1. Privacy notice
1.1. Who are we?
We are ERP.net, a British corporation. We are a social ERP platform, providing solutions for various industry needs.
Our Data Protection Officer and Data Protection Representative can be contacted directly here:
For our Data Protection Representative:
- ERP Bulgaria
For our Data Protection Officer:
- Gospodinov & Genchev Law Firm
The personal data we would like to collect and process on you is:
|Personal data type:||Source (where ERP.net obtained the personal data from if it has not been collected directly from you, the data subject. Note if the personal data has been accessed from publicly accessible sources):|
|Geolocation data||A third party|
|Data regarding you organisation||You, or a third party|
|Other contact information||You, a third party, or publicly available sources|
|Personal data relating to the issuing or reissuing of invoices||You, a third party, or publicly available sources|
|Personal data from third-party advertising services||A third party|
The personal data we collect will be used for the following purposes:
- Managing client relations;
- Market research;
- Direct marketing;
- Executing contracts;
- Customer support;
- Customer engagement;
- Product research.
Our legal basis for processing for the personal data:
- Contract obligation;
- Legitimate interest.
Any legitimate interests pursued by us, or third parties we use, are as follows:
- Web analytics.
We will not process special categories of personal data.
By consenting to this privacy notice you are giving us permission to process your personal data specifically for the purposes identified for which we rely on consent to process your personal data.
You may withdraw consent at any time by contacting us at firstname.lastname@example.org.
ERP.net will pass on your personal data to the following third parties:
- Zendesk, Inc.;
- Microsoft Corporation;
- Google LLC;
- Facebook, Inc.
1.4 Transfers of data in third country:
ERP.net will pass on your personal data to third countries. The following third countries will receive your personal data with the following legal basis for transfer.
|Third country||Legal ground for transfer|
|United States||Standard Contractual Clauses|
1.5 Retention period
ERP.net will store and process your personal data, depending on the legal grounds:
- For consent, until you withdraw it;
- For legitimate interest, until the legitimate interest persists;
- For contract performance, 5 years after termination of the obligations under the contract. The purpose of this term is to cover any potential legal disputes relating to the contract which may arise.
1.6 Your rights as a data subject
At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:
- Right of access – you have the right to request a copy of the information that we hold about you.
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
- Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
- Right of portability – you have the right to have the data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing such as direct marketing.
- Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
- Right to judicial review: in the event that ERP.net refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined in clause 3.6 below.
All of the above requests will be forwarded on should there be a third party involved (as stated in 3.4 above) in the processing of your personal data.
In the event that you wish to make a complaint about how your personal data is being processed by ERP.net, or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and ERP.net’s Data Protection Officer.
The details for each of these contacts are:
|Supervisory authority contact details||Data Protection Officer (DPO) contact details|
|Contact Name:||Information Commissioner's Office||Gospodinov & Genchev Law Firm|
|Address line:||Wycliffe House
SK9 5AF 3
|Tsar Ivan Shishman str., entr. 1
|Telephone:||0303 123 1113|
2. More information on how we process your personal data.
Under the EU’s General Data Protection Regulation (GDPR) personal data is defined as: “any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
How we use your information
This privacy notice tells you how we, ERP.net, will collect and use your personal data in order to:
- fulfil our contractual obligations to you as a customer;
- improve the operations of our website and our business in general;
- analyse and address any objections you may have in relations to how we process your personal data;
- forward any complaints you may have to the Data Protection Officer and the competent Data Protection Authority;
- serve cookies.
Why does ERP.net need to collect and store personal data?
In order for us to provide you with our services, namely the non-exclusive, worldwide, limited right to use the Cloud Service, Support Services and Professional Services, we need to collect personal data for correspondence purposes and detailed service provision. In any event, we are committed to ensuring that the information we collect and use is appropriate for this purpose, and does not constitute an invasion of your privacy. In terms of being contacted for marketing purposes ERP.net would contact you for additional consent.
