Data Processing Agreement

Last Modified Date: July 25, 2023
This Groundswell Data Processing Agreement and its Annexes (“DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by Groundswell Giving Inc. (“Groundswell”) on behalf of an individual or legal entity (“Client”) in connection with a copy of the Enterprise Service Agreement Terms executed by and between Client and Groundswell or, in the absence of an executed agreement, the Groundswell Terms and Conditions available at https://groundswell.io/terms/ (referred to in this DPA as the “Agreement”). The term of this DPA will follow the term of the Agreement. This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified and referenced in the Agreement, an Order Form, or an executed amendment to the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency. Groundswell updates these terms from time to time. If Client has an active Groundswell account, Groundswell will notify Client of the changes via email. Capitalized terms used, but not otherwise defined, herein shall have the same meanings assigned to those terms in the Agreement. 

1. Definitions

1.1. "European Data Protection Laws" means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) the GDPR as it forms part of United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and (v) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance ("Swiss DPA"); in each case, as may be amended, superseded or replaced.

1.2. "CCPA" means the California Consumer Privacy Act of 2018.

1.3. "Personal Data" means any information Processed by Groundswell on behalf of Client relating to an identified or identifiable natural person; see Article 4(1) GDPR. 

1.4. "Personal Data Breach" means, according to Article 4(12) GDPR, a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed. 

1.5. "Process" or "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (see Article 4(2) GDPR).

1.6. "Subprocessors" has the meaning defined in section 5.1 of this DPA.

1.7. The terms “business”, “service provider”, “consumer” and “verifiable consumer request” shall each have their respective meanings under the CCPA. 

1.8. "Third Country" means a country without a system of ensuring adequate protection within the meaning of Article 45 GDPR. 

1.9. "UK Addendum" means the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018, currently found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as may be amended, superseded, or replaced.

2. Scope of the DPA and Transfer Mechanisms for Data Transfers

Groundswell acts as a processor for Client, who acts as the controller. Personal Data may include the categories of Personal Data, the categories of data subjects and the purposes of the Processing set out in Annex 1. 

Groundswell will not transfer Personal Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Laws, or to a recipient that has executed appropriate standard contractual clauses in each case as adopted or approved in accordance with applicable European Data Protection Laws. 

Client acknowledges that in connection with the performance of the Agreement, Groundswell Giving Inc. is a recipient in the United States of Personal Data originating in the European Union, the European Economic Area and/or their member states, Switzerland, or the United Kingdom. The parties agree that the Standard Contractual Clauses will be incorporated by reference and form part of the Agreement as follows: 

(a) EEA Transfers. In relation to Personal Data that is subject to the GDPR: (i) Client is the "data exporter" and Groundswell Giving Inc. is the "data importer"; (ii) the Module Two terms apply to the extent the Client is a Controller of Personal Data and the Module Three terms apply to the extent the Client is a Processor of Personal Data; (iii) in Clause 7, the optional docking clause does not apply; (iv) in Clause 9, Option 2 applies, and changes to Subprocessors will be notified in accordance with Section 5 of this DPA; (v) in Clause 11, the optional language is deleted; (vi) in Clauses 17 and 18, the parties agree that the governing law and forum for disputes for the Standard Contractual Clauses will be the Republic of Ireland (without reference to conflicts of law principles); (vii) the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA; and (viii) if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA, the Standard Contractual Clauses will prevail to the extent of such conflict.

(b) UK Transfers. In relation to Personal Data that is subject to the UK GDPR, the Standard Contractual Clauses will apply in accordance with sub-section (a) and the following modifications: (i) the Standard Contractual Clauses will be modified and interpreted in accordance with the UK Addendum, which will be incorporated by reference and form an integral part of the Agreement; (ii) Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Annexes of this DPA and Table 4 will be deemed completed by selecting "neither party"; and (iii) any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

(c) Swiss Transfers. In relation to Personal Data that is subject to the Swiss DPA, the Standard Contractual Clauses will apply in accordance with sub-section (a) and the following modifications: (i) references to "Regulation (EU) 2016/679" will be interpreted as references to the Swiss DPA; (ii) references to "EU", "Union" and "Member State law" will be interpreted as references to Swiss law; and (iii) references to the "competent supervisory authority" and "competent courts" will be replaced with the "Swiss Federal Data Protection and Information Commissioner" and the "relevant courts in Switzerland".

