Data Processing Addendum (Customers)
Delinea Data Processing Addendum (“DPA”) for provision of Cloud Services
Last updated: April 1, 2024
Archive
This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Master Subscription and License Agreement (“MSLA”), End User License Agreement (together with attachments thereto, “EULA”) or other end user agreement or terms of service (“Agreement”) by and between Delinea Inc. (“Vendor”) and Customer (as defined in the Agreement) pursuant to which Customer purchases subscriptions to access and use Delinea Cloud Services (as defined below). This DPA sets out the requirements for processing of Personal Data by Vendor on behalf of Customer for the purposes of providing Cloud Services. For clarity, any regulatory requirements referenced herein shall apply to Customer only to the extent that Vendor’s processing of Customer’s Personal Data is subject to (and within the jurisdictional reach of) such regulatory requirements.
- Definitions
| Term | Definition |
| --- | --- |
| Adequate Country | means a country or territory recognized as providing an adequate level of protection for Personal Data under an adequacy decision made, from time to time, by (as applicable) (a) the Information Commissioner’s Office and/or under applicable UK law (including the UK GDPR), or (b) the European Commission under the EU GDPR, or (c) the Swiss Federal Data Protection Authority under Swiss Data Protection Law. |
| Controller | has the meaning ascribed to it in the Data Protection Laws. The term “Controller” shall also include a “business” as defined in the CCPA and the CPRA and analogous terms in the applicable Data Protection Laws. |
| Data Protection Laws | means all data protection and privacy laws, as may be amended, superseded or replaced from time to time, that are applicable to a party and its Processing of Personal Data under the Agreement, including, where applicable, and without limitation: |
| Data Subject | has the meaning ascribed to it in the Data Protection Laws. |
| Data Subject Request | means a request from or on behalf of a data subject to exercise any rights in relation to their Personal Data under Data Protection Laws. |
| Delinea Cloud Services | refers to cloud-hosted solutions offered by Delinea for end user internal access and use in accordance with associated product documentation under one, two or three-year services subscriptions. Delinea Cloud Services includes the Fastpath Solutions. |
| EEA | means the European Economic Area. |
| EU Clauses | means the standard contractual clauses for international transfers of personal data to third countries set out in the European Commission's Decision 2021/914 of 4 June 2021 (at http://data.europa.eu/eli/dec_impl/2021/914/oj) incorporating Module Two for Controller to Processor transfers and which form part of this DPA in accordance with Schedule 3. |
| Fastpath Solutions | means those cloud services offerings for separation of duties or identity governance and administration that Vendor references as a Fastpath Solutions service in order documentation. |
| Personal Data | has the meaning ascribed to it in the Data Protection Laws and, for the DPA, refers to Personal Data that is uploaded into the Cloud Services or in connection with support services by Customer and accessed, stored, or otherwise processed by Vendor as a processor. |
| Processor | has the meaning ascribed to it in the Data Protection Laws. The term “Processor” shall also include a “service provider” as defined in the CCPA and CPRA and analogous terms in the applicable Data Protection Laws. |
| Security Breach | means any breach of security or other action or inaction leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data by any of Vendor’s staff or sub-processors, or any other identified or unidentified third party. |
| Supervisory Authority | means in the UK, the Information Commissioner’s Office (“ICO”) (and, where applicable, the Secretary of State or the government), and in the EEA, an independent public authority established pursuant to the GDPR. |
| Swiss Data Protection Law | means the Swiss Federal Data Protection Act of 19 June 1992 and, when in force, the Swiss Federal Data Protection Act of 25 September 2020 and its corresponding ordinances as amended, superseded or replaced from time to time. |
| Swiss Addendum | means the addendum set out in Schedule 3. |
| UK | means the United Kingdom. |
| UK Approved Addendum | means the template Addendum B.1.0 issued by the UK’s Information Commissioner's Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 of the UK on 2 February 2022, and expected to be in force on 21 March 2022. |
| UK Mandatory Clauses | means the Mandatory Clauses of the UK Approved Addendum, as updated from time to time and/or replaced by any final version published by the Information Commissioner's Office. |
| UK GDPR | means the EU GDPR as implemented into the law of the United Kingdom by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 and the Data Protection Act 2018. |
- Roles & compliance with Data Protection Laws
- Customer is the controller of Personal Data, and Vendor is the processor of Personal Data. Each party will comply (and will procure that its personnel comply and use commercially reasonable efforts to procure that its sub-processors comply), with Data Protection Laws applicable to such party in the processing of Personal Data. As between the parties, Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Personal Data was acquired.