Will ERP.net share my personal data with anyone else
We may pass your personal data on to third-party service providers contracted to ERP.net in the course of dealing with you. Any third parties that we may share your data with are obliged to keep your details securely, and to use them only for product registration and support; providing business and consumer services; supporting, enabling and improving sales and analytics, including website analytics . When they no longer need your data to fulfil these services, they will dispose of the details in line with ERP.net’s procedures. If we wish to pass your sensitive personal data onto a third party we will only do so once we have obtained your consent, unless we are legally required to do otherwise.
How will ERP.net use the personal data it collects about me?
ERP.net will process (collect, store and use) the information you provide in a manner compatible with the EU’s General Data Protection Regulation (GDPR). We will endeavour to keep your information accurate and up to date, and not keep it for longer than is necessary. ERP.net is required to retain information in accordance with the law, such as information needed for income tax and audit purposes. How long certain kinds of personal data should be kept may also be governed by specific business-sector requirements and agreed practices. Personal data may be held in addition to these periods depending on individual business needs.
Under what circumstances will ERP.net contact me?
Our aim is not to be intrusive, and we undertake not to ask irrelevant or unnecessary questions. Moreover, the information you provide will be subject to rigorous measures and procedures to minimise the risk of unauthorised access or disclosure.
Can I find out the personal data that the organisation holds about me?
ERP.net at your request, can confirm what information we hold about you and how it is processed. If ERP.net does hold personal data about you, you can request the following information:
- Identity and the contact details of the person or organisation that has determined how and why to process your data. In some cases, this will be a representative in the EU.
- Contact details of the data protection officer, where applicable.
- The purpose of the processing as well as the legal basis for processing.
- If the processing is based on the legitimate interests of ERP.net or a third party, information about those interests.
- The categories of personal data collected, stored and processed.
- Recipient(s) or categories of recipients that the data is/will be disclosed to.
- If we intend to transfer the personal data to a third country or international organisation, information about how we ensure this is done securely. The EU has approved sending personal data to some countries because they meet a minimum standard of data protection. In other cases, we will ensure there are specific measures in place to secure your information.
- How long the data will be stored.
- Details of your rights to correct, erase, restrict or object to such processing.
- Information about your right to withdraw consent at any time.
- How to lodge a complaint with the supervisory authority.
- Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
- The source of personal data if it wasn’t collected directly from you.
- Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.
What forms of ID will I need to provide in order to access this?
ERP.net might need the following forms of ID when information on your personal data is requested:
- ID card;
- driving licence.
Contact details of the Data Protection Officer:
|Data Protection Officer|
|Contact Name:||Dimo Gospodinov|
|Address line:||3 Tsar Ivan Shishman str., entr. 1
Data Processing Agreement
And ERP.net Corporation Ltd, together with its wholly owned subsidiaries (collectively "ERP.net") hereinafter will be referred to as: the “Data Processor”.
HEREBY AGREE AS FOLLOWS:
1. Subject matter of this Data Processing Agreement
1.2. The term EU Data Protection Law shall mean Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
1.3. Any capitalized terms not otherwise defined in this Data Processing Agreement shall have the meaning given to them in the Service Agreement. Except as modified below, the terms of the Service Agreement shall remain in full force and effect. Other terms used in this Data Processing Agreement that have meanings ascribed to them in the EU Data Protection law, including but not limited to “Processing”, “Personal Data”, “Data Controller” and “Processor,” shall carry the meanings set forth under EU Data Protection Law.
1.4. Insofar as the Data Processor will be processing Personal Data subject to EU Data Protection Law on behalf of the Data Controller in the course of the performance of the Service Agreement with the Data Controller, the terms of this Data Processing Agreement shall apply. In the event of a conflict between any provisions of the Service Agreement and the provisions of this Data Processing Agreement, the provisions of this Data Processing Agreement shall govern and control. An overview of the categories of Personal Data, the categories of Data Subjects, and the nature and purposes for which the Personal Data are being processed is provided in Appendix 2.
2. The Data Controller and the Data Processor
2.1. Subject to the provisions of the Service Agreement, to the extent that the Data Processor’s data processing activities are not adequately described in the Service Agreement, the Data Controller will determine the scope, purposes, and manner by which the Personal Data may be accessed or processed by the Data Processor. The Data Processor will process the Personal Data only as set forth in Data Controller’s written instructions and no Personal Data will be processed unless explicitly instructed by the Controller.
