Data Processing Agreement
1. Scope and Applicability.
- This DPA applies to Action1’s Processing of Personal Data on Customer’s behalf as a Processor for the provision of the Services specified in the Agreement. Unless otherwise expressly stated in the Agreement, this version of the Data Processing Agreement shall be effective and remain in force for the term of the Agreement. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail and control, but only with respect to the subject matter of this DPA.
- For the purposes of the GDPR (as defined in Section 12 below), for the transfer of personal data to Processors established in third countries outside the European Economic Area (“EEA”) that are not recognized by the European Commission or applicable governing body as ensuring an adequate level of data protection for personal data (“Third Country Recipients”), those entities of Customer who are transferring Personal Data outside of the EEA and Action1 (if Action1 is or becomes a Third Country Recipient) hereby agree that Module 2: Transfer controller to processor of the Standard Contractual Clauses (the “Clauses”) incorporated into this DPA by reference (as supplemented in the next paragraphs below), shall apply to such transfers. Notwithstanding the foregoing, pursuant to the terms of the Agreement, where Customer is an authorized reseller of the Services specified in the Agreement and subject to the GDPR, the Customer and ACTION1 (if ACTION1 is or becomes a Third Country Recipient) hereby agree that Module 3: Transfer processor to processor of the Clauses, incorporated into this DPA by reference (as supplemented in the next paragraphs below), shall apply to such transfers.
With respect to Module 2 and Module 3 of the Clauses, Clause 7, the ‘Docking Clause – Optional’, shall not be deemed incorporated. In clause 9(a) of the Clauses, the parties choose Option 2 (General Written Authorization). With respect to Option 2 the Customer consents to the use of Sub-processors found in Annex III below and in accordance with Section 4 of this DPA. ACTION1 will inform Customer of changes to Sub-processors and, if there is no objection by Customer within fifteen (15) days, this will be deemed as acceptance by Customer to the use of the proposed Sub-processors. If Customer objects, ACTION1 will use commercially reasonable efforts to make available to Customer a change in the affected Services or recommend a commercially reasonable change to Customer’s configuration or use of the affected Services to avoid processing of Personal Data by the objected-to Sub-processor. The optional wording in clause 11 of the Clauses shall not be deemed incorporated. In clause 17 of the Clauses, the Parties agree that the Clauses shall be governed by the laws of the EU Member State in which the data exporter is established. In clause 18 of the Clauses, the Parties agree that any dispute arising from the Clauses shall be resolved by the courts of the EU Member State in which the data exporter is established.
Solely for purposes of the GDPR, Annex I.A, Annex I.B, and Annex I.C of the Clauses shall be deemed completed with the information set out in Appendix 1, attached hereto. Annex II of the Clauses shall be deemed completed with the information set out in Appendix 2, attached hereto. Annex III of the Clauses shall be deemed completed with the information set forth in Appendix 3.
2. Processing of Personal Data by ACTION1 and Customer Obligations.
- ACTION1 will Process data provided by Customer, including Personal Data, on documented instructions from Customer given in accordance with this DPA and the Agreement, including with regard to transfers of Personal Data to a third country or a third party, and in such manner as is necessary for the provision of Services under the Agreement, except as required to comply with a legal obligation to which ACTION1 is subject. ACTION1 shall inform Customer if, in its opinion, the execution of an instruction relating to the Processing of Personal Data could infringe on any Applicable Data Protection Law. For the avoidance of doubt, except for basic account and user information including, but not limited to, contact information used to gain access to or sign up for the Services, Customer is solely responsible for determining how and where data, to include Personal Data, is Processed as part of the Customer’s configuration options in the Services.
- In addition to Customer instructions, Customer may provide additional instructions in writing to ACTION1 with regard to Processing of Personal Data in accordance with Applicable Data Protection Law. ACTION1 will promptly comply with all such instructions to the extent necessary for ACTION1 to (i) comply with its Processor obligations under Applicable Data Protection Law; or (ii) assist Customer in complying with obligations under Applicable Data Protection Law relevant to use of the Services.
- ACTION1 will follow Customer’s reasonable instructions. To the extent ACTION1 expects to incur additional charges or fees not covered by the Fees for Services payable under the Agreement, it will promptly inform Customer thereof upon receipt of Customer’s instructions. Without prejudice to ACTION1’s obligation to comply with Customer instructions, the parties will negotiate in good faith with respect to any such charges or fees.
- Except as otherwise specified in the Agreement or in writing between the parties, Customer may not provide ACTION1 with any sensitive or special categories Personal Data that imposes specific data security or data protection obligations on ACTION1 in addition to or different from those specified in the DPA or Agreement.
- Customer is responsible for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired the Personal Data that it provides to ACTION1 for Processing under the Agreement. Customer is responsible for providing any notice to the Individuals and for obtaining and demonstrating evidence that it has obtained any necessary consents, authorizations, and permissions from the Individuals in a valid manner for ACTION1 to perform the Services. Customer will provide ACTION1 with such evidence of this as ACTION1 may reasonably request if ACTION1 needs this information to comply with Data Protection Laws or the request of any Regulator. Customer understands that custom fields and other text fields provided as a part of the Services (such as “notes” fields) are not designed for the Processing of Special Categories of Personal Data and warrants that it will not enter such data in such fields or otherwise when using the Covered Services.
3. Individual Inquiries and Requests.
- If Customer receives a request or inquiry from an Individual related to Personal Data processed by ACTION1 for the provision of Services, Customer can either (a) securely access account information via the Services to address the request or inquiry or (b) to the extent such access or the requested information is not available via Customer’s account, contact ACTION1 with detailed written instructions to ACTION1 on how to assist with such Individual’s request.
- If ACTION1 directly receives any requests or inquiries from Individuals that identify Customer, ACTION1 will promptly pass on such requests to Customer without responding to the Individual. Otherwise, ACTION1 will advise the Individual to identify and contact the relevant Customer(s) or controller(s), as applicable.
4. Sub-processors.
Except as required by Applicable Data Protection Law, ACTION1 is not responsible for Third Party Sub-processors, provided, however such entities shall be subject to at least the same level of data protection and security as ACTION1.
5. Cross-border Transfers.
ACTION1 and its service providers may Process Personal Data globally to perform the Services. To the extent such processing involves a transfer of Personal Data subject to cross-border transfer restrictions under Applicable Data Protection Law, such transfers shall be subject to security and data privacy requirements consistent with the relevant requirements of this DPA and Applicable Data Protection Law.
6. Security and Confidentiality.
- ACTION1 has implemented and will maintain appropriate technical and organizational security measures for the Processing of Personal Data designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. These security measures govern all areas of security applicable to the Services, including physical access, system access, data access, transmission and encryption, input, data backup, data segregation and security oversight, enforcement and other security controls and measures.
- All ACTION1 employees are subject to appropriate written confidentiality arrangements, including confidentiality agreements and compliance with ACTION1 policies concerning protection of confidential information.
7. Audit Rights.
- Customer may audit ACTION1’s compliance with its obligations under this DPA up to once per year and only for the purposes of meeting its regulatory audit requirements.
- If a third party is to conduct the audit, the third party must be mutually agreed to by Customer and ACTION1 (except if such third party is a Regulator). ACTION1 will not unreasonably withhold its consent to a third party auditor. The third party must execute a written confidentiality agreement acceptable to ACTION1 or otherwise be bound by statutory or legal confidentiality obligations.
- To request an audit, Customer must submit a detailed proposed audit plan to ACTION1 at least sixty (60) days in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. ACTION1 will review the proposed audit plan and provide Customer with any concerns or questions. ACTION1 will work cooperatively with Customer to agree on a final audit plan.
- The audit must be conducted during regular business hours, subject to the agreed final audit plan and ACTION1’s relevant policies, and may not unreasonably interfere with ACTION1 business activities. Upon completion of the audit, Customer will provide ACTION1 with a copy of the audit report, which is subject to the confidentiality terms of the Agreement.
- Each party will bear its own costs in relation to the audit, unless ACTION1 informs Customer upon reviewing Customer’s audit plan that it expects to incur additional charges or fees in the performance of the audit that are not covered by the Fees payable under the Agreement, such as additional license or third party contractor fees. The parties will negotiate in good faith with respect to any such charges or fees.
- Without prejudice to the rights granted in Section 7.1 above, if the requested audit scope is addressed in a SOC, ISO, NIST, PCI-DSS, HIPAA or similar audit report issued by a qualified third party auditor within the prior twelve months and ACTION1 provides such report to Customer confirming there are no known material changes in the controls audited, Customer agrees to accept the findings presented in the third party audit report in lieu of requesting an audit of the same controls covered by the report.
