Data Processing Agreement
This Data Processing Addendum (“DPA“) shall be supplemental to the Agreement to which it is attached and apply to the extent of SecureLink’s Processing of Company Personal Data in connection with the provision of the Software or Services. To the extent of any direct conflict between any provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail. The terms defined in the Agreement shall have the same meaning in this DPA except as otherwise defined herein.
- In this DPA, the terms “Personal Data“, “Controller“, “Processor“, “Data Subject“, “Process” and “Supervisory Authority” shall have the same meaning as set out in the GDPR or other applicable Data Protection Laws with equivalent terms, and the following words and expressions shall have the following meanings unless the context otherwise requires:
- “Company Personal Data” means the personal data described in Appendix 1 of Exhibit 1, and any other Personal Data that SecureLink Processes on behalf of Company in connection with SecureLink’s provision of the Services.
- “Data Protection Laws” means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR“), any other European Union legislation relating to personal data and all other global legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); and all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Company Personal Data.
- “European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Company Personal Data that compromises the security, confidentiality or integrity of such Company Personal Data.
- “Standard Contractual Clauses” means the Standard Contractual Clauses (processors) approved by the European Commission Decision C(2010)593 or any subsequent version thereof released by the European Commission (which will automatically apply); and which includes Exhibit 1 to this DPA.
- “Subprocessor” means any Processor engaged by SecureLink to Process Company Personal Data on SecureLink’s behalf.
- SecureLink will only Process Company Personal Data in accordance with:
- the Agreement and any Subscription Order, to the extent necessary to provide the Services to Company; and
- Company’s written instructions, unless Processing is required by applicable European Union or Member State law to which SecureLink is subject, in which case SecureLink shall, to the extent permitted by applicable law, inform Company of that legal requirement before so Processing that Company Personal Data.
- The Agreement and any Subscription Order (subject to any changes to the Services), and this DPA, shall be Company’s complete and final instructions to SecureLink in relation to the Processing of Company Personal Data.
- Processing outside the scope of this Agreement will require prior written agreement between Company and SecureLink on additional instructions for Processing.
- Company shall provide all applicable notices to Data Subjects required under applicable Data Protection Laws for the lawful Processing of Company Personal Data by SecureLink in accordance with the Agreement. Company shall obtain and maintain throughout the term of the Agreement any required notices, consents and/or authorizations related to its provision of, and SecureLink’s processing of, Company Personal Data as part of the Services.
- Company acknowledges that SecureLink is reliant on Company for direction as to the extent to which SecureLink is entitled to use and Process Company Personal Data. Consequently, SecureLink will not be liable for any claim brought against Company by a Data Subject arising from any act or omission by SecureLink to the extent that such act or omission resulted from Company’s instructions or Company’s use of the Services.
- Unless set forth in a Subscription Order, Company Data may not include any sensitive or special data that imposes specific data security or data protection obligations on SecureLink in addition to or different from those specified in the Documentation or which are not provided as part of the Services.
- If applicable Data Protection Laws recognize the roles of “controller” and “processor” as applied to Company Personal Data then, as between Company and SecureLink, Company acts as controller and SecureLink acts as a processor (or subprocessor, as the case may be) of Company Personal Data and SecureLink is controller of Resultant Data and Benchmarking Statistics.
- As required by applicable Data Protection Laws, if SecureLink believes any Company instructions to Process Company Personal Data will violate applicable Data Protection Laws, or if applicable Data Protection Laws require SecureLink to process Company Personal Data relating to data subjects in the EEA or other applicable jurisdictions in a way that does not comply with Company’s documented instructions, SecureLink shall notify Company in writing, unless applicable Data Protection Laws prohibit such notification, and provided SecureLink is not responsible for performing legal research or providing legal advice to Company.
- SecureLink shall Process Company Personal Data for the duration of the provision of Services in accordance with the Agreement and thereafter only as set forth in the Agreement and this DPA.