2.2. The Data Processor will only process the Personal Data on documented instructions of the Data Controller to the extent that this is required for the provision of the Services. Should the Data Processor reasonably believe that a specific processing activity beyond the scope of the Data Controller’s instructions is required to comply with a legal obligation to which the Data Processor is subject, the Data Processor shall inform the Data Controller of that legal obligation and seek explicit authorization from the Data Controller before undertaking such processing. The Data Processor shall never process the Personal Data in a manner inconsistent with the Data Controller’s documented instructions. The Data Processor shall immediately notify the Data Controller if, in its opinion, any instruction infringes this Regulation or other Union or Member State data protection provisions. Such notification will not constitute a general obligation on the part of the Data Processor to monitor or interpret the laws applicable to the Data Controller, and such notification will not constitute legal advice to the Data Controller.
2.3. The Parties have entered into a Service Agreement in order to benefit from the capabilities of the Processor in securing and processing the Personal Data for the purposes set out in Annex 2. The Data Processor shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue those purposes, provided that all such discretion is compatible with the requirements of this Data Processing Agreement, in particular the Data Controller’s written instructions.
2.4. The Data Controller warrants that it has all necessary rights to provide the Personal Data to the Data Processor for the Processing to be performed in relation to the Services, and that one or more lawful bases set forth in EU Data Protection Law support the lawfulness of the Processing. To the extent required by EU Data Protection Law, the Data Controller is responsible for ensuring that all necessary privacy notices are provided to data subjects, and unless another legal basis set forth in EU Data Protection Law supports the lawfulness of the processing, that any necessary data subject consents to the Processing are obtained, and for ensuring that a record of such consents is maintained. Should such a consent be revoked by a data subject, the Data Controller is responsible for communicating the fact of such revocation to the Data Processor, and the Data Processor remains responsible for implementing Data Controller’s instruction with respect to the processing of that Personal Data.
3.1. Without prejudice to any existing contractual arrangements between the Parties, the Data Processor shall treat all Personal Data as confidential and it shall inform all its employees, agents and/ or approved sub-processors engaged in processing the Personal Data of the confidential nature of the Personal Data. The Data Processor shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality. 3.2. Except where Applicable Data Protection Law provides otherwise, Processor shall keep a record of any Disclosure that is made for a minimum period of six months, including, but not limited to: (a) the name and address of the Third Party to which Personal Data were disclosed; (b) Personal Data which were disclosed; (c) date and time on which Personal Data were disclosed; and (d) the purpose of the disclosure. 3.3. Processor shall provide its employees access to Personal Data only to the extent necessary to perform the Processing. Processor shall ensure that any employee it authorises to have access to Personal Data Processed on behalf of Processor respects and maintains the confidentiality and security of the Personal Data.
4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and Data Processor shall implement appropriate technical and organisational measures to ensure a level of security of the processing of Personal Data appropriate to the risk. These measures shall include, at a minimum, the security measures agreed upon by the Parties in Annex 3.
4.2. Both the Data Controller and the Data Processor shall maintain written security policies that are fully implemented and applicable to the processing of Personal Data. At a minimum, such policies should include assignment of internal responsibility for information security management, devoting adequate personnel resources to information security, carrying out verification checks on permanent staff who will have access to the Personal Data, conducting appropriate background checks, requiring employees, vendors and others with access to Personal Data to enter into written confidentiality agreements, and conducting training to make employees and others with access to the Personal Data aware of information security risks presented by the Processing.
4.3. Processor shall make available to Data Controller all information necessary to demonstrate compliance with the provisions of this Annex. Such information will in any case include necessary information on (i) the security measures as described in Appendix 3 of this Annex, (ii) any Sub-Processor (including copies of the agreements with those Sub-Processors), (iii) Data Security Breaches, (iv) return or deletion of Personal Data, (v) international data transfers and the safeguards taken to address transfer restrictions and (vi) measures in place to allow Data Controller to comply with its obligations under this Agreement.
