This Data Processing Policy (“DPP”) shall be applicable between the Parties and shall be considered as automatically incorporated into the Agreement. All capitalized terms used in this DPP have the same meanings given to them in the Agreement, unless defined below. Terms defined below are applicable to the DPP only.
Definitions
“Adequate Country” means a country or territory that is recognized under applicable Data Protection Laws as providing adequate protection for personal data.
“Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is directly or indirectly Controlled by Customer, (b) is subject to Data Protection Laws and (c) is permitted to use the Services pursuant to the Agreement, but has not signed the Agreement.
“CCPA” means the California Consumer Privacy Act of 2018, including all amendments thereto.
“Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union (including GDPR), the European Economic Area, their member states, Switzerland, the United Kingdom and/or federal, state or local government authorities of the United States of America, applicable to the processing of Personal Data under the Agreement.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“Personal Data” means any data that is processed by CybelAngel as part of the Services that is also “personal data” as defined under GDPR and/or defined as “personal information” under CCPA.
“Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in CybelAngel’s possession or under its control, where such breach is documented as having originated only from CybelAngel’s own systems and is unrelated to any breach which may have been detected in connection with the Services or CybelAngel’s day-to-day business activities.
“Standard Contractual Clauses” (or “SCCs”) means the standard contractual clauses approved by the European Commission (4 June 2021) for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
“processing”, “data controller”, “data subject”, “supervisory authority” and “data processor” have the meanings ascribed to them in the GDPR.
1. Status of the Parties
The Parties acknowledge and agree that Customer is the data controller and CybelAngel is the data processor with respect to Personal Data. Each Party agrees to comply with, and shall ensure that each of its Affiliates complies with, Data Protection Laws applicable in relation to Personal Data. As between the Parties, Customer is solely responsible for obtaining, and has obtained or will obtain, all necessary consents, licenses and approvals for the processing of Personal Data in connection with use of the Services.
2. Description of processing
2.1. CybelAngel shall only process Personal Data in order to provide the Services or for business purposes related to the Services as defined in the Agreement (e.g. creating credentials for new Authorized Users). If the Data Protection Laws require CybelAngel to process Personal Data other than as permitted by the Agreement, CybelAngel will notify Customer prior to processing, unless prohibited from doing so by applicable law.
2.2. The type of Personal Data processed pursuant to the Agreement and the subject matter, duration, nature and purpose of the processing, and the categories of data subjects shall be as follows:
2.2.2. Nature of the processing
Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission to controller, dissemination or otherwise making available to controller, alignment or combination, restriction, erasure or destruction.
2.2.3. Purpose(s) of the data processing
The purpose of the processing is to ensure the IT security of the controller and its affiliates, by working to prevent and detect data leaks on the Internet.
2.2.4. Duration of the data processing
The data processing shall be performed during the term of the Agreement.
2.2.5. Data retention period
Personal Data will be retained by the data processor for a maximum duration of six (6) months following the termination of all contracts for services provided to controller by processor.
2.2.6. Categories of data subjects
Controller’s employees, clients and prospects, and providers, as well as any person connected with the controller’s company or its activity.
3. Processor’s rights and obligations
3.1. The processor shall process Personal Data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of Personal Data. These instructions shall always be documented.
For the purpose of the preceding paragraph, the Agreement, this DPP and Customer’s use of the Services constitute Customer’s written instructions to CybelAngel in relation to the processing of Personal Data.
3.2. Taking into account the nature of processing and the information available to CybelAngel, CybelAngel will assist Customer when reasonably requested in relation to Customer’s obligations under Data Protection Laws with respect to (i) data protection impact assessments (as such term is defined in the GDPR), (ii) notifications to the supervisory authority under Data Protection Laws and (iii) prior consultations with supervisory authorities.
3.3. CybelAngel will use commercially reasonable efforts to assist Customer in responding to requests made by data subjects seeking to exercise their rights under Data Protection Laws and whose Personal Data is in CybelAngel’s possession or under its control. CybelAngel will notify Customer of data subject requests relevant to Customer no later than five (5) business days after they are received by CybelAngel, unless otherwise required by applicable law.
4. Technical and Organizational Measures
Taking into consideration (i) standard industry practice, (ii) the costs of implementation and (iii) the nature, scope, context and purposes of processing, CybelAngel shall implement appropriate technical and organizational measures as set forth in Annex I, to ensure a level of security appropriate to the risks that are presented by processing Personal Data, including in relation to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in CybelAngel’s possession or under its control.
