This Data Protection Addendum including, its Schedules (the “DPA”) forms part of the EnterpriseDB Corporation (“EDB”, “we”, “our”, “us”) BigAnimal Terms (the “Terms”) entered into between the party identified as the “Customer” therein (“Customer”, “you”, “your”) and EDB (each a “Party” and together, the “Parties”) and as updated from time to time between the Parties.
This DPA has been entered into by the Parties to reflect their agreement with regard to the processing of Personal Data under or in connection with the Terms. This DPA only applies to the extent you are a corporate customer and the Personal Data processed by us in the course of our provision of Services to you, is subject to Applicable Data Protection Laws in the course of our provision of Services to you.
Customer enters into this DPA as of the date of acceptance by Customer of the DPA (“Effective Date”), on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and Authorized Affiliates.
In the course of providing services to Customer pursuant to the Terms (the “Services”), EDB may process Personal Data of Customer and the Parties agree to comply with the following provisions with respect to any such processing.
HOW TO EXECUTE THIS DPA:
- This DPA consists of: (i) the main body of the DPA, (ii) Schedule 1 which includes the CCPA Addendum, (iii) Schedule 2 which contains the details of processing relevant to the Standard Contractual Clauses, and (iii) Schedule 3 which contains technical and organizational measures.
- This DPA has been pre-signed on behalf of EDB.
- By continuing to use of the Services you are deemed to have accepted and be bound by, as applicable, the terms of this DPA, the CCPA Addendum, and/or the Standard Contractual Clauses expressly incorporated herein. At this point this DPA will become legally binding. For the avoidance of doubt, acceptance of the DPA shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses incorporated herein, as and to the extent applicable.
- By using the Services you confirm you are duly authorized by the Customer entity you represent to execute this DPA.
DATA PROTECTION TERMS:
1. DEFINITIONS; INTERPRETATION
1.1 The following terms shall have the following meanings:
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity;
“Applicable Data Protection Laws” has the meaning given to it in the Terms.
“Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the Applicable Data Protection Laws, and (b) is permitted to use the Services pursuant to the Terms;
“Business,” “Business Purpose,” “Commercial Purpose,” “Sell,” “Selling,” “Sale,” “Sold,” “Service Provider,” and “Share,” “Shared,” or “Sharing” have the meaning given to them in the CCPA.
“CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act.
“CCPA Addendum” means the addendum attached as Schedule 2 hereto;
“Data Subject” means the natural person to whom any Personal Data processed by EDB through the Services relates.
“Data Subject Rights” means all rights granted to Data Subjects by the CCPA, the GDPR, or other Applicable Data Protection Laws (as the case may be) including the right to know/access, correct, delete, opt out, and limit the use and disclosure of sensitive personal data.
“EEA Restricted Transfer” means a transfer of Personal Data from or which originated in the EEA to a Third Country that is not considered to provide an “adequate level” of data protection by the European Commission and where such transfer is subject to the EU GDPR;
“GDPR” means the EU General Data Protection Regulation 2016/679 (“EU GDPR”) as implemented by countries within the EEA and the EU GDPR as retained as UK law by the European Union (Withdrawal) Act 2018 (“UK GDPR”) (as applicable to the processing);
“Personal Data” means any information that relates to a natural person that is identified or reasonably identifiable and which is protected as “personal data”, “personal information,” or “personally identifiable information” or similar terms under Applicable Data Protection Laws;
“Restricted Transfer” means either an EEA Restricted Transfer, a Swiss Restricted Transfer or a UK Restricted Transfer, in each case where an alternative mechanism under Applicable Data Protection Laws is not in place, including reliance on a derogation or the consent of Data Subjects;
“Security Requirements” means the security standards located at Schedule 3 of this DPA;
“Standard Contractual Clauses” means the Standard Contractual Clauses set out in the European Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of Personal Data to Third Countries pursuant to Regulation (EU) 2016/679, as updated, amended, replaced or superseded from time to time by the European Commission;
“Subprocessor” means a third party engaged by EDB to assist it in processing Personal Data, including for a Business Purpose (in respect of processing subject to the CCPA), on behalf of Customer;
“Swiss Restricted Transfer” means a transfer of Personal Data from or which originated in Switzerland to a Third Country that is not considered to provide an “adequate level” of data protection by the Federal Data Protection and Information Commissioner (“FDPIC”);
“Third Country” means a country outside of the EEA, Switzerland and the UK;
“UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by Information Commissioner’s Office under section 119(A) of the UK Data Protection Act 2018, as updated or amended from time to time;
“UK Restricted Transfer” means a transfer of Personal Data from or which originated in the UK to a Third Country that is not considered to provide an “adequate level” of data protection by the UK Government under Section 17A of the UK Data Protection Act 2018 and where such transfer is subject to the UK GDPR; and
The terms “controller”, “personal data breach” “processor”, “processing”, “sensitive personal data”, “supervisory authority” shall have the same meanings ascribed to them or their analogous terms under the GDPR.