4.4. The Data Processor’s adherence to either an approved code of conduct or to an approved certification mechanism recognized under EU Data Protection Law may be used as an element by which the Data Processor may demonstrate compliance with the requirements set out in Article 4.1, provided that the requirements contained in Annex 3 are also addressed by such code of conduct or certification mechanism.
5. Improvements to Security
5.1. The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Data Processor will therefore evaluate the measures as implemented in accordance with Article 4 on an on-going basis in order to maintain compliance with the requirements set out in Article 4. The Parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in EU Data Protection Law or by data protection authorities of competent jurisdiction.
5.2. Where an amendment to the Service Agreement is necessary in order to execute a Data Controller instruction to the Data Processor to improve security measures as may be required by changes in EU Data Protection Law from time to time, the Parties shall negotiate an amendment to the Service Agreement in good faith.
6. Data Transfers
6.2. Where a transfer of Personal data, subject to this Agreement, to a third country is necessary, the Data Processor shall be deemed to provide appropriate safeguards to protect the Personal data, including by virtue of making available Standard Contractual Clauses or equivalent as a transfer mechanism.
6.3. To the extent that the Data Controller or the Data Processor are relying on a specific statutory mechanism to normalize international data transfers and that mechanism is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the Data Controller and the Data Processor agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.
7. Information Obligations and Incident Management
7.1. When the Data Processor becomes aware of an incident that has a material impact on the Processing of the Personal Data that is the subject of the Services Agreement, it shall promptly notify the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.
7.2. The term “incident” used in Article 7.1 shall be understood to mean in any case: • a complaint or a request with respect to the exercise of a data subject’s rights under EU Data Protection Law; • an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent; • any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data; • any breach of the security and/or confidentiality as set out in Articles 3 and 4 of this Data Processing Agreement leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place; • where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or the Data Processor are subject.
7.3. The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where the incident is reasonably likely to require a data breach notification by the Data Controller under EU Data Protection Law, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller without undue delay after the Data Processor becomes aware of such an incident.
7.4. Any notifications made to the Data Controller pursuant to this Article 7 shall be addressed to the employee of the Data Controller whose contact details are provided in Annex 1 of this Data Processing Agreement and, in order to assist the Data Controller in fulfilling its obligations under EU Data Protection Law, should contain:
• a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned; • the name and contact details of the Data Processor’s data protection officer or another contact point where more information can be obtained; • a description of the likely consequences of the incident; and • a description of the measures taken or proposed to be taken by the Data Processor to address the incident including, where appropriate, measures to mitigate its possible adverse effects.
8. Contracting with Sub-Processors
8.1. The Data Processor shall not subcontract any of its Service-related activities consisting (partly) of the processing of the Personal Data or requiring Personal Data to be processed by any third party without the prior written authorisation of the Data Controller.
8.2. The Data Controller authorises the Data Processor to engage the sub-processors listed in the List of Sub-processors for the service-related Data Processing activities described in Annex 2. The Data Controller is obliged to provide the Data Controller with the List of Sub-processors upon the written request of the Data Controller. Data Processor shall inform the Data Controller of any addition or replacement of such sub-processors giving the Data Controller an opportunity to object to such changes. If the Data Controller timely sends the Processor a written objection notice, setting forth a reasonable basis for objection, the Parties will make a good-faith effort to resolve Data Controller’s objection. In the absence of a resolution, the Data Processor will make commercially reasonable efforts to provide Data Controller with the same level of service described in the Service Agreement, without using the sub-processor to process Data Controller’s Personal Data. If the Data Processor’s efforts are not successful within a reasonable time, each Party may terminate the portion of the service which cannot be provided without the sub-processor, and the Data Controller will be entitled to a pro-rated refund of the applicable service fees.
8.3. Notwithstanding any authorisation by the Data Controller within the meaning of the preceding paragraph, the Data Processor shall remain fully liable vis-à-vis the Data Controller for the performance of any such sub-processor that fails to fulfil its data protection obligations.
8.4. The Data Processor shall ensure that the sub-processor is bound by data protection obligations compatible with those of the Data Processor under this Data Processing Agreement, shall supervise compliance thereof, and must in particular impose on its sub-processors the obligation to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of EU Data Protection Law.