- Each Party will comply with Data Protection Laws applicable to such Party in connection with the Agreement and this DPA.
- Consent to Subprocessor Engagement. Company generally authorizes the engagement of third parties as Subprocessors.
- Information about Subprocessors. A current list of Subprocessors is available here (“Subprocessor List”) and may be updated by SecureLink from time to time in accordance with this DPA. Company may sign up to receive notices of additions to the Subprocessor List by completing the email sign-up process on the Subprocess List web page referenced above.
- Requirements for Subprocessor Engagement. When engaging any Subprocessor, SecureLink will:
- execute with Subprocessors a written agreement providing:
- the Subprocessor only Processes Company Personal Data to the extent required to perform the obligations subcontracted to it and does so in accordance with the Agreement and this DPA; and
- the Subprocessor utilize the same level of data protection and security with regard to its Processing of Company Personal Data as are described in this DPA.
- remain responsible for the performance of the Subprocessors’ obligations in compliance with the terms of this DPA and Data Protection Laws.
- Opportunity to Object to Subprocessor Changes. Company may, on reasonable and objective grounds, object to SecureLink’s use of a new Subprocessor by providing SecureLink with written notice within fifteen (15) days after SecureLink has provided notice to Company as described herein with documentary evidence that reasonably shows that the Subprocessor does not or cannot comply with the requirements in this DPA or Data Protection Laws (“Objection”). In the event of an Objection, Company and SecureLink will work together in good faith to find a mutually acceptable resolution to address such Objection, including but not limited to reviewing additional documentation supporting the Subprocessor’s compliance with the DPA or Data Protection Laws. To the extent Company and SecureLink do not reach a mutually acceptable resolution within a reasonable timeframe, SecureLink will use reasonable endeavors to make available to Company a change in the Services, or will recommend a commercially reasonable change to the Services to prevent the applicable Subprocessor from Processing Company Personal Data. If SecureLink is unable to make available such a change within a reasonable period of time, which shall not exceed thirty (30) days, Company shall have the right to terminate the relevant Services (i) in accordance with the termination provisions in the Agreement; (ii) without liability to Company or SecureLink, and (iii) without relieving Company from its payment obligations under the Agreement up to the date of termination.
- In accordance with Company’s instructions under Sections 2.1 and 2.2, SecureLink may access and Process Company Personal Data on a global basis as necessary to perform the Services, including for IT security purposes, maintenance and performance of the Services and related infrastructure, technical support, and change management.
- To the extent that the Processing of Company Personal Data by SecureLink involves the transfer of such Personal Data from the EEA to a country or territory outside the EEA, other than a country or territory that has received a binding adequacy decision as determined by the European Commission (an “EEA Transfer”), such EEA Transfer shall be governed by the Standard Contractual Clauses (with its applicable Appendices attached as Exhibit 1) where Company shall be deemed to have signed in its capacity of “data exporter” and SecureLink in its capacity as “data importer,” or other binding and appropriate transfer mechanisms that provide an adequate level of protection in compliance with Data Protection Laws. In the event of any conflict between any terms in the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses shall prevail.
- To the extent that the Processing of Company Personal Data by SecureLink involves the transfer of such Personal Data from Argentina to a country or territory outside Argentina, other than a country or territory that has received a binding adequacy decision as determined by the National Directorate for Personal Data Protection (an “Argentina Transfer”), such Argentina Transfer shall be governed by the Argentinean Model Clauses incorporated herein by reference or other binding and appropriate transfer mechanisms that provide an adequate level of protection in compliance with Data Protection Laws. In the event of any conflict between any terms in the Argentinean Model Clauses and this DPA, the Argentinean Model Clauses shall prevail.
