCRYPTION.
Data importer shall, to the extent it has control over any electronic transmission or transfer of personal data, take all reasonable steps to ensure that such transmission or transfer cannot be read, copied, altered or removed without proper authority during its transmission or transfer. In particular, data importer shall:
1. implement industry-standard encryption practices in its transmission of personal data. Industry-standard encryption methods used by data importer include Secure Sockets Layer (SSL), Transport Layer Security (TLS), a secure shell program such as SSH, and/or Internet Protocol Security (IPSec);
2. if technically feasible, encrypt all personal data, including, in particular any sensitive personal data or confidential information, when transmitting or transferring that data over any public network, or over any network not owned and maintained by data importer. The data importer’s policy recognizes that encryption is ineffective unless the encryption key is inaccessible to unauthorized individuals and instructs personnel never to provide an encryption key via the same channel as the encrypted document;
3. for Internet-facing applications that may handle sensitive personal data and/or provide real-time integration with systems on a network that contains such information (including data importer’s core network), a Web Application Firewall (WAF) may be used to provide an additional layer of input checking and attack mitigation. The WAF will be configured to mitigate potential vulnerabilities such as injection attacks, buffer overflows, cookie manipulation and other common attack methods.
SYSTEM ACCESS CONTROLS.
Access to data importer’s systems is restricted to authorized users. Access is granted under formal procedures designed to ensure that appropriate approvals are obtained, so as to prevent access by unauthorised individuals. Such procedures include:
1. admission controls (i.e. measures to prevent unauthorized persons from using data processing systems):
(a) access is provided based on segregation of duties and least privilege in order to reduce the risk of misuse, intentional or otherwise;
(b) access to IT systems will be granted only when a user is registered under a valid username and password;
(c) data importer has a password policy in place which requires strong passwords for user login to issued laptops, prohibits the sharing of passwords, prohibits the use of passwords that are also used for non-work functions, and advises users on what to do in the event their password or other login credentials are lost, stolen or compromised;
(d) mandatory password changes on a regular basis;
(e) automatic computer lock, with access to the PC restored only after re-authentication with a valid username and password;
(f) data and user classification determines the type of authentication that must be used by each system;
(g) remote access and wireless computing capabilities are restricted and require that both user and system safeguards are in place as well as user authentication.
2. access controls (i.e. measures to prevent unauthorised access to systems):
(a) access authorization is issued in respect of the specific area of work the individual is assigned to (i.e. work role);
(b) adjustment of access authorizations in case of changes to the working area, or in case an employee’s employment is terminated for any reason;
(c) granting, removing and reviewing administrator privileges with the appropriate additional controls and only as needed to support the system(s) in question;
(d) event logs from key devices and systems are centrally collected and reported on an exceptions basis to enable incident response and forensic investigations.
DATA ACCESS CONTROL.
Data importer applies the controls set out below regarding the access and use of personal data:
1. personnel are instructed to only use the minimum amount of personal data necessary in order to achieve the data importer’s relevant business purposes;
2. personnel are instructed not to read, copy, modify or remove personal data unless necessary in order to carry out their work duties;
3. third party use of personal data is governed through contractual terms and conditions between the third party and data importer which impose limits on the third party’s use of personal data and restrict such use to what is necessary for the third party to provide services.
Where legally required, data importer will ensure that personal data collected for different purposes can be processed separately. Data importer shall also ensure there is separation between test and production systems.
Data importer protects personal data against accidental destruction or loss by following these controls:
1. personal data is retained in accordance with customer contract or, in its absence, data importer’s record management policy and practices, as well as legal retention requirements;
2. hard copy personal data is disposed of in a secure disposal bin or a crosscut shredder such that the information is no longer decipherable;
3. electronic personal data is given to data importer’s IT Asset Management team for proper disposal;
4. appropriate technical measures are in place, including (without limitation): anti-virus software is installed on all systems; network protection is provided via firewalls; network segmentation; use of content filters/proxies; uninterruptible power supply; regular generation of back-ups; hard disk mirroring where required; fire safety system; water protection systems where appropriate; emergency plans; and air-conditioned server rooms.
DATA INPUT CONTROL.
Data importer has, where appropriate, measures designed to check whether and by whom personal data have been input into data processing systems, or whether such data has been modified or removed. Access to relevant applications is recorded.
SYSTEM DEVELOPMENT AND MAINTENANCE.
Publicly released third party vulnerabilities are reviewed for applicability in the data importer environment. Based on risk to data importer’s business and customers, there are pre-determined timeframes for remediation. In addition, vulnerability scanning and assessments are performed on new and key applications and the infrastructure based on risk. Code reviews and scanners are used in the development environment prior to production to proactively detect coding vulnerabilities based on risk. These processes enable proactive identification of vulnerabilities as well as compliance.
The information security, legal, privacy and compliance departments work to identify regional laws and regulations that may be applicable to data importer. These requirements cover areas such as intellectual property of the data importer and its customers, software licenses, protection of employee and customer personal information, data protection and data handling procedures, transborder data transmission, financial and operational procedures, regulatory export controls around technology, and forensic requirements. Mechanisms such as the information security program, the executive privacy council, internal and external audits/assessments, internal and external legal counsel consultation, internal controls assessment, internal penetration testing and vulnerability assessments, contract management, security awareness, security consulting, policy exception reviews and risk management combine to drive compliance with these requirements.