5. Personal Data Breaches
CybelAngel shall notify Customer of any Personal Data Breach no later than seventy-two (72) hours after becoming aware of it. CybelAngel shall provide Customer with commercially reasonable cooperation, assistance and information in connection with such Personal Data Breach, including, to the extent known by CybelAngel, (i) the nature of the Personal Data Breach, (ii) the categories and approximate number of data subjects concerned, (iii) the categories and approximate number of Personal Data records affected, and (iv) the measures already taken or planned to be taken by CybelAngel to address the Personal Data Breach, including, where appropriate, measures to mitigate possible adverse effects. Unless required to disclose information about a Personal Data Breach by applicable law, CybelAngel shall not disclose any information about a Personal Data Breach and shall treat all such information as Confidential Information.
6. Sub-processing
6.1 Customer consents to CybelAngel’s use of the sub-processors included in the Subprocessor’s List (provided to the controller upon request) to provide the Services, and to CybelAngel’s disclosure and provision of Personal Data to such sub-processors. The sub-processor list as of the date of execution of the Agreement is hereby authorized by Customer. CybelAngel shall notify Customer’s main points of contact in writing in advance of any change to the sub-processor list that appoints a new sub-processor. In any event, the updated sub-processor list shall be deemed authorized by Customer unless Customer provides a reasonable written objection, for reasons related to the GDPR, to [email protected] within thirty (30) business days following the notification of the change in the sub-processor list. In that event, if the parties do not find a solution in good faith to the issue in question, then Customer may, as its sole remedy, terminate the applicable Agreement with respect only to those Services which cannot be provided by CybelAngel without the use of the objected-to sub-processor, by providing written notice to CybelAngel, provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to CybelAngel. Customer will have no further claims against CybelAngel due to (i) past use of approved sub-processors prior to the date of objection or (ii) the termination of the Agreement (including, without limitation, requesting refunds) in the situation described in this paragraph.
6.2 CybelAngel will require its sub-processors to comply with terms that are substantially no less protective of Personal Data than those imposed on CybelAngel hereunder, to the extent reasonably applicable to the services such sub-processor provides. CybelAngel will be liable for any breach of its obligations under this DPP that is caused by an act or omission of a sub-processor.
7. Audits
Customer may exercise its right of audit under the Data Protection Laws; provided, that (i) Customer may conduct one (1) audit per year on its own behalf and at its own expense only, (ii) Customer provides CybelAngel with fifteen (15) business days’ prior written notice of any audit, (iii) the maximum duration for any audit is five (5) business days (as defined in France), (iv) each audit is conducted only during CybelAngel’s business hours and (v) CybelAngel approves of the choice of a third-party auditor appointed by Customer in case Customer does not conduct the audit by itself. No audit may interfere with the operation of CybelAngel’s tools or infrastructure.
8. Data transfers
This Section 8 applies to any processing by CybelAngel or its sub-processors of any Personal Data subject to the GDPR.
8.1 CybelAngel will not disclose or transfer Personal Data to a third party except (i) with the prior written permission of Customer, (ii) as permitted by the Agreement, (iii) where such disclosure or transfer is required by any applicable law, regulation or public authority, or (iv) pursuant to Section 6.1.
8.2 Customer acknowledges that the provision of the Services under the Agreement may require the processing of Personal Data by sub-processors in countries outside the EEA. If CybelAngel transfers any Personal Data to a sub-processor (including any CybelAngel Affiliate that acts as a sub-processor) where such sub-processor will process Personal Data outside the EEA (other than exclusively in an Adequate Country), then CybelAngel will ensure that a mechanism to achieve adequacy in respect of that processing is in place, such as (i) the execution of Standard Contractual Clauses (based on Module 2 Transfer Controller to Processor) between CybelAngel and a sub-processor or (ii) any other approved safeguard for data transfers (as recognized under the Data Protection Laws).
9. Authorized Affiliates
9.1 By executing the Agreement, Customer hereby agrees to the DPP on behalf of itself and in the name and on behalf of its Authorized Affiliates. Each Authorized Affiliate agrees to be bound by the obligations of Customer under this DPP and, to the extent applicable, the Agreement.
9.2 The Customer that is the contracting party to the Agreement will remain responsible for coordinating all communication related to Personal Data with CybelAngel, and will be entitled to make, and will receive, any communication in relation to Personal Data on behalf of its Authorized Affiliates.
9.3 Where an Authorized Affiliate becomes a party to the Agreement with CybelAngel, it will, to the extent required under applicable Data Protection Laws and pursuant to the provisions hereof, be entitled to exercise the rights and seek the remedies provided herein, subject to the following:
9.3.1 Except where applicable Data Protection Laws require the Authorized Affiliate to exercise a right or seek any remedy against CybelAngel directly by itself, pursuant to the provisions hereto, the parties agree that (i) solely the Customer that is the contracting party to the Agreement will exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Customer that is the contracting party to the Agreement will exercise any such rights under the provisions hereto, not separately for each Authorized Affiliate individually but in a combined manner for itself and all of its Authorized Affiliates together.