DATA SECURITY, AUDITS AND SECURITY NOTIFICATIONS
- SecureLink Security Obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, SecureLink shall implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk of the Processing, including the measures set out in Appendix 2 of Exhibit 1. To the extent SecureLink has completed a SOC 2 assessment, Company may request no more than once per year, and SecureLink shall provide, an attestation letter regarding the SOC 2 assessment.
- Security Audits.
- SecureLink will, upon Company’s written request, verify its compliance with its obligations in this DPA by first providing to Company for its review documentation regarding the same and, if such documentation is not reasonably sufficient to address Company’s inquiries, participate in and contribute to audits as set forth below.
- Company may, upon reasonable notice and at reasonable times, audit (either by itself or using independent third party auditors) SecureLink’s compliance with the security measures set out in this DPA (including the technical and organizational measures as set out in Appendix 2 of Exhibit 1). SecureLink shall assist with and contribute to any audits conducted in accordance with this Section 5.2. Such audits may be carried out once per year, or more often if required by Data Protection Law or Company’s applicable Supervisory Authority.
- Any third party engaged by Company to conduct an audit must be pre-approved by SecureLink (such approval not to be unreasonably withheld) and sign SecureLink’s confidentiality agreement. Company must provide SecureLink with a proposed audit plan at least two weeks in advance of the audit, after which Company and SecureLink shall discuss in good faith and finalize the audit plan prior to commencement of audit activities.
- Audits may be conducted only during regular business hours, in accordance with the finalized audit plan and SecureLink’s security and other policies, and may not unreasonably interfere with SecureLink’s regular business activities. Company shall reimburse SecureLink for any costs or expenses incurred by SecureLink in granting access to its data processing facilities.
- Information obtained or results produced in connection with an audit are SecureLink confidential information and may only be used by Company to confirm compliance with this DPA and for complying with its requirements under Data Protection Laws.
- In lieu of Company auditing any SecureLink Subprocessors, Company may request that SecureLink audit a Subprocessor or provide confirmation that such an audit has occurred (or, where available, obtain or assist Company in obtaining a third-party audit report concerning the Subprocessor’s operations) to verify compliance with the Subprocessor’s obligations. Company may additionally request in writing and SecureLink shall provide copies of the relevant privacy and security terms from SecureLink’s agreement with any applicable Subprocessors.
- Without prejudice to the rights granted in Section (b) above, if the requested audit scope is addressed in a SOC, ISO, NIST, PCI DSS, HIPAA or similar audit report or attestation letter issued by a qualified third party auditor within the prior twelve months and SecureLink provides such report or attestation letter to Company confirming there are no known material changes in the controls audited, Company agree to accept the findings presented in the third party audit report or attestation letter in lieu of requesting an audit of the same controls covered by the report.
- Upon Company’s written request, SecureLink shall make available all information reasonably necessary to demonstrate compliance with this DPA as required by Data Protection Laws.
- Personal Data Breach Notification.
- If SecureLink or any Subprocessor becomes aware of and determines a Personal Data Breach has occurred, SecureLink will:
- notify Company of the Personal Data Breach promptly, and at the latest within seventy-two (72) hours after such determination, at the contact information on file, where such notification shall describe (1) the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (2) the reasonably anticipated consequence of the Personal Data Breach; (3) measures taken to mitigate any possible adverse effects; and (4) other information concerning the Personal Data Breach reasonably known or available to SecureLink that Company is required to disclose to a Supervisory Authority or Data Subjects under Data Protection Laws; and
- investigate the Personal Data Breach and provide such reasonable assistance to the Client (and any law enforcement or regulatory official) as required to investigate the Personal Data Breach.
- Except as required by applicable Data Protection Laws, the obligations set out in Section 5.4 shall not apply to Personal Data Breaches caused by Company.
- Company and SecureLink shall work together in good faith within the timeframes for Company to provide Personal Data Breach notifications in accordance with Data Protection Laws to finalize the content of any notifications to Data Subjects or Supervisory Authorities, as required by Data Protection Laws.