8.5. The Data Controller may request that the Data Processor audit a Third Party Sub-processor or provide confirmation that such an audit has occurred (or, where available, obtain or assist customer in obtaining a third-party audit report concerning the Third Party Sub-processor’s operations) to ensure compliance with its obligations imposed by the Data Processor in conformity with this Agreement.
9. Returning or Destruction of Personal Data
10. Assistance to Data Controller
10.1. The Data Processor shall assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights under the EU Data Protection Law.
10.2. Taking into account the nature of processing and the information available to the Data Processor, the Data Processor shall assist the Data Controller in ensuring compliance with obligations pursuant to Section 4 (Security), as well as other Data Controller obligations under EU Data Protection Law that are relevant to the Data Processing described in Annex 2, including notifications to a supervisory authority or to Data Subjects, the process of undertaking a Data Protection Impact Assessment, and with prior consultations with supervisory authorities.
10.3. The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the Data Processor’s obligations and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
11. Liability and Indemnity
11.1. The Data Processor indemnifies the Data Controller and holds the Data Controller harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Data Controller arising out of a breach of this Data Processing Agreement and/or the EU Data Protection Law by the Data Processor. The Data Controller indemnifies the Data Processor and holds the Data Processor harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Data Processor arising out of a breach of this Data Processing Agreement and/or the EU Data Law by the Data Controller.
12. Duration and Termination
12.1. This Data Processing Agreement shall come into effect on the effective date of the Service Agreement.
12.2. Termination or expiration of this Data Processing Agreement shall not discharge the Data Processor from its confidentiality obligations pursuant to Article 3.
12.3. The Data Processor shall process Personal Data until the date of expiration or termination of the Service Agreement, unless instructed otherwise by the Data Controller, or until such data is returned or destroyed on instruction of the Data Controller.
13.1. In the event of any inconsistency between the provisions of this Data Processing Agreement and the provisions of the Service Agreement, the provisions of this Data Processing Agreement shall prevail.
13.2. This Agreement will be governed by and construed in accordance with the applicable laws of the England and Wales.
Contact information of the data protection officer of the Data Processor.
Dimo Gospodinov, Gospodinov@gglaw.bg
The Data Controller and Data Processor recognise that the Data Controller may order a wide variety of personal data relating to Enterprise Resource Planning to be processed. As such, it would not be feasible to outline beforehand all the Data Subjects and categories of Personal Data of said Data Subjects which will be processed. Below are listed most of the types of personal data which will be processed by the Data Processor, and the relevant Data Subjects.
Types of Personal Data that will be processed in the scope of the Service Agreement:
- Personal contact information, including names, company name, e-mail addresses, physical addresses, and telephone numbers;
- HR data, such as employer’s name, title, salary, work obligations, and additional social benefits where applicable;
- Personal Data required for carrying out legal obligations to the social security system, and other employment data;
- Personal Data relating to education and professional qualifications.
The Data Controller and Data Processor acknowledge that the special categories of Personal Data will be processed only if and to the extent that they are set out in the Agreement.
Categories of Data Subjects:
- Customers of the Data Controller;
- Representatives of the Data Controller;
- Employees of the Data Controller;
- Suppliers of the Data Controller;
- Partners, collaborators, and other affiliates of the Data Controller.
Nature and purpose of the Data Processing:
- storing Personal Data pertaining to customers, representatives, employees, suppliers, partners, collaborators, and other affiliates of the Data Controller;
- retrieving and making such data available to the Data Controller;
- carrying out the instructions of the Data Controller and performing computing operations on the Personal Data;
- where applicable, transferring said Personal Data to other EEA Member-States and third countries; and
- under the conditions of this Agreement, deleting said Personal Data.
