Last updated 28 January 2025
Data Processing Agreement
This Data Processing Agreement (the “DPA”) forms part of, and is subject to, the Terms and Conditions hosted at https://servicechannel.com/terms-and-conditions (“Agreement”) between ServiceChannel.com, Inc. (hereinafter “ServiceChannel”) and Contractor (as defined in the Agreement). Each of the Customer and ServiceChannel is referred to as a “party” and jointly as the “parties”.
WHEREAS
(i) Contractor and ServiceChannel have entered into the Master Services Agreement under which ServiceChannel will provide Contractor with the Services.
(ii) ServiceChannel will process Contractor Content (which may contain Personal Data) in the course of providing the Services;
(iii) The parties now wish to enter into this DPA that governs ServiceChannel’s processing of such Personal Data contained in the Contractor Content.
NOW, THEREFORE, the parties agree as follows:
1. Definitions:
In this Processing Agreement, terms defined in the Agreement have the same meanings when used here. In addition, the following terms shall have the following meanings:
(a) “Administration Data” means: (i) contact details relating to, and the content of correspondence with the Organization’s main account holder or administrator; (ii) support enquiries submitted by the Organization’s authorized users in relation to the Service;
(b) “Affiliates” means any entity which is controlled by, controls or is in common control with ServiceChannel;
(c) “Anonymized Data” means data created using Contractor Personal Data that: (i) cannot be used to infer information about or otherwise be linked to an individual; (ii) does not otherwise relate to an identified or identifiable natural person;
(d) “CCPA” means the California Consumer Privacy Act of 2018, Cal Civ. Code § 1798.100 et seq., including its implementing regulations and the California Privacy Rights Act of 2020;
(e) “Controller Purposes” means undertaking internal research and development to develop, test, improve and alter the functionality of ServiceChannel’s products and services; (b) creating Anonymized Data for training or evaluation of ServiceChannel’s products and services; (c) administering ServiceChannel’s relationship with the Contractor under the Agreement;
(f) “Contractor” means the Contractor that has executed the Master Services Agreement;
(g) “Contractor Personal Data” means Personal Data contained in the Contractor Content, as further described in Annex I to this DPA;
(h) “Data Protection Laws” means all applicable laws, rules, regulations and governmental requirements relating to the privacy, confidentiality, or security of Personal Data (as they may be amended or otherwise updated from time to time), including (without limitation) the GDPR and the US Data Protection Laws;
(i) “Data Subject” means: (i) a natural person to whom Personal Data relates; and (ii) an individual that is a “data subject”, “consumer” or any equivalent term under Data Protection Laws;
(j) “GDPR” means Regulation (EU) 2016/679 (the “EU GDPR”) or, where applicable, the “UK GDPR” as defined in section 3(10) of the UK Data Protection Act 2018;
(k) “Personal Data” means any information that: (i) relates, is linked or reasonable linkable to an identified or identifiable natural person; or (ii) is otherwise “personal data”, “personal information”, “personally identifiable information” or similarly defined data or information under Data Protection Laws;
(l) “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Process”, “Processes” and “Processed” shall have the same meaning);
(m) “Sale” or “Sell” has the meaning given to it in the CCPA;
(n) “Share” has the meaning given to it in the CCPA;
(o) “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Contractor Personal Data;
(p) “Standard Contractual Clauses” means the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council;
(q) “Sub-processor” means any outside entity engaged by ServiceChannel to process Personal Information on behalf of Contractor or in order to provide the services specified in the Agreement;
(r) “UK Addendum” means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) of the UK Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the UK Addendum;
(s) “US Data Protection Laws” means all applicable federal and state laws rules, regulations, and governmental requirements relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States, including (without limitation): the CCPA, the Virginia Consumer Data Protection Act, Code of Virginia Title 59.1 Chapter 52 § 59.1-571 et seq., the Colorado Privacy Act, Colorado Revised Statute Title 6 Article 1 Part 13 § 6-1-1301 et seq., the Utah Consumer Privacy Act, Utah Code § 13-6-101 et seq., Connecticut Senate Bill 6, An Act Concerning Personal Data Privacy and Online Monitoring (as such law is chaptered and enrolled);
(t) “Usage Data” means diagnostic, usage and performance information collected by ServiceChannel in relation to the Contractor’s and its authorized users’ use of the Services; and
(u) The terms “Controller”, “Processor”, “Business” and “Service Provider” have the meanings given to them in the Data Protection Laws.
