1.1 Scope and Roles. This DPA applies when Service Recipient Data is processed by Service Provider. In this context, Service Provider will act as processor to Service Recipient, who can act either as controller or processor of Service Recipient Data.
1.2 Service Recipient Controls. Service Recipient can use the Service Controls to assist it with its obligations under Applicable Data Protection Law, including its obligations to respond to requests from data subjects. Taking into account the nature of the processing, Service Recipient agrees that it is unlikely that Service Provider would become aware that Service Recipient Data transferred under the Standard Contractual Clauses is inaccurate or outdated. Nonetheless, if Service Provider becomes aware that Service Recipient Data transferred under the Standard Contractual Clauses is inaccurate or outdated, it will inform Service Provider without undue delay. Service Provider will cooperate with Service Recipient to erase or rectify inaccurate or outdated Service Recipient Data transferred under the Standard Contractual Clauses by providing the Service Controls that Service Recipient can use to erase or rectify Service Recipient Data.
1.3 Details of Data Processing.
1.3.1 Subject matter. The subject matter of the data processing under this DPA is Service Recipient Data.
1.3.2 Duration. As between Service Provider and Service Recipient, the duration of the data processing under this DPA is determined by Service Provider.
1.3.3 Purpose. The purpose of the data processing under this DPA is the provision of the Services initiated by Service Recipient from time to time.
1.3.4 Nature of the processing. Compute, storage and such other Services as described in the Documentation and initiated by Service Recipient from time to time.
1.3.5 Type of Service Recipient Data. Service Recipient Data uploaded to the Services under Service Provider accounts.
1.3.6 Categories of data subjects. The data subjects could include Service Provider’s Service Recipients, employees, suppliers and End Users.
1.4 Compliance with Service Provider. Each party will comply with all Service Provider, rules and regulations applicable to it and binding on it in the performance of this DPA, including Applicable Data Protection Law.
Service Recipient Instructions
The parties agree that this DPA and the Agreement (including Service Recipient providing instructions via configuration tools such as the Service Provider management console and APIs made available by for the Services) constitute Service Recipient’s documented instructions regarding Service Provider’s processing of Service Recipient Data (“Documented Instructions”). Service Provider will process Service Recipient Data only in accordance with Documented Instructions (which if Service Recipient is acting as a processor, could be based on the instructions of its controllers). Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Service Provider and Service Recipient, including agreement on any additional fees payable by Service Recipient to Service Provider for carrying out such instructions. Service Recipient is entitled to terminate this DPA and the Agreement if Service Recipient declines to follow instructions requested by Service Provider that are outside the scope of, or changed from, those given or agreed to be given in this DPA. Taking into account the nature of the processing, Service Recipient agrees that it is unlikely Service Provider can form an opinion on whether Documented Instructions infringe Applicable Data Protection Law. If Service Provider forms such an opinion, it will immediately inform Service Recipient, in which case, Service Recipient is entitled to withdraw or modify its Documented Instructions.
Confidentiality of Service Recipient Data
Service Provider will not access or use, or disclose to any third party, any Service Recipient Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Service Provider a demand for Service Recipient Data, Service Provider will attempt to redirect the governmental body to request that data directly from Service Recipient. As part of this effort, Service Provider may provide Service Recipient’s basic contact information to the governmental body. If compelled to disclose Service Recipient Data to a governmental body, then Service Provider will give Service Recipient reasonable notice of the demand to allow Service Recipient to seek a protective order or other appropriate remedy unless Service Provider is legally prohibited from doing so.
Confidentiality Obligations of service provider Personnel
Service Provider restricts its personnel from processing Service Recipient Data without authorization by Service Provider as described in the Security Standards. Service Provider imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.
Security of Data Processing
5.1 Service Provider has implemented and will maintain the technical and organizational measures for the service provider. Network as described in the Security Standards and this Section. In particular, Service Provider has implemented and will maintain the following technical and organizational measures:
Security of the Service Provider Network as set out in Section 1.1 of the Security Standards;
Physical security of the facilities as set out in Section 1.2 of the Security Standards;
Measures to control access rights for authorized personnel to the Service Provider Network as set out in Section 1.3 of the Security Standards; and
Processes for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures implemented by Service Provider as described in Section 2 of the Security Standards.