Client expressly authorizes Groundswell to transfer Personal Data to Groundswell-affiliated entities and/or other Subprocessors located in locations outside the European Economic Area, as is reasonably required to provide support, perform technical projects, or perform other types of services under the Agreement, provided that, to the extent applicable, either: (i) such locations are recognized by the European Commission as providing adequate data protection; or (ii) Groundswell has executed Processor to Processor EU Standard Contractual Clauses with such affiliates and/or other Subprocessors. 

3. Processing of Personal Data

3.1. Groundswell shall Process Personal Data for the purposes of providing services under the Agreement only in accordance with the Agreement and this DPA, and in accordance with documented instructions listed in this DPA and the Agreement. Client may issue further documented instructions consistent with and in the scope of this DPA and the Agreement. Groundswell shall promptly inform Client if, in Groundswell’s opinion, an instruction infringes GDPR or other Union or Member State data protection provisions. In case Groundswell is required to Process Personal Data by Union or Member State law to which Groundswell is subject, Groundswell shall inform the Client of that legal requirement before Processing, unless that law prohibits such informing on grounds of important public interest. 

3.2. Groundswell must limit the access to Personal Data to its employees and Subprocessors for whom access to said data is reasonably necessary to fulfill Groundswell's obligations to Client. Groundswell must ensure that persons authorized to Process Personal Data are bound by the same or equivalent confidentiality obligations as Groundswell and/or are under an appropriate statutory obligation of confidentiality. 

3.3. Groundswell shall implement and maintain appropriate technical and organizational measures in line with Article 32 GDPR. For this purpose, the parties agree on the security measures set forth in Annex 2 for the Processing of Personal Data.

3.4. The appropriate technical and organizational security measures must be determined with due regard to: (i) the state of the art, (ii) the cost of their implementation, and (iii) the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. 

3.5. Groundswell shall make available to Client upon request information necessary to demonstrate compliance with Groundswell's obligations set forth in Article 28 GDPR, and allow for and reasonably assist with audits, including inspections, conducted by Client or an independent third party auditor appointed by Client, as follows: (i) Groundswell shall at its own cost obtain and make available upon Client's request an audit report from an independent auditor regarding Groundswell's compliance with the data security requirements of the controls defined in SOC 2 Type 2 Security Trust Service Criteria (or equivalent standard). Such audit report must be issued on the basis of a recognized standard for such reports. (ii) In addition, Client is entitled, at a time and scope to be agreed by the parties, to conduct or have conducted an annual audit, including an inspection, if and to the extent the audit report set forth in item (i) does not meet the requirements set forth in Article 28 GDPR. Any third party auditor shall not be a competitor of Groundswell, and shall, upon Groundswell's request, sign a customary non-disclosure agreement to treat all information obtained or received from Groundswell confidentially, and may share any such information obtained or received only with Client and Groundswell. Client shall be responsible for the costs of the audit, and agrees to pay Groundswell a reasonable fee per audit, to be mutually agreed by the parties, to cover Groundswell's assistance with the audit. An additional audit may take place: (a) if required by a competent legal supervisory authority of Client; or (b) following a Personal Data Breach.

3.6. Groundswell shall without undue delay, unless such notification is prohibited under applicable law, notify Client about any: (i) request by a legal authority for disclosure of Personal Data Processed under the Agreement; or (ii) request for access to Personal Data received regarding an identified data subject.

3.7. Groundswell shall notify Client without undue delay after becoming aware of a Personal Data Breach. The notification shall at least describe the nature of the Personal Data Breach (including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned) and the measures taken or proposed by Groundswell to address the Personal Data Breach. 

3.8. Groundswell shall provide reasonable and timely assistance to Client to help enable Client to respond to: (i) any request from a data subject to exercise any of the data subject's rights under applicable data protection laws (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the Processing of the Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Groundswell, Groundswell shall promptly inform Client and provide full details of the same, except to the extent prohibited by law.

3.9. Groundswell shall, upon Client’s request, reasonably assist Client in ensuring compliance with Client’s obligations pursuant to Articles 32 to 36 GDPR (including security of Processing, notification of Personal Data breach, data protection impact assessment and prior consultation), based on the nature of Processing and the information available to Groundswell. 

3.10. In the event Client’s designated account manager at Groundswell cannot assist with a data privacy enquiry, Client may contact support@groundswell.io. 

3.11. Assistance contemplated by this Section 3 shall be provided to Client at no charge if the request can be fulfilled by supplying readily available documentation in Groundswell’s possession. 