1.2 To the extent the terms contained in this DPA conflict with those contained in the Terms, the terms in this DPA shall prevail to the extent such conflict relates to the processing of Personal Data. To the extent the terms contained in this DPA conflict with those contained in the Standard Contractual Clauses, where incorporated by reference, or Schedule 1 (CCPA Addendum), where applicable, the terms in the Standard Contractual Clauses and Schedule 1 (CCPA Addendum) shall respectively prevail to the extent of such conflict.
2. GENERAL
2.1 Each Party shall comply with its respective obligations under Applicable Data Protection Laws and the terms of this DPA. Schedule 2 describes the subject matter, duration, nature and purpose of the processing, the Personal Data categories and Data Subject types in respect of which EDB may process the Personal Data when performing the Services.
2.2 The Parties acknowledge that if EDB processes Personal Data of California residents, the terms of Schedule 1 hereto shall apply.
2.3 The Parties acknowledge that if a Customer (“Data Exporter”) undertakes a Restricted Transfer of Personal Data to EDB (“Data Importer”) the Parties shall process Personal Data which is subject to the Restricted Transfer (“Transferred Data”) in accordance with the terms of clause 3 below and Schedule 2 hereto.
3. RESTRICTED TRANSFERS
3.1 Where either Party carries out an EEA Restricted Transfer, Swiss Restricted Transfer, or UK Restricted Transfer, the Parties hereby enter into, solely to the extent applicable, Module One and/or Module Two of the Standard Contractual Clauses, as the context requires, which are hereby incorporated by reference into this DPA, and which shall come into effect upon the commencement of the Restricted Transfer. Annex 1 to the Standard Contractual Clauses shall be deemed to be prepopulated with Schedule 2 of this DPA and Annex 2 to the Standard Contractual Clauses shall be deemed to be prepopulated with Schedule 3 of this DPA. The Standard Contractual Clauses shall be governed by the laws of the Netherlands, except as described in clause 3.2.
3.2 Where either Party carries out a UK Restricted Transfer, the Parties hereby enter into the UK Addendum, which is incorporated by reference into this DPA, and which shall come into effect upon the commencement of the UK Restricted Transfer. The Parties make the following selections for the purposes of the UK Addendum: (i) Table 1 – refer to the Schedules to this DPA; (ii) Table 2 – the first box shall be selected; (iii) Table 3 – refer to the Schedules to this DPA; and (iv) Table 4: the first and second boxes shall be selected.
3.4 Where any other Restricted Transfer not covered by clauses 3.1 – 3.2 above is carried out under this DPA, unless another valid transfer mechanism exists for transfer of Personal Data from the applicable country to the applicable country, and until such valid transfer mechanism is established in relation to such, the Parties shall enter into the Standard Contractual Clauses except that (i) references to the EU Regulations and the Articles or requirements thereof, shall instead refer to the applicable data legislation in that country, (ii) the term “sensitive personal data” will be construed to match the definitions under the such legislation, and (iii) any disputes arising from the Standard Contractual Clauses shall be resolved by the applicable territory’s courts.
3.5 Where the Data Exporter carries out a Swiss Restricted Transfer, the Standard Contractual Clauses shall be deemed amended as follows:
(a) the term “personal data” shall be deemed to include information relating to an identified or identifiable legal entity. The list of Data Subjects and categories of data indicated in Annex I(B) to the Standard Contractual Clauses shall not be deemed to restrict the application of the Standard Contractual Clauses to personal data which is subject to this clause 3.5;
(b) references to (articles in) the EU General Data Protection Regulation 2016/679 shall be deemed to refer to (respective articles in) the FADP;
(c) reference to the competent supervisory authority in Annex I(C) under Clause 13 shall be deemed to refer to the FDPIC;
(d) references to Member State(s)/EU Member State(s) shall be deemed to include Switzerland;
(e) references to the exporter in the EU shall be deemed to include the exporter in Switzerland;
(f) references to the European Union in Clause 8.8 of Module 2 and in Annex I (A) shall be deemed to include Switzerland; and
(g) where the Clauses use terms that are defined in the EU General Data Protection Regulation 2016/679, those terms shall be deemed to have the meaning as the equivalent terms are defined in the FADP.
