(Updated on April 26, 2024)
This Data Processing Addendum (“DPA”), including all appendices, forms a part of the Master Services Agreement (“Agreement”) between “Company” (DataEndure) and “Customer” (As defined in the Agreement). The parties agree that this DPA sets forth their obligations with respect to the processing and security of Customer Data in connection with Customer’s use of the Solutions. Capitalized terms defined in this DPA shall apply to this DPA, and any terms not defined in this DPA shall have their meaning as defined in the Agreement.
Capitalized terms will have the meaning assigned to such terms where defined throughout these Terms. Each of Company or Customer is sometimes described in these Terms as a “Party” and together, “Parties,” which Parties agree as follows:
1. DEFINITIONS.
1.1. “Adequate Country” means:
1.1.1. For data processed subject to the EU GDPR: the EEA, or a country or territory that is the subject of an adequacy decision by the Commission under Article 45(1) of the GDPR;
1.1.2. For data processed subject to the UK GDPR: the UK or a country or territory that is the subject of the adequacy regulations under Article 45(1) of the UK GDPR and Section 17A of the Data Protection Act 2018;
1.1.3. For data processed subject to the Swiss FDPA: Switzerland, or a country or territory that (i) is included in the list of the states whose legislation ensures an adequate level of protection as published by the Swiss Federal Protection and Information Commissioner, or (ii) is the subject of an adequacy decision by the Swiss Federal Council under the Swiss FDPA.
1.2. “Data Privacy Laws” include:
1.2.1. California Consumer Privacy Act of 2018, Cal. Civil Code Sec. 1798.100 et seq. and its implementing regulations, as amended by the California Privacy Rights Act of 2020 (“CCPA”);
1.2.2. EU General Data Protection Regulation 2016/679 (“GDPR”) and EU Directives 2002/58/EC and 2009/136/EC (each as implemented into the national laws of EU Member States);
1.2.3. Other equivalent laws and regulations in other jurisdictions, each as amended, consolidated, or replaced from time to time (collectively, “Data Privacy Laws”).
1.3. “Alternative Transfer Mechanism” means a mechanism, other than the SCCs, that enables the lawful transfer of personal data to a third country in accordance with European Data Protection Laws.
1.4. “Customer Personal Data” means the personal data contained within the Customer Data;
1.5. “Contracted Processor” means Company or a Company Sub-processor.
1.6. “European Data Protection Laws” means, as applicable: (i) the GDPR; (ii) the UK GDPR; and/or (iii) the Swiss FDPA.
1.7. “Non-European Data Protection Laws” means all laws and regulations that apply to Company processing Customer Personal Data under the Agreement that are in force outside the European Economic Area, the UK, and Switzerland.
1.8. “Security Breach” means a breach of Company’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed or otherwise controlled by Company.
1.9. “SCCs” means the SCCs (EU Controller-to-Processor), SCCs (EU Processor-to-Processor), and SCCs (UK Controller-to-Processor).
1.10. “Sub-processor” means other processors used by Company to process Customer Data, as described in Article 28 of the GDPR.
1.11. “Swiss FDPA” means the Federal Data Protection Act of June 19, 1992 (Switzerland).
1.12. “UK GDPR” means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under the same.
1.13. The terms “personal data”, “data subject”, “processing”, “controller”, and “processor” as used in this DPA have the meanings given in the GDPR irrespective of whether European Data Protection Laws apply.
1.14. The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
2. PROCESSING OF CUSTOMER PERSONAL DATA.
2.1. If European Data Protection Laws apply to the processing of Customer Personal Data:
2.1.1. the subject matter and details of the processing are described in Appendix 1;
2.1.2. Company is a processor of that Customer Personal Data under European Data Protection Laws;
2.1.3. Customer is a controller or processor of that Customer Personal Data under European Data Protection Laws;
2.1.4. Each party will comply with the obligations applicable to it under the European Data Protection Laws with respect to the processing of that Customer Personal Data.
2.2. If Non-European Data Protection Laws apply to either party’s processing of Customer Personal Data, the relevant party will comply with any obligations applicable to it under that law with respect to the processing of that Customer Personal Data.