3.12. If Processing is subject to CCPA, Groundswell may not sell, use, retain, collect, or disclose personal information, outside of the direct business relationship between Groundswell and Client, for any purpose other than to provide services to Client under and in accordance with the Agreement. Groundswell confirms that it understands the CCPA’s restrictions and prohibitions on selling personal information and retaining, using, or disclosing personal information outside of the parties’ direct business relationship, and it will comply with the CCPA.

4. Client's General Obligations

Client will comply with all its obligations under applicable data protection laws and regulations.

5. Other Data Processors

5.1. Groundswell may engage other processors (“Subprocessors”) for the Processing of Personal Data under this DPA, provided Groundswell ensures such Subprocessors’ compliance with the terms of this DPA. 

5.2. Prior to the engagement of another Subprocessor, Groundswell shall inform Client's administrator and Client's contact of the intended subprocessing at least 30 days prior thereto, thereby giving the Client the opportunity to object to such change on reasonable grounds, as set forth in Article 28 GDPR.

5.3. Groundswell shall remain fully liable to the Client for the performance of its Subprocessors’ obligations hereunder.

6. Data Retrieval and Deletion

6.1. Client may retrieve its Personal Data at any time prior to termination of the Agreement as set forth therein. 

6.2. Promptly upon the expiration or earlier termination of the Agreement, or earlier upon Client’s request, Groundswell shall securely destroy or render unreadable or undecipherable, each and every original and copy in every media of all Personal Data in Groundswell’s possession, custody or control. 

6.3. Notwithstanding section 6.2, backups of Personal Data are to be deleted according to and in compliance with Groundswell’s general backup cycle, which means that backups will be deleted at the latest within approximately six (6) months from the decommissioning of Client’s portal. 

6.4. Groundswell shall provide to Client, upon Client’s request, written confirmation that deletion has occurred in accordance with this section 6. In the event applicable law does not permit Groundswell to comply with delivery or destruction of Personal Data as set forth herein, Groundswell shall ensure the privacy, confidentiality and security of Personal Data in accordance with the standards agreed in this DPA and shall not use or disclose any Personal Data after termination of the Agreement.

ANNEX 1

Categories of data, categories of data subjects and purposes of the Processing

a) Categories of Personal Data 
The Personal Data being Processed by Processor may concern the following categories of data: 
  • Name and Surname
  • Mobile phone number
  • Email addresses
  • Mobile device ID
  • Contribution transactions 
  • Donation transactions
  • Credit card numbers 
  • Bank account numbers 
  • A cookie ID
  • Internet Protocol (IP) address
  • Location data (for example, from a data subject’s mobile phone)
  • Advertising identifier on a data subject’s mobile phone
b) Categories of data subjects: The Personal Data Processed by Processor may concern the following categories of data subjects: 
  • Employees, contractors, agents, directors, officers, and students of the Controller and/or its affiliates
c) Purpose and nature of the Processing operations: Personal Data may be Processed by Processor for the following purposes:
d) Special categories of data:
  • Donation transactions

ANNEX 2

Security measures 

(1) Processor shall Process Personal Data in accordance with applicable law to which Processor is subject and in accordance with the data security requirements of the controls defined by latest available SOC 2 Type 2 implemented controls (or equivalent standard). 

(2) Processor shall appoint a fixed contact point for Client to carry out any matters in relation to the Processing of Personal Data. 

(3) Processor shall ensure that Processor's employees receive adequate training and instructions, including, but not limited to, education on general safety awareness, relevant security policies and procedures, and Personal Data Processing. 

(4) Processor shall maintain organizational and technical measures to ensure separation of data between clients and systems. 

(5) Access Control of Processing Areas

Processor shall maintain suitable measures in order to prevent unauthorized persons from gaining access to the data Processing equipment (namely telephones, database and application servers and related hardware) where the Personal Data is Processed or used. This is accomplished by measures such as:
  • establishing security areas;
  • protection and restriction of access paths;
  • securing the decentralized telephones, data Processing equipment and personal computers;
  • establishing access authorizations for employees and third parties, including the respective documentation;
  • regulations on card-keys;
  • restriction on card-keys;
  • all access to the data center where Personal Data is hosted is logged, monitored, and tracked;
  • the data center where Personal Data is hosted is secured by a security alarm system; and
  • other appropriate security measures.
(6) Access Control to Data Processing Systems