- Description of Processing. The subject matter, nature, and specific purposes of the processing, duration, types of Personal Data and categories of Data Subject are as set out in Schedule 1.
- Processing by Vendor. As a processor, Vendor will only process Personal Data (i) to provide the Cloud Services and related support services to Customer or (ii) per Customer’s instructions in writing or via the Cloud Services and related support services. In providing the Cloud Services and related support services to Customer, Vendor will not process Customer Personal Data in a manner that is prohibited by applicable Data Protection Laws or outside the direct business relationship between the parties. In addition, Vendor will not sell or share Customer Personal Data as those terms are defined in applicable Data Protection Laws. Vendor will notify Customer (unless prohibited by applicable law) if it is required under applicable law to process Personal Data other than pursuant to Customer’s instructions. As soon as reasonably practicable upon becoming aware, Vendor will notify the Customer if, in Vendor’s opinion, any instructions provided by the Customer under this Clause 3 infringe applicable Data Protection Laws, or it can no longer meet its obligations under applicable Data Protection Laws. Upon termination of the Agreement and upon written request of the Customer, Vendor will return or delete the Personal Data, unless required by law to continue to store a copy of the Personal Data.
- Technical and Organisational Security Measures
- Vendor will implement appropriate technical and organizational measures of security appropriate to the risks that are presented by the processing of Personal Data, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or use of, or access to Personal Data as set out in Annex II of Schedule 4.
- Vendor will take reasonable steps to ensure that only authorised personnel have access to Personal Data and that any persons whom it authorizes to access the Personal Data are under obligations of confidentiality.
- Security Breaches, Data Subject Requests & Further Assistance
- Security Breaches. In the event of a Security Breach concerning Personal Data processed by Vendor on behalf of Customer, Vendor shall take appropriate measures to address the Security Breach, including measures to mitigate its adverse effects. Vendor will notify Customer of any Security Breach without undue delay and within forty-eight (48) hours after becoming aware of the Security Breach.
- Data Subject Requests. To the extent legally permitted, Vendor will promptly notify Customer if it receives a Data Subject Request that is identified as or determined to be related to Customer. Vendor will not respond to a Data Subject Request, provided that Customer agrees Vendor may at its discretion respond to confirm that such request relates to Customer. Customer acknowledges and agrees that the Cloud Services and related support services may include features which will allow Customer to manage Data Subject Requests directly through the Cloud Services without additional assistance from Vendor. If Customer does not have the ability to address a Data Subject Request, Vendor will, upon Customer’s written request, provide reasonable assistance to facilitate Customer’s response to the Data Subject Request to the extent such assistance is consistent with applicable law.
- Further Assistance. Taking into account the nature of processing and the information available to Vendor, Vendor will provide such assistance as Customer reasonably requests in relation to Customer’s obligations under Data Protection Laws with respect to (i) data protection impact assessments, (ii) notifications to the Supervisory Authority under Data Protection Laws and/or communications to data subjects by the Customer in response to a Security Breach, or (iii) Customer’s compliance with its obligations under Data Protection Laws (as applicable) with respect to the security of processing.
- Sub-processing
- Customer grants a general authorization to Vendor (i) to appoint one or more of its Affiliates as sub-processors and (ii) to appoint third party data center operators, outsourced support providers, and/or third-party technology providers as sub-processors to support the performance of the Cloud Services and support services, subject to the terms herein. As used herein, the term “Affiliate” means any person or entity directly or indirectly controlling, controlled by, or under common control with Vendor.
- Vendor will maintain a list of sub-processors at the following URL: https://delinea.com/sub-processors/, and will add the names of new and replacement sub-processors to the list prior to their starting sub-processing of Personal Data. Customer can subscribe to updates as instructed at https://delinea.com/privacy-notifications. If the Customer has a reasonable legal objection to any new or replacement sub-processor, it shall notify Vendor of such objections in writing setting forth the legal requirements that form the basis of the objection within ten (10) days of Vendor’s notice of any new or replacement sub-processor and the parties will seek to resolve the matter in good faith. If Vendor is able to provide Cloud Services and support services to Customer in accordance with the Agreement and applicable legal requirements and decides in its discretion to do so, then Customer will have no further rights under this Clause 6.b in respect of the proposed use of the sub-processor.
- Sub-processors engaged by Vendor to process Personal Data in connection with the Cloud Services or support services must have entered into contractual terms which impose on such sub-processor terms substantially no less protective of Personal Data than those imposed on Vendor in this DPA, and Vendor shall remain responsible and liable for such sub-processor’s processing of Personal Data in accordance with such terms.
- International Transfers
- Customer agrees that its use of the Cloud Services and related support services will involve the transfer of Personal Data to, and processing of Personal Data in, the countries in which Vendor and Vendor’s sub-processors are based. Vendor may process and permit the processing of Personal Data in another country outside the EEA or the UK (except if in an Adequate Country) in conformity with this Section 7.
- UK transfers:
  - To the extent Personal Data is transferred to Vendor and processed by or on behalf of Vendor outside the UK (except if in an Adequate Country) in circumstances where such transfer would be prohibited by UK GDPR in the absence of a transfer mechanism, the parties agree that the EU Clauses subject to the UK Approved Addendum will apply. The UK Approved Addendum is incorporated into this DPA.
  - Schedule 2 references the information required by Tables 1 to 4 inclusive of the UK Approved Addendum.
- EU transfers:
  - To the extent Personal Data is transferred to Vendor and processed by or on behalf of Vendor outside the EEA (except if in an Adequate Country) in circumstances where such transfer would be prohibited by EU GDPR in the absence of a transfer mechanism, the parties agree that the EU Clauses will apply in respect of that processing and are incorporated into this DPA in accordance with Schedule 3.
  - Schedule 3 contains the information required by the EU Clauses.
- Swiss transfers:
  - To the extent Personal Data is transferred to Vendor and processed by or on behalf of Vendor outside Switzerland (except if in an Adequate Country) in circumstances where such transfer would be prohibited by Swiss Data Protection Laws in the absence of a transfer mechanism, the parties agree that the EU Clauses subject to the Swiss Addendum will apply in respect of that processing. The Swiss Addendum is incorporated into this DPA.
  - Schedule 3 contains the information required by the EU Clauses, including for the purposes of transfers to which this clause d applies.
- Vendor may (i) replace the EU Clauses, the Swiss Addendum and/or the UK Approved Addendum generally or in respect of the EEA, Switzerland and/or the UK (as appropriate) with any alternative or replacement transfer mechanism in compliance with applicable Data Protection Laws, including any further or alternative standard contractual clauses approved from time to time and (ii) make reasonably necessary changes to this DPA for new or revised transfer mechanisms or new standard contractual clauses, provided their content is in compliance with the Data Protection Laws. Customer may request notification of such changes by following the instructions described under the “Legal” section of Delinea’s website (www.delinea.com).
- Audit and Records
- Customer may take reasonable and appropriate steps to verify Vendor’s compliance with applicable Data Protection Laws and this DPA as described in this Clause 8. Vendor shall maintain such business records and information in Vendor’s possession or control with a view to demonstrating Vendor’s compliance with the obligations of data processors under applicable Data Protection Law in relation to its processing of Personal Data. Whenever required by an audit or inspection request of any Supervisory Authority or otherwise under applicable Data Protection Laws (an “Audit Request”), Vendor shall make available those business records and information reasonably determined by Vendor to be legally required and necessary to meet the Audit Request. Customer shall ensure Vendor receives reasonable prior notice of at least thirty (30) days as to any Audit Request and provide Vendor with all relevant excerpts of the formal Audit Request that may be relevant to the records Vendor may be required to produce. Vendor shall be entitled to make legal objections to Audit Requests to protect sensitive materials and may exercise all available legal rights to protect its business records and information in connection with any Audit Request, including without limitation to redact records, require confidential treatment, require non-disclosure agreements, require verification of audit requirements and limit access to records. Vendor will take reasonable and appropriate steps to remediate findings of non-compliance of applicable Data Protection Law or this DPA.
- General
- Effective Date. This DPA is effective as of the later of April 01, 2024 or the effective date of the Agreement.
- Incorporation of Updates to DPA. This DPA may from time to time be updated by Vendor to reflect regulatory and compliance changes, Vendor process enhancements, and similar changes (“DPA Updates”) that Vendor deems necessary and advisable. DPA Updates shall be deemed automatically incorporated into and made a part of this DPA upon Vendor’s publication of this DPA on its website incorporating the DPA Update. Customer shall not dispute any DPA Updates which Vendor deems are necessary or advisable to comply with applicable law; provided, no DPA Update that will materially adversely impact Customer’s rights under this DPA shall become effective as to Customer without an opportunity for Customer to review and discuss such DPA Update with Vendor. Customer can subscribe to DPA Updates at https://delinea.com/privacy-notifications.
- Conflicts. This DPA is without prejudice to the rights and obligations of the parties under the Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms (including definitions) of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data; provided, however, in the event Customer and Vendor have a separate executed data processing addendum effective prior to April 20, 2023, such other data processing addendum shall prevail to the extent of any provision that directly conflicts with this DPA. This DPA sets out all of the terms that have been agreed between the parties in relation to the subjects covered by it. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA.
- Limitation of Liability. Vendor’s maximum aggregate liability to Customer under or in connection with this DPA shall not under any circumstances exceed the maximum aggregate liability of Vendor to the Customer as set out in the Agreement. Nothing in this DPA will limit Vendor’s liability in respect of personal injury or death in negligence or for any other liability or loss which may not be limited by agreement under applicable law.
- Governing Law; Venue. Without prejudice to the provisions of the EU Clauses, Swiss Addendum and the UK Approved Addendum addressing the law which governs them, this DPA shall be governed by and construed in accordance with the laws which govern the Agreement and the venue and dispute resolution provisions under the Agreement shall also apply to disputes and claims under this DPA.
Schedules to DPA Follow
SCHEDULE 1
Data Processing Details
For the purposes of Clause 3 of the DPA and Schedules 2 and 3 to the DPA, the parties set out below a description of the Personal Data being processed by Vendor under the Agreement and further details required pursuant to the Data Protection Laws.
Delinea Cloud Services (excluding Fastpath Solutions)
| Item | Details |
| --- | --- |
| Subject Matter of the Processing | Vendor’s provision of the Cloud Services and related support services to Customer. |
| Nature and purpose of Processing | The collection and storage of Personal Data pursuant to providing the Cloud Services and related support services to Customer. |
| Types of Personal Data | Personal Data that Customer in its discretion uploads into the Cloud Services and submits in using the support services, consisting of the following types at Customer’s discretion: |
| Sensitive Personal Data and applied restrictions | None |
| Categories of Data Subject | Data Subjects may include any end users (including without limitation Customer’s employees, contractors, or other personnel) about whom Personal Data is provided to Vendor via the Cloud Services and related support services by, or at the direction of, Customer. |
| Duration of Processing | For the duration of the Agreement, or until the processing is no longer necessary for the purposes. |
Fastpath Solutions:
| Item | Details |
| --- | --- |
| Subject Matter of the Processing | Vendor’s provision of the Fastpath Solutions and related support services to Customer. |
| Nature and purpose of Processing | The collection and storage of Personal Data pursuant to providing the Fastpath Solutions and related support services to Customer. |
| Types of Personal Data | Personal Data that Customer in its discretion uploads into the Fastpath Solutions and submits in using the support services, consisting of the following types at Customer’s discretion: user name; system ID and device data; email address; phone number and business address; job title; descriptions associated with job title; other personal data types uploaded or designated by Customer for use of the Fastpath Solutions. |
| Sensitive Personal Data and applied restrictions | None |
| Categories of Data Subject | Data Subjects may include any end users (including without limitation Customer’s employees, contractors, or other personnel) about whom Personal Data is provided to Vendor via the Fastpath Solutions and related support services by, or at the direction of, Customer. |
| Duration of Processing | For the duration of the Agreement, or until the processing is no longer necessary for the purposes. |
SCHEDULE 2
UK Transfers
For the purposes of the UK Approved Addendum,
- the information required for Table 1 is contained in Schedule 1 of this DPA and the start date shall be deemed dated the same date as the EU Clauses;
- in relation to Table 2, the version of the EU Clauses to which the UK Approved Addendum applies is Module Two for Controller to Processor;
- in relation to Table 3, the list of parties and description of the transfer are as set out in Annex 1 of Schedule 4 of this DPA, Vendor's technical and organisational measures are set in Annex II of Schedule 4 of this DPA, and the list of Vendor's sub-processors shall be provided pursuant to Clause 6 of this DPA; and
- in relation to Table 4, neither party will be entitled to terminate the UK Approved Addendum in accordance with clause 19 of the UK Mandatory Clauses.
SCHEDULE 3
Swiss Addendum
In respect of transfers otherwise prohibited by Swiss Data Protection Law:
- The FDPIC will be the competent supervisory authority;
- Data subjects in Switzerland may enforce their rights in Switzerland under clause 18c of the EU SCCs, and
- References in the EU SCCs to the EU GDPR should be understood as references to Swiss Data Protection Law insofar as the data transfers are subject to Swiss Data Protection Law.
SCHEDULE 4
EU Clauses
- For the purposes of this Schedule 4, the EU Clauses (Module II), available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN, shall be incorporated by reference to this Schedule 4 and the DPA and shall be considered an integral part thereof, and the parties’ signatures in the Agreement (to which this DPA is attached as an Exhibit) shall be construed as the parties’ signature to the EU Clauses. In the event of an inconsistency between the DPA and the EU Clauses, the latter will prevail.
- For the purposes of the EU Clauses, the following shall apply:
  - Customer is the exporter and Vendor is the importer. Each party agrees to be bound by and comply with its obligations in its role as exporter and importer respectively as set out in the EU Clauses.
  - Clause 7 (Docking clause) shall be deemed as included.
  - Clause 9 (Use of sub-processors): OPTION 2 – GENERAL WRITTEN AUTHORISATION shall apply. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors as set out in Clause 6 of the DPA.
  - Clause 11 (Redress): optional clause (optional redress mechanism before an independent dispute resolution body) shall be deemed as not included.
  - Clause 13 (a) (Supervision):
    - Where Customer is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
    - Where Customer is not established in an EU Member State but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.
    - Where Customer is not established in an EU Member State but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679, the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located, shall act as competent supervisory authority.
  - Clause 17 (Governing law): These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The parties agree that this shall be the law of Ireland.
  - Clause 18 (b) (Choice of forum and jurisdiction): The parties agree that any dispute between them arising from the EU Clauses shall be resolved by the courts of Ireland.
- Any provision in the EU Clauses relating to liability of the parties with respect to each other shall be subject to the limitations and exclusions of the Agreement.
- Any provision in the EU Clauses relating to the right to audit shall be interpreted in accordance with Clause 8 of the DPA and the Agreement.
ANNEX I to Schedule 4
- LIST OF PARTIES
Data exporter(s):
Name: Customer name as set forth in the preamble of the Agreement.
Address: Customer address as set forth in the preamble of the Agreement.
Contact person’s name, position and contact details: Customer privacy contact details as notified to Delinea at dpo@delinea.com or in accordance with the “Notices” provision of the Agreement, or if no privacy contact is so notified, the Customer name for general notices, as set forth under “Notices” in the Agreement.
Activities relevant to the data transferred under these Clauses: Data exporter will transfer Personal Data to the data importer as required for the provision of Cloud Services and related support services by the data importer under the Agreement and as set out in the DPA.
Signature and date: The Effective Date of the DPA (Clause 9.a.)
Role (controller/processor):
☒ Controller
☐ Processor
Data importer(s):
Name: Delinea Inc.
Address: 221 Main Street, Suite 1300, San Francisco, CA, 94105
Contact person’s name, position and contact details: Legal Department, Attention: Karen Server, Delinea Europe Ltd., 5 New Street Square, London, EC4A 3TW, United Kingdom; dpo@delinea.com.
Activities relevant to the data transferred under these Clauses: data importer will process personal data as required for the provision of Cloud Services and related support services under the Agreement and as set out in the DPA.