9.3.2 The Customer that is the contracting party to the Agreement will, when carrying out any audit of the procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on CybelAngel and its sub-processors by combining, to the extent possible, all audit requests of itself and all of its Authorized Affiliates in one single audit.
10. Limitation of Liability
Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to the provisions hereto whether in contract, tort or under any other theory of liability, is subject to Section 10 (Limitation of Liability) of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement. For the avoidance of doubt, CybelAngel’s and its Affiliates’ total liability for all claims from Customer and all Authorized Affiliates will not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPP.
11. Order of Precedence
This DPP is without prejudice to the rights and obligations of the parties under the Agreement which will continue to have full force and effect. In the event of any conflict between the terms hereto and the terms of the Agreement, the terms of this DPP will prevail insofar as the subject matter concerns the processing of Personal Data.
12. Miscellaneous
All communications and notices pursuant to the provisions hereof shall be sent by the controller to the processor’s data protection officer at:
Name: CybelAngel
Address: 51 rue Le Peletier, 75009 Paris, France
Contact person’s name, position and contact details:
Heather Kuch
Data Protection Officer
ANNEX I
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
A. Physical Access Control
Unauthorised persons are to be denied access to data processing equipment with which Personal Data is processed or used.
The processor shall take the following physical access control measures, insofar as Personal Data is processed in the premises/buildings of the processor. Access to such Personal Data outside of these premises/buildings is not permitted:
- Restriction of access rights to office buildings, data centres and server rooms to the minimum necessary.
- Effective control of access rights through an adequate locking system (for example, security key with documented key management, electronic locking systems with documented management of authorization).
- Comprehensive and fully documented processes must be in place for the granting, change and withdrawal of access authorization.
- Regular and documented review of access authorizations granted to date.
- Reasonable measures for the prevention and detection of unauthorized access and access attempts (e.g. regular review of burglary protection of the doors, gates and windows, alarm systems, video surveillance, security guards, security patrol).
- Written regulations for employees and visitors for dealing with technical access security measures.
B. Logical Access Control to Systems
Use by unauthorized persons of Personal Data processing systems must be prevented.
The processor shall take the following measures to control access to systems and networks in which Personal Data is processed or via which access to Personal Data is possible:
- Restriction of access rights to IT systems and non-public networks to the minimum necessary.
- Effective control of Authentication, Authorization and Accounting through personalized and unique user identifications and a secure authentication process.
- When using passwords for authentication, rules shall be adopted to ensure the quality of passwords in terms of length, complexity and change frequency. Technical testing methods shall be implemented in order to ensure password quality.
- When using asymmetric key methods (e.g. certificates, private/public-key methods) for authentication, it shall be ensured that secret (private) keys are always protected with a password (passphrase). The password quality requirements set out above apply to such passphrases.
- Full reviews of all accounts must be undertaken regularly, and access removed where it is no longer required.
- Regular and documented review of the logical access authorizations granted to date.
- Appropriate measures to secure the network infrastructure must be undertaken (e.g. network port security IEEE 802.1X, Intrusion Detection Systems, use of 2-factor authentication for remote access, separation of networks, content filtering, encrypted network protocols, etc.).
- Written regulations for employees when dealing with the above security measures and safe use of passwords.
- Ensuring the immediate installation of critical or important security updates/patches, within 48 hours after publication by the manufacturer:
  - in controller’s operating systems;
  - in server operating systems which are accessible via public networks (e.g. web servers);
  - in application programs (including browsers, plugins, PDF readers, etc.); and
  - in security infrastructure (virus scanners, firewalls, IDS systems, content filters, routers, etc.).
- Ensuring the installation of critical or important security updates/patches in the operating systems of internal servers within 1 week after publication by the manufacturer.
C. Access Control to Personal Data
It shall be ensured that only persons authorized to use a Personal Data processing system can access Personal Data, within the scope of their access authorization, and that Personal Data cannot be read, copied, changed or removed without authorization during processing and use and after storage.
Where the processor is responsible for the access authorization to access Personal Data, the processor shall take the following measures for access control:
- Restriction of access authorization to Personal Data to the minimum required.
- Effective control of access authorization through an adequate rights and role concept.
- A comprehensive and fully documented process for granting, changing and withdrawing authorizations to access and copy Personal Data must be in place.
- Regular and documented reviews of the assigned access authorizations to date.
- Reasonable measures for the protection of terminal equipment, servers and other infrastructure elements against unauthorized access (e.g. multi-level virus protection concept, content filtering, application firewall, intrusion detection systems, desktop firewalls, system hardening, content encryption) must be undertaken.
- Encryption of Personal Data media, using algorithms that are considered secure according to the current state of the art, to be enforced for the protection of mobile devices (laptops, tablet PCs, smartphones, etc.) and Personal Data media (external hard drives, USB sticks, memory cards, etc.).