Processor shall maintain suitable measures to prevent its Personal Data Processing systems from being used by unauthorized persons. This is accomplished by measures like:
  • identification of the terminal and/or the terminal user to the Processor systems;
  • automatic time-out of user terminal if left idle, with identification and password required to reopen;
  • automatic turn-off of the user ID when several erroneous passwords are entered;
  • log file of events (monitoring of break-in-attempts); 
  • issuing and safeguarding of identification codes;
  • dedication of individual terminals and/or terminal users, and identification characteristics exclusive to specific functions; 
  • employee policies and training with respect to each employee's access rights to Personal Data (if any), including informing employees about their obligations and the consequences of any violations of such obligations, to ensure that employees will only access Personal Data and resources required to perform their job duties; and
  • all access to data content is logged and monitored.
(7) Access Control to Use Specific Areas of Data Processing Systems

Processor commits that the persons entitled to use its Personal Data Processing system are only able to access the data within the scope and to the extent covered by its access permission (role or authorization) and that Personal Data cannot be read, copied, modified or removed without authorization. This shall be accomplished by:
  • establishing security areas;
  • protection and restriction of access paths;
  • securing the decentralized telephones, data Processing equipment and personal computers;
  • establishing access authorizations for employees and third parties, including the respective documentation;
  • regulations on card-keys;
  • restriction on card-keys;
  • all access to the data center where Personal Data is hosted is logged, monitored, and tracked;
  • the data center where Personal Data is hosted is secured by a security alarm system; and
  • other appropriate security measures.
(8) Availability Control

Processor shall maintain suitable measures to ensure that Personal Data are protected from accidental destruction or loss. This is accomplished by:
  • establishing security areas;
  • protection and restriction of access paths;
  • securing the decentralized telephones, data Processing equipment and personal computers;
  • establishing access authorizations for employees and third parties, including the respective documentation;
  • regulations on card-keys;
  • restriction on card-keys;
  • all access to the data center where Personal Data is hosted is logged, monitored, and tracked;
  • the data center where Personal Data is hosted is secured by a security alarm system; and
  • other appropriate security measures.
(9) Transmission Control

Processor shall maintain suitable measures to prevent the Personal Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by:
  • establishing security areas;
  • protection and restriction of access paths;
  • securing the decentralized telephones, data Processing equipment and personal computers;
  • establishing access authorizations for employees and third parties, including the respective documentation;
  • regulations on card-keys;
  • restriction on card-keys;
  • all access to the data center where Personal Data is hosted is logged, monitored, and tracked;
  • the data center where Personal Data is hosted is secured by a security alarm system; and
  • other appropriate security measures.
(10) Input Control

Processor implements suitable measures to ensure that it is possible to check and establish whether and by whom Personal Data has been input into Personal Data Processing systems or removed. This is accomplished by:
  • an authorization policy for the input of data into memory, as well as for the reading, alteration and disposal of stored Personal Data; 
  • authentication of the authorized personnel; 
  • protective measures for the data input into memory, as well as for the reading, alteration and disposal of stored Personal Data; 
  • utilization of user codes (passwords);
  • following a policy according to which all employees of Processor who have access to Personal Data Processed for Client shall reset their passwords at a minimum once in a 180-day period, or as defined in Processor's IT Security Policy and in line with any multi-factor authentication in use;
  • providing that entries to Data Processing facilities (the rooms housing the computer hardware and related equipment) are capable of being locked; 
  • automatic log-off of user IDs that have not been used for a substantial period of time;
  • proof established within Processor’s organization of the input authorization; and
  • electronic recording of entries. 
(11) Processor system administrators (if any) 

Processor shall maintain measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by: 
  • individual appointment of system administrators;
  • adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six months; 
  • yearly audits of system administrators’ activity to assess compliance with assigned tasks, the instructions received by importer and applicable laws; 
  • keeping an updated list with system administrators’ identification details (e.g. name, surname, function or organizational area) and tasks assigned.
(12) Separation of Processing for different Purposes 

Processor shall maintain suitable measures to ensure that Personal Data collected for different purposes can be Processed separately. This is accomplished by: 
  • access to Personal Data is separated through application security for the appropriate users; and
  • modules within Processor’s database separate which data is used for which purpose, i.e., by functionality and function. 
Client acknowledges and agrees that Processor may change its security policies and related security measures, provided that Processor maintains, at all times, an overall level of security at least as stringent as the one set forth in this DPA.