
DATA PROCESSING AGREEMENT (“AGREEMENT”)

You (“Customer”) are entering into a business relationship with

zkipster AG, with registered office at Grossmünsterplatz 8, 8001 Zurich, Switzerland (company number CHE-345.444.895) (“Supplier”)

BACKGROUND

A. Customer has engaged (or proposes to engage) Supplier to provide the services (“Services”) described in an agreement (terms of service) between Customer and the Supplier (the "Services Agreement").

B. In the course of providing the Services, Supplier will be processing Customer Personal Data (as defined below) on behalf of Customer. This Agreement sets out the terms on which Supplier will be processing that Customer Personal Data. Customer’s Affiliates shall have the same rights as Customer under this Agreement when such affiliate is a controller. Supplier may also act as a processor on behalf of another processor acting on its client’s behalf, and is a service provider to the extent applicable under Data Protection Laws.

AGREED TERMS

1. DEFINITIONS

1.1.

In this Agreement:

  1. “Customer Personal Data” means any Personal Data for which Customer is a controller.

  2. “Customer Personal Data Breach” means any accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, access to, use of, or encryption of Customer Personal Data.

  3. “Data Protection Laws” means all laws and regulations applicable to privacy and the processing of Personal Data, including as the case may be and without limitation the GDPR, the Swiss Federal Act on Data Protection, the UK Data Protection Act 2018 (“DPA 2018”), US Data Protection Laws, other laws and regulations of the European Union, the EEA and their Member States relating to data protection, and guidance or opinions issued by any Regulator, and any other federal, state, or local privacy, data protection, information security, or related laws or regulations (together, including any similar, analogous or successor laws, regulations, or other standards).

  4. “Data Subject Request” means: (i) a request by or on behalf of a Data Subject to exercise that Data Subject’s rights under Data Protection Laws in respect of that Data Subject’s Personal Data, including, without limitation, the right to access, correct, amend, transfer, obtain a copy of, object to the processing of, block or delete such Personal Data; or (ii) a complaint from a Data Subject in relation to Customer, the Personal Data, the Services or the Agreement.

  5. “EEA” means the European Economic Area.

  6. “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

  7. “GDPR” means UK GDPR or EU GDPR, as applicable.

  8. “Personal Data” means any information relating to identified or identifiable natural persons (“Data Subjects”); that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to, directly or indirectly, a particular individual, consumer, data subject, or household; or that is defined as “personal data,” “personal information,” “personally identifiable information” or similar term under applicable Data Protection Laws (as defined herein), and shall include any IP addresses, cookies or other identifiers for individual users. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that natural person.

  9. “Regulator” means any data protection authority or other regulatory, governmental or supervisory authority with authority over all or any part of: (a) the provision or receipt of the Services; (b) the Processing of Customer Personal Data in connection with the Services; or (c) Supplier’s or Customer’s business or personnel relating to the Services.

  10. “Security Measures” means technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Customer Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Customer Personal Data.

  11. “Standard Contractual Clauses” means any or all of the following:

    1. the standard contractual clauses for the transfer of personal data to processors set out in European Commission Decision 2021/914;

    2. the international data transfer agreement issued by the UK Information Commissioner under section 119A of the DPA 2018;

    3. the standard contractual clauses for the transfer of personal data to processors set out in European Commission Decision 2021/914, as amended by the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers issued by the UK Information Commissioner under section 119A of the DPA 2018; or

    4. such standard contractual provisions issued by the UK Information Commissioner or European Commission as may replace any of the above from time to time.

  12. “UK GDPR” means (i) the retained version of the EU GDPR as in force in the UK, (ii) the DPA 2018, or (iii) similar legislation as implemented under English law, in each case as in force in England from time to time.

  13. “US Data Protection Laws” means all applicable US federal and/or state security, confidentiality, and/or privacy laws, standards, guidelines, policies, regulations, and procedures that are applicable to the Processing of Personal Data under the Agreement, including but not limited to the California Consumer Privacy Act of 2018 (California Civil Code § 1798.100 et seq.), as amended (including, without limitation, by the California Privacy Rights Act of 2020) (“CCPA”), the Colorado Privacy Act (Colorado Revised Statutes Title 6, Article 1, Part 13, § 6-1-1301 et seq.), the Virginia Consumer Data Protection Act (Code of Virginia Title 59.1, Chapter 52, § 59.1-571 et seq.), the Utah Consumer Privacy Act (Utah Code Annotated 1953, § 13-61-101 et seq.), Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring (Public Act No. 22-15); and all laws implementing, supplementing or amending the foregoing, including any regulations promulgated thereunder.