2.2.1. For California Residents, please see the Privacy Notice for California Residents.
2.3. Company shall:
2.3.1. Not process Customer Personal Data other than to provide the Solutions in accordance with the Agreement (including as set forth in this DPA and as described in Appendix 1 to this DPA), unless processing is required by applicable law to which the relevant Contracted Processor is subject (the “Permitted Purpose”), in which case Company shall to the extent permitted by applicable law inform the Customer of that legal requirement before the relevant processing of that Customer Personal Data;
2.3.2. Immediately notify Customer if, in Company’s opinion, European Data Protection Laws prohibit Company from complying with the Permitted Purpose or Company is otherwise unable to comply with the Permitted Purpose. This Section does not reduce either party’s rights or obligations elsewhere in the Agreement.
2.4. Customer hereby:
2.4.1. Instructs Company to process Customer Personal Data for the Permitted Purpose;
2.4.2. Warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instruction set out herein on behalf of each relevant Customer Affiliate.
3. SECURITY.
3.1. Company will implement and maintain the technical and organizational measures set forth in Appendix 2 (the “Security Measures”). Company may update the Security Measures from time to time provided that such updates do not result in a reduction of the security of the Solutions.
3.2. Without prejudice to Company’s obligations under Section 3.1 above and elsewhere in the Agreement, Customer is responsible for its use of the Solutions and its storage of any copies of Customer Data outside Company’s or Company’s Sub-processors’ systems, including: (i) using the Solutions to ensure a level of security appropriate to the risk to the Customer Data; (ii) securing the authentication credentials, systems, and devices Customer uses to access the Solutions; and (iii) backing up its Customer Data as appropriate.
3.3. Customer agrees that the Solutions and Security Measures implemented and maintained by Company provide a level of security appropriate to the risk to Customer Data.
4. SUBPROCESSING.
4.1. Customer specifically authorizes Company to engage as Sub-processors those entities listed as of the effective date of this DPA in Section 4.2. In addition, and without prejudice to Section 4.4, Customer generally authorizes the engagement as Sub-processors of any other third parties (“New Sub-processors”).
4.2. Information about Sub-processors, including their functions and locations, is available upon request (as may be updated by Company from time to time in accordance with this DPA).
4.3. When any New Sub-processor is engaged while this DPA is in effect, Company shall provide Customer at least thirty days’ prior written notice of the engagement of any New Sub-processor, including details of the processing to be undertaken by the New Sub-processor. If, within thirty days of receipt of that notice, Customer notifies Company in writing of any objections to the proposed appointment, and further provides commercially reasonable justifications to such objections based on that New Sub-processor’s inability to adequately safeguard Customer Data, then (i) Company shall work with Customer in good faith to address Customer’s objections regarding the New Sub-processor; and (ii) where Customer’s concerns cannot be resolved within thirty days from Company’s receipt of Customer’s notice, notwithstanding anything in the Agreement, Customer may, by providing Company with a written notice with immediate effect, terminate the Agreement and Company shall forgo any unpaid fees for the Services attributable to the subscription term (as outlined in the applicable Purchase Order under the Agreement) following the termination of the Agreement.
4.4. With respect to each Sub-processor, Company shall:
4.4.1. before the Sub-processor first processes Customer Data, carry out adequate due diligence to ensure that the Sub-processor is capable of performing the obligations subcontracted to it in accordance with the Agreement (including this DPA);
4.4.2. ensure that the processing of Customer Data by the Sub-processor is governed by a written contract including terms no less protective of Customer Data than those set out in this DPA and, if the processing of Customer Personal Data is subject to European Data Protection Laws, ensure that the data protection obligations in this DPA are imposed on the Sub-processor; and
4.4.3. remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Sub-processor.
5. INDIVIDUAL RIGHTS.
5.1. Taking into account the nature of the processing, Company shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise Individual rights under the Data Protection Laws.
5.2. Company shall:
5.2.1. promptly notify Customer if any Contracted Processor receives a request from an Individual under any Data Protection Law with respect to Customer Personal Data to the extent that Company recognizes the request as relating to Customer; and
5.2.2. ensure that the Contracted Processor does not respond to that request except on the documented instructions of Customer or as required by applicable laws to which the Contracted Processor is subject, in which case Company shall to the extent permitted by applicable laws inform Customer of that legal requirement before the Contracted Processor responds to the request.
6. SECURITY BREACHES.
6.1. Company shall notify Customer promptly and without undue delay upon becoming aware of a Security Breach for which notification to a supervisory authority or data subject is required under applicable European or Non-European Data Protection Laws, and promptly take reasonable steps to minimize harm and secure Customer Data.