3.6 Where the Restricted Transfer is made pursuant to Module 2 of the Standard Contractual Clauses, the Data Importer shall, taking into account the nature of processing and the information available to the Data Importer, provide assistance to the Data Exporter to enable the Data Exporter to carry out data protection impact assessments in relation to the Transferred Data. The Data Exporter agrees to consult with the supervisory authority prior to processing where a data protection impact assessment indicates that the processing of Transferred Data would result in a high risk to relevant data subjects.
3.7 Where the Restricted Transfer is made pursuant to Module 1 of the Standard Contractual Clauses, the Data Importer shall make available to the Data Exporter all information necessary to demonstrate compliance with the obligations set out in the Standard Contractual Clauses and at the Data Exporter’s request, allow for and contribute to audits of the processing activities covered by the Standard Contractual Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the Data Exporter may take into account relevant certifications held by the Data Importer. The Data Exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the Data Importer and shall, where appropriate, be carried out with reasonable notice.
3.8 Where the Data Exporter carries out a Restricted Transfer it shall ensure that Transferred Data is accurate and limited to what is necessary for the receipt of services from the Data Importer.
3.9 Where Data Importer receives a valid and binding order from any governmental body (“Requesting Party”) for a disclosure of Transferred Data, Data Importer will use every reasonable effort to redirect the Requesting Party to request Transferred Data directly from Data Exporter.
3.10 For the purposes of clause 8.5(a) of Module 1 and clause 8.6(a) of Module 2, Data Exporter is solely responsible for making an independent determination as to whether the Security Requirements meet Data Exporter’s requirements and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing of Transferred Data as well as the risks to Data Subjects) the security measures and policies implemented and maintained by Data Importer provide a level of security appropriate to the risk with respect to its Transferred Data.
4. PROCESSOR OBLIGATIONS
4.1 The provisions of this clause 4 shall apply in all cases where the processing of Personal Data by EDB under this DPA is subject to the provisions UK GDPR and/or the GDPR (as the case may be). The subject matter, scope, nature and purpose of the processing, the categories of Personal Data and Data Subjects are further specified in Schedule 2 of this DPA. In such circumstances, EBD shall:
(a) only process Personal Data in accordance with the Customer’s written instructions, unless required to do so by law, in such a case EDB will notify the Customer of that legal requirement before processing unless prohibited by law;
(b) maintain the confidentiality of the Personal Data and take reasonable steps to limit access to only those who are subject to written confidentiality and data security obligations;
(c) reasonably assist the Customer with meeting the Customer's compliance obligations under Applicable Data Protection Laws, taking into account the nature of EDB's processing and the information available to EDB, including in relation to Data Subject Rights, data protection impact assessments and reporting to and consulting with the relevant regulator under Applicable Data Protection Laws;
(d) not engage Subprocessors without the prior written consent of the Customer, and if any Subprocessors are engaged they must agree to be bound by at least the same obligations as set out in this DPA. EDB remains fully liable to the Customer for the performance of it’s obligations under this DPA;
(e) allow Customer, or an auditor acting on behalf of the Customer, to audit EDB’s compliance with its obligations under this DPA;
(f) take appropriate technical and organizational measures to provide cooperation and assistance in responding to a Data Subject Rights Request received under the GDPR or UK GDPR (as applicable) in relation to the processing under this DPA;
(g) implement and maintain reasonable measures designed to prevent unauthorized or unlawful processing of, or accidental loss, destruction or damage to the Personal Data, as further specified in Schedule 3; and
(g) on termination or expiry of the DPA, delete or destroy, at Customer’s request, all or any of the Personal Data processed under this DPA in its possession.
5. SECURITY
5.1 EDB has implemented appropriate technical and organizational measures to protect the Personal Data processed under this DPA from any form of unauthorized access or loss, including those set out in Schedule 3 to this DPA.
5.2 All events that may affect the availability, integrity or confidentiality of the Personal Data and/or sensitive personal data, including, without limitation, a personal data breach, that affect or may affect the Data Subject(s) will be reported to Customer within 48 hours of discovery of the incident, such report to include all of the information contained in Articles 33(3) of the GDPR and the UK GDPR or specified in the CCPA and the LGPD (as the case may be).