8. Incident Management and Breach Notification.
- ACTION1 has implemented controls designed to detect and respond to incidents that create suspicion of or indicate unauthorized destruction, loss, alteration, disclosure, or access to Personal Data to the extent Processed by ACTION1 (a “Security Incident”). To the extent within the reasonable control of ACTION1 and subject to the limitations on liability found in the Agreement, ACTION1 will take reasonable measures designed to identify cause(s), mitigate any possible adverse effects and prevent a recurrence of Security Incidents. Customer agrees to coordinate with ACTION1 on the content of any intended public statements or required notices for the affected Individuals and/or notices to the relevant Regulators regarding any Security Incident involving ACTION1.
- ACTION1 shall notify Customer without undue delay after ACTION1 becomes aware of a Security Incident involving ACTION1 or its applicable Sub-processors that impacts Personal Data provided to ACTION1 pursuant to this DPA and the Agreement. Such notification may be by any means ACTION1 has established for such notification, including notification by email.
9. Return or Deletion of Personal Data.
- Except as otherwise stated in the Agreement or any documentation or link incorporated therein, and to the extent ACTION1 has possession, upon termination of the Services, ACTION1 will at its sole discretion return or delete any remaining copies of Personal Data on ACTION1 systems.
- Customer is solely responsible for any Personal Data held or processed on Customer’s systems or environments, including those systems controlled or directed by Customer. Customer is advised to take appropriate action to back up or otherwise store and separately protect any Personal Data.
10. Legal Requirements.
ACTION1 may be required by law to provide access to Personal Information, such as to comply with a subpoena or other legal process, or to respond to government requests, including public and government authorities for national security and/or law enforcement purposes. ACTION1 will promptly inform Customer of requests to provide access to Personal Data and comply with Customer’s reasonable instructions with respect to such requests, unless otherwise required by law.
11. Miscellaneous.
- Liability and Indemnity. Subject to Clause 12 of the Clauses, if applicable, any claims brought under this DPA will be subject to the same terms and conditions, including the exclusions and limitations of liability, as are set out in the Agreement.
- Dispute Resolution. Subject to the Agreement, in the event of a dispute between Customer and ACTION1 related to the subject matter of this DPA, such dispute shall be referred to the individuals responsible for data protection issues for each organization, who shall endeavour to resolve the dispute within thirty (30) days.
- Changes in Applicable Data Protection Laws and Regulations. The Parties agree to negotiate modifications to this DPA if changes are required to continue to comply with Applicable Data Protection Law or the legal interpretation of Applicable Data Protection Law.
- Severability. If any provision of this DPA shall be found by any court of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision shall not affect the other provisions of this DPA. The Parties will attempt to agree upon a valid and enforceable provision that is a reasonable substitute and shall incorporate such substitute provision into this DPA.
12. Definitions.
“Applicable Data Protection Law” means data privacy or data protection laws or regulations that apply to the Processing of Personal Data under this DPA, which may include the EU General Data Protection Regulation (“GDPR”), as supplemented by applicable EU Member State law and as incorporated into the Agreement.
“Individual” shall have the same meaning as the term “data subject” or the equivalent term under Applicable Data Protection Law.
“Process” or “Processing”, “Controller” and “Processor” (or the equivalent terms) have the meaning set forth under Applicable Data Protection Law.
“Personal Data” shall have the same meaning as the term “personal information”, “personally identifiable information (PII)” or the equivalent term under Applicable Data Protection Law.
“Regulator” shall have the same meaning as the term “supervisory authority”, “data protection authority” or the equivalent term under Applicable Data Protection Law.
“Services” or equivalent terms, mean the services as more fully detailed in the Agreement.
“Sub-processor” means a third party, other than ACTION1, which ACTION1 contracts with to provide the Services and which may Process Personal Data.
APPENDIX 1
A. LIST OF PARTIES
DATA EXPORTER
The data exporter is Customer. Data exporter’s name, address, contact person’s name, position and contact details are indicated in the table on page 1 of this DPA. The role of data exporter is: Controller (or, where the Customer is a reseller as contemplated by the Agreement and Section 1.2 of this DPA, Processor).
The activities relevant to the data transferred are specified under the heading ‘NATURE OF THE PROCESSING’ and ‘PURPOSES OF THE DATA TRANSFER AND FURTHER PROCESSING’ in point B of this Appendix 1.
Data exporter’s signature and date: by executing the Agreement for Services provided by ACTION1.
DATA IMPORTER
The data importer is ACTION1. The role of data importer is: Processor.