2. Relationship of the parties; Compliance with law
2.1 The Contractor:
(a) appoints ServiceChannel to Process the Contractor Personal Data as its Processor or Service Provider;
(b) acknowledges and agrees that ServiceChannel may:
(i) use Administration Data and Usage Data for the Controller Purposes and that, for the purposes of the GDPR, it does so as a Controller;
(ii) use Contractor Personal Data to create Anonymized Data and that, for the purposes of the GDPR, it does so as a Controller.
2.2 Each party shall comply with the obligations that apply to it under, and provide the same level of privacy protection as required by Data Protection Laws.
2.3 Contractor shall ensure that its instructions for the Processing of Contractor Personal Data comply with the Data Protection Laws. Contractor shall have sole responsibility for the accuracy, quality, and legality of Contractor Personal Data and the means by which Contractor obtained the Contractor Personal Data.
2.4 ServiceChannel shall notify Contractor promptly if ServiceChannel determines that it can no longer meet its obligations under Data Protection Laws.
2.5 Contractor may take reasonable and appropriate steps to:
(a) ensure that ServiceChannel uses Contractor Personal Data in a manner consistent with Contractor’s obligations under Data Protection Laws; and
(b) upon reasonable notice, stop and remediate unauthorized use of Contractor Personal Data.
3. Processing of Contractor Personal Data
3.1 ServiceChannel shall only Process Contractor Personal Data on behalf of and in accordance with the Agreement, this DPA and (other than any Processing for the Controller Purposes) Contractor’s documented instructions. Contractor instructs ServiceChannel to Process Contractor Personal Data for the following purposes: (i) Processing in accordance with the Agreement and any applicable orders; and (ii) Processing to comply with other reasonable instructions provided by Contractor where such instructions are consistent with the terms of the Agreement. ServiceChannel shall immediately inform Contractor if it is unable to follow those instructions or if in its opinion, an instruction from Contractor infringes Data Protection Laws.
3.2 ServiceChannel shall not:
(a) Sell or Share Contractor Personal Data;
(b) retain, use, or disclose Contractor Personal Data for any purpose other than for the specific business purpose of performing the Services specified in the Agreement or as otherwise permitted by Data Protection Laws;
(c) retain, use or disclose Contractor Personal Data outside of the direct business relationship between the parties; and
(d) combine the Contractor Personal Data with Personal Data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the Data Subject, unless expressly permitted by and carried out in accordance with Data Protection Laws.
3.3 Contractor warrants and undertakes that the Contractor Personal Data shall not contain any of the following:
(a) Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, criminal convictions and any other special categories of Personal Data identified in Article 9 of the GDPR or Personal Data that is otherwise sensitive Personal Data under Applicable Data Protection Laws;
(b) biometric identifiers or templates;
(c) financial information (including, without limitation, billing information and cardholder or sensitive authentication data, as those terms are defined under the Payment Card Industry Data Security Standard);
(d) personally identifiable financial information, as defined by and subject to the Gramm-Leach-Bliley Financial Modernization Act of 1999;
(e) national identification numbers (including, without limitation, Social Security Numbers, Social Insurance Numbers, driver’s license or passport numbers or other governmentally-issued identification numbers);
(f) information relating to individuals under the age of 13;
(g) education records, as defined under the Family Educational Rights and Privacy Act of 1974;
(h) protected health information as defined by, and subject to, the Health Insurance Portability and Accountability Act.
4. Confidentiality of processing/ServiceChannel personnel
4.1 ServiceChannel shall ensure that any person it authorizes to process the Contractor Personal Data (an “Authorized Person“) shall protect the Contractor Personal Data in accordance with ServiceChannel’s confidentiality obligations under this Agreement.