6. DATA SUBJECTS AND ENFORCEMENT
6.1 Except to the extent set out in clause 4.2, it is the express intent of the Parties that any person who is not a party to this DPA has no right, as third party beneficiary, under local legal principle or law, to enforce any term of this DPA, and accordingly nothing contained in this DPA will entitle any person (including, Data Subjects) other than the parties to this DPA, to any claim, cause of action, remedy or right of any kind whatsoever.
6.2 Notwithstanding the provisions of clause 4.1 above, the Parties agree that a Data Subject may enforce the terms of the Standard Contractual Clauses as provided therein and the Parties acknowledge that nothing in this DPA restricts Data Subjects from exercising their rights under Applicable Data Protections Laws, including their rights to compensation from Data Importer for material or non-material damage.
7. TERM AND TERMINATION
7.1 This DPA enters into force as of the Effective Date for an indefinite term unless and until terminated as stated herein below.
7.2 Subject at all times to the termination provisions in the Standard Contractual Clauses, in the event that:
(a) Data Importer gives notice to Data Exporter that it is unable to comply with its obligations under Applicable Data Protection Laws, the Standard Contractual Clauses, the UK Addendum or the CCPA Addendum (as applicable); or
(b) Data Importer is in material breach of any of its obligations under this DPA (including, the Standard Contractual Clauses, UK Addendum or the CCPA Addendum, as applicable) and such breach is incapable of being remedied or has not been remedied within 90 days of receipt of written notice to cure from any Party; or
(c) a supervisory authority, or a tribunal or court rules that there has been a breach of any relevant laws in its jurisdiction by virtue of a Data Importer’s processing of Personal Data under or in connection with this DPA, the Data Exporter, without prejudice to any other rights that it may have against the Data Importer, shall be entitled to:
(d) require the Data Importer to cease its processing of the Personal Data; or
(e) terminate this DPA.
7.3 In the event that Data Exporter is in material breach of any of its obligations under this DPA and such breach is incapable of being remedied or has not been remedied within 90 days of receipt of written notice to cure from any Party, the Data Importer, without prejudice to any other rights that it may have against the Data Exporter, shall be entitled to:
(a) cease its processing of the relevant Personal Data; or
(b) terminate this DPA.
7.4 Notwithstanding anything else in this clause 7 or the Standard Contractual Clauses, the Parties agree that the termination of this DPA at any time, in respect of any Party in any circumstances and for whatever reason, does not exempt the relevant terminated Party from the obligations and/or conditions under this DPA as regards the processing of Personal Data.
8. AMENDMENTS
8.1 EDB shall notify the Customer of any proposed amendment to this DPA. Each proposed amendment to this DPA shall be deemed accepted by the Customer and this DPA shall be deemed so amended 30 days from the date such notification is sent to the Customer. If the Customer signifies its non-acceptance of such proposed amendment within said 30-day period EDB shall promptly commence discussions with the Customer in order to reach an outcome satisfactory to all Parties.
8.2 Notwithstanding the foregoing, the Parties acknowledge that should the UK Government publish new standard contractual clauses (or amendments to the existing standard contractual clauses) to address UK Restricted Transfers, such new standard contractual clauses will be automatically incorporated into this DPA where EDB provides notice of this to the Customer and all UK Restricted Transfers will be thereafter made pursuant to such new or amended standard contractual clauses.
9. MISCELLANEOUS
9.1 Failure by any Party to enforce any of its rights under this DPA shall not be taken as or deemed to be a waiver of such right.
9.2 If any part, term or provision under this DPA is held to be illegal or unenforceable, the validity or enforceability of the remainder of this DPA will not be affected.
9.3 This DPA shall be interpreted according to and governed by the laws of the Commonwealth of Massachusetts, without regard to the conflicts of law provisions therein, except for those provisions or clauses that dictate the application of another law. Each Party irrevocably agrees that the courts of Middlesex County, Massachusetts shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this DPA or its subject matter or formation. Notwithstanding the foregoing, the provisions set out in Schedule 2 of this DPA shall be governed by, and subject to the jurisdiction of, the relevant law and courts as set forth in Schedule 2.
IN WITNESS WHEREOF, the Parties hereto have caused this DPA to be executed as of the Effective Date.
SCHEDULE 1
CALIFORNIA CONSUMER PRIVACY ACT ADDENDUM
This CCPA Addendum specifies certain data protection obligations of EDB when processing the personal information of California residents in accordance with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”). Any capitalized terms or other terms not defined herein or in the DPA shall have the meaning ascribed to them in the CCPA.
