Data Processing Addendum (DPA)
Last updated: February 2023
1. Definitions
For purposes of this DPA, the terms below have the meanings set forth below. Capitalized terms that are used but not defined in this DPA have the meanings given in the Agreement.
(a) Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.
(b) Applicable Data Protection Laws means the privacy, data protection and data security laws and regulations of any jurisdiction applicable to the Processing of Personal Data under the Agreement, including, as applicable, without limitation, GDPR and the CCPA.
(c) CCPA means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the "CPRA"), and any binding regulations promulgated thereunder.
(d) Customer Data means information provided or made available to Provider for Processing on Customer’s behalf to perform the Services.
(e) EEA means the European Economic Area.
(f) European Data Protection Laws means the GDPR and other data protection laws and regulations of the European Union, its Member States, Switzerland, Iceland, Liechtenstein, Norway and the United Kingdom, in each case, to the extent applicable to the Processing of Personal Data under the Agreement.
(g) GDPR means, as and where applicable to Processing concerned: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); and/or (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR”), including, in each case (i) and (ii) any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and any successor, amendment or re-enactment, to or of the foregoing. References to “Articles” and “Chapters” of, and other relevant defined terms in, the GDPR shall be construed accordingly.
(h) Information Security Incident means a breach of Provider’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Provider’s possession, custody or control. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
(i) Personal Data means Customer Data that constitutes “personal data,” “personal information,” or “personally identifiable information” defined in Applicable Data Protection Laws, or information of a similar character regulated thereby, except that Personal Data does not include such information pertaining to Customer’s personnel or representatives who are business contacts of Provider, where Provider acts as a controller of such information.
(j) Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(k) Restricted Transfer means the disclosure, grant of access or other transfer of Customer Data to any person located in: (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EU Restricted Transfer”); and (ii) in the context of the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR.
(l) Security Measures has the meaning given in Section 4(a) (Provider Security Measures).
(m) Standard Contractual Clauses (“SCCs”) means the standard contractual clauses between controllers and processors or between processors adopted by the European Commission in its Implementing Decision (EU) 2021/914 of 4 June 2021.
(n) Subprocessors means third parties that Provider engages to Process Personal Data in relation to the Services.
(o) Supervisory Authority means (i) in the context of the EEA and the EU GDPR, a supervisory authority as defined in the EU GDPR; and (ii) in the context of the UK and the UK GDPR, the UK Information Commissioner’s Office.
(p) Third Party Subprocessors has the meaning given in Section 6 (Subprocessors).
(q) The terms controller, data subject and processor as used in this DPA have the meanings given in the GDPR.
(r) UK Transfer Addendum means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on February 2, 2022, as it is revised under Section 18 of the UK Mandatory Clauses included in Part 2 thereof (the “UK Mandatory Clauses”).
2. Duration and Scope of DPA
(a) This DPA will remain in effect so long as Provider Processes Personal Data, notwithstanding the expiration or termination of the Agreement.
3. Customer Instructions
(a) Provider will Process Personal Data only in accordance with Customer’s instructions to Provider and shall serve as a "processor" or "service provider" as defined under Applicable Data Protection Laws. This DPA is a complete expression of such instructions, and Customer’s additional instructions will be binding on Provider only pursuant to an amendment to this DPA signed by both parties. Customer instructs Provider to Process Personal Data to provide the Services as contemplated by this Agreement. Each party shall comply with Applicable Data Protection Laws with respect to its Processing of Personal Data.
4. Security
(a) Provider Security Measures. Provider will implement and maintain reasonable technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data (the “Security Measures”) as described in Annex 3 (Security Measures). Provider may update the Security Measures from time to time, so long as the updated measures do not decrease the overall protection of Personal Data.
(b) Security Compliance by Provider Staff. Provider will ensure that its personnel who are authorized to access Personal Data are subject to appropriate confidentiality obligations.
(c) Provider Security Assistance. Provider will (taking into account the nature of the Processing of Personal Data and the information available to Provider) provide Customer with reasonable assistance necessary for Customer to comply with its obligations in respect of Personal Data under Applicable Data Protection Laws, including Articles 32 to 34 (inclusive) of the GDPR, by (a) implementing and maintaining the Security Measures; and (b) complying with the terms of Section 4(d) (Information Security Incidents) of this DPA.
(d) Information Security Incidents. Provider will notify Customer without undue delay of any Information Security Incident of which Provider becomes aware. Such notifications will describe the available details of the Information Security Incident, including steps taken to mitigate the potential risks and steps Provider recommends Customer take to address the Information Security Incident. Provider will take all actions necessary to remediate and mitigate the Information Security Incident, and will provide reasonable assistance to Customer as necessary for Customer to address its obligations under Applicable Data Protection Laws. All associated costs will be borne by Provider.
(e) Deletion. Provider shall delete all the Personal Data on Provider’s systems on Customer’s request and after the end of the provision of Services, and shall delete existing copies unless continued storage of the Personal Data is required by (i) applicable laws of the European Union or its Member States, with respect to Personal Data subject to European Data Protection Laws or (ii) Applicable Data Protection Laws, with respect to all other Personal Data. Provider will comply with such instruction as soon as reasonably practicable and no later than 30 days after such expiration or termination, unless Applicable Data Protection Laws require storage. Customer may choose to request a copy of such Personal Data from Provider for an additional charge. Upon the parties’ agreement to such charge pursuant to a work order or other amendment to the Agreement, Provider will provide such copy of such Personal Data before it is deleted in accordance with this clause.
5. Data Subject Rights
(a) Provider’s Data Subject Request Assistance. Provider will (taking into account the nature of the Processing of Personal Data) provide Customer with assistance reasonably necessary for Customer to perform its obligations under Applicable Data Protection Laws to fulfill requests by data subjects to exercise their rights under Applicable Data Protection Laws (“Data Subject Requests”) with respect to Personal Data in Provider’s possession or control.
(b) Customer’s Responsibility for Requests. If Provider receives a Data Subject Request, Provider will advise the data subject to submit the request to Customer and Customer will be responsible for responding to the request with assistance from Provider.
6. Subprocessors
(a) Consent to Subprocessor Engagement. Customer specifically authorizes the engagement of Provider’s Affiliates as Subprocessors and generally authorizes the engagement of other third parties as Subprocessors (“Third Party Subprocessors”).
(b) Information about Subprocessors. Information about Subprocessors, including their functions and locations, is available at: rilldata.com/legal/sub-processors (as may be updated by Provider from time to time) or such other website address as Provider may provide to Customer from time to time (the “Subprocessor Site”).
(c) Requirements for Subprocessor Engagement. When engaging any Subprocessor, Provider will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this DPA with respect to Personal Data to the extent applicable to the nature of the services provided by such Subprocessor. Provider shall be liable for all obligations under the Agreement subcontracted to the Subprocessor and its actions and omissions related thereto.
(d) Opportunity to Object to Subprocessor Changes. When Provider engages any new Third Party Subprocessor after the effective date of the Agreement, Provider will notify Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by updating the Subprocessor Site or by other written means. If Customer objects to such engagement in a written notice to Provider within 15 days after being informed of the engagement on reasonable grounds relating to the protection of Personal Data, Customer and Provider will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to Provider and Provider shall reimburse Customer a pro-rata amount as of the date of such termination.
7. Reviews and Audits of Compliance
Customer may audit Provider’s compliance with its obligations under this DPA up to once per year and on such other occasions as may be required by Applicable Data Protection Laws, including where mandated by Customer’s Supervisory Authority. Provider will contribute to such audits by providing Customer or Customer’s Supervisory Authority with the information and assistance reasonably necessary to conduct the audit. To request an audit, Customer must submit a proposed audit plan to Provider at least two weeks in advance of the proposed audit date and any third party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Provider will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Provider security, privacy, employment or other relevant policies). Provider will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 7 shall require Provider to breach any duties of confidentiality. If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer’s audit request and Provider has confirmed there have been no known material changes in the controls audited since the date of such report, where permitted by law, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures. 
The audit must be conducted during regular business hours, subject to the agreed final audit plan and Provider’s safety, security or other relevant policies, and may not unreasonably interfere with Provider business activities. Customer will promptly notify Provider of any non-compliance discovered during the course of an audit and provide Provider any audit reports generated in connection with any audit under this Section 7, unless prohibited by Applicable Data Protection Laws or otherwise instructed by a Supervisory Authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA. Any audits are at Customer’s sole expense.
8. Customer Responsibilities
(a) Customer Compliance. Customer shall comply with its obligations under Applicable Data Protection Laws. Customer shall ensure (and is solely responsible for ensuring) that its instructions in Section 3 comply with Applicable Data Protection Laws, and that Customer has given all notices to, and has obtained all consents from, individuals to whom Personal Data pertains and all other parties as required by applicable laws or regulations for Customer to Process Personal Data as contemplated by the Agreement.
(b) Prohibited Data. Customer represents and warrants to Provider that Customer Data does not and will not, without Provider’s prior written consent, contain any social security numbers or other government-issued identification numbers, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; health insurance information; biometric information; passwords for online accounts; credentials to any financial accounts; tax return data; credit reports or consumer reports; any payment card information subject to the Payment Card Industry Data Security Standard; information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act or the regulations promulgated under either such law; information subject to restrictions under Applicable Data Protection Laws governing Personal Data of children, including, without limitation, all information about children under 16 years of age; or any information that falls within any special categories of data (as defined in GDPR).
9. Miscellaneous
Except as expressly modified by this DPA, the terms of the Agreement remain in full force and effect. In the event of any conflict or inconsistency between this DPA and the other terms of the Agreement, this DPA will govern. In the event of any conflict between any SCCs or the UK Transfer Addendum (as applicable) and this DPA, the SCCs or UK Transfer Addendum (as applicable) shall prevail. Notwithstanding anything in the Agreement or any order form entered in connection therewith to the contrary, the parties acknowledge and agree that Provider’s access to Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by Provider to Customer under this DPA may be given (a) in accordance with any notice clause of the Agreement; (b) to Provider’s primary points of contact with Customer; or (c) to any email provided by Customer for the purpose of providing it with Services-related communications or alerts. Customer is solely responsible for ensuring that such email addresses are valid.
10. Processing of Data
(a) Subject Matter and Details of Processing. The parties acknowledge and agree that (i) the subject matter of the Processing under the Agreement is Provider’s provision of the Services; (ii) the duration of the Processing is from Provider’s receipt of Personal Data until deletion of all Personal Data by Provider in accordance with the Agreement; (iii) the nature and purpose of the Processing is to provide the Services; (iv) the data subjects to whom the Personal Data pertains are end users of Customer’s service or end users of services aggregated by Customer; and (v) the categories of personal data are information about usage of Customer’s services by the data subjects.
(b) Roles and Regulatory Compliance; Authorization. The parties acknowledge and agree that (i) Provider is a processor of that Personal Data; (ii) Customer is a controller (or a processor acting on the instructions of a controller) of that Personal Data; and (iii) each party will comply with the obligations applicable to it in such role under the Applicable Data Protection Laws with respect to the Processing of that Personal Data. If Customer is a processor, Customer represents and warrants to Provider that Customer’s instructions and actions with respect to Personal Data, including its appointment of Provider as another processor, have been authorized by the relevant controller.
(c) Provider’s Compliance with Instructions. Provider will Process Personal Data only in accordance with Customer’s instructions stated in this DPA unless Applicable Data Protection Laws require otherwise, in which case Provider will notify Customer (unless that law prohibits Provider from doing so on important grounds of public interest).
11. Impact Assessments and Consultations
Provider will (taking into account the nature of the Processing and the information available to Provider) reasonably assist Customer in complying with its obligations under Applicable Data Protection Law, including, by (a) making available documentation describing relevant aspects of Provider’s information security program and the security measures applied in connection therewith and (b) providing the other information contained in the Agreement, including this DPA.
12. Data Transfers
(a) EU Restricted Transfers. To the extent that any Processing of Customer Data under this DPA involves an EU Restricted Transfer from Customer to Provider, such transfer will be governed by the SCCs and the parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be: (I) populated in accordance with Part 1 of Attachment 2 to Annex 1; and (II) entered into by the parties and incorporated by reference into this DPA.
(b) UK Restricted Transfers. To the extent that any Processing of Customer Data under this DPA involves a UK Restricted Transfer from Customer to Provider, the parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be: (I) varied to address the requirements of the UK GDPR in accordance with the UK Transfer Addendum and populated in accordance with Part 2 of Attachment 2 to Annex 1; and (II) entered into by the parties and incorporated by reference into this DPA.
(c) Adoption of new transfer mechanism. Provider may on notice vary this DPA and replace the relevant SCCs with: (I) any new form of the relevant SCCs or any replacement thereof prepared and populated accordingly (e.g., standard data protection clauses adopted by the European Commission for use specifically in respect of transfers to data importers subject to Article 3(2) of the EU GDPR); or (II) another transfer mechanism, other than the SCCs, which enables the lawful transfer of Customer Data to Provider under this DPA in compliance with Chapter V of the GDPR.
(d) Provision of full-form SCCs. In respect of any given Restricted Transfer, if requested of Customer by a Supervisory Authority, data subject or further controller (where applicable), then on specific written request (made to the contact details set out in Attachment 1 to Annex 1), accompanied by suitable supporting evidence of the relevant request, Provider shall provide Customer with an executed version of the relevant set(s) of SCCs responsive to the request made of Customer (amended and populated in accordance with Attachment 2 to Annex 1 in respect of the relevant Restricted Transfer) for countersignature by Customer, onward provision to the relevant requestor and/or storage to evidence Customer’s compliance with Applicable Data Protection Laws.
ANNEX 1 to DPA
ATTACHMENT 2
Population of the SCCs
Part 1 - Population of the SCCs
1. SIGNATURE OF THE SCCs
Where the SCCs apply in accordance with clause 12(a) to the DPA each of the parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs.
2. MODULES
The following modules of the SCCs apply in the manner set out below (having regard to the role(s) of Customer set out in Attachment 1 to Annex 1 to the DPA):
(a) Module Two of the SCCs applies to any EU Restricted Transfer involving Processing of Customer Data in respect of which Customer is a Controller in its own right; and/or
(b) Module Three of the SCCs applies to any EU Restricted Transfer involving Processing of Customer Data in respect of which Customer is itself acting as a Processor on behalf of any other person.
3. POPULATION OF THE BODY OF THE SCCs
3.1 For each Module of the SCCs, the following applies as and where applicable to that Module and the Clauses thereof:
(a) The optional ‘Docking Clause’ in Clause 7 is not used and the body of that Clause 7 is left intentionally blank.
(b) In Clause 9:
(i) OPTION 2: GENERAL WRITTEN AUTHORISATION applies, and the minimum time period for advance notice of the addition or replacement of Sub-Processors shall be the advance notice period set out in clause 6(d) to the DPA.
(c) In Clause 11, the optional language is not used and is deleted.
(d) In Clause 13, all square brackets are removed and all text therein is retained.
(e) In Clause 17: OPTION 1 applies, and the parties agree that the SCCs shall be governed by the law of Ireland in relation to any EU Restricted Transfer; and OPTION 2 is not used and that optional language is deleted.
(f) For the purposes of Clause 18, the parties agree that any dispute arising from the SCCs in relation to any EU Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.
3.2 In this Paragraph 3, references to "Clauses" are references to the Clauses of the SCCs.
4. POPULATION OF ANNEXES TO THE APPENDIX TO THE SCCs
4.1 Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Attachment 1 to Annex 1 to the DPA, with: Customer being ‘data exporter’; and Provider being ‘data importer’.
4.2 Part C of Annex I to the Appendix to the SCCs is populated as below:
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Ireland
4.3 Annex II to the Appendix to the SCCs is populated as below:
General:
Please refer to Section 4 of the DPA and Annex 3 (Security Measures) to the DPA.
In the event that Customer receives a Data Subject Request under the EU GDPR and requires assistance from Provider, Customer should email Provider’s contact point for data protection identified in Attachment 1 to Annex 1 to the DPA.
Sub-Processors: When Provider engages a Sub-Processor under these Clauses, Provider shall enter into a binding contractual arrangement with such Sub-Processor that imposes upon them data protection obligations which, in substance, meet or exceed the relevant standards required under these Clauses and the DPA, including in respect of:
- applicable information security measures;
- notification of Personal Data Breaches to Provider;
- return or deletion of Customer Data as and where required; and
- engagement of further Sub-Processors.
PART 2 – UK RESTRICTED TRANSFERS
1. UK TRANSFER ADDENDUM
1.1 Where relevant in accordance with clause 12(b) to the DPA, the SCCs also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum in the manner described below:
(a) Part 1 to the UK Transfer Addendum. The parties agree:
(i) Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Attachment 1 to Annex 1 to the DPA and the foregoing provisions of this Attachment 2 (subject to the variations effected by the UK Mandatory Clauses described in (b) below); and
(ii) Table 4 to the UK Transfer Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked.
(b) Part 2 to the UK Transfer Addendum. The parties agree to be bound by the UK Mandatory Clauses of the UK Transfer Addendum.
1.2 As permitted by Section 17 of the UK Mandatory Clauses, the parties agree to the presentation of the information required by ‘Part 1: Tables’ of the UK Transfer Addendum in the manner set out in Paragraph 1.1 of this Part 2; provided that the parties further agree that nothing in the manner of that presentation shall operate or be construed so as to reduce the Appropriate Safeguards (as defined in Section 3 of the UK Mandatory Clauses).
1.3 In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs shall be read as a reference to those SCCs as varied in the manner set out in Paragraph 1.1 of this Part 2.
ANNEX 2 to DPA
CALIFORNIA ANNEX
1. For purposes of this Annex 2, the terms “business,” “business purpose,” “commercial purpose,” “consumer,” “sell,” “share” and “service provider” shall have the respective meanings given thereto in the CCPA, and “personal information” shall mean Personal Data that constitutes personal information governed by the CCPA.
2. It is the parties’ intent that with respect to any personal information, Provider is a service provider. Provider shall not (a) sell or share any personal information; (b) retain, use or disclose any personal information for any commercial purpose other than for the business purpose of providing the Services specified in the Agreement, or as otherwise permitted by the CCPA; (c) retain, use or disclose the personal information outside of the direct business relationship between Provider and Customer; or (d) combine personal information received pursuant to the Agreement with personal information (i) received from or on behalf of another person, or (ii) collected from Provider’s own interaction with any consumer to whom such personal information pertains. Provider hereby certifies that it understands its obligations under this Section 2 and will comply with them.
3. The parties acknowledge that Provider’s retention, use and disclosure of personal information authorized by Customer’s instructions documented in the DPA are integral to Provider’s provision of the Services and the business relationship between the parties.
4. Giving Customer notice of Subprocessor engagements in accordance with Section 6 of the DPA shall satisfy Provider’s obligation under the CPRA to give notice of such engagements.
5. Obligations under this California Annex that are not required to be imposed on Provider for Provider to qualify as a Service Provider under the CCPA before the CPRA takes effect on January 1, 2023 shall apply to Provider only on and after January 1, 2023.
ANNEX 3 to DPA
SECURITY MEASURES
Cloud Security
Cloud resource access logs for cloud resources known to contain Personal Data shall be ingested into a centralized security incident and event monitoring system for aggregation and event processing.
Access to cloud resources containing Personal Data shall only be allowed from Provider office locations or through the required use of a virtual private network (VPN).
Cloud resource key pairs for cloud resources containing Personal Data shall be rotated every 180 days.
Provider shall not allow shared SSH keys for access to virtual machines containing Personal Data.
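Two of the controls above are mechanically checkable from a key inventory: the 180-day rotation interval for key pairs on resources holding Personal Data, and the prohibition on shared SSH keys. The following script is an added example, not Provider’s own tooling or anything the DPA prescribes; the inventory rows, their field names and the fingerprint format are constructed for illustration, and in practice they would be pulled from the cloud provider’s API or from the SIEM that ingests the access logs.

```python
"""Audit a cloud key-pair inventory against the Annex 3 Cloud Security rules:
key pairs on resources containing Personal Data are rotated every 180 days,
and no SSH key is shared between users.

Added example, not Provider's tooling. The inventory format, field names
and fingerprints below are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

MAX_KEY_AGE_DAYS = 180  # rotation interval stated in Annex 3 (Cloud Security)


@dataclass(frozen=True)
class KeyPair:
    resource: str              # cloud resource the key grants access to
    fingerprint: str           # public-key fingerprint (assumed "SHA256:..." format)
    user: str                  # principal the key is assigned to
    created: date              # date the key pair was created or last rotated
    holds_personal_data: bool  # whether the resource is in scope for the control


def stale_key_pairs(inventory, as_of, max_age_days=MAX_KEY_AGE_DAYS):
    """Return in-scope key pairs older than max_age_days as of `as_of`.

    Resources that do not hold Personal Data are ignored: the Annex 3 rule
    applies only to "cloud resources containing Personal Data".
    """
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(
        (k for k in inventory if k.holds_personal_data and k.created < cutoff),
        key=lambda k: (k.resource, k.user),
    )


def shared_ssh_keys(inventory):
    """Map fingerprint -> set of users, for in-scope keys used by more than one user.

    The same fingerprint assigned to two principals is the "shared SSH key"
    case Annex 3 prohibits; one user holding a key on several resources is fine.
    """
    users_by_fp = defaultdict(set)
    for k in inventory:
        if k.holds_personal_data:
            users_by_fp[k.fingerprint].add(k.user)
    return {fp: users for fp, users in users_by_fp.items() if len(users) > 1}


def audit(inventory, as_of):
    """Run both checks and return a list of human-readable findings."""
    findings = []
    for k in stale_key_pairs(inventory, as_of):
        age = (as_of - k.created).days
        findings.append(
            f"{k.resource}: key {k.fingerprint} for {k.user} is {age} days old "
            f"(limit {MAX_KEY_AGE_DAYS})"
        )
    for fp, users in shared_ssh_keys(inventory).items():
        findings.append(f"shared SSH key {fp} used by {', '.join(sorted(users))}")
    return findings


# Constructed sample inventory and audit date (not real resources or keys).
SAMPLE_AS_OF = date(2023, 2, 1)
SAMPLE_INVENTORY = [
    KeyPair("vm-analytics-01", "SHA256:aaa", "alice", date(2022, 7, 1), True),   # 215 days old
    KeyPair("vm-analytics-01", "SHA256:bbb", "bob",   date(2023, 1, 15), True),
    KeyPair("vm-analytics-02", "SHA256:bbb", "carol", date(2023, 1, 20), True),  # same key as bob
    KeyPair("vm-ci-runner",    "SHA256:ccc", "dave",  date(2022, 1, 1), False),  # out of scope
]


def audit_sample():
    """Audit the constructed inventory; returns two findings."""
    return audit(SAMPLE_INVENTORY, SAMPLE_AS_OF)


if __name__ == "__main__":
    for line in audit_sample():
        print(line)
```

The out-of-scope CI runner key is deliberately old and deliberately ignored: the control as written is scoped to resources containing Personal Data, so an auditor reading Annex 3 literally would not flag it, and anyone wanting a fleet-wide rotation rule should say so in the measures rather than rely on this wording.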
Network Security
All network traffic between clients and Provider shall require user authentication, be encrypted, and pass through appropriately configured firewalls. Firewalls shall be configured to not allow external access to Provider networks without VPN connectivity.
Code Version Control
All Provider code resides in GitHub. Provider shall require multi-factor authentication for all employees accessing GitHub.
Virtual Private Network
Provider’s virtual private network shall be configured to use Google SSO and multi-factor authentication.
Monitoring/Logging
Provider currently uses Datadog for monitoring and logging, and shall continue to use Datadog or another logging system going forward. All Provider logs shall be sent to Datadog over HTTPS (TLS). Access to Provider logs shall be restricted to Provider engineering and development groups, and controlled by Google SSO with multi-factor authentication.
Antivirus
Provider shall enable virus-scanning and file integrity monitoring for all computer systems containing Personal Data.
Corporate Email Systems
Provider shall disable POP/IMAP access for Gmail. Provider shall not allow distribution of documents containing Personal Data outside of the Provider organization.
Password Management
Provider shall store all passwords for computer systems containing Personal Data in 1Password, Vault or a similar password vault program.
Patching
Provider shall install security patches within commercially reasonable timeframes.
Recovery
Provider computer systems containing Personal Data shall be configured to automatically recover in the case of unexpected failures.
Provider shall maintain secure backups for all computer systems containing Personal Data in deep storage.
Provider backups containing Personal Data shall be stored in encrypted form.
Provider shall employ regularly scheduled backups for computer systems holding Personal Data.
Provider users/engineers shall not be permitted to install software on workspace pods.
Incident Response
Provider shall implement and maintain incident management procedures designed to allow Provider to investigate, respond to, mitigate and notify of events related to the Provider’s technology and information assets. Provider shall also comply with the obligations in the Agreement and the DPA.
(i) Personal Data means Customer Data that constitutes “personal data,” “personal information,” or “personally identifiable information” defined in Applicable Data Protection Laws, or information of a similar character regulated thereby, except that Personal Data does not include such information pertaining to Customer’s personnel or representatives who are business contacts of Provider, where Provider acts as a controller of such information.
(j) Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(k) Restricted Transfer means the disclosure, grant of access or other transfer of Customer Data to any person located in: (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EU Restricted Transfer”); and (ii) in the context of the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR.
(l) Security Measures has the meaning given in Section 4(a) (Provider Security Measures).
(m) Standard Contractual Clauses means the standard contractual clauses between controllers and processors or processors and processors adopted by the European Commission in its Implementing Decision (EU) 2021/91 of June 4, 2021
(n) Subprocessors means third parties that Provider engages to Process Personal Data in relation to the Services.
(o) Supervisory Authority means (i) in the context of the EEA and the EU GDPR, shall have the meaning given to that term in the EU GDPR; and (ii) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office.
(p) Third Party Subprocessors has the meaning given in Section 6 (Subprocessors).
(q) The terms controller, data subject and processor as used in this DPA have the meanings given in the GDPR.
(r) UK Transfer Addendum means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on February 2, 2022, as it is revised under Section 18 of the UK Mandatory Clauses included in Part 2 thereof (the “UK Mandatory Clauses”).
2. Duration and Scope of DPA
(a) This DPA will remain in effect so long as Provider Processes Personal Data, notwithstanding the expiration or termination of the Agreement.
3. Customer Instructions
(a) Provider will Process Personal Data only in accordance with Customer’s instructions to Provider and shall serve as a "processor" or "service provider" as defined under Applicable Data Protection Laws. This DPA is a complete expression of such instructions, and Customer’s additional instructions will be binding on Provider only pursuant to an amendment to this DPA signed by both parties. Customer instructs Provider to Process Personal Data to provide the Services as contemplated by this Agreement. Each party shall comply with Applicable Data Protection Laws with respect to its Processing of Personal Data.
4. Security
(a) Provider Security Measures. Provider will implement and maintain reasonable technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data (the “Security Measures”) as described in Annex 3 (Security Measures). Provider may update the Security Measures from time to time, so long as the updated measures do not decrease the overall protection of Personal Data.
(b) Security Compliance by Provider Staff. Provider will ensure that its personnel who are authorized to access Personal Data are subject to appropriate confidentiality obligations.
(c) Provider Security Assistance. Provider will (taking into account the nature of the Processing of Personal Data and the information available to Provider) provide Customer with reasonable assistance necessary for Customer to comply with its obligations in respect of Personal Data under Applicable Data Protection Laws, including Articles 32 to 34 (inclusive) of the GDPR, by (a) implementing and maintaining the Security Measures; and (b) complying with the terms of Section 4(d) (Information Security Incidents) of this DPA.
(d) Information Security Incidents. Provider will notify Customer without undue delay of any Information Security Incident of which Customer becomes aware. Such notifications will describe available details of the Information Security Incident, including steps taken to mitigate the potential risks and steps Provider recommends Customer take to address the Information Security Incident. Provider will take all actions necessary to remediate and mitigate the Security Incident, and will provide reasonable assistance to Customer as necessary for Customer to address its obligations under Applicable Data Protection Laws. All associated costs will be borne by Provider.
(e) Deletion. Provider shall delete all the Personal Data on Provider’s systems on Customer’s request and after the end of the provision of Services, and shall delete existing copies unless continued storage of the Personal Data is required by (i) applicable laws of the European Union or its Member States, with respect to Personal Data subject to European Data Protection Laws or (ii) Applicable Data Protection Laws, with respect to all other Personal Data. Provider will comply with such instruction as soon as reasonably practicable and no later than 30 days after such expiration or termination, unless Applicable Data Protection Laws require storage. Customer may choose to request a copy of such Personal Data from Provider for an additional charge. Upon the parties’ agreement to such charge pursuant to a work order or other amendment to the Agreement, Provider will provide such copy of such Personal Data before it is deleted in accordance with this clause.
5. Data Subject Rights
(a) Provider’s Data Subject Request Assistance. Provider will (taking into account the nature of the Processing of Personal Data) provide Customer with assistance reasonably necessary for Customer to perform its obligations under Applicable Data Protection Laws to fulfill requests by data subjects to exercise their rights under Applicable Data Protection Laws (“Data Subject Requests”) with respect to Personal Data in Provider’s possession or control.
(b) Customer’s Responsibility for Requests. If Provider receives a Data Subject Request, Provider will advise the data subject to submit the request to Customer and Customer will be responsible for responding to the request with assistance from Provider.
6. Subprocessors
(a) Consent to Subprocessor Engagement. Customer specifically authorizes the engagement of Provider’s Affiliates as Subprocessors and generally authorizes the engagement of other third parties as Subprocessors (“Third Party Subprocessors”).
(b) Information about Subprocessors. Information about Subprocessors, including their functions and locations, is available at: rilldata.com/legal/sub-processors (as may be updated by Provider from time to time) or such other website address as Provider may provide to Customer from time to time (the “Subprocessor Site”).
(c) Requirements for Subprocessor Engagement. When engaging any Subprocessor, Provider will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this DPA with respect to Personal Data to the extent applicable to the nature of the services provided by such Subprocessor. Provider shall be liable for all obligations under the Agreement subcontracted to the Subprocessor and its actions and omissions related thereto.
(d) Opportunity to Object to Subprocessor Changes. When Provider engages any new Third Party Subprocessor after the effective date of the Agreement, Provider will notify Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by updating the Subprocessor Site or by other written means. If Customer objects to such engagement in a written notice to Provider within 15 days after being informed of the engagement on reasonable grounds relating to the protection of Personal Data, Customer and Provider will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to Provider and Provider shall reimburse Customer a pro-rata amount as of the date of such termination.
7. Reviews and Audits of Compliance
Customer may audit Provider’s compliance with its obligations under this DPA up to once per year and on such other occasions as may be required by Applicable Data Protection Laws, including where mandated by Customer’s Supervisory Authority. Provider will contribute to such audits by providing Customer or Customer’s Supervisory Authority with the information and assistance reasonably necessary to conduct the audit. To request an audit, Customer must submit a proposed audit plan to Provider at least two weeks in advance of the proposed audit date and any third party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Provider will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Provider security, privacy, employment or other relevant policies). Provider will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 7 shall require Provider to breach any duties of confidentiality. If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer’s audit request and Provider has confirmed there have been no known material changes in the controls audited since the date of such report, where permitted by law, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures. 
The audit must be conducted during regular business hours, subject to the agreed final audit plan and Provider’s safety, security or other relevant policies, and may not unreasonably interfere with Provider business activities. Customer will promptly notify Provider of any non-compliance discovered during the course of an audit and provide Provider any audit reports generated in connection with any audit under this Section 7, unless prohibited by Applicable Data Protection Laws or otherwise instructed by a Supervisory Authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA. Any audits are at Customer’s sole expense.
8. Customer Responsibilities
(a) Customer Compliance. Customer shall comply with its obligations under Applicable Data Protection Laws. Customer shall ensure (and is solely responsible for ensuring) that its instructions in Section 3 comply with Applicable Data Protection Laws, and that Customer has given all notices to, and has obtained all such from, individuals to whom Personal Data pertains and all other parties as required by applicable laws or regulations for Customer to Process Personal Data as contemplated by the Agreement.
(b) Prohibited Data. Customer represents and warrants to Provider that Customer Data does not and will not, without Provider’s prior written consent, contain any social security numbers or other government-issued identification numbers, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; health insurance information; biometric information; passwords for online accounts; credentials to any financial accounts; tax return data; credit reports or consumer reports; any payment card information subject to the Payment Card Industry Data Security Standard; information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act or the regulations promulgated under either such law; information subject to restrictions under Applicable Data Protection Laws governing Personal Data of children, including, without limitation, all information about children under 16 years of age; or any information that falls within any special categories of data (as defined in GDPR).
9. Miscellaneous
Except as expressly modified by this DPA, the terms of the Agreement remain in full force and effect. In the event of any conflict or inconsistency between this DPA and the other terms of the Agreement, this DPA will govern. In the event of any conflict between any SCC's or the UK Transfer Addendum (as applicable) and this DPA, the SCC's or UK Transfer Addendum (as applicable) shall prevail. Notwithstanding anything in the Agreement or any order form entered in connection therewith to the contrary, the parties acknowledge and agree that Provider’s access to Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by Provider to Customer under this DPA may be given (a) in accordance with any notice clause of the Agreement; (b) to Provider’s primary points of contact with Customer; or (c) to any email provided by Customer for the purpose of providing it with Services-related communications or alerts. Customer is solely responsible for ensuring that such email addresses are valid.
10. Processing of Data
(a) Subject Matter and Details of Processing. The parties acknowledge and agree that (i) the subject matter of the Processing under the Agreement is Provider’s provision of the Services; (ii) the duration of the Processing is from Provider’s receipt of Personal Data until deletion of all Personal Data by Provider in accordance with the Agreement; (iii) the nature and purpose of the Processing is to provide the Services; (iv) the data subjects to whom the Personal Data pertains are end users of Customer’s service or end users of services aggregated by Customer; and (v) the categories of personal data are information about usage of Customer’s services by the data subjects.
(b) Roles and Regulatory Compliance; Authorization. The parties acknowledge and agree that (i) Provider is a processor of that Personal Data ; (ii) Customer is a controller (or a processor acting on the instructions of a controller) of that Personal Data ; and (iii) each party will comply with the obligations applicable to it in such role under the Applicable Data Protection Laws with respect to the Processing of that Personal Data. If Customer is a processor, Customer represents and warrants to Provider that Customer’s instructions and actions with respect to Personal Data, including its appointment of Provider as another processor, have been authorized by the relevant controller.
(c) Provider’s Compliance with Instructions. Provider will Process Personal Data only in accordance with Customer’s instructions stated in this DPA unless Applicable Data Protection Laws require otherwise, in which case Provider will notify Customer (unless that law prohibits Provider from doing so on important grounds of public interest).
11. Impact Assessments and Consultations
Provider will (taking into account the nature of the Processing and the information available to Provider) reasonably assist Customer in complying with its obligations under Applicable Data Protection Law, including, by (a) making available documentation describing relevant aspects of Provider’s information security program and the security measures applied in connection therewith and (b) providing the other information contained in the Agreement, including this DPA.
12. Data Transfers
(a) EU Restricted Transfers. To the extent that any processing of Customer Data under this DPA involves an EU Restricted Transfer from Customer to Provider, such transfer will be governed by the SCC's and the parties shall comply with their respective obligations set out in the SCC's, which are hereby deemed to be: (I) populate in accordance with Part 1 of Attachment 2 to Annex 1; and (II) entered into by the parties and incorporated by reference into this DPA.
(b) UK Restricted Transfers. To the extent that any processing of Customer Data under this DPA involves a UK Restricted Transfer from Customer to Provider, the parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be: (I) varied to address the requirements of the UK GDPR in accordance with UK Transfer Addendum and populated in accordance with Part 2 of Attachment 2 to Annex 1; and (II) entered into by the parties and incorporated by reference into this DPA.
(c) Adoption of new transfer mechanism. Provider may on notice vary this DPA and replace the relevant SCC's with: (I) any new form of the relevant SCC's or any replacement thereof prepared and populated accordingly (e.g., standard data protection clauses adopted by the European Commission for use specifically in respect of transfers to data importers subject to Article 3(2) of the EU GDPR); or (II) another transfer mechanism, other than the SCC’s; which enables the lawful transfer of Customer Data to Provider under this DPA in compliance with Chapter V of the GDPR.
(d) Provision of full-form SCC’s. In respect of any given Restricted Transfer, if requested of Customer by a Supervisory Authority, Data Subject or further controller (where applicable) – on specific written request (made to the contact details set out in Attachment 1 to Annex 1); accompanied by suitable supporting evidence of the relevant request, Provider shall provide Customer with an executed version of the relevant set(s) of SCC's responsive to the request made of Customer (amended and populated in accordance with Attachment 2 of Annex 1 in respect of the relevant Restricted Transfer) for countersignature by Customer, onward provision to the relevant requestor and/or storage to evidence Customer’s compliance with Applicable Data Protection Laws.
ANNEX 1 to DPA
ATTACHMENT 1
Population of SCC's
Part 1 - Population of the SCC's
1. SIGNATURE OF THE SCCs
Where the SCCs apply in accordance with clause 12(a) to the DPA each of the parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs.
2. MODULES
The following modules of the SCCs apply in the manner set out below (having regard to the role(s) of Customer set out in Attachment 1 to Annex 1 to the DPA):
(a) Module Two of the SCCs applies to any EU Restricted Transfer involving Processing of Customer Data in respect of which Customer is a Controller in its own right; and/or
(b) Module Three of the SCCs applies to any EU Restricted Transfer involving Processing of Customer Data in respect of which Customer is itself acting as a Processor on behalf of any other person.
3. POPULATION OF THE BODY OF THE SCCs
3.1 For each Module of the SCCs, the following applies as and where applicable to that Module and the Clauses thereof:
(a) The optional ‘Docking Clause’ in Clause 7 is not used and the body of that Clause 7 is left intentionally blank.
(b) In Clause 9:
(i) OPTION 2: GENERAL WRITTEN AUTHORISATION applies, and the minimum time period for advance notice of the addition or replacement of Sub-Processors shall be the advance notice period set out in clause 6(d) to the DPA.
(c) In Clause 11, the optional language is not used and is deleted.
(d) In Clause 13, all square brackets are removed and all text therein is retained.
(e) In Clause 17: OPTION 1 applies, and the parties agree that the SCC's shall be governed by the law of Ireland in relation to any EU Restricted Transfer; and OPTION 2 is not used and that optional language is deleted.
(f) For the purposes of Clause 18, the parties agree that any dispute arising from the SCC's in relation to any EU Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.
3.2 In this Paragraph 3, references to "Clauses" are references to the Clauses of the SCCs.
4. POPULATION OF ANNEXES TO THE APPENDIX TO THE SCCs
4.1 Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Attachment 1 to Annex 1 to the DPA, with: Customer being ‘data exporter’; and Provider being ‘data importer’.
4.2 Part C of Annex I to the Appendix to the SCCs is populated as below:Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Ireland
4.3 Annex II to the Appendix to the SCCs is populated as below:
General:
Please refer to Section 4 of the DPA and Annex 3 (Security Measures) to the DPA.
In the event that Customer receives a Data Subject Request under the EU GDPR and requires assistance from Provider, Customer should email Provider’s contact point for data protection identified in Attachment 1 to Annex 1 to the DPA.
Sub-Processors: When Provider engages a Sub-Processor under these Clauses, Provider shall enter into a binding contractual arrangement with such Sub-Processor that imposes upon them data protection obligations which, in substance, meet or exceed the relevant standards required under these Clauses and the DPA, including in respect of:
- applicable information security measures;
- notification of Personal Data Breaches to Provider;
- return or deletion of Customer Data as and where required; and
- engagement of further Sub-Processors.
PART 2 – UK RESTRICTED TRANSFERS
1. UK TRANSFER ADDENDUM
4.4 Where relevant in accordance with clause 12(b) to the DPA, the SCC's also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum in the manner described below
(a) Part 1 to the UK Transfer Addendum. The parties agree:
(i) Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Attachment 1 to Annex 1 to the DPA and the foregoing provisions of this Attachment 2 (subject to the variations effected by the UK Mandatory Clauses described in (b) below); and
(ii) Table 4 to the UK Transfer Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked.
(b) Part 2 to the UK Transfer Addendum. The parties agree to be bound by the UK Mandatory Clauses of the UK Transfer Addendum.
4.5 As permitted by Section 17 of the UK Mandatory Clauses, the parties agree to the presentation of the information required by ‘Part 1: Tables’ of the UK Transfer Addendum in the manner set out in Paragraph 1.1 of this Part 2; provided that the parties further agree that nothing in the manner of that presentation shall operate or be construed so as to reduce the Appropriate Safeguards (as defined in Section 3 of the UK Mandatory Clauses).
4.6 In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out in Paragraph 1.1 of this Part 2.
ANNEX 2 to DPA
CALIFORNIA ANNEX
1. For purposes of this Annex 2, the terms “business,” “commercial purpose,” “sell” and “service provider” shall have the respective meanings given thereto in the CCPA, and “personal information” shall mean Personal Data that constitutes personal information governed by the CCPA.
2. It is the parties’ intent that with respect to any personal information, Provider is a service provider. Provider shall not (a) Sell or Share any personal information; (b) retain, use or disclose any Personal Information for any Commercial Purpose other than for the Business Purpose of providing the Services specified in the Agreement, or as otherwise permitted by the CPRA, (c) retain, use or disclose the personal information outside of the direct business relationship between Provider and Customer, or (d) combine Personal Information received pursuant to the Agreement with Personal Information (i) received from or on behalf of another person, or (ii) or collected from Provider's own interaction with any Consumer to whom such Personal Information pertains. Provider hereby certifies that it understands its obligations under this Section 2 and will comply with them
3. The parties acknowledge that Provider’s retention, use and disclosure of personal information authorized by Customer’s instructions documented in the DPA are integral to Provider’s provision of the Services and the business relationship between the parties.
4. Giving Customer notice of Subprocessor engagements in accordance with Section 6 of the DPA shall satisfy Provider's obligation under the CPRA to given notice of such engagements.
5. Obligations under this California Annex that are not required to be imposed on Provider for Provider to qualify as a Service Provider under the CCPA before the CPRA takes effect on January 1, 2023 shall apply to Provider only on and after January 1, 2023.
ANNEX 3 to DPA
SECURITY MEASURES
Cloud Security
Cloud resource access logs for cloud resources known to contain Personal Data shall be ingested into a centralized security incident and event monitoring system for aggregation and event processing.Access to cloud resources containing Personal Data shall only be allowed from Provider office locations or through the required use of a virtual private network (VPN).Cloud resource key pairs for cloud resources containing Personal Data shall be rotated every 180 days.Provider shall not allow shared SSH keys for access to virtual machines containing Personal Data.
Network Security
All network traffic between clients and Provider shall require user authentication, be encrypted, and include appropriate firewalls.Firewalls shall be configured to not allow external access to Provider networks without VPN connectivity.
Code Version Control
All Provider code resides in Github. Provider shall employ multi-factor authentication for all employees to access Github.
Virtual Private Network
Provider’s virtual private network shall be configured to use Google SSO and multi-factor authentication.
Monitoring/Logging
Provider currently uses Datadog for monitoring and logging, and shall continue to use Datadog or another logging system going forward. All Provider logs shall be sent to Datadog using HTTPS/SSL.Access to Provider logs shall be restricted to Provider engineering and development groups, and controlled by Google SSO with multi-factor authentication.
Antivirus
Provider shall enable virus-scanning and file integrity monitoring for all computer systems containing Personal Data.
Corporate Email Systems
Provider shall disable POP/IMAP access for Gmail.Provider shall not allow distribution of documents containing Personal Data outside of the Provider organization.
Password Management
Provider shall store all passwords for computer systems containing Personal Data in 1Password, Vault or a similar password vault program.PatchingProvider shall install security patches within commercially reasonable timeframes.
Recovery
Provider computer systems containing Personal Data shall be configured to automatically recover in the case of unexpected failures.Provider shall maintain secure backups for all computer systems containing Personal Data in deep storage.Provider backups containing Personal Data shall be stored in encrypted form.Provider shall employ regularly scheduled backups for computer systems holding Personal Data.Provider users/engineers shall not be permitted to install software on workspace pods.
Incident Response
Provider shall implement and maintain incident management procedures designed to allow Provider to investigate, respond to, mitigate and notify of events related to the Provider’s technology and information assets. Provider shall also comply with the obligations in the Agreement and the DPA.