4.2 ServiceChannel shall ensure that its personnel engaged in the Processing of Contractor Personal Data are informed of the confidential nature of the Contractor Personal Data and are subject to obligations of confidentiality.
4.3 ServiceChannel shall ensure that access to Contractor Personal Data is limited to those personnel who require such access to perform the Services.
5. Security/Breach management and notification
5.1 ServiceChannel shall implement appropriate technical and organizational measures for the protection of the security, confidentiality and integrity of Contractor Personal Data as set out in Annex II.
5.2 If ServiceChannel becomes aware of any Security Breach, ServiceChannel will promptly: (i) notify Contractor of the Security Breach; (ii) investigate the Security Breach and provide Contractor with information about the Security Breach; and (iii) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Breach.
5.3 ServiceChannel shall, at Contractor’s request, provide Contractor with reasonable assistance with Contractor’s fulfilment of its obligations under Data Protection Laws in relation to a Security Breach notified to Contractor by Service Channel.
5.4 ServiceChannel shall not be under any obligation to notify Contractor of any unsuccessful attempts to obtain unauthorized access to Contractor Personal Data or to any of ServiceChannel’s equipment or facilities storing Contractor Personal Data, including, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or similar incidents.
5.5 Notification(s) of Security Breaches, if any, will be delivered to one or more of Contractor’s business, technical or administrative contacts by any means ServiceChannel selects, including via email. It is Contractor’s sole responsibility to ensure it maintains accurate contact information on ServiceChannel’s support systems at all times.
5.6 ServiceChannel’s notification of or response to a Security Breach under this Section 5 shall not be construed as an acknowledgement by ServiceChannel of any fault or liability with respect to the Security Breach.
6. Subprocessing
6.1 Contractor acknowledges and agrees that (i) ServiceChannel may appoint Affiliates as its Sub-processors; and (ii) ServiceChannel may engage third-party Sub-processors in connection with the provision of the Services. Any such Sub-processors will be permitted to obtain Contractor Personal Data only to deliver the services ServiceChannel has retained them to provide, and are prohibited from using Contractor Personal Data for any other purpose. ServiceChannel will enter into a written agreement that imposes upon the Sub-processor data protection obligations that are substantially similar to those imposed on ServiceChannel by this Agreement. ServiceChannel shall remain fully responsible to the Contractor for the performance of the Sub-processor’s obligations under its contract with ServiceChannel.
6.2 ServiceChannel may continue to use those Sub-processors already engaged by ServiceChannel or any ServiceChannel Affiliate as at the date of this Agreement, as listed at https://bit.ly/SC_Subprocessors.
6.3 ServiceChannel shall give Contractor prior written notice of the appointment of any new Sub-processor, including full details of the Processing to be undertaken by the Sub-processor. If, within 10 days of receipt of that notice, Contractor notifies ServiceChannel in writing of any objections (on reasonable grounds) to the proposed appointment, ServiceChannel shall not appoint that proposed Sub-processor until reasonable steps have been taken to address the objections raised by the Contractor and the Contractor has been provided with a reasonable written explanation of the steps taken.
7. Restricted transfers
7.1 The Standard Contractual Clauses shall, as further set out in this Section 7, be incorporated into this DPA by reference and shall apply to any transfers of Contractor Personal Data from Contractor (as data exporter) to ServiceChannel (as data importer) to the extent that:
(a) the GDPR applies to Contractor’s Processing of such Contractor Personal Data when making the transfer;
(b) Data Protection Laws that apply to Contractor’s Processing of Contractor Personal Data when making the transfer (the “Exporter Data Protection Laws“) prohibit the transfer of Contractor Personal Data to ServiceChannel under this DPA in the absence of a transfer mechanism implementing adequate safeguards in respect of the Processing of that Contractor Personal Data, and any one or more of the following applies:
(i) the relevant authority with jurisdiction over Contractor’s transfer of Contractor Personal Data under this DPA has not formally adopted standard data protection clauses or another transfer mechanism under the Exporter Data Protection Laws and established market practice in relation to transfers subject to the Exporter Data Protection Laws is to enter into standard contractual clauses approved by the European Commission to satisfy any requirement under the Exporter Data Protection Laws to implement adequate safeguards in respect of that transfer; or
(ii) entering into standard contractual clauses approved by the European Commission would otherwise reasonably satisfy any requirement under the Exporter Data Protection Laws to implement adequate safeguards in respect of that transfer; or
(c) the transfer is an “onward transfer” (as defined in the applicable module of the Standard Contractual Clauses).