6.2. Company’s notification of a Security Breach will describe: the nature of the Security Breach including the Customer resources impacted; the measures Company has taken, or plans to take, to address the Security Breach and mitigate its potential risk; the measures, if any, Company recommends that Customer take to address the Security Breach; and details of a contact point where more information can be obtained. If it is not possible to provide all such information at the same time, Company’s initial notification will contain the information then available and further information will be provided without undue delay as it becomes available.
6.3. As it pertains to any Security Breach, Company has no obligation to assess Customer Data in order to identify information subject to any specific legal requirements pertaining to notification or otherwise.
6.4. Company’s notification of or response to a Security Breach under this Section will not be construed as an acknowledgement by Company of any fault or liability with respect to the Security Breach.
7. IMPACT ASSESSMENTS AND PRIOR CONSULTATION.
7.1. To the extent Company is required by Data Protection Laws, Company shall (taking into account the nature of the processing and the information available to Company) provide reasonable assistance to Customer with any impact assessments or prior consultations with data protection regulators by providing information in accordance with § 9 (AUDITS AND RECORDS).
8. DATA DELETION.
8.1. Company shall promptly and in any event within sixty days of the date of cessation of providing any Solutions involving the processing of Customer Data (the “Cessation Date”), delete all copies of Customer Data, unless applicable law requires storage.
8.2. Company shall provide written certification to Customer that it has complied with this Section within ten days of receiving Customer’s written request to receive such certification.
9. AUDITS AND RECORDS.
9.1. Company shall allow for, and contribute to, audits, including inspections, conducted by the Customer (or an independent auditor appointed by Customer) in accordance with the following procedures:
9.1.1. Upon Customer’s request, Company will provide Customer or its appointed auditor with the most recent certifications and/or summary audit report(s), which Company has procured to regularly test, assess, and evaluate the effectiveness of the Security Measures.
9.1.2. Company will reasonably cooperate with Customer by providing available additional information concerning the Security Measures to help Customer better understand such Security Measures.
9.1.3. If further information is needed by Customer to comply with its own or other controller’s audit obligations or a competent supervisory authority’s request, Customer will inform Company to enable Company to provide such information or to grant access to it.
9.2. Company need not give access to its premises for the purposes of such an audit or inspection:
9.2.1. To any individual unless he or she produces reasonable evidence of their identity and authority;
9.2.2. To any auditor whom Company has not given its prior written approval to (not to be unreasonably withheld);
9.2.3. Unless the auditor enters into a non-disclosure agreement with Company on terms acceptable to Company;
9.2.4. Where, and to the extent that, Company considers, acting reasonably, that to do so would result in interference with the confidentiality or security of the data of Company’s other customers or the availability of Company’s services to such other customers;
9.2.5. Outside normal business hours at those premises;
9.2.6. On more than one (1) occasion in any calendar year during the term of the Agreement, except for any additional audits or inspections which Customer is required to carry out under Data Protection Laws or by a Supervisory Authority, where Customer has identified the relevant requirement in its notice to Company of the audit or inspection.
9.3. The Parties shall discuss and agree the costs of any inspection or audit to be carried out by Customer or on Customer’s behalf in advance of such inspection or audit and, unless otherwise agreed in writing between the Parties, Customer shall bear any third party costs in connection with such inspection or audit (other than audits performed by regulatory agencies) and reimburse Company for all costs incurred by Company and time spent by Company (at Company’s then-current professional services rates) in connection with any such inspection or audit.
9.4. All requests under this Section 9 shall be made in writing to Company at legal@dataendure.com.
10. RESTRICTED TRANSFERS.
10.1. The parties acknowledge that European Data Protection Laws do not require SCCs or an Alternative Transfer Mechanism in order for Customer Personal Data to be processed in or transferred to an Adequate Country (“Permitted Transfers”).
10.2. If the processing of Customer Personal Data involves any transfers that are not Permitted Transfers, and European Data Protection Laws apply to those transfers (“Restricted Transfers”), then:
10.2.1. if Company announces its adoption of an Alternative Transfer Solution for any Restricted Transfers, Company will ensure that such Restricted Transfers are made in accordance with that Alternative Transfer Solution; or
10.2.2. if Company has not adopted an Alternative Transfer Solution for any Restricted Transfers, then:
10.2.2.1. the SCCs (EU Controller-to-Processor) and/or (EU Processor-to-Processor) will apply (according to whether Customer is a controller and/or processor) with respect to Restricted Transfers between Company and Customer that are subject to the EU GDPR and/or the Swiss FDPA; and
10.2.2.2. the SCCs (UK Controller-to-Processor) will apply with respect to Restricted Transfers between Company and Customer that are subject to the UK GDPR.