1. Data Use.
1.1. With respect to the Processing of Personal Data pursuant to the Terms and this DPA (“Covered Personal Data”), as between the Parties, Customer is the Business and appoints EDB as its Service Provider. The Parties shall Process all Personal Data subject to the Terms in compliance with the CCPA.
1.2. As a Service Provider, EDB shall process Personal Data of California residents only as necessary for the purposes listed in Schedule 2 or as permitted by Applicable Data Protection Law.
2. Data Subject Requests.
2.1. With respect to Covered Personal Data, EDB shall (and shall ensure that any Subprocessors):
(a) Not (i) Sell or Share the Covered Personal Data; or (ii) retain, use, disclose Covered Personal Data outside of the direct business relationship between EDB and the Customer, such as by combining or updating Covered Personal Data with Personal Data that it receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject. Consistent with the above, EDB may use Covered Personal Data as reasonably necessary to detect data security incidents and to protect against fraudulent or illegal activity.
(b) Implement the security procedures described in Schedule 3.
(c) Ensure that its employees processing Covered Personal Data are bound by confidentiality obligations and use restrictions in respect of the Covered Personal Data.
(d) Cooperate with Customer in responding to and complying with Data Subject Rights. EDB shall promptly inform Customer if it receives a Data Subject Rights request respecting Covered Personal Data and shall act on such request as instructed by Customer or as required by law. Customer will inform EDB of any Data Subject Rights request made that EDB must comply with under the CCPA and will provide the information necessary for EDB to comply with the request.
(f) Notify Customer if EDB makes a determination that it can no longer meet its obligations under the CCPA. EDB shall take reasonable and appropriate steps in consultation with the Customer to stop and remediate any unauthorized use of Personal Data, including where appropriate by returning or deleting such Personal Data.
SCHEDULE 2
DETAILS OF PROCESSING
MODULE 1 TRANSFERS
A. LIST OF PARTIES
Data exporter(s):
Name: Details as provided in Customer’s EDB account.
Address: Details as provided in Customer’s EDB account.
Contact person’s name, position and contact details: Details as provided in Customer’s EDB account.
Activities relevant to the data transferred under these Clauses: Customer account management purposes in connection with the provision of Services by data importer to data exporter.
Signature and date: Through continued use of the Services under the Terms, the data exporter will be deemed to have signed this Annex I.
Role (controller/processor): Controller
Data importer(s):
Name: EnterpriseDB Corporation
Address: 34 Crosby Drive, Suite 201, Bedford, MA 01730 (USA)
Contact person’s name, position and contact details: Details as provided in the Terms
Activities relevant to the data transferred under these Clauses: Customer account management purposes in connection with the provision of Services by data importer to data exporter.
Signature and date:
Role (controller/processor): Controller
B. DESCRIPTION OF TRANSFER
Categories of Data Subjects whose Personal Data is transferred
- Data exporter personnel,
Categories of Personal Data transferred
- Name
- Username
- Email address
- Telephone number
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
None, except if data exporter chooses to transfer sensitive personal data.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
One-off
Nature of the processing
Personal Data will be subject to automated and manual processing operations including, collection, use, analysis, transfer, storage and erasure.
Purpose(s) of the data transfer and further processing
- To provide the Services under the Terms including, e.g., account creation and management
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period
For as long as necessary to fulfil the purposes for which it was transferred, including for the purposes of satisfying any legal, accounting or reporting requirements. To determine the appropriate retention period, the amount, nature and sensitivity of the Personal Data are considered, together with the necessity and purposes for the processing (including, whether such purposes can be achieved through other means) and the potential risk of harm from unauthorized use or disclosure of the Personal Data.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Deliberately left blank
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13:
Pursuant to Clause 13, the supervisory authority of the EEA country where (i) the data exporter is established; or where (ii) the EU representative of the data exporter is established; or where (iii) the Data Subjects whose Personal Data are transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.
MODULE 2 TRANSFERS
A. LIST OF PARTIES
Data exporter(s):
Name: Details as provided in Customer’s EDB account.
Address: Details as provided in Customer’s EDB account.
Contact person’s name, position and contact details: Details as provided in Customer’s EDB account.
Activities relevant to the data transferred under these Clauses: Provision of Services by data importer to data exporter.
Signature and date: Through continued use of the Services under the Terms, the data exporter will be deemed to have signed this Annex I.