Appendix 3: Security Measures
Data Processor shall:
- ensure that the Personal Data can be accessed only by authorized personnel for the purposes set forth in Annex 2 of this Data Processing Agreement;
- take all reasonable measures to prevent unauthorized access to the Personal Data through the use of appropriate physical and logical (passwords) entry controls, securing areas for data processing, and implementing procedures for monitoring the use of data processing facilities;
- build in system and audit trails;
- use secure passwords, network intrusion detection technology, encryption and authentication technology, secure logon procedures and virus protection;
- account for all the risks that are presented by processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorized or unlawful storage, processing, access or disclosure of Personal Data;
- ensure pseudonymisation and/or encryption of Personal Data, where appropriate;
- maintain the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- maintain the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing of Personal Data;
- monitor compliance on an ongoing basis;
- implement measures to identify vulnerabilities with regard to the processing of Personal Data in systems used to provide services to the Data Controller;
- provide employee and contractor training to ensure ongoing capabilities to carry out the security measures established in policy.
Personnel and Confidentiality
Data Processor shall take reasonable steps to ensure that no person shall be appointed by Data Processor to process Personal Data unless that person:
- is competent and qualified to perform the specific tasks assigned to him by Data Processor;
- has been authorised by Data Processor; and
- has been instructed by Data Processor in the requirements relevant to the performance of the obligations of Data Processor under these Clauses, in particular the limited purpose of the data processing.
Data Processor personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Data Processor conducts reasonably appropriate backgrounds checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations. Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Data Processor’s confidentiality and privacy policies. They are provided with training and personnel handling Customer Data are required to complete additional requirements appropriate to their role.
Data Processor uses geographically distributed data centers and stores all production data in physically secure data centers. Data Processor Sub-processor’s production data centres employ measures to secure the access to data processing systems. They have an access system that controls access to the data center. This system permits only authorised personnel to have access to secure areas. The facilities are designed to withstand adverse weather and other reasonably predictable natural conditions, are secured by around-the-clock guards, CCTV monitoring, access screening and escort-controlled access, and are also supported by on-site back-up generators in the event of a power failure.
The data center electrical power systems are designed to be redundant and maintainable without impact to continuous 24/7 operations. In most cases, a primary as well as an alternate power source is provided for critical infrastructure components in the data center. Backup power is provided by various mechanisms such as uninterruptible power supplies (UPS) batteries or diesel generators which are capable to provide emergency electrical power supply or reliable power protection during utility brownouts, blackouts, over voltage, under voltage, and out-of-tolerance frequency conditions.
Infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. Data Processor Sub-processor’s production equipment and facilities have documented preventative maintenance procedures that detail the process for and frequency of performance in accordance with the manufacturer’s or internal specifications. Preventative and corrective maintenance of the data center equipment is scheduled through a standard change process according to documented procedures.
System Access Control
Data Processor servers use a Linux based implementation customized for the Services. Data Processor employs a review process to increase the security of the operating systems used to provide the Services and enhance the security products in production environments.
Data Processor has, and maintains, a security policy for the personnel. Data Processor infrastructure, development and support personnel are responsible for the ongoing monitoring of Data Processor’s security of the infrastructure, the review of the Services, and responding to security incidents.
Data Processor’s internal access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process customer data, including personal data. Data Processor aims to design its systems to: (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording. Data Processor employs an access management system to control personnel access to production servers, and only provides access to authorized personnel. The following may, among other controls, be applied depending upon the particular Services ordered: authentication via passwords and/or two-factor authentication, SSH keys, authorization processes, change management processes, logical access to the data centers is restricted and protected by firewall/VLAN and logging of access on several levels. The granting or modification of access rights is based on: the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; and a need to know basis. The granting or modification of access rights must also be in accordance with Data Processor’s internal data access policies.
Services Access Control
Customer and End Users must authenticate themselves via an authentication system in order to use the Services. Each application checks credentials in order to allow the display of data to an authorized End User.
The following may, among other controls, be applied depending upon the particular Services ordered: authentication via passwords and/or two-factor authentication, SSH keys, authorization processes, change management processes, and logging of access on several levels. Depending upon the particular Services ordered the following controls may also apply: unique identifiers are attributed to the responsible individual, revoke access mechanisms on consecutive failed login attempts and lockout time periods, password expiry and reset mechanisms, password complexity requirements.