5.2 Service Recipient can elect to implement technical and organizational measures to protect Service Recipient Data. Such technical and organizational measures include the following which can be obtained by Service Recipient from Service Provider as described in the Documentation, or directly from a third-party supplier:
Pseudonymization and encryption to ensure an appropriate level of security;
Measures to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services that are operated by Service Recipient; measures to allow Service Recipient to backup and archive appropriately in order to restore availability and access to Service Recipient Data in a timely manner in the event of a physical or technical incident; and
Processes for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures implemented by Service Recipient.
6.1 Authorized Sub-processors. Service Recipient provides general authorization to service provider’s use of sub-processors to provide processing activities on Service Recipient Data on behalf of Service Recipient (“Sub-processors”) in accordance with this Section. The service provider website lists Sub-processors that are currently engaged by service provider. At least 30 days before service provider engages a Sub-processor, service provider will update the applicable website and provide Service Recipient with a mechanism to obtain notice of that update. To object to a Sub-processor, Service Recipient can: (i) terminate the Agreement pursuant to its terms; (ii) cease using the Service for which service provider has engaged the Sub-processor; or (iii) move the relevant Service Recipient Data to another Region where service provider has not engaged the Sub-processor.
6.2 Sub-processor Obligations. Where service provider authorizes a Sub-processor as described in Section 6.1:
Service provider will restrict the Sub-processor’s access to Service Recipient Data only to what is necessary to provide or maintain the Services in accordance with the Documentation, and service provider will prohibit the Sub-processor from accessing Service Recipient Data for any other purpose;
Service provider will enter into a written agreement with the Sub-processor and, to the extent that the Sub-processor performs the same data processing services provided by service provider under this DPA, service provider will impose on the Sub-processor the same contractual obligations that service provider has under this DPA; and
Service provider will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause service provider to breach any of service provider’s obligations under this DPA.
Taking into account the nature of the processing, the Service Controls are the technical and organizational measures by which service provider will assist Service Recipient in fulfilling Service Recipient’s obligations to respond to data subjects’ requests under Applicable Data Protection Law. If a data subject makes a request to service provider, service provider will promptly forward such request to Service Recipient once service provider has identified that the request is from a data subject for whom Service Recipient is responsible. Service Recipient authorizes on its behalf and on behalf of its controllers when Service Recipient is acting as a processor, service provider to respond to any data subject who makes a request to service provider, to confirm that service provider has forwarded the request to Service Recipient. The parties agree that Service Recipient’s use of the Service Controls and service provider forwarding data subjects’ requests to Service Recipient in accordance with this Section, represent the scope and extent of Service Recipient’s required assistance. (d) Optional Security Features. Service provider makes available many Service Controls that Service Recipient can elect to use. Service Recipient is responsible for (a) implementing the measures described in Section 5.2, as appropriate, (b) properly configuring the Services, (c) using the Service Controls to allow Service Recipient to restore the availability and access to Service Recipient Data in a timely manner in the event of a physical or technical incident (for example backups and routine archiving of Service Recipient Data), and taking such steps as Service Recipient considers adequate to maintain appropriate security, protection, and deletion of Service Recipient Data, which includes use of encryption technology to protect Service Recipient Data from unauthorized access and measures to control access rights to Service Recipient Data.
8.1 Security Incident. Service provider will (a) notify service recipient of a security incident without undue delay after becoming aware of the Security Incident, and (b) take appropriate measures to address the Security Incident, including measures to mitigate any adverse effects resulting from the Security Incident.
8.2 Service provider Assistance. To enable Service Recipient to notify a Security Incident to supervisory authorities or data subjects (as applicable), service provider will cooperate with and assist Service Recipient by including in the notification under Section 9.1(a) such information about the Security Incident as service provider is able to disclose to Service Recipient, taking into account the nature of the processing, the information available to service provider, and any restrictions on disclosing the information, such as confidentiality. Taking into account the nature of the processing, Service Recipient agrees that it is best able to determine the likely consequences of a Security Incident.
8.3 Unsuccessful Security Incidents. Service Recipient agrees that:
(i) An unsuccessful Security Incident will not be subject to this Section 9. An unsuccessful Security Incident is one that results in no unauthorized access to Service Recipient Data or to any of service provider’s equipment or facilities storing Service Recipient Data, and could include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents; and
(ii) Service provider’s obligation to report or respond to a Security Incident under this Section 9 is not and will not be construed as an acknowledgement by service provider of any fault or liability of service provider with respect to the Security Incident.