11. GENERAL TERMS.
11.1. Without prejudice to the Standard Contractual Clauses, (i) the parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and (ii) this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
11.2. Nothing in this DPA reduces Company’s obligations under the Agreement in relation to the protection of Customer Data or permits Company to process (or permit the processing of) Customer Data in a manner which is prohibited by the Agreement. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
11.3. Subject to § 11.2, with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.
11.4. Any liability associated with failure to comply with this DPA will be subject to the limitations of liability provisions stated in the Agreement.
11.5. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
APPENDIX 1:
DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
Subject matter and duration of processing
Company will process Customer Personal Data as necessary to provide the Solutions pursuant to the Agreement. The duration of the processing will be until 60 days after the Cessation Date.
Nature and purpose of processing
Company will process Customer Personal Data only to the extent reasonably necessary to provide Customer the Solutions and associated Support. In the event that Company or any of its affiliates or subcontractors receive Personal Information, Company shall (i) not use such Personal Information for any purpose outside of its direct relationship with Customer; (ii) not sell, use, retain, disclose or otherwise process such Personal Information for any purpose other than the specific purpose of performing under this Agreement; (iii) implement appropriate technical and organizational security measures to keep all Personal Information secure and protected against unauthorized processing, theft, or accidental loss, damage or destruction; (iv) comply with all applicable Data Privacy Laws in relation to the processing of Personal Information; (v) process Personal Information only to the extent strictly necessary for the performance of its obligations, having regard to the provisions of applicable Data Privacy Laws; (vi) not transfer Personal Information to any location outside the UK or the EEA without first implementing a lawful data transfer mechanism in accordance with applicable Data Privacy Laws; and (vii) to the maximum extent permitted under applicable law, promptly, and no later than 72 hours, notify Customer on becoming aware of any actual, suspected or alleged personal data breach including loss, leak or unauthorized processing of any Personal Information, or any other breach of this paragraph.
Company shall assist and cooperate with Customer in complying with its obligations under Privacy Laws, in particular with regard to Customer’s obligation to implement appropriate security measures, to carry out a data protection impact assessment, and to consult the competent data protection authority. During the time that Personal Information is in Company’s possession, Customer has no knowledge or reason to believe that Company is unable to comply with the provisions of this paragraph.
Categories of Data
Company processes the Customer Personal Data described below in relation to the Solution(s) a Customer contracts for:
Company may process the following categories of Customer Personal Data in connection with the Services:
- user and endpoint data: agent ID, endpoint name, customer active directory user ID, user name, installed applications (installation time, size, publisher and version), SMTP user name, configuration data related to active directory integration;
- full file path: will include personal data only if the file name as named by Customer includes personal data;
- in cases of suspected threats, the Company agent(s) collects for each process: file metadata, hash, file type, certificate, command line arguments, network access metadata (IP address, protocol), and registry activity (created keys, deleted keys, modified key names);
- network data (internal network IP address, and public IP address if running a cloud-based Management Console);
- threat information (file path, agent IDs, and SMS message content, which may include user names, IP addresses, and file names);
- live network monitoring (URLs, URL headers, time stamps); and
- where Customer utilizes Company’s File Fetching feature: any Data contained in files fetched by Customer’s administrators.
Company may process the following categories of Customer Personal Data in connection with Services providing event or log aggregation:
- data relating to individuals provided to Company by (or at the direction of) Customer in any data ingested by Customer to the Services.
Special categories of data
Customer Personal Data does not include special categories of personal data or data relating to criminal convictions or offenses, except where such data is uploaded by Customer in connection with the Services or accessed by Customer using the File Fetching feature of the Solutions.
Data subjects
Data subjects include the individuals about whom data is provided to Company via the Solutions by (or at the direction of) Customer.
APPENDIX 2:
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Company maintains an information security program that is designed to protect the confidentiality, integrity, and availability of Customer Data (the “Company Information Security Program”). The Company Information Security Program will be implemented on an organization-wide basis and will be designed to ensure Company’s compliance with data protection laws and regulations applicable to Company’s performance under the Agreement. The Company Information Security Program shall include the safeguards set forth below.
