Last updated on March 21, 2023
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
15.2 Review of legality and data minimisation
These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.
It must be possible to clearly distinguish the information applicable to each transfer or category of transfers and, in this regard, to determine the respective role(s) of the Parties as data exporter(s) and/or data importer(s). This does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, where this transparency can be achieved through one appendix. However, where necessary to ensure sufficient clarity, separate appendices should be used.
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Role (controller/processor): controller
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
Name: Secubytes LLC
Role (controller/processor): processor
Categories of data subjects whose personal data is transferred
Categories of personal data transferred
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Customer data may include sensitive data
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis until it is erased.
Nature of the processing
The data importer will process customer data to provide services.
Purpose(s) of the data transfer and further processing
The data importer will process customer data to provide services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The data importer will retain Transferred Personal Data until its deletion.
For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing
Identify the competent supervisory authority/ies in accordance with Clause 13
The authority identified by the data exporter as its competent supervisory authority.
The data importer will implement and maintain the security standards as mentioned below:
- Data is encrypted in transit using transport layer security (TLS). Where applicable, personally identifiable information in the database is encrypted using a key that is stored in a separate key-value store. All data is encrypted at rest within Amazon Web Services (AWS).
- We use vulnerability assessment, patch management, threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code. The infrastructure is deployed into multiple AWS availability zones and backups are taken at regular intervals. Every component and service is continuously monitored using industry-standard monitoring tools.
- Disaster recovery procedures are in place, as appropriate, and are designed to maintain service and/or recovery from foreseeable emergencies or disasters. The disaster recovery exercises are performed biyearly.
- Various vulnerability scans, penetration tests, and assessments are conducted when code changes occur or during post-production deployments, along with regular automated scans. Additionally, we undergo annual third-party audits against ISO/IEC 27001:2013 and SOC 2 Type II, and assess compliance with GDPR and similar requirements.
- To minimize the risk of data exposure, we follow the principle of least privilege through a role-based access control model wherever possible. Our personnel are authorized to access Customer Data based on their job function, role, and responsibilities, and such access requires approval. Access rights to production environments are reviewed at least semi-annually. An employee’s access to Customer Data is promptly removed upon termination of their employment. To access the production environment, an authorized user must have a unique username and password and multi-factor authentication enabled. Our password policy requires long passwords containing special characters for employee accounts.
- Data is encrypted in transit using TLS.
- Encryption at rest is enabled for all database systems.
- All production infrastructure is hosted in AWS. Hence, physical and environmental controls are inherited from AWS.
- We have system audit and event logging and related monitoring procedures in place to record user access and system activity.
- We use configuration management tools to enforce basic system configurations and to perform deployments.
- Our security framework is based on the ISO 27001 Information Security Management System and includes programs covering: Policies and Procedures, Asset Management, Access Management, Cryptography, Physical Security, Operations Security, Communications Security, Business Continuity and Disaster Recovery, People Security, Product Security, Cloud and Network Infrastructure Security, Security Compliance, Vulnerability Management, and Security Monitoring and Incident Response.
- We review our processes annually, or more often as needed. Additionally, ISO 27001 and SOC 2 Type II audits are conducted annually to verify the effectiveness of controls relevant to security.
- The company policy is to collect only the minimum information necessary to satisfy the business need. At present, name and email address are the minimum information required to use our service, and payment details are collected only when a user needs to make a purchase.
- The customer is responsible for data quality and accuracy, since the data is provided by the customer, although form validation is applied to some fields.
- We ensure that personal data is permanently deleted 180 days after the subscription is terminated. Before that point, the data can be deleted or returned upon request.
- We employ multiple controls to ensure high visibility and enforcement of change management policies to ensure accountability, including comprehensive system logs, code reviews, and customer requests handled through a centralized ticketing solution.
- Customers may delete user data directly through the Application Services. Additionally, we delete customer data at the customer’s request in accordance with the data protection addendum in place with that customer.
The controller has authorised the use of the following sub-processors: