Appenate Data Processing Addendum
Helping you be compliant with European data processing laws
DATA PROCESSING ADDENDUM
Version 2.0 (November 2022)
This Data Processing Addendum (“DPA”) forms part of the Enterprise Customer Agreement, Vendor Agreement, Appenate Terms of Use (available at www.appenate.com/terms-conditions), or other written or electronic agreement, by and between Appenate Pty Ltd (“Appenate”) and the undersigned customer of Appenate (“Customer”) for certain optimization, security, application and/or other software services provided by Appenate (the “Main Agreement”). All capitalized terms not defined herein shall have the meanings set forth in the Main Agreement. Each of the Customer and Appenate may be referred to herein as a “party” and together as the “parties”. If the Customer entity identified by this DPA is not a party to the Main Agreement directly with Appenate, but is instead a customer indirectly via an authorized vendor of the Service, this DPA is not valid and is not legally binding. Such entity should contact the authorized vendor to discuss whether any amendment to its agreement with that vendor may be required.
Appenate operates self-contained Service deployments within several geographic regions worldwide (“Service Nodes”). Appenate commits to hosting all Customer data exclusively within the Customer’s chosen Service Node; however, Appenate personnel residing outside the chosen Service Node region may require access to certain Personal Data from time to time for testing, support and maintenance of the Service. Therefore, the parties anticipate that Appenate may process, outside of the chosen Service Node, certain Personal Data in respect of which the Customer, or any member of the Customer Group, may be a Controller (or Processor, as the case may be) under Applicable Data Protection Laws.
DATA PROCESSING TERMS
In the course of providing the Service to the Customer pursuant to the Main Agreement, Appenate may process Personal Data as a Processor (or Controller or sub-Processor as applicable) on behalf of Customer and such Personal Data is subject to Applicable Data Protection Laws (as defined below).
The parties have agreed to enter into this DPA in order to ensure that appropriate safeguards are in place to protect such Personal Data in accordance with Applicable Data Protection Laws. Accordingly, Appenate agrees to comply with the following provisions with respect to any Personal Data that it processes as a Processor (or Controller or sub-Processor as applicable) on behalf of Customer.
1. Definitions
1.1. The following definitions are used in this DPA:
a) “Affiliate” means, with respect to a party, any corporate entity that, directly or indirectly, Controls, is Controlled by, or is under Common Control with such party (but only for so long as such Control exists);
b) “Appenate Group” means Appenate and any of its Affiliates;
c) “Applicable Data Protection Laws” means (i) the European Data Protection Laws; (ii) the CCPA; and (iii) the laws of other states and territories that create and regulate substantially similar concepts and legal principles as are contained in the European Data Protection Laws in relation to the processing of Personal Data;
d) “CCPA” means the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100 – 1798.199, 2018);
e) “Controller” means an entity that determines the purposes and means of the processing of Personal Data;
f) “Customer Group” means the Customer and any of its Affiliates;
g) “European Data Protection Laws” means all laws and regulations of the European Union, the European Economic Area, their member states, Switzerland, and the United Kingdom applicable to the processing of Personal Data under the Main Agreement, including, where applicable, (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) the UK Data Protection Act 2018 and the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii);
h) “Personal Data” means all data which is defined as ‘personal data’, ‘personal information’, or ‘personally identifiable information’ (or analogous term) under Applicable Data Protection Laws;
i) “processing”, “data subject”, and “supervisory authority” shall have the meanings ascribed to them in European Data Protection Laws;
j) “Processor” means an entity which processes Personal Data on behalf of the Controller, including an entity to which another entity discloses a natural individual’s personal information for a business purpose pursuant to a written contract that requires the entity receiving the information to only retain, use, or disclose Personal Data for the purpose of providing the Service;
k) “Restricted Transfer” means: (i) where the EU GDPR or Swiss Federal Act on Data Protection applies, a transfer of Personal Data from the European Economic Area or Switzerland (as applicable) to a country outside of the European Economic Area or Switzerland (as applicable) which is not subject to an adequacy determination by the European Commission or Swiss Federal Data Protection and Information Commissioner (as applicable); and (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to section 17A of the United Kingdom Data Protection Act 2018;
l) “Service” shall refer to all products, websites, app technology, application programming interfaces (“APIs”) and services (collectively the ‘Appenate Service’ and ‘Appenate Software’ as defined in the Main Agreement) offered, marketed or sold by Appenate or its authorized partners;
m) “SCCs” means: (i) where the EU GDPR or Swiss Federal Act on Data Protection applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”);
1.2 An entity “Controls” another entity if it: (a) holds a majority of the voting rights in it; (b) is a member or shareholder of it and has the right to remove a majority of its board of directors or equivalent managing body; (c) is a member or shareholder of it and controls alone or pursuant to an agreement with other shareholders or members, a majority of the voting rights in it; or (d) has the right to exercise a dominant influence over it pursuant to its constitutional documents or pursuant to a contract; and two entities are treated as being in “Common Control” if either controls the other (directly or indirectly) or both are controlled (directly or indirectly) by the same entity.
2. Status of the parties
2.1 The type of Personal Data processed pursuant to this DPA and the subject matter, duration, nature and purpose of the processing, and the categories of data subjects, are described in Annex 1.
2.2 Each party warrants in relation to Personal Data that it will comply with Applicable Data Protection Laws. As between the parties, the Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Customer acquired Personal Data.
2.3 In respect of the parties’ rights and obligations under this DPA regarding the Personal Data, the parties acknowledge and agree that the Customer is the Controller (or a Processor processing Personal Data on behalf of a third-party Controller) and Appenate is a Processor (or sub-Processor, as applicable).
2.4 If Customer is a Processor, Customer warrants to Appenate that Customer’s instructions and actions with respect to the Personal Data, including its appointment of Appenate as another Processor and, where applicable, concluding the SCCs, have been (and will, for the duration of this DPA, continue to be) authorised by the relevant third-party Controller.
2.5 The parties acknowledge and agree that with respect to Customer registration data and Customer usage data, Appenate is an independent Controller, not a joint Controller with Customer. Appenate will process Customer registration data and Customer usage data as a Controller (i) to manage the relationship with Customer; (ii) to carry out Appenate’s core business operations, such as accounting, audits, tax preparation and compliance purposes; (iii) to monitor, investigate, prevent and detect fraud, security incidents and other misuse of the Service, and to prevent harm to Customer; (iv) for identity verification purposes; (v) to comply with legal or regulatory obligations applicable to the processing and retention of Personal Data to which Appenate is subject; and (vi) as otherwise permitted under Applicable Data Protection Laws and in accordance with this Addendum and the Main Agreement. Appenate may also process Customer usage data as a Controller to provide, optimize, and maintain the Service, to the extent permitted by Applicable Data Protection Laws. Any processing by Appenate as a Controller shall be in accordance with Appenate’s privacy policy set forth at https://www.appenate.com/privacy-policy.
3. Appenate obligations
3.1 With respect to all Personal Data it processes in its role as a Controller, Processor or sub-Processor, Appenate warrants that it shall:
(a) only process Personal Data in order to provide the Service and in accordance with: (i) the Customer’s written instructions as set out in the Main Agreement and this DPA, unless required to do so by applicable Union or Member State law to which Appenate is subject, and (ii) the requirements of Applicable Data Protection Laws. In the event Appenate is required to process Personal Data under Applicable Data Protection Laws, Appenate shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
(b) not sell, retain, use or disclose the Personal Data for any purpose other than for the specific purpose of performing the Service, including for a commercial purpose other than providing the Service. Appenate shall not use the Personal Data for the purposes of marketing or advertising. Appenate’s performance of the Service may include disclosing Personal Data to sub-Processors where this is in accordance with section 4 of this DPA;
(c) inform Customer if, in Appenate’s opinion, any instructions provided by the Customer under clause 3.1(a) infringe Applicable Data Protection Laws;
(d) implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data. Such measures include, without limitation, the security measures set out in Annex 2 (“Security Measures”). Customer acknowledges that the Security Measures are subject to technical progress and development and that Appenate may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the Service;
(e) ensure that only authorized personnel have access to such Personal Data and that any persons whom it authorizes to have access to the Personal Data are under contractual or statutory obligations of confidentiality;
(f) without undue delay notify the Customer upon becoming aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed for the purpose of providing the Service to Customer by Appenate, its sub-Processors, or any other identified or unidentified third party (a “Personal Data Breach”) and provide the Customer with reasonable cooperation and assistance in respect of that Personal Data Breach, including all reasonable information in Appenate’s possession concerning such Personal Data Breach insofar as it affects the Personal Data;
(g) not make any public announcement about a Personal Data Breach (a “Breach Notice”) without the prior written consent of the Customer, unless required by applicable law;
(h) to the extent Appenate is able to verify that a data subject is associated with the Customer, promptly notify the Customer if it receives a request from a data subject to exercise any data protection rights (including rights of access, rectification or erasure) in respect of that data subject’s Personal Data (a “Data Subject Request”). Appenate shall not respond to a Data Subject Request without the Customer’s prior written consent except to confirm that such request relates to the Customer, to which the Customer hereby agrees;
(i) to the extent Appenate is able, and in line with applicable law, provide reasonable assistance to Customer in responding to a Data Subject Request to exercise any data protection rights (including rights of access, rectification or erasure) in respect of that data subject’s Personal Data if the Customer does not have the ability to address a Data Subject Request without Appenate’s assistance. The Customer is responsible for verifying that the requestor is the data subject in respect of whose Personal Data the request is made. Appenate bears no responsibility for information provided in good faith to Customer in reliance on this subsection. Customer shall cover all costs incurred by Appenate in connection with its provision of such assistance;
(j) other than to the extent required to comply with applicable law, as soon as reasonably practicable following termination or expiry of the Main Agreement or completion of the Service, delete all Personal Data (including copies thereof) processed pursuant to this DPA;
(k) considering the nature of processing and the information available to Appenate, provide such assistance to the Customer as the Customer reasonably requests in relation to Appenate’s obligations under Applicable Data Protection Laws with respect to:
(i) data protection impact assessments and prior consultations (as such terms are defined in Applicable Data Protection Laws);
(ii) notifications to the supervisory authority under Applicable Data Protection Laws and/or Customer communications to data subjects in response to any Personal Data Breach; and
(iii) the Customer’s compliance with its obligations under Applicable Data Protection Laws with respect to the security of processing;
provided that the Customer shall cover all costs incurred by Appenate in connection with its provision of such assistance.
4. Sub-processing
4.1 Appenate will only disclose Personal Data to sub-Processors for the specific purposes of carrying out the Service. Appenate does not sell or disclose Personal Data to third parties for commercial purposes.
4.2 The Customer grants a general written authorization: (a) to Appenate to appoint other members of the Appenate Group as sub-Processors, and (b) to Appenate and other members of the Appenate Group to appoint third party data center operators, and business, engineering and customer support providers as sub-Processors to support the performance of the Service.
4.3 Appenate will maintain a list of current sub-processors for the Service, including a history of revisions, the identities of those sub-processors and their country of location at https://www.appenate.com/sub-processors. Appenate will add the names of new and replacement sub-Processors to the list at least thirty (30) days prior to the date on which those sub-Processors commence processing of Personal Data. If Customer objects to any new or replacement sub-Processor on reasonable grounds related to data protection, it shall notify Appenate of such objections in writing within ten (10) days of the sub-Processors list update and the parties will seek to resolve the matter in good faith. If Appenate is reasonably able to provide the Service to the Customer in accordance with the Main Agreement without using the sub-Processor and decides in its discretion to do so, then Customer will have no further rights under this clause 4.3 in respect of the proposed use of the sub-Processor. If Appenate, in its discretion, requires use of the sub-Processor and is unable to satisfy Customer’s objection regarding the proposed use of the new or replacement sub-Processor, then Customer may terminate the applicable Service subscription(s) effective upon the date Appenate begins use of such new or replacement sub-Processor solely with respect to the Service(s) that will use the proposed new sub-Processor for the processing of Personal Data. If Customer does not provide a timely objection to any new or replacement sub-Processor in accordance with this clause 4.3, Customer will be deemed to have consented to the sub-Processor and waived its right to object.
4.4 Appenate will ensure that any sub-Processor it engages to provide an aspect of the Service on its behalf in connection with this DPA does so only on the basis of a written contract which imposes on such sub-Processor terms (i.e., data protection obligations) that are no less protective of Personal Data than those imposed on Appenate in this DPA (the “Relevant Terms”).
5. Audit and records
5.1 Appenate shall, in accordance with Applicable Data Protection Laws, make available to the Customer such information in Appenate’s possession or control as the Customer may reasonably request with a view to demonstrating Appenate’s compliance with the obligations of Processors under Applicable Data Protection Laws in relation to its processing of Personal Data.
5.2 Appenate may fulfil Customer’s right of audit under Applicable Data Protection Laws in relation to Personal Data, by providing:
(a) an audit report not older than thirteen (13) months, prepared by an independent external auditor demonstrating that Appenate’s technical and organizational measures are sufficient and in accordance with an accepted industry audit standard;
(b) additional information in Appenate’s possession or control to a data protection supervisory authority when it requests or requires additional information in relation to the processing of Personal Data carried out by Appenate under this DPA; and
(c) to the extent that Customer’s Personal Data is subject to SCCs and the information made available pursuant to this clause 5.2 is insufficient, in Customer’s reasonable judgment, to confirm Appenate’s compliance with its obligations under this DPA or Applicable Data Protection Laws, then Appenate shall enable Customer to request one onsite audit per annual period during the Term (as defined in the Main Agreement) to verify Appenate’s compliance with its obligations under this DPA in accordance with clause 5.3.
5.3 The following additional terms shall apply to audits the Customer requests:
(a) Customer must send any requests for reviews of Appenate’s audit reports to security@appenate.com;
(b) Following receipt by Appenate of a request for audit under clause 5.2(c), Appenate and Customer will discuss and agree in advance on the reasonable start date, scope, duration of, and security and confidentiality controls applicable to any audit under clause 5.2(c). Whenever possible, evidence for such an audit will be limited to the evidence collected for Appenate’s most recent third-party audit.
(c) Appenate may charge a fee (based on Appenate’s reasonable costs) for any audit under clause 5.2(c). Appenate will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.
(d) Appenate may object in writing to an auditor appointed by Customer to conduct any audit under clause 5.2(c) if the auditor is, in Appenate’s reasonable opinion, not suitably qualified or independent, a competitor of Appenate, or otherwise manifestly unsuitable (i.e. an auditor whose engagement may have a harmful impact on Appenate’s business comparable to the aforementioned aspects). Any such objection by Appenate will require Customer to appoint another auditor or conduct the audit itself. If the SCCs apply, nothing in this clause 5.3 varies or modifies the SCCs nor affects any supervisory authority’s or data subject’s rights under the SCCs.
6. Data transfers from the EEA, Switzerland, and the UK
6.1 In connection with the Service, the parties anticipate that Appenate (and its sub-Processors) may process outside of the European Economic Area (“EEA”), Switzerland, and the United Kingdom, certain Personal Data protected by European Data Protection Laws in respect of which Customer or a member of the Customer Group may be a Controller (or Processor on behalf of a third-party Controller, as applicable).
6.2 The parties agree that when the transfer of Personal Data protected by European Data Protection Laws from Customer or any member of the Customer Group to Appenate is a Restricted Transfer then it shall be subject to the appropriate SCCs as follows:
(a) in relation to Personal Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
(i) Module One (Controller to Controller) will apply where Appenate is processing Personal Data as a Controller pursuant to clause 2.5 of this DPA.
(ii) Module Two (Controller to Processor) will apply where Customer (or the relevant member of the Customer Group) is a Controller.
(iii) Module Three (Processor to Processor) will apply where Customer (or the relevant member of the Customer Group) is a Processor.
For each Module above, where applicable, the following applies:
(iv) in Clause 7, the optional docking clause will not apply;
(v) in Clause 9, Option 2 will apply, and the time period for prior notice of sub-Processor changes shall be as set out in clause 4.3 of this DPA;
(vi) in Clause 11, the optional language will not apply;
(vii) in Clause 17, Option 1 will apply and the EU SCCs will be governed by the laws of Ireland;
(viii) in Clause 18(b), disputes shall be resolved before the courts of the jurisdiction governing the Main Agreement between the parties or, if that jurisdiction is not an EU Member State, then the courts in Ireland. In any event, Clauses 17 and 18(b) shall be consistent in that the choice of forum and jurisdiction shall fall on the country of the governing law;
(ix) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this DPA; and
(x) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 2 to this DPA;
(b) in relation to Personal Data that is protected by the UK GDPR, the EU SCCs shall apply, completed as set out above in clause 6.2(a) of this DPA, subject to the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under section 119A(1) of the Data Protection Act 2018. The UK Addendum shall be deemed executed between the Customer (or the relevant member of the Customer Group) and Appenate, incorporating the information below:
(i) the party details as set out in section A of Annex 1 to this DPA, inserted in Table 1 (Parties) of such UK Addendum;
(ii) the first option set out in Table 2 of such UK Addendum;
(iii) the list of parties and the description of the transfer of personal data, each as set out in section A of Annex 1, inserted in Table 3 (Appendix Information) of such UK Addendum;
(iv) the description of the technical and organisational security measures as set out in Annex 2 inserted in Table 3 (Appendix Information) of such UK Addendum;
(v) the list of sub-processors available pursuant to clause 4.3 of this DPA, inserted in Table 3 (Appendix Information) of such UK Addendum; and
(vi) the option ‘neither Party’ set out in Table 4 of such UK Addendum.
(c) in relation to Personal Data that is protected by the Swiss Federal Act on Data Protection (as amended or replaced), the EU SCCs, completed as set out above in clause 6.2(a) of this DPA, shall apply to transfers of such Personal Data, except that:
(i) the competent supervisory authority in respect of such Personal Data shall be the Swiss Federal Data Protection and Information Commissioner;
(ii) in Clause 17, the governing law shall be the laws of Switzerland;
(iii) references to “Member State(s)” in the EU SCCs shall be interpreted to refer to Switzerland, and data subjects located in Switzerland shall be entitled to exercise and enforce their rights under the EU SCCs in Switzerland; and
(iv) references to the “General Data Protection Regulation”, “Regulation 2016/679” or “GDPR” in the SCCs shall be understood to be references to the Swiss Federal Act on Data Protection (as amended or replaced).
(d) the following terms shall apply to the SCCs:
(i) Customer may exercise its right of audit under the SCCs as set out in, and subject to the requirements of, clause 5 of this DPA; and
(ii) Appenate may appoint sub-Processors as set out in, and subject to the requirements of, clauses 4 and 6.3 of this DPA, and Customer may exercise its right to object to sub-Processors under the SCCs in the manner set out in clause 4.3 of this DPA; and
(e) in the event that any provision of this DPA contradicts, directly or indirectly, the SCCs, the SCCs shall prevail.
6.3 In respect of Restricted Transfers made to Appenate under clause 6.2, Appenate shall not participate in (nor permit any sub-Processor to participate in) any further Restricted Transfers of Personal Data (whether as an “exporter” or an “importer” of the Personal Data) unless such further Restricted Transfer is made in full compliance with European Data Protection Laws and pursuant to SCCs implemented between the exporter and importer of the Personal Data.
6.4 In the event Customer seeks to conduct any assessment of the adequacy of the SCCs for transfers to any particular countries or regions, Appenate shall, to the extent it is able, provide reasonable assistance to Customer for the purpose of any such assessment, provided Customer shall cover all costs incurred by Appenate in connection with its provision of such assistance.
7. Third Party Data Access Requests
7.1 If Appenate becomes aware of any third party legal process requesting Personal Data that Appenate processes on behalf of Customer in its role as Processor or sub-Processor (as applicable) then Appenate will:
(a) immediately notify Customer of the request unless such notification is legally prohibited;
(b) inform the third party that it is a Processor or sub-Processor (as applicable) of the Personal Data and is not authorized to disclose the Personal Data without Customer’s consent;
(c) disclose to the third party the minimum necessary Customer contact details to allow the third party to contact the Customer and instruct the third party to direct its data request to Customer; and
(d) to the extent Appenate provides access to or discloses Personal Data in response to third party legal process either with Customer authorization or due to a mandatory legal compulsion, then Appenate will disclose the minimum amount of Personal Data to the extent it is legally required to do so and in accordance with the applicable legal process.
7.2 Clause 7.1 shall not apply in the event that Appenate has a good-faith belief a third party government request is necessary due to an emergency involving the danger of death or serious physical injury to an individual. In such event, Appenate shall notify Customer of the data disclosure as soon as possible following the disclosure and provide Customer with full details of the same, unless such disclosure is legally prohibited.
7.3 As of the date Customer entered into this DPA with Appenate, Appenate makes the commitments listed below.
(a) Appenate has never turned over our encryption or authentication keys or our customers’ encryption or authentication keys to anyone.
(b) Appenate has never installed any law enforcement software or equipment anywhere on our network.
(c) Appenate has never provided any law enforcement organization a feed of our customers’ content transiting our network.
(d) Appenate has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party.
8. General
8.1 This DPA is without prejudice to the rights and obligations of the parties under the Main Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Main Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data.
8.2 Appenate’s liability under or in connection with this DPA, including under the SCCs, is subject to the exclusions and limitations on liability contained in the Main Agreement. In no event does Appenate limit or exclude its liability towards data subjects or competent data protection authorities.
8.3 Except where and to the extent expressly provided in the SCCs or required as a matter of Applicable Data Protection Laws, this DPA does not confer any third-party beneficiary rights; it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.
8.4 This DPA and any action related thereto shall be governed by and construed in accordance with the laws as specified in the Main Agreement, without giving effect to any conflicts of laws principles. The parties consent to the personal jurisdiction of, and venue in, the courts specified in the Main Agreement.
8.5 If any provision of this DPA is, for any reason, held to be invalid or unenforceable, the other provisions of the DPA will remain enforceable. Without limiting the generality of the foregoing, Customer agrees that section 8.2 (Limitation of Liability) will remain in effect notwithstanding the unenforceability of any provision of this DPA.
8.6 This DPA is the final, complete and exclusive agreement of the parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter.
Annex 1 – Description of Data Processing
This Annex 1 forms part of the DPA and describes the processing that Appenate will perform on behalf of Customer.
A. LIST OF PARTIES
Data Exporter(s):
Name: Customer and any Customer Affiliates, as stated in the Main Agreement
Address: Addresses of Customer and any Customer Affiliates described in the Main Agreement (or otherwise notified by Customer to Appenate), as stated in the Main Agreement
Contact person’s name, position and contact details: As stated in the Main Agreement
Activities relevant to the data transferred under this DPA and SCCs: Use of the Service pursuant to the Main Agreement
Signature and date: This Annex 1 shall be deemed executed upon execution of the DPA
Role (controller/processor): Controller (or Processor on behalf of a third-party Controller)
Data Importer(s):
Name: Appenate Pty Ltd
Address: Level 14, 167 Eagle Street, Brisbane, Australia 4000
Contact person’s name, position and contact details: Paul Du Bois, Data Protection Officer, compliance@appenate.com
Activities relevant to the data transferred under this DPA and SCCs: Processing necessary to provide the Service to Customer, pursuant to the Main Agreement.
Signature and date: This Annex 1 shall be deemed executed upon execution of the DPA
Role (controller/processor): Processor (or sub-Processor)
B. DETAILS OF DATA PROCESSING AND TRANSFER
Categories of data subjects whose Personal Data is transferred:
Natural persons with login credentials for an Appenate account and/or those who administer any part of the Service for a Customer (“Administrators”). Natural persons that are employees, agents, advisors, and contractors of the Customer. Natural persons that are employees, agents, contractors or contact persons of the Customer’s prospective and existing customers, resellers, referrers, subcontractors, business partners, and vendors.
Categories of Personal Data transferred:
In relation to End Users: Any Personal Data processed in Service Logs, such as IP addresses, end user names and email addresses. “Service Logs” means any logs of End Users’ interactions with the Service that are made available to Customer via the Service or are used internally by Appenate for operation and maintenance of the Service during the Term. Any Personal Data processed in Customer Content, the extent of which is determined and controlled by the Customer in its sole discretion. “Customer Content” means any files, software, multimedia images, graphics, audio, video, text, data, or other objects originating or transmitted from or processed by any devices owned, controlled or granted access to the Service by Customer, or uploaded by Customer through the Service. In relation to Administrative Users: Any Personal Data processed in Administrative User audit logs, such as IP addresses and email addresses.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as strict purpose limitation, access restrictions (including access only for staff who have completed specialised training), keeping a record of access to the data, restrictions on onward transfers or additional security measures:
Customer, its End Users, Administrators, and/or other partners may upload content to the Service which may include special categories of data, the extent of which is determined and controlled by the Customer in its sole discretion. Such special categories of data include, but are not limited to, information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and data concerning an individual’s health or sex life. Any such special categories of data shall be protected by applying the security measures described in Annex 2.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Continuous for the duration of the Main Agreement.
Nature of the processing:
Processing necessary to provide the Service to Customer, pursuant to the Main Agreement.
Purpose(s) of the data transfer and further processing:
Processing necessary for the provision of the Service.
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
Until the earliest of (i) expiry/termination of the Main Agreement, or (ii) the date upon which processing is no longer necessary for the purposes of either party performing its obligations under the Main Agreement (to the extent applicable).
For transfers to (sub-)Processors, also specify subject matter, nature and duration of the processing:
The subject matter, nature and duration of the processing shall be as specified in the Main Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies (e.g. in accordance with Clause 13 of the SCCs):
In respect of the EU SCCs, the competent supervisory authority determined in accordance with Clause 13 of the EU SCCs. In respect of the UK SCCs, the UK Information Commissioner’s Office.
Annex 2 – Technical and Organisational Security Measures
Appenate currently observes the security practices described in this Annex 2. Notwithstanding any provision to the contrary otherwise agreed to by the Customer, Appenate may modify or update these practices at its discretion provided that such modification and update does not result in a material degradation in the protection offered by these practices. Further information is available at https://www.appenate.com/security-infrastructure.
Measures of pseudonymisation and encryption of Personal Data
Appenate provides functionality to mark data as protected, which in turn applies automatic pseudonymisation to said data values on export from Appenate systems.
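The paragraph above states that values marked as protected are pseudonymised on export but does not say how. The following is an added illustration of the general technique, not Appenate’s code and not a description of how the Service implements the feature: each protected cell is replaced by a keyed HMAC-SHA256 token, so the export carries no raw value, equal values still map to equal tokens (rows remain joinable), and only the holder of the key, which is kept out of the export, can re-identify a token. The field names, sample rows and the “pseu_” prefix are constructed for the example.

```python
import csv
import hashlib
import hmac
import io
import secrets

# Constructed sample rows standing in for a form-data export. Which fields are
# "protected" is a per-export decision (here: name and email); "id" and "site"
# are left in clear so the export stays useful for reporting.
PROTECTED_FIELDS = frozenset({"name", "email"})
SAMPLE_ROWS = [
    {"id": "1", "name": "Alice Example", "email": "alice@example.com", "site": "Brisbane"},
    {"id": "2", "name": "Bob Example", "email": "bob@example.com", "site": "Brisbane"},
    {"id": "3", "name": "Alice Example", "email": "alice@example.com", "site": "Perth"},
]


def new_export_key() -> bytes:
    """Fresh 256-bit pseudonymisation key. It must live outside the export
    (a secrets manager, never a column or a sidecar file): whoever holds it
    can re-identify the tokens, which is exactly why the output counts as
    pseudonymised rather than anonymised."""
    return secrets.token_bytes(32)


def pseudonymise_value(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed pseudonym for one cell.

    HMAC-SHA256 rather than a bare hash, so a recipient of the export cannot
    run a dictionary attack over likely emails or names. The field name is
    mixed in so the same string appearing in two columns yields two unrelated
    tokens, while the same value in one column always yields the same token,
    keeping rows joinable within and across exports made with the same key.
    """
    msg = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return "pseu_" + tag[:32]  # 128 bits is ample for a collision-free pseudonym


def pseudonymise_rows(rows, protected, key):
    """Return a copy of rows with every protected field replaced by its token.
    Empty cells stay empty so the absence of data is not turned into a token."""
    out = []
    for row in rows:
        new_row = {}
        for field, value in row.items():
            if field in protected and value != "":
                new_row[field] = pseudonymise_value(key, field, value)
            else:
                new_row[field] = value
        out.append(new_row)
    return out


def export_csv(rows, protected, key) -> str:
    """Render the pseudonymised rows as CSV text, as an export endpoint would."""
    safe_rows = pseudonymise_rows(rows, protected, key)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(safe_rows)
    return buf.getvalue()


def contains_raw_values(export_text, rows, protected) -> bool:
    """Release check: True if any raw protected value leaked into the export."""
    return any(row[f] and row[f] in export_text for row in rows for f in protected)


if __name__ == "__main__":
    key = new_export_key()
    text = export_csv(SAMPLE_ROWS, PROTECTED_FIELDS, key)
    print(text)
    print("raw values leaked:", contains_raw_values(text, SAMPLE_ROWS, PROTECTED_FIELDS))
```

Two points worth checking in any real implementation of this kind: the key is the re-identification secret, so it must be stored and rotated separately from exported files, and the output is pseudonymised, not anonymised, so it remains Personal Data under the GDPR and stays subject to the obligations in this DPA.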
Appenate implements encryption to protect Personal Data using:
· industry standard encryption protocols along with trustworthy public-key certification authorities and infrastructure;
· effective encryption algorithms and parameterization, such as minimum 256-bit key lengths.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Appenate enhances the security of processing systems and services in production environments by:
· employing a code review process to increase the security of the code used to provide the Service, and testing code and systems for vulnerabilities before and during use;
· employing preventative and reactive intrusion detection, together with weekly automated penetration tests executed by a third-party security provider.
Appenate deploys high-availability systems across geographically-distributed data centers and implements measures to protect and maintain the confidentiality of Personal Data including:
· authenticating authorized personnel using unique authentication credentials (passwords) and requiring the use of time-based one-time password (“TOTP”) tokens;
· automatically signing-out user sessions after a period of inactivity;
· protecting the input of data, as well as the reading, alteration and deletion of stored data;
· requiring that devices performing data processing utilise drive encryption and are kept updated with current vendor software patches.
Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
Appenate implements measures to ensure that Personal Data is protected from accidental destruction or loss, including by maintaining:
· disaster-recovery and business continuity plans and procedures;
· backup and replication strategies designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across geographically-distributed data centers;
· relationships only with infrastructure providers that use commercially reasonable efforts to ensure a minimum of 99.9% uptime. These providers maintain a minimum of N+1 redundancy to power, network, and HVAC services;
· incident management procedures that are regularly tested.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
Appenate’s technical and organisational measures are assessed internally and by external third-party auditors under a SOC 2 Type II attestation. Appenate also employs preventative and reactive intrusion detection, together with weekly automated penetration tests executed by a third-party security provider. All Service infrastructure is deployed on multi-tenant cloud infrastructure providers, primarily Microsoft Azure. These infrastructure providers implement rigorous security measures which are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
Measures for user identification and authorisation
Appenate implements effective measures for user authentication and privilege management by:
· applying a mandatory access permission and authentication policy;
· authenticating authorized personnel using unique authentication credentials and strong multi-factor authentication, including requiring the use of TOTP tokens;
· providing access permissions within the Service for the Customer to use in ensuring only appropriately assigned individuals can access relevant features, views, and customization options;
· allocating and managing appropriate privileges according to role, approvals, and exception management;
· applying the principle of least privilege access where possible.
Measures for the protection of data during transmission
Appenate implements effective measures to protect Personal Data from being read, altered or deleted by unauthorized parties during transmission, including by using:
· industry standard transport encryption protocols, trustworthy public-key certification authorities and infrastructure;
· effective encryption algorithms and parameterization, such as minimum 256-bit key lengths;
· correctly implemented and properly maintained software, covered under a vulnerability management program where possible.
Measures for the protection of data during storage
Appenate implements effective measures to protect Personal Data during storage, controlling and limiting access to data processing systems, and by using:
· industry standard encryption protocols, trustworthy public-key certification authorities and infrastructure;
· effective encryption algorithms and parameterization, such as minimum 256-bit key lengths;
· correctly implemented and properly maintained software, covered under a vulnerability management program where possible;
· identifying and authorizing systems and users with access to data processing systems; and
· automatically signing-out users after a period of inactivity.
Appenate implements access controls to specific areas of data processing systems to ensure only authorized users are able to access the Personal Data within the scope and to the extent covered by their respective access permission and that Personal Data cannot be read, copied or modified or removed without said access permission. This is accomplished by various measures including:
· employee policies and training in respect of each employee’s access to the Personal Data;
· authenticating authorized personnel using unique authentication credentials and strong multi-factor authentication, including requiring the use of TOTP tokens;
· releasing data only to authorized persons, including the allocation of differentiated access rights and roles.
Measures for ensuring physical security of locations at which Personal Data are processed
Appenate hosts the Service with cloud infrastructure providers, primarily Microsoft Azure. These providers maintain and implement effective physical access control policies and measures (as affirmed by their contractual commitments, privacy policies, compliance programs and audits for SOC 2 Type II and ISO 27001, among other certifications) in order to prevent unauthorized persons from gaining access to the data processing equipment (namely database and application servers, and related hardware) where the Personal Data are processed or used, including by:
· establishing secure areas, as well as protecting and restricting access paths;
· establishing access authorizations for employees and third parties;
· logging and monitoring all physical access to data centers where Personal Data is hosted;
· securing data centers where Personal Data is hosted using security alarm systems and other appropriate measures.
Measures for ensuring events logging
Appenate utilises audit logging functionality within Microsoft Azure, the Service, and other infrastructure providers to track logins and access to Customer data, including by system administrators, and to ensure data is processed in accordance with instructions received. This is accomplished by various measures, including:
· authenticating authorized personnel using unique authentication credentials and strong multi-factor authentication, including requiring the use of TOTP tokens;
· maintaining updated lists of system administrators’ identification details;
· adopting measures to detect, assess, and respond to high-risk anomalies;
· keeping secure, accurate, and unmodified access logs to the processing infrastructure for 3 months;
· testing the logging configuration, monitoring system, alerting and incident response process at least once annually.
Measures for ensuring system configuration, including default configuration
Appenate targets configurations that apply the principle of least privilege for all systems supporting the production data processing environment. Automated mechanisms are used to enforce baseline configurations on production systems and to prevent unauthorized changes. Changes to baselines are limited to a small number of authorized Appenate personnel and must follow change control processes. Systems are checked regularly to detect deviations from baseline configurations.
Measures for internal IT and IT security governance and management
Appenate maintains internal policies on the acceptable use of IT systems and general information security. These policies are shared with all Appenate personnel and reviewed regularly to incorporate new approaches and/or industry standard practices. Security is viewed as a collective responsibility of everyone at Appenate, with annual security awareness training provided to all personnel. Other measures to maintain security awareness include automated cybersecurity tests such as simulated phishing attempts.
Measures for certification/assurance of processes and products
Appenate’s information security and related security risk management processes are implemented and audited under a SOC 2 Type II attestation. Details of this and other certifications or attestations that Appenate may undertake in the future will be published on Appenate’s website. Appenate hosts the Service exclusively with cloud infrastructure providers that hold SOC 2 Type II reports and ISO 27001 certification, primarily Microsoft Azure.
Measures for ensuring data minimisation
Appenate aims to collect the bare minimum of anonymized technical information required to reliably operate the Service. The Customer (as Controller) decides the Personal Data to be stored on the Service and is responsible for defining its own policies for minimising data collection and storage. If Personal Data is no longer required, the Customer can delete it from the Service as outlined in “Measures for ensuring limited data retention” below.
Measures for ensuring data quality
Appenate does not assess the quality of the data provided by the Customer, primarily because Appenate personnel do not have the Customer’s business context. Appenate provides tools within the Service to help the Customer understand and validate the data that is stored.
Measures for ensuring limited data retention
The Customer is responsible for defining its own retention policies and using the tools provided by the Service to delete Personal Data. If Personal Data is no longer required, the Customer can delete it from the Service. It should be noted that with each deletion the data is in the first instance locked and then permanently deleted from the production systems after a certain delay. This is done in order to prevent accidental deletions, but may be overridden by the Customer using the purge action within the “Trash” feature of the Service. Cancellation or termination of the Service will also automatically result in permanent deletion of Personal Data after a certain recovery period. Following permanent deletion from the Service, partial data resides on Appenate’s backup archives and is removed over time in line with Appenate’s data retention policy.
Measures for ensuring accountability
Security is viewed as a collective responsibility of everyone at Appenate, with annual security awareness training provided to all personnel. Security training and required reading of Appenate information security policies form key aspects of all Appenate personnel onboarding. A disciplinary policy is in place for personnel who do not adhere to Appenate information security policies. Appenate also actively tests data protection measures using automated third-party tools and promptly actions any problematic findings of these tools. Appenate has appointed a Data Protection Officer and maintains documentation of all Service disruptions and incidents.
Measures for allowing data portability and ensuring erasure
The Service has built-in tools that allow the Customer to export and permanently erase data.
Technical and organizational measures of sub-processors
Appenate only contracts with sub-Processors that have data protection obligations substantially similar to, and in accordance with, those contained in this DPA. Appenate seeks to minimise the use of sub-Processors wherever possible and restricts sub-Processor access to Customer data to only that which is strictly required for operation of the Service.