Contact person’s name, position and contact details: Alex Vovk, CEO of Action1, contact details
The activities relevant to the data transferred are specified under the headings ‘NATURE OF THE PROCESSING’ and ‘PURPOSES OF THE DATA TRANSFER AND FURTHER PROCESSING’ in point B of this Appendix 1.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
• The categories shall be determined by the Customer and may include, without limitation Customer staff, employees, contractors, or administrators.
Categories of personal data transferred
• Contact information, including names, telephone number, or email addresses.
• Usernames and passwords.
• Other data such as usage information for maintenance purposes, application integration data, and other electronic data specifically submitted, stored, or sent by end users via the Services to ACTION1.
Sensitive data transferred (if applicable)
• The Personal Data transferred will not include special categories of data or other categories of personal data that could be considered sensitive.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
• The frequency of data transfers is at the option of the Customer.
Nature of the processing
• Personal Data will be processed for the purpose of subscription of Customer to services provided by ACTION1 that allow for Customer: (1) back-up of data to a destination of their choice; (2) utilization of remote desktop connectivity to catalogue devices into a directory which can be used to connect to those devices; and (3) remotely monitor the status of firewalls, functionality, memory usage, and general performance, as well as management of anti-virus applications, and prevention of unwanted intrusions and malware.
Purpose(s) of the data transfer and further processing
• Personal data will be processed for purposes of providing the Services as detailed above under the heading ‘NATURE OF THE PROCESSING’.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
• For the duration of the Agreement governing the Services. The Agreement is ongoing and subject to termination by either Party.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
• Transfers to sub-processors are limited to that which is necessary for the provision of Services to the Customer under Customer’s instructions. A listing and description of Sub-processors is found in the link under Appendix III.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
• The EU Member State in which the data exporter is established.
APPENDIX 2
TECHNICAL AND ORGANISATIONAL MEASURES FOR THE SECURITY OF THE DATA
ACTION1 currently observes the security practices described in this Appendix 2. Notwithstanding any provision to the contrary otherwise agreed to by data exporter, ACTION1 may modify or update these practices at its discretion provided that such modification and update does not result in a material degradation in the protection offered by these practices. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.
A. Access Control
i. Preventing Unauthorized Product Access
Outsourced processing: ACTION1 hosts its Services with outsourced cloud infrastructure providers. Additionally, ACTION1 maintains contractual relationships with vendors in order to provide the Services in accordance with the Standard Contractual Clauses. ACTION1 relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: ACTION1 hosts its product infrastructure with multitenant, outsourced infrastructure providers. The providers, as listed in Annex III, are certified according to SOC2 and other industry compliance standards.
Authentication: ACTION1 has implemented a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of ACTION1’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through OAuth authorization.
ii. Preventing Unauthorized Product Use
ACTION1 implements industry standard access controls and detection capabilities for the internal networks that support its products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Static code analysis: Security reviews of code stored in ACTION1’s source code repositories are performed, checking for coding best practices and identifiable software flaws.
Security assessment: ACTION1’s products are designed to be resilient to external attackers. ACTION1 performs regular vulnerability scans to assess and prepare defenses from cyber-attack and data loss.
iii. Limitations of Privilege & Authorization Requirements
Product access: A subset of ACTION1’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated daily. Employee roles are reviewed at least once every six months.
Background checks: All ACTION1 employees undergo a third-party background check prior to being extended an employment offer, in accordance with the applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
B. Transmission Control
In-transit: ACTION1 makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every customer site hosted on the ACTION1 products. ACTION1’s HTTPS implementation uses industry standard algorithms and certificates.
At-rest: ACTION1 stores hashes of user passwords and user passwords in accordance with policies that follow industry standard practices for security. ACTION1 has implemented technologies to ensure that stored data is encrypted at rest.
C. Input Control
Detection: ACTION1 designed its infrastructure to log extensive information about system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. ACTION1 personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: ACTION1 maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, ACTION1 will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.
Communication: If ACTION1 becomes aware of unlawful access to Customer data stored within its products, ACTION1 will: 1) notify the affected Customers of the incident; 2) provide a description of the steps ACTION1 is taking to resolve the incident; and 3) provide status updates to the Customer contact, as ACTION1 deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form ACTION1 selects, which may include via email or telephone.
D. Availability Control
Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and failover protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods. ACTION1’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists ACTION1 operations in maintaining and updating the product applications and backend while limiting downtime.