- Logging of accesses to Personal Data by all users, including administrators.
- Technical security measures for export and import interfaces (hardware and application related).
Where the processor is not responsible for the access authorization to access Personal Data the processor shall have the following obligations to cooperate with access control:
- A comprehensive and fully documented process for application, change and withdrawal of access authorizations in their area of responsibility.
- Regular and documented review of the assigned access authorizations to date as far as is possible.
- Immediate notification to controller if the existing access authorizations are no longer required.
D. Transmission Control
The processor shall provide the Personal Data to be processed in a transmission procedure to be defined in a contract/order. The results of the processing will also be transmitted back to the controller in a defined transmission procedure. The method of transmission as well as the security measures for the transmission (transmission control) are to be set according to requirements; in particular, the use of state-of-the-art encryption technology is to be provided for.
It shall be guaranteed that Personal Data is not read, copied, changed or removed without authorization during electronic transfer or during transportation or storage on Personal Data carriers, and that it can be checked and established to which locations a transfer of Personal Data by means of data transmission equipment is provided for.
The processor shall take the following measures for transmission control, insofar as Personal Data is received, transferred or transported by the processor:
- Appropriate measures to secure the network infrastructure (e.g. network port security IEEE 802.1X, Intrusion Detection Systems, use of 2-factor authentication for remote access, separation of networks, content filtering, encrypted network protocols, etc.) must be applied.
- Encryption of Personal Data media, using algorithms that are considered secure according to the current state of the art, for the protection of mobile devices (laptops, tablet PCs, smartphones, etc.) and data media (external hard drives, USB sticks, memory cards, etc.).
- Use of encrypted communication protocols (such as TLS-based protocols).
- Mechanisms to identify and verify remote terminals during transmissions.
- Checksum verification of received Personal Data.
- Written regulations for employees for the handling and security of mobile devices and data carriers.
E. Data Entry Control
It shall be ensured that it can be subsequently checked and verified whether and by whom Personal Data has been accessed, modified in or removed from data processing systems.
The processor shall take the following measures to control data entry into its systems that serve the processing of data or that enable or provide access to such systems:
- Creation and tamper-proof (revision-secure) storage of processing logs.
- Securing of backup log files against tampering.
- Logging and analysis of failed login attempts.
- Ensuring that no shared group accounts (including administrator or root accounts) can be used.
F. Data Processing Control
It is necessary to ensure that any Personal Data that is processed can only be processed in accordance with the instructions of controller.
The processor shall implement processes and documentation for:
- the selection of (sub)processors on the basis of Data Protection Laws and technical criteria;
- ensuring the prescribed statutory preliminary inspection of (sub)processors in accordance with Data Protection Laws;
- ensuring the timely instruction of operational data protection officers upon the introduction of new, or changes to existing, procedures for processing Personal Data;
- the obligation of all persons responsible for the processing of Personal Data to maintain data secrecy pursuant to Data Protection Laws;
- regular verification of the correct operation of the data processing programs by which Personal Data is processed;
- ensuring that the persons entrusted with data processing are familiar with the relevant Data Protection Laws;
- maintenance of the qualification of the operational data protection officer (if appointed);
- ensuring the notification of the controller without undue delay in the event of unlawful access to or acquisition of Personal Data; and
- ensuring the immediate correction, blocking and deletion of Personal Data upon instruction by the controller.
G. Availability Control
It shall be ensured that Personal Data is protected against accidental destruction or loss.
The processor shall implement the following measures to control availability:
- Operation and regular maintenance of fire alarm systems in server rooms, data centres and critical infrastructure spaces.
- Creating daily backups and ensuring that a robust and resilient disaster recovery capability is implemented.
- Ensuring backup storage in a separate fire compartment.
- Regular review and testing of backup integrity.
- Processes and documentation for the recovery of systems and Personal Data.
H. Appropriation Control
It shall be ensured that Personal Data collected for different purposes can be processed separately.
The processor shall take the following measures for the separation of Personal Data, provided that they lie in their area of responsibility:
- Logical and/or physical separation of test, development and production systems.
- Separation of controllers (client separation) within the processing systems and at interfaces.
- Ensuring continued identifiability of the Personal Data.
I. Retention and Deletion of Personal Data
Personal Data shall be retained only for as long as required and deleted once the purpose of the processing has been fulfilled.
The processor shall take the following measures to ensure the deletion of Personal Data, provided that they lie within their area of responsibility:
- Ensure continued erasability of data upon request of controller.
- Processes, tools and documentation for secure deletion in such a way that recovery of the data is not possible using current state of the art technology.
- Guidelines for employees on how and when which data is to be deleted.
J. Certifications
CybelAngel is the holder of a SOC 2 Type I certification. Proof of such certificate can be provided to the controller upon request.