- SecureLink Employees and Personnel. SecureLink shall treat Company Personal Data as the Confidential Information of Company, and shall put procedures in place to ensure that:
- access to Company Personal Data is limited to those employees or other personnel who have a business need to have access to such Company Personal Data; and
- any employees or other personnel with access to Company Personal Data have committed themselves to confidentiality of Company Personal Data or are under an appropriate statutory obligation of confidentiality and do not Process such Company Personal Data other than in accordance with this DPA.
ACCESS REQUESTS AND DATA SUBJECT RIGHTS
- Data Subject Requests.
- Save as required (or where prohibited) under applicable law, SecureLink shall promptly notify Company of any request received by SecureLink or any Subprocessor from a Data Subject in respect of their Personal Data included in Company Personal Data, and shall not respond to the Data Subject, where the Data Subject identifies Company as its Data Controller. If a Data Subject does not identify a Data Controller, SecureLink will instruct the Data Subject to identify and contact the relevant Data Controller.
- SecureLink shall, where possible and provided Company follows SecureLink’s procedures for requesting such assistance including submitting a support ticket, and taking into account the nature of the processing, use reasonable endeavors to assist Company with its obligations in connection with handling Data Subject access requests under applicable Data Protection Laws by:
- providing Company with the ability to correct, delete, block, access or copy the Personal Data of a Data Subject, or
- if functionality or other means under (a) are not available, Company may submit a support request for SecureLink to correct, delete, block, access or copy Company Personal Data within SecureLink Services at Company’s request on its behalf.
- Government Disclosure. SecureLink shall promptly notify Company of any request for the disclosure of Company Personal Data by a governmental or regulatory body or law enforcement authority (including any Supervisory Authority) unless otherwise prohibited by law or a legally binding order of such body or agency and without responding to such request unless otherwise required by applicable law (including to provide acknowledgement of receipt of the request).
- Data Subject Rights. Where applicable, and taking into account the nature of the Processing, SecureLink shall use reasonable endeavors to assist Company by implementing other appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Company’s obligation to respond to Data Subject requests as required by the GDPR.
DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
- To the extent required under applicable Data Protection Laws, SecureLink shall provide reasonable assistance to Company with any data protection impact assessments and with any prior consultations to any Supervisory Authority of Company, in each case solely in relation to Processing of Company Personal Data and taking into account the nature of the Processing and information available to SecureLink, including by providing Company with documentation regarding its Processing operations.
RETRIEVAL AND DELETION OF PERSONAL DATA
- Retrieval and Deletion of Personal Data. Subject to Section 8.2 below, SecureLink shall:
- make available to Company a complete copy of Company Personal Data then available in the Services in electronic format for ninety (90) days after termination or expiration of the Agreement (“Retrieval Period”); and
- after such Retrieval Period, delete and use all reasonable efforts to procure the deletion of all other copies of Company Personal Data Processed by SecureLink or any Subprocessors, and where deletion is not possible, sufficiently de-identify Company Personal Data such that it is no longer Personal Data, except if required or permitted by applicable law or for compliance, audit, or security purposes.
- Legally Required Retention of Personal Data. SecureLink and its Subprocessors may retain Company Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that SecureLink shall protect the confidentiality of all such Company Personal Data and shall Process such Company Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
CALIFORNIA CONSUMER PRIVACY ACT (“CCPA”)
- Generally, SecureLink processes Personal Data as a service provider for customers who are typically the organization with the direct relationship with individual end users using the Services. Therefore, in addition to other exceptions under the CCPA that may apply (including for employees, contractors and business contacts), SecureLink’s processing of Personal Data as a service provider may not involve a “sale” of Personal Data of a consumer as defined by the CCPA.