7.2 With respect to any transfers referred to in Section 7.1, the Standard Contractual Clauses shall be deemed completed as follows:
(a) Module Two will apply;
(b) in Clause 7, the optional docking clause does not apply;
(c) in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in Section 6.3 of this Agreement;
(d) in Clause 11, the optional language will not apply;
(e) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
(f) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
(g) Annex I shall be deemed completed with the information set out in Annex I to this Agreement;
(h) Annex II shall be deemed completed with the information set out in Annex II to this Agreement.
7.3 To the extent that the UK GDPR applies to Contractor when it makes a transfers referred to in Section 7.1, or such transfer is an “onward transfer” as defined in the UK Addendum, the UK Addendum will form part of this DPA and apply to such transfers and be deemed completed as follows:
(a) the “Addendum EU SCCs” shall refer to the Standard Contractual Clauses as they are incorporated into this DPA in accordance with Sections 7.1 and 7.2;
(b) the “Appendix Information” shall refer to the information set out in Annex I and Annex II to this DPA; and
(c) Tables 1 to 3 of the UK Addendum shall be deemed completed as set out in Section 7.2 above, and the option “neither party” shall be deemed checked in Table 4.
7.4 In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
7.5 The parties agree that execution of this DPA shall have the same effect as signing the Standard Contractual Clauses and UK Addendum.
8. Cooperation and Data Subjects’ rights
8.1 ServiceChannel shall, to the extent legally permitted, promptly notify Contractor if it receives a request from a Data Subject to exercise their rights under Data Protection Laws. ServiceChannel shall not respond to any such Data Subject request without Contractor’s prior written consent except to confirm that the request relates to Contractor.
8.2 To the extent Contractor, in its use or receipt of the Services, does not have the ability to correct, amend, restrict, block or delete Contractor Personal Data, as required by Data Protection Laws, ServiceChannel will use commercially reasonable efforts to comply with reasonable requests by Contractor to facilitate such actions to the extent ServiceChannel is legally permitted to do so.
8.3 ServiceChannel shall provide reasonable cooperation to Contractor (at Contractor’s expense) in connection with any data protection impact assessment that may be required under Data Protection Law.
9. Deidentified Data
9.1 With respect to any Anonymized Data created by ServiceChannel, ServiceChannel shall:
(a) take reasonable measures to ensure the information cannot be associated with a Data Subject;
(b) publicly commit to Process such Anonymized Data solely in deidentified form and not to attempt to reidentify the information; and
(c) contractually obligate any recipients of the Anonymized Data to comply with the foregoing requirements under Data Protection Laws.
10. Termination; deletion or return of Data
10.1 This Agreement shall terminate automatically on ServiceChannel’s deletion or anonymization of all Contractor Personal Data.
10.2 Upon termination or expiry of the Agreement, ServiceChannel shall
(a) if requested to do so by Contractor within thirty (30) days of expiry of the Agreement (the “Retention Period“) provide a copy of all Contractor Personal Data in such commonly used format as requested by Contractor, or provide a self-service functionality allowing Contractor to download such Contractor Personal Data;
(b) on expiry of the Retention Period, delete all copies of Contractor Personal Data Processed by ServiceChannel or any of its Sub-processors, other than:
(i) any Administration Data or Usage Data Processed for the Controller Purposes or any Contractor Personal Data which ServiceChannel is required to retain under applicable law; or
(ii) Contractor Personal Data archived on back-up systems, which ServiceChannel shall securely isolate and protect from any further Processing except to the extent required by such law until deletion is possible.