Data Access Control
Data Processor stores data in a multi-tenant environment, meaning that multiple customers’ deployments are stored on the same physical hardware. Data Processor uses logical isolation to segregate each Customer’s data and logically separates each Customer’s data from that of others. This provides the scale while rigorously preventing customers from accessing one another’s data.
Customer is given control over specific controls for sharing access to the data to End Users for specific purposes in accordance with the functionality of the Services. Customer may choose to make use of these controls. Data Processor makes available certain logging capability.
Direct access to customer data is restricted and in case such is required access rights are established and enforced only to properly authorized staff in addition to the access control rules set forth in the previous Sections.
Data centers are typically connected via high-speed private links to provide secure and fast data transfer between data centers. This is designed to prevent data from being read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media or exchanged within the data center.
For data in transit, Data Processor uses industry standard transport protocols such as SSL and TLS between Customer devices and Data Processor’s Services and data centers, and within data centers themselves. Except as otherwise specified for the Services (including within the Order, the applicable Agreement or the User documentation of the Services), transmissions of data outside the Service environment are encrypted. Some functionalities of the Services may enable the Customer to choose unencrypted communications in their use of the Service. Customer is solely responsible for the results of its decision to use such unencrypted communications or transmissions.
The Personal Data source is under the control of the Customer, and Personal Data integration into the system, is managed by secured file transfer, via web services or entered into the application from the Customer. As set forth in Section Transmission Control above, some functionalities of the Services permit Customers to use unencrypted file transfer protocols. In such cases, Customer is solely responsible for its decision to use such unencrypted field transfer protocols.
The Services will not introduce any viruses to Customer Data; however, the Services do not scan for viruses that could be included in attachments or other Personal Data uploaded into the Services by Customer. Any such uploaded attachments will not be executed in the Services and therefore will not damage or compromise the Service.
Data Processor blocks unauthorized traffic to and within the data centers using a variety of technologies such as firewalls, NATs, partitioned Local Area Networks and physical separation of back-end servers from public-facing interfaces.
Data Processor employs multiple layers of network devices and intrusion detection to protect its external attack surface. Data Processor considers potential attack vectors and incorporates appropriate purpose built technologies into external facing systems.
Data Processor and authorized personnel will monitor the Services for unauthorised intrusions using network-based intrusion detection mechanisms. Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. Data Processor’s intrusion detection involves tightly controlling the network communication attack surface through preventative measures such as firewalls, employing intelligent detection controls at data entry points and employing technologies that automatically remedy certain dangerous situations.
Data Processor maintains security incident management policies and procedures and monitors a variety of communication channels for security incidents. Data Processor personnel will react promptly to known incidents and will promptly notify Customer in the event Data Processor becomes aware of an actual or reasonably suspected unauthorised disclosure of Personal Data.
Data Processor ensures that processing systems used to store Customer Data log information to their respective system log facility. Log entries are maintained in case there is suspicion of inappropriate access and an analysis is required. Logging is kept securely to prevent tampering.
Reliability and Backup
For the Services, Data Processor ensures that backups are taken on a regular basis. Backups are secured using a combination of technical and physical controls.
Data Processor ensures that the systems where Customer Data is stored have a disaster recovery facility and are governed under disaster recovery plan. In the event production facilities are to be rendered unavailable, Data Processor will execute recovery plans to restore operation in timely manner. Data Processor has designed and regularly plans and tests its disaster recovery plans.
When customers delete data or leave the Service, Data Processor ensures the data is deleted as per the terms in the applicable Agreement. For certain disks Data Processor follows strict rigorous standards that call for overwriting storage resources before reuse, as well as physically disposing of decommissioned hardware. Data Processor Sub-processor’s production data centres employs strict procedures for reuse, redeployment, data destruction and decommission of disks and hardware.
Before onboarding Sub-processors, Data Processor conducts an audit of the security and privacy practices of Sub-processors to ensure Sub-processors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. The Sub-processor is required to enter into appropriate security, confidentiality and privacy contract terms.
System Changes and Enhancements
Data Processor may enhance and implement changes in the Services during the term of the Agreement. Security controls, procedures, policies and features may change or be added. Data Processor will provide security controls that deliver a level of security protection that is not materially lower than that provided as of the Effective Date.