Role (controller/processor): Controller
Data importer(s):
Name: EnterpriseDB Corporation
Address: 34 Crosby Drive, Suite 201, Bedford, MA 01730
Contact person’s name, position and contact details: Details as provided in the Terms
Activities relevant to the data transferred under these Clauses: Provision of Services by data importer to data exporter.
Signature and date:
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of Data Subjects whose Personal Data is transferred
- Individuals whose Personal Data are collected and processed by data exporter – including, for example, data exporter personnel, clients, end-users, vendors.
Categories of Personal Data transferred
- Personal Data included in content or data provided by or on behalf of Customer via the Services
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- None
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous.
Nature of the processing
Personal Data will be subject to automated and manual processing operations including, collection, use, analysis, transfer, storage and erasure.
Purpose(s) of the data transfer and further processing
- Provision of Services to the data exporter by the data importer
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period
For the duration of the data exporter’s subscription period and thereafter deleted or returned to Customer unless otherwise agreed and instructed by Customer.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Deliberately left blank
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
Pursuant to Clause 13, the supervisory authority of the EEA country where (i) the data exporter is established; or where (ii) the EU representative of the data exporter is established; or where (iii) the Data Subjects whose Personal Data are transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.
SCHEDULE 3
Security Requirements
EDB will implement and maintain the following administrative, technical, physical, and organizational security measures for the protection of Customer Content (as defied in the Terms), consistent with the nature, scope, context, and purpose of any processing of Customer Content and the risks the processing presents for the rights and freedoms of natural persons:
Pseudonymisation and Encryption: Encryption is enabled for data stores housing sensitive data. Company-issued laptop hard drives are encrypted using full disk encryption.
Vulnerability Management: EDB has in place a vulnerability monitoring and management policy which remediates vulnerabilities based on prescribed timelines.
Data Availability: EDB has implemented a secure backup system infrastructure to provide backup, retention, and restoration of data in the production environment. The data importer also has a business continuity program (BCP) and a disaster recovery plan (DRP) which are tested annually.
Risk Assessments: An internal risk assessment is performed at least annually. As part of this process, threats and changes to service commitments are identified and the risks are formally assessed. Data importer also conducts annual third-party audits.
User Identification and Authorization: EDB takes measures to provide that any Customer Content is accessible and manageable only by properly authorized staff. Direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to Personal Data to which they have access privileges and that Personal Data cannot be read, copied, modified or removed without authorization in the course of processing.
Input Control: EDB takes measures to provide that it is possible to check and establish whether and by whom Personal Data has been entered into data processing systems, modified or removed.
System Access Controls: EDB takes measures to prevent unauthorized use of the systems used for processing Customer Content. These controls vary based on the nature of the processing undertaken and may include, among other controls, strong authentication, documented authorization processes, documented change management processes and/or, logging of access on several levels.
Logical separation: Customer Content in EDB’s control is logically segregated on systems managed by EDB to prevent unauthorized access.
Data Transmission and Storage: Customer Content cannot be read, copied, modified or removed without authorization during electronic transmission or transport. EDB uses industry standard firewall and encryption technologies to protect data in transit and at rest. Any transfer of Customer Content to a third-party service provider is made via a secure transmission.
Physical Security: EDB stores Customer Content using Microsoft Azure. The physical security and information security standards for Microsoft Azure’s data centers are detailed at: https://docs.microsoft.com/en-us/azure/security/.
Events Logging: EDB has implemented agent-based monitoring infrastructure or custom script-based monitoring within the environment to provide automated logging and alerting capabilities. The logging solutions are enabled on all production systems. The monitoring system detects potential unauthorized activity and security events. The monitoring agents are responsible for monitoring a defined set of user and administrator events, aggregating log events, and sending the aggregated abnormal log information to a centralized log repository either at regular intervals or in real time.
System Configuration: EDB has in place a password policy which requires an 8-character minimum, and complexity enabled. Remote access to production systems is restricted to authorized employees with valid multi-factor authentication (MFA) tokens.
IT Security Governance and Management: EDB has an executive management team that meets semi-annually with operational management to assess the effectiveness and performance of internal controls within the environment. Employees complete training courses covering information security practices upon hire and annual thereafter. EDB conducts a SOC 2 Type 1 audit on at least an annual basis and annual third-party cybersecurity audits.
Data Retention: Formal data retention and disposal procedures are documented to guide the secure retention and disposal of personal data, including a Data Classification Policy.
Measures for ensuring accountability: Data importer maintains an Article 30 GDPR/UK GDPR (as applicable) record of processing.