8.4 Communication. Notification(s) of Security Incidents, if any, will be delivered to one or more of Service Recipient’s administrators by any mean service provider selects, including via email. It is Service Recipient’s sole responsibility to ensure Service Recipient’s administrators maintain accurate contact information on the service provider management console and secure transmission at all times.
8.5 Notification Obligations. If service provider notifies Service Recipient of a Security Incident, or Service Recipient otherwise becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Service Recipient Data, Service Recipient will be responsible for (a) determining if there is any resulting notification or other obligation under Applicable Data Protection Law and (b) taking necessary action to comply with those obligations. This does not limit service provider’s obligations under this Section 9.
9.1 Service provider ISO-Certification and SOC Reports. In addition to the information contained in this DPA, upon Service Recipient’s request, and provided that the parties have an applicable NDA in place, service provider will make available the following documents and information:
(i) the certificates issued for the ISO 27001 certification, the ISO 27017 certification, the ISO 27018 certification, and the ISO 27701 certification (or the certifications or other documentation evidencing compliance with such alternative standards as are substantially equivalent to ISO 27001, ISO 27017, ISO 27018, and ISO 27701); and the System and Organization Controls (SOC) 1 Report, the System and Organization Controls (SOC) 2 Report and the System and Organization Controls (SOC) 3 Report (or the reports or other documentation describing the controls implemented by service provider that replace or are substantially equivalent to the SOC 1, SOC 2 and SOC 3).
9.2 Service provider audits. Service provider uses external auditors to verify the adequacy of its security measures, including the security of the physical data centers from which service provider provides the services. this audit: (a) will be performed at least annually; (b) will be performed according to ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001; (c) will be performed by independent third-party security professionals at service provider’s selection and expense; and (d) will result in the generation of an audit report (“report”), which will be service provider’s confidential information.
9.3 Audit Reports. At Service Recipient’s written request, and provided that the parties have an applicable NDA in place, service provider will provide Service Recipient with a copy of the Report so that Service Recipient can reasonably verify service provider’s compliance with its obligations under this DPA.
9.4 Privacy Impact Assessment and Prior Consultation. Taking into account the nature of the processing and the information available to service provider, service provider will assist Service Recipient in complying with Service Recipient’s obligations in respect of data protection impact assessments and prior consultation, by providing the information service provider makes available under this Section 10.
Service Recipient chooses to conduct any audit, including any inspection, it has the right to request or mandate on its own behalf, and on behalf of its controllers when Service Recipient is acting as a processor, under Applicable Data Protection Law or the Standard Contractual Clauses, by instructing service provider to carry out the audit described in Section 10. If Service Recipient wishes to change this instruction regarding the audit, then Service Recipient has the right to request a change to this instruction by sending service provider written notice as provided for in the Agreement. If service provider declines to follow any instruction requested by Service Recipient regarding audits, including inspections, Service Recipient is entitled to terminate the Agreement in accordance with its terms.
11.1 Regions. Service Recipient can specify the location(s) where Service Recipient Data will be processed within the service provider Network (each a “Region”), including Regions in the EEA. Once Service Recipient has made its choice, service provider will not transfer Service Recipient Data from Service Recipient’s selected Region(s) except as necessary to provide the Services initiated by Service Recipient, or as necessary to comply with the law or valid and binding order of a governmental body.
11.2 Application of Standard Contractual Clauses. Subject to Section 12.3, the Standard Contractual Clauses will only apply to Service Recipient Data subject to the GDPR that is transferred, either directly or via onward transfer, to any Third Country (each a “Data Transfer”).
11.2.1 When Service Recipient is acting as a controller, the Controller-to-Processor Clauses will apply to a Data Transfer.
11.2.2 When Service Recipient is acting as a processor, the Processor-to-Processor Clauses will apply to a Data Transfer. Taking into account the nature of the processing, Service Recipient agrees that it is unlikely that service provider will know the identity of Service Recipient’s controllers because service provider has no direct relationship with Service Recipient’s controllers and therefore, Service Recipient will fulfill service provider’s obligations to Service Recipient’s controllers under the Processor-to-Processor Clauses.