| Domain | Practices |
|---|---|
| Organization of Information Security | Security Ownership. Company has appointed a senior security officer responsible for coordinating and monitoring the Company Information Security Program. Security Roles and Responsibilities. Company personnel with access to Customer Data are subject to confidentiality obligations. Risk Management Program. Company has implemented a security risk management program that is based on the trust services principles of security and availability. The Program defines a systematic and consistent process to ensure that security risks to Customer Data are identified, analyzed, evaluated, and treated. Risk treatment and the risk remaining after treatment (i.e., residual risk) is communicated to risk owners, who decide on acceptable levels of risk, authorize exceptions to this threshold, and drive corrective action when unacceptable risks are discovered. |
| Human Resource Security | Background Checks. Company takes reasonable steps to ensure the reliability of any employee, agent, or contractor who may have access to Customer Data, including by conducting background checks on all new employees to the extent permitted by applicable law in the jurisdiction where the employee is located. Security Training. Company informs its personnel about the Company Information Security Program and applicable data privacy laws upon hire and annually thereafter. Company also informs its personnel of possible consequences, up to and including termination, of breaching the Company Information Security Program. |
| Asset Management | Inventory Maintenance. Assets utilized to process Customer Data are identified and an inventory of these assets is listed and maintained. Assets maintained in the inventory are assigned an owner. Company-provided assets are governed by Company’s acceptable use policy. Return. All employees and external party users are required to return organizational assets in their possession upon termination of their employment, contract, or agreement. |
| Access Control | Internal Data Access. Company’s internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process Customer Data. Company employs a centralized access management system to control personnel access to production servers and only provides access to a limited number of authorized personnel. Company requires the use of unique user IDs, strong passwords, two-factor authentication, and monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on the authorized personnel’s job responsibilities, job duty requirements necessary to perform authorized tasks, and a need-to-know basis. The granting or modification of access rights must also be in accordance with Company’s internal data access policies and training. Access to systems is logged to create an audit trail for accountability. Zero Trust. Employees must be in a Company office or connected via a zero trust network (authenticated with user ID + password + PIN/token + device trust) before connecting to any system storing Customer Data. |
| Cryptography | Encryption Practices. Customer Data is encrypted in transit using TLS and at rest using a minimum of AES-256-bit ciphers where applicable. |
| Physical Security | Datacenter Security. The standard physical security controls at each geographically distributed data center utilized to host Customer Data are comprised of reliable, well-tested technologies that follow generally accepted industry best practices: custom-designed electronic card access control systems, alarm systems, biometric identification systems, interior and exterior cameras, and a 24x7x365 presence of security guards. Office Access. Access to Company offices is protected via card access control systems, including individually assigned keycards, access logging, and interior and exterior surveillance and alarm systems. |
| Operations and Communications Security | Operational Policy. Company maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Customer Data. Network Security. Customer management console servers are isolated to help ensure that no access is possible among servers of different customers. Company network is protected by redundant firewalls, commercial-class router technology, micro-segmentation, and a host intrusion detection system on the firewall, host, and network that monitors malicious traffic and network attacks. Vulnerability Assessment and Penetration Testing. Company conducts annual, comprehensive penetration testing. This includes testing of the management console and agents (black and grey box), corporate infrastructure penetration testing and socially targeted attacks, and public website automatic testing for open vulnerabilities. Continuous network vulnerability assessments are conducted on all servers in the corporate network and the production environment, both internally and externally. Event Logging. Company logs access and use of information systems containing Customer Data, registering the access ID, time, authorization granted or denied, and relevant activity. Data Deletion. Customer Data is deleted upon request or contract termination in accordance with the DPA. |
| Supplier Relationships | Approval Process. Before onboarding any supplier to process Customer Data, Company conducts an audit of the security and privacy practices of the supplier to ensure the supplier provides a level of security and privacy appropriate to their proposed access to Customer Data and the scope of the services they are engaged to provide. Once Company has assessed the risks presented by the supplier, the supplier is required to enter into appropriate security, confidentiality, and privacy terms prior to processing any Customer Data in accordance with the DPA. |
| Information Security Incident Management | Incident Response Process. Company has implemented a security incident management process for managing security incidents that may affect the confidentiality, integrity, or availability of its systems or data, including Customer Data. The process specifies courses of action, procedures for notification, escalation, mitigation, post-mortem investigations after each incident, response actions, periodic testing, and documentation. Security Operations Center. Company has a dedicated SOC function that manages and monitors a Security Information & Event Management (SIEM) solution deployed across the organization. |
| Business Continuity Management | Customer Data Backups. Company conducts a daily backup of all Customer Data in the data center location chosen by the Customer to host Customer Data. Where available, backups are physically located in a different availability zone from where Customer Data is hosted (but within the same region). A monitoring process is in place to ensure successful ongoing backups within a defined RTO and RPO. |