11. Audit
11.1 Contractor may audit ServiceChannel’s compliance with this DPA. The parties agree that all such audits shall be conducted:
(a) not more than annually, unless more frequent audits are required to comply with Data Protection Laws or required by a supervisory authority with jurisdiction over the Processing of Contractor Personal Data;
(b) upon reasonable notice to ServiceChannel;
(c) only during ServiceChannel’s normal business hours; and
(d) in a manner that does not materially disrupt ServiceChannel’s business or operations.
11.2 With respect to any audits conducted under Section 10.1:
(a) Contractor may engage a third-party auditor to conduct the audit on its behalf, save that ServiceChannel may reasonably object to the engagement of the third-party auditor if such third-party auditor is a competitor of ServiceChannel;
(b) ServiceChannel shall not be required to facilitate or assist with any audit unless and until the parties have agreed in writing the scope and timing of such audit and the reimbursement rates under Section 10.3.
11.3 Contractor shall reimburse ServiceChannel for any time spent for any such audit at the rates agreed to by the parties. Before the commencement of any such audit, Contractor and ServiceChannel shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Contractor shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by ServiceChannel. Contractor shall promptly notify ServiceChannel with information regarding any non-compliance discovered during the course of an audit.
11.4 Contractor acknowledges that ServiceChannel is regularly audited against SSAE 18 SOC 1 standard by independent third-party auditors. ServiceChannel shall supply to Contractor on request, or may supply to Contractor in response to any audit request, a summary copy of its audit report(s) to Contractor, which shall be subject to the confidentiality provisions of the Agreement. If an audit requested by Contractor is addressed in the audit report provided by ServiceChannel, Contractor agrees to accept such report in place of conducting a physical audit of the controls covered by the relevant report.
12. Limitation of Liability
This DPA is subject to the limitations of liability and disclaimers in the Agreement.
13. Parties to this Agreement
Save as set out in the Standard Contractual Clauses, nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA.
14. Legal effect
This DPA supplements and forms part of the Agreement.
15. General
15.1 This DPA shall be governed by and construed in all respects in accordance with the governing law and jurisdiction provisions in the Agreement, provided that, in the event of a conflict between the Agreement and this DPA with regards to the processing of Personal Data, this DPA shall control.
15.2 This Agreement may be executed in any number of counterparts, each of which is an original and all of which evidence the same agreement between the parties.
15.3 Other than as set out in this DPA, the Agreement shall remain in full force and effect.
ANNEX I
A. LIST OF PARTIES
|
Name |
Address |
Contact person’s name, position and contact details |
Activities relevant to the data transferred |
Role |
|
|
Data exporter |
Contractor (as provided during registration for the Services) |
As provided during registration for the Services |
As provided during registration for the Services |
Receipt of the Services |
Controller |
|
Data importer |
ServiceChannel.com, Inc. |
30 Patewood Dr Building 2, Suite 350, Greenville, SC 29615 |
Brian Chase, General Counsel, [email protected] |
Provision of the Services |
Processor |
B. DESCRIPTION OF TRANSFER
|
Data subjects |
Categories of personal data |
Sensitive personal data |
Frequency of transfer |
Nature and purpose of the processing |
Retention period |
|
Contractor’s End Users |
Name, email address, role at Contractor, Credentials. |
None |
Continuous |
Granting access to the Services to End Users. |
For as long as Contractor authorizes the End User to access the Services. |
|
Contractor’s End Users |
Name, phone number, facility management services to be provided. |
None |
Continuous |
Facilitating contact between End Users and Customers for the fulfilment of Purchase Contracts. |
For as long as Contractor authorizes the End User to access the Services. |
|
Contractor’s End Users |
Name, precise geolocation, check in time, check out time. |
None |
Continuous |
Providing information to the Customer regarding the provision of facilities management services under a Purchase Contract. |
For the term of the Agreement. |
|
Contractor’s End Users |
Name, facilities management services provided by End User, date and location of services provided. |
None |
Continuous |
Facilitating the calculation of amounts due under the Purchase Contract. |
For the term of the Agreement. |
|