11.3 Alternative Transfer Mechanism. The Standard Contractual Clauses will not apply to a Data Transfer if service provider has adopted Binding Corporate Rules for Processors or an alternative recognized compliance standard for lawful Data Transfers.
This DPA will continue in force until the termination of the Agreement (the “Termination Date”).
At any time up to the Termination Date, and for 90 days following the Termination Date, subject to the terms and conditions of the Agreement, service provider will return or delete Service Recipient Data when Service Recipient uses the Service Controls to request such return or deletion. No later than the end of this 90-day period, Service Recipient will close all service provider accounts containing Service Recipient Data.
Where Service Recipient Data becomes subject to confiscation during bankruptcy or insolvency proceedings or similar measures by third parties while being processed by service provider, service provider will inform Service Recipient without undue delay. service provider will, without undue delay, notify all relevant parties in such action (for example, creditors, bankruptcy trustee) that any Service Recipient Data subjected to those proceedings is Service Recipient’s property and area of responsibility and that Service Recipient Data is at Service Recipient’s sole disposition.
This DPA incorporates the Standard Contractual Clauses by reference. Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this DPA, the terms of this DPA will control, except that the Service Terms will control over this DPA. Nothing in this document varies or modifies the Standard Contractual Clauses.
Unless otherwise defined in the Agreement, all capitalized terms used in this DPA will have the meanings given to them below:
“API” means an application program interface.
“Applicable Data Protection Law” means all Service Provider and regulations applicable to and binding on the processing of Service Recipient Data by a party, including, as applicable, the GDPR.
“Service provider Network” means the servers, networking equipment, and host software systems (for example, virtual firewalls) that are within service provider’s control and are used to provide the Services.
“Binding Corporate Rules” has the meaning given to it in the GDPR.
“Controller” has the meaning given to it in the GDPR.
“Controller-to-Processor Clauses” means the standard contractual clauses between controllers and processors for Data Transfers, as approved by the European Commission Implementing Decision (EU).
“Service Recipient Data” means the Personal Data that is uploaded to the Services under Service Recipient’s Service provider accounts.
“EEA” means the European Economic Area.
“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means personal data, personal information, personally identifiable information or other equivalent term (each as defined in Applicable Data Protection Law).
“processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” will be interpreted accordingly.
“processor” has the meaning given to it in the GDPR.
“Processor-to-Processor Clauses” means the standard contractual clauses between processors for Data Transfers, as approved by the European Commission Implementing Decision (EU).
“Region” has the meaning given to it in Section 12.1 of this DPA.
“Security Incident” means a breach of service provider’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Service Recipient Data.
“Security Standards” means the security standards attached to this DPA as Annex 1.
“Service Controls” means the controls, including security features and functionalities, that the Services provide, as described in the Documentation.
“Standard Contractual Clauses” means (i) the Controller-to-Processor Clauses, or (ii) the Processor- to-Processor Clauses, as applicable in accordance with Sections 12.2.1 and 12.2.2. an adequate
“Third Country” means a country outside the EEA not recognized by the European Commission as providing level of protection for personal data (as described in the GDPR).
Capitalized terms not otherwise defined in this document have the meanings assigned to them in the Agreement.
Information Security Program
Service provider will maintain an information security program designed to (a) enable Service Recipient to secure Service Recipient Data against accidental or unlawful loss, access, or disclosure, (b) identify reasonably foreseeable risks to the security and availability of the service provider Network, and (c) minimize physical and logical security risks to the SERVICE PROVIDER Network, including through regular risk assessment and testing. Service provider will designate one or more employees to coordinate and be accountable for the information security program. SERVICE PROVIDER’s information security program will include the following measures:
1.1 Logical Security
A. Access Controls. Service provider will make the service provider network accessible only to authorized personnel, and only as necessary to maintain and provide the Services. Service provider will maintain access controls and policies to manage authorizations for access to the service provider Network from each network connection and user, including through the use of firewalls or functionally equivalent technology and authentication controls. Service provider will maintain access controls designed to (i) restrict unauthorized access to data, and (ii) Segregate each Service Recipient’s data from other Service Recipients’ data.