Signature and date: The Effective Date of the DPA (Clause 9.a.)
Role (controller/processor):
☐ Controller
☒ Processor
- DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
See Schedule 1 to the DPA
Categories of personal data transferred
See Schedule 1 to the DPA
Sensitive data transferred (if applicable) and applied restrictions or safeguards
See Schedule 1 to the DPA
Frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).
Transfers will occur from time to time as required during the course of the performance of the Cloud Services and related support services under the Agreement.
Nature of the processing
See Schedule 1 to the DPA
Purpose(s) of the data transfer and further processing
See Schedule 1 to the DPA
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
See Schedule 1 to the DPA
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
See Schedule 1 to the DPA
- COMPETENT SUPERVISORY AUTHORITY
See Schedule 4 to the DPA
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
See Schedule 4 to the DPA
ANNEX III – LIST OF SUB-PROCESSORS
Annex II of Schedule 4
Security Measures
With respect to Personal Data processed by Vendor in delivery of Delinea Cloud Services (excluding Fastpath Solutions):
Information security policy: Vendor maintains a comprehensive information security program (ISP) utilizing frameworks from ISO and NIST to maintain confidentiality, integrity, and availability of Personal Data within the Cloud Services. Vendor has received ISO 27001 certification and maintains a SOC2 report for the Cloud Services. The ISP includes the summarized measures below. Additional information is available upon request through your Vendor business representative.
Data separation: Vendor operates a multitenant architecture and Personal Data processed on behalf of the Customer is kept logically and/or physically separated from other customers. Vendor encrypts Customer Personal Data while in transit and, depending on the service provided, Personal Data stored at rest (e.g., passwords, Secrets) using industry standard encryption.
Infrastructure Security: Vendor implements appropriate technical and organizational measures, including (a) access controls based on least-privilege principles and logs to monitor access, (b) unique confidential credentials (usernames/passwords), (c) multi-factor authentication, (d) firewalls and anti-virus/anti-malware software, (e) threat monitoring, (f) end-point protection, and (g) vulnerability scanning.
Back-up: Vendor performs secure back-ups of the databases containing Customer Personal Data.
Disaster recovery / business continuity: Vendor maintains high availability, disaster recovery, and business continuity plans and procedures to protect against business interruption.
Change management: Vendor manages changes to production systems, applications, and databases, through a formal change management process.
Secure development: Vendor applies secure application development policies and procedures based on industry accepted standards and practices (e.g., NIST, ISO, and CIS).
Incident management: Vendor maintains a security incident response plan to identify, respond to, and mitigate unauthorized disclosure of Personal Data. Notification procedures are described in the DPA.
Physical Security: Vendor utilizes the following cloud services which maintain certifications for their data centers that include physical security controls and testing of such controls.
- Microsoft Azure: https://docs.microsoft.com/en-us/azure/compliance/
- Amazon Web Services (AWS): https://aws.amazon.com/compliance/programs/
Program monitoring: Vendor routinely monitors its information security program and compliance with this DPA.
With respect to Personal Data processed by Vendor in delivery of Fastpath Solutions:
- Vendor maintains an information security program (ISP) to maintain confidentiality, integrity, and availability of Personal Data within the Fastpath Solution. Vendor maintains SOC1 and SOC2 reports for the Fastpath Solutions.
- Vendor has annual examinations conducted to review the suitability of the design and the operating effectiveness of the controls in place around personnel security, system resiliency, system monitoring, information security, application change control, and data communications. Controls include:
- Use of firewalls and monitoring.
- Secure configuration of hardware, devices, and software.
- Corporate policies and training ensure requirements are communicated throughout the organization.
- Control and segregation of access to data and services.
- Change control and monitoring, including testing.
- Malware and virus protection.
- Maintenance and update of software, hardware, and related systems.
- Regular backups of data.
- Vendor utilizes Microsoft Azure and Amazon Web Services to host the software solution and Customer Data. Vendor reviews annual Microsoft Azure and Amazon Web Services SOC1 and SOC2 reports to ensure controls in place around personnel security, system resiliency, system monitoring, information security, application change control, and data communications are operating as designed.
- Vendor has an incident response policy and program in place to address personal data breaches.
***