- To the extent that SecureLink processes any Personal Data of any consumer covered by the CCPA under the Agreement, and that such processing is not otherwise exempt under the CCPA, SecureLink confirms it is generally acting as a service provider under the Agreement. Except to the extent permitted under the CCPA, or otherwise required by applicable laws or regulations, to protect SecureLink’s legal rights, to protect security, or to improve the Services, including other products and services, of SecureLink, SecureLink is prohibited from:
- “selling” (as such term is defined in the CCPA) Personal Data received by SecureLink in connection with the processing of Personal Data under the Agreement;
- retaining, using or disclosing Personal Data received by SecureLink under the Agreement for any purpose other than:
- providing Services under the Agreement;
- retaining and employing another service provider as a Subprocessor;
- for internal use in building products or services or improving the quality of products or services;
- detecting data security incidents, or protecting against fraudulent or illegal activity; or
- purposes enumerated in Civil Code section 1798.145, subsections (a)(1) through (a)(4), and
- retaining, using or disclosing such Personal Data outside of the direct business relationship between SecureLink and Company.
- Pursuant to the CCPA, SecureLink certifies that it understands these restrictions and will comply with them with respect to any Personal Data of any consumer covered by the CCPA that is processed by SecureLink under the Agreement, where such processing is not otherwise exempt under the CCPA.
DETAILS OF THE TRANSFER FORMING PART OF THE STANDARD CONTRACTUAL CLAUSES
The data exporter is Company.
The data importer is SecureLink, Inc.
The personal data transferred concern the following categories of data subjects: Employees, contractors, and other personnel of Data Importer and its vendors, suppliers, partners, and affiliates.
Categories of data
The personal data transferred concern the following categories of data:
- First and last name
- IP address
- Information contained in any screen captures or recorded user sessions for users using the Service (optional)
The personal data transferred will be subject to the following basic processing activities: transmitting, collecting, storing and using data in order to provide the Service to Company, and any other activities related to the provision of the Service or specified in the Agreement. The subject matter of the processing includes providing software-as-a-service for remote computer access and support (“SaaS Application”).
Special categories of data (if appropriate):
The Personal Data transferred concern the following special categories of data: Data Importer does not require any special categories of data in order to provide the Services. Unless otherwise specified in the Agreement, Data Exporter shall not provide and must receive prior written consent of Data Importer before transferring any special categories of data or sensitive data to Data Importer.
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
- Data Importer maintains internal policies and procedures, or procures that its Subprocessors do so, which are designed to:
- (a) secure any Personal Data Processed by Data Importer against accidental or unlawful loss, access or disclosure;
- (b) identify reasonably foreseeable and internal risks to security and unauthorized access to the Personal Data Processed by Data Importer;
- (c) minimize security risks, including through risk assessment and regular testing.
- Data Importer’s security measures include, for example:
- Use of Linux-based minimal hardened operating systems in the Appliance.
- SaaS Application utilizes hardened SSH services including ephemeral 2048-bit SSH keys, ACLs, mutual authentication, and strong encryption
- Session source validation such as rotating RSA keys and validation of incoming IPs
- Whitelisted shell access to the Appliance
- Stateful Traffic Inspecting (SPI) Firewall utilized to control inbound and outbound traffic to the Appliance
- IP connection limitations provide Denial of Service protection for the Appliance
- Inline Intrusion Prevention Systems for the Appliance
- Static (and regularly updated) IP Blacklists limit traffic into and out of the Appliance
- Dynamic IP Blacklist detects malicious traffic to the Appliance
- Appliance accesses SaaS Application through a Web Application Firewall (WAF)
- In addition to the WAF, the SaaS Application has a web security filter
- Antivirus software embedded into the Appliance
- Files on the Appliance are hashed and logged to a local database
- Appliance employs MACL controls via SELinux
- All above security services on the Appliance log to its local syslog
- Data Importer server, user, and client agents all employ FIPS-validated cryptographic modules for all encryption activity
Additional detail regarding Data Importer’s technical and organizational security measures may be found at via the Data Importer intranet site available to customers.