B. Restricted User Access. Service provider will (i) provision and restrict user access to the service provider Network in accordance with least privilege principles based on personnel job functions, (ii) require review and approval prior to provisioning access to the service provider network above least privileged principles, including administrator accounts; (iii) require at least quarterly review of service provider network access privileges and, where necessary, revoke service provider network access privileges in a timely manner, and (iv) require two- factor authentication for access to the service provider Network from remote locations.
C. Vulnerability Assessments. Service provider will perform regular external vulnerability assessments and penetration testing of the service provider Network, and will investigate identified issues and track them to resolution in a timely manner.
D. Application Security. Before publicly launching new Services or significant new features of Services, service provider will perform application security reviews designed to identify, mitigate and remediate security risks.
E. Change Management. Service provider will maintain controls designed to log, authorize, test, approve and document changes to existing service provider network resources, and will document change details within its change management or deployment tools. Service provider will test changes according to its change management standards prior to migration to production. Service provider will maintain processes designed to detect unauthorized changes to the service provider Network and track identified issues to a resolution.
F. Data Integrity. Service provider will maintain controls designed to provide data integrity during transmission, storage and processing within the service provider Network. Service provider will provide Service Recipient the ability to delete Service Recipient Data from the service provider network.
G. Business Continuity and Disaster Recovery. Service provider will maintain a formal risk management program designed to support the continuity of its critical business functions (“Business Continuity Program”). The Business Continuity Program includes processes and procedures for identification of, response to, and recovery from, events that could prevent or materially impair service provider’s provision of the Services (a“BCP Event”). The Business Continuity Program includes a three-phased approach that service provider will follow to manage BCP Events:
(i) Activation & Notification Phase. As service provider identifies issues likely to result in a BCP Event, service provider will escalate, validate and investigate those issues. During this phase, service provider will analyze the root cause of the BCP Event.
(ii) Recovery Phase. Service provider assigns responsibility to the appropriate teams to take steps to restore normal system functionality or stabilize the affected Services.
(iii) Reconstitution Phase. Service provider leadership reviews actions taken and confirms that the recovery effort is complete and the affected portions of the Services and service provider network have been restored. Following such confirmation, service provider conducts a post-mortem analysis of the BCP event.
H. Incident Management. Service provider will maintain corrective action plans and incident response plans to respond to potential security threats to the service provider Network. service provider incident response plans will have defined processes to detect, mitigate, investigate, and report security incidents. The service provider incident response plans include incident verification, attack analysis, containment, data collection, and problem remediation.
I. Storage Media Decommissioning. Service provider will maintain a media decommissioning process that is conducted prior to final disposal of storage media used to store Service Recipient Data. Prior to final disposal, storage media that was used to store Service Recipient Data will be degaussed, erased, purged, physically destroyed, or otherwise sanitized in accordance with industry standard practices designed to ensure that the Service Recipient Data cannot be retrieved from the applicable type of storage media.
1.2 Physical Security
A. Access Controls. Service provider will (i) implement and maintain physical safeguards designed to prevent unauthorized physical access, damage, or interference to the service provider network, (ii) use appropriate control devices to restrict physical access to the service provider Network to only authorized personnel who have a legitimate business need for such access, (iii) monitor physical access to the service provider network using intrusion detection systems designed to monitor, detect, and alert appropriate personnel of security incidents, (iv) log and regularly audit physical access to the service provider Network, and (v) perform periodic reviews to validate adherence with these standards.
B. Availability. Service provider will (i) implement redundant systems for the service provider network designed to minimize the effect of a malfunction on the service provider network, (ii) design the service provider network to anticipate and tolerate hardware failures, and (iii) implement automated processes designed to move Service Recipient data traffic away from the affected area in the case of hardware failure.
1.3 Service provider employees
Employee security training. Service provider will implement and maintain employee security training programs regarding service provider information security requirements. the security awareness training programs will be reviewed and updated at least annually.
Background checks. Where permitted by law and to the extent available from applicable governmental authorities, service provider will require that each employee undergo a background investigation that is reasonable and appropriate for that employee’s position and level of access to the service provider network.
Continued evaluation
Service provider will conduct periodic reviews of the information security program for the service provider network. Service provider will update or alter its information security program as necessary to respond to new security risks and to take advantage of new technologies.