Contractor’s End Users Customers’ authorized users requesting facilities management services |
Name, facilities management services provided by End User, date and location of services provided. |
None |
Continuous |
Submission of invoices under Purchase Contracts to Customer. |
For the term of the Agreement. |
|
Contractor’s End Users Customers’ authorized users requesting facilities management services |
Name, facilities management services provided by End User, date and location of services provided. |
None |
Continuous |
Maintaining transaction records of services provided by Contractor under Purchase Contracts. |
For the term of the Agreement. |
|
Contractor’s End Users |
Name, facilities management services provided by End User, date and location of services provided, precise geolocation. |
None |
Continuous |
Facilitating the management of Contractor’s End Users, including scheduling and staffing. |
For the term of the Agreement. |
|
Key contact points at Contractor |
Name, email address, phone number. |
None |
Continuous |
Promoting Contractor’s services through the Catalog. |
For as long as the individual remains a key contact point, and in any event no longer than the term of the Agreement. |
|
Contractor’s End Users |
Support queries submitted by End User. |
None |
Continuous |
Providing technical support. |
For the term of the Agreement. |
|
Contractor’s End Users |
Log data relating to End User’s use of the Services. |
None |
Continuous |
Providing access to the Services. |
For the duration of the End User’s browsing session. |
Subprocessors
As described at https://bit.ly/SC_Subprocessors
C. COMPETENT SUPERVISORY AUTHORITY
Irish Data Protection CommissionerANNEX II
Security Measures
ServiceChannel will at all times remain responsible and liable for the following commercially reasonable transfer security measures:
|
TRANSFER SECURITY MEASURES |
IMPLEMENTED MEASURES |
|
Measures of pseudonymization and encryption of personal data |
Pseudonymization • character masking • swapping • k-anonymity Encryption • HTTPS encryption for data in transit (using TLS 1.2 or greater) on every login interface, using industry standard algorithms and certificates. • Encryption of data at rest using the industry standard AES-256 algorithm |
|
Measures for ensuring ongoing confidentiality, integrity, availabilty and resilience of processing systems and services |
Confidentiality • Virtual Private Network (VPN) • Multi-Factor Authentication (MFA) • Differentiated rights system based on security groups and access control lists. • Secure transmission of credentials using TLS 1.2 (or greater) • Passwords require a defined minimum complexity. Initial passwords must be changed after the first login. • Automatic account locking • Guidelines for handling of passwords • Access controls to infrastructure that is hosted by cloud service provider • Access right management including authorization concept, implementation of access restrictions, implementation of the “need-to-know” principle, managing of individual access rights. • Training and confidentiality agreements for internal staff and external staff • Network separation • Segregation of responsibilities and duties • Restrict access to personal data to the parties involved in the processing in accordance with the “need to know” principle and according to the function behind the creation of differentiated access profiles. Integrity • Secure network interconnections ensured by firewalls etc. • Logging of transmissions of data from IT system that stores or processes personal data • Logging authentication and monitored logical system access • Logging of data access including, but not limited to access, modification, entry and deletion of data • Documentation of data entry rights and logging security related entries • Web Application Firewall (WAF) Availability and Resilience • Contractor data is backed up to multiple durable data stores and replicated across multiple availability zones. • Protection of stored backup media |
|
Measures for ensuring the ability to restore the availability and access to personal Data in a timely manner in the event of a physical or technical incident |
• Continuity Planning and Disaster Recovery Plan• Disaster recovery processes to restore data and processes
• Recovery Time Objective (RTO) • Recovery Point Objective (RPO) • Maximum Tolerable Downtime (MTD) • Capacity management measures to monitor resource consumption of systems as well as planning of future resource requirements. • Procedures for handling and reporting incidents (incident management) including the detection and reaction to possible security incidents. • Productive data is backed up hourly in incremental form and daily as a full backup. All backups are kept redundant and in encrypted form (AES-256). |
|
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing |
• Testing of emergency equipment• Documentation of interfaces and personal data fields
• Internal and external audits • Security checks (e.g. penetration tests) conducted by external parties • SOC 1 and 2 audits • Regular benchmarking and testing with industry standards, e.g. SANS Top 20 Controls for Internet Security, NIST guidelines, etc. |
|
Measures for user identification and authorization |
• Secure network interconnections ensured by VPN, MFA, firewalls etc.• Logging of transmissions of data from IT system that stores or processes personal data
• Logging authentication and monitored system access • Access to data necessary for the performance of the particular task is ensured within the systems and applications by a corresponding role and authorization concept in accordance to the “need-to-know” principle. • Web Application Firewall (WAF) |
|
Measures for the protection of Data during transmission |
• Remote access to the network via VPN tunnel and end-to-end encryption• HTTPS encryption for data in transit (using TLS 1.2 or greater) |
|
Measures for the protection of Data during storage |
• System inputs recorded via log files• Access Control Lists (ACL)
• Multi-factor Authentication (MFA) |
|
Measures for ensuring physical security of locations at which personal Data are processed |
• Subdivision of the facility into individual zones with different access authorizations;• Physical access protection (e.g. steel doors, windowless rooms or secured windows);
• Electronic access control system to protect security areas; • Monitoring of the facility by security services and access logging to the facility; • Video surveillance of all security-relevant security areas, such as entrances, emergency exits and server rooms; • Central assignment and revocation of access authorizations; • Identification of all visitors by verification of their identity card and registration (a log of visitors is kept); • Mandatory identification within the security areas for all employees and visitors; • Visitors must be accompanied by employees at all times. |
|
Measures for ensuring events logging |
• Remote logging• Hash chaining
• Replication • Central Security Event and Information Management (SIEM) system |
|
Measures for ensuring system configuration, including default configuration |
• Access Control Policy and Procedures• Baseline configuration identification
• Configuration Planning and Management • Configuration Change Management • Configuration Status Accounting • Configuration Verification and Audits • Mobile device management |
|
Measures for internal IT and IT security governance and management |
• Dedicated and identified person to oversee the company’s information security and compliance program• SOC 1 and 2 audit |
|
Measures for certification/assurance of Processes and products |
• Information security or quality management certifications such as SSAE 18 Type 2 SOC 1 and SSAE18 Type 2 SOC2 |
|
Measures for ensuring Data minimization |
• Technological barriers to the unauthorized linking of independent sources of data.• Limitation to the level of detail used in personal data processing: for example, through techniques such as k-anonymity and obfuscation.
• Deletion of metadata generated during certain processes that are not necessary for the pursued goal. |
|
Measures for ensuring Data quality |
• Process for the exercise of data protection rights (right to amend and update information)• Clear documentation of requirements for all data conditions and scenarios
• Restrict access to personal data to the parties involved in the processing in accordance with the “need to know” principle and according to the function behind the creation of differentiated access profiles. Rigorous data profiling and control of incoming data • Data pipeline design to avoid duplicate data • Quality Assurance team • Enforcement of data integrity |
|
Measures for ensuring limited data retention |
• The existence of clear retention schedules and policies• Testing of effectiveness |
|
Measures for ensuring accountability |
• Assign responsibility to ensure end-user privacy throughout the product lifecycle and through applicable business processes.• Data protection impact assessments as an integral part of any new processing initiative.
• Document all decisions that are adopted within the organization from a “privacy design thinking” perspective. |
|
Measures for allowing Data portability and ensuring erasure |
• Documented processes in relation to the exercise by users of their privacy rights (e.g. right of erasure or right to data portability)• Use of open formats such as CSV, XML or JSON. |
|
Applied restrictions or safeguards for sensitive data (if applicable) |
• Encrypting or hashing special category data, although not an explicit legal requirement, should be the norm |
English Deutsch Español Français (France) 中文(简体) Slovenščina Italiano Magyar