The terms “controller”, “processor”, “data subject”, “service provider” and “process”, “processing” and “processed” have the meanings given to them in the GDPR. Capitalized terms used but not defined in this DPA shall have the meanings provided elsewhere in the Agreement.

1.2.

In this Agreement, the following rules apply:

  1. a “person” includes a natural person, corporate or unincorporated body (whether or not having separate legal personality);

  2. a reference to a party includes its personal representatives, successors or permitted assigns;

  3. a reference to a statute or statutory provision is a reference to such statute or statutory provision as amended or re-enacted. A reference to a statute or statutory provision includes any subordinate legislation made under that statute or statutory provision, as amended or re-enacted;

  4. any phrase introduced by the terms “including”, “include”, “in particular” or any similar expression will be construed as illustrative and will not limit the sense of the words preceding those terms; and

  5. a reference to “writing” or “written” includes emails but not faxes.

2. AGREEMENT

2.1.

In consideration of Customer engaging Supplier to process Customer Personal Data and Customer agreeing to comply with Customer’s obligations under this Agreement, Supplier undertakes to comply with Supplier’s obligations set out in this Agreement.

2.2.

This Agreement shall form part of the Services Agreement and the terms of the Services Agreement will apply to this Agreement.

3. DATA PROCESSING PARTICULARS

3.1.

Each of the parties acknowledges and agrees that Annex 1 specifies the subject-matter, nature, and purpose of the processing, the types of Customer Personal Data, and categories of Data Subjects, for the purpose of complying with applicable Data Protection Laws.

3.2.

Any updates to the table set out in Annex 1 require the express written agreement of both parties to ensure it remains an accurate description.

4. DATA PROCESSING

4.1.

Supplier acknowledges that it acts as a processor in respect of any Customer Personal Data processed by it in connection with this Agreement.

4.2.

Subject to clause 4, Supplier will:

  1. process Customer Personal Data only on Customer’s behalf and throughout the term of the Agreement, only to the extent, and in such a manner, as is necessary for the provision of the Services under the Services Agreement and in accordance with Customer's written instructions as set out in this Agreement;

  2. not process Customer Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Laws; and

  3. taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in relation to the Customer Personal Data, implement appropriate Security Measures; and

  4. comply with Data Protection Laws applicable to Supplier's Processing of Customer Personal Data from time to time.

4.3.

Supplier will promptly notify Customer if:

  1. in Supplier’s opinion, any Customer instruction would not comply with the Data Protection Laws; or

  2. it is required under applicable law to process any Customer Personal Data other than as stated in clause 4.2, except where those laws prohibit Supplier from notifying Customer on important grounds of public interest.

5. COMPLIANCE WITH DATA PROTECTION LAWS

5.1.

Customer represents and warrants that it has all rights to appoint the Supplier to process the Customer Personal Data in compliance with all Data Protection Laws and that the processing of the Customer Personal Data by the Supplier or any of its Subprocessors will not put the Supplier in breach of the Data Protection Laws.

5.2.

Supplier will reasonably assist Customer with meeting Customer’s compliance obligations under the Data Protection Laws, sufficiently and promptly to enable Customer to meet any deadlines imposed by Data Protection Laws, taking into account the nature of Supplier’s processing and the information available to Supplier. Supplier shall promptly notify third parties of their obligations to assist Customer in relation to Data Subject Requests, to the extent required under Data Protection Laws. Supplier shall cooperate with Customer and the relevant Regulator in any investigation or litigation concerning Customer Personal Data and shall abide by the advice of the relevant Regulator regarding the processing of such Personal Data.

5.3.

Without prejudice to Supplier’s other obligations under this Agreement, Supplier shall provide at least the same level of protection for Customer Personal Data as is required of Customer under Data Protection Laws.

5.4.

In particular, Supplier will at the request of the Customer and in respect of the Customer Personal Data for which the Supplier acts as processor:

  1. promptly comply with any reasonable Customer request or instruction requiring Supplier to amend, transfer, delete or otherwise process Customer Personal Data, or to stop, mitigate or remedy any unauthorised processing; and Customer shall have the right to take all reasonable and appropriate steps to ensure that the Customer Personal Data is used by Supplier in accordance with Data Protection Law and to stop and remediate any unauthorized use by Supplier of Customer Personal Data, with Supplier agreeing to co-operate reasonably with Customer in exercising these rights;

  2. promptly (and in any event within 48 hours of receipt) notify Customer if Supplier receives any complaint, notice or communication from any Regulator that relates directly or indirectly to the processing of Customer Personal Data by the Supplier as processor. Customer will handle all communications and correspondence with Regulators relating to Customer Personal Data;

  3. promptly (and in any event within 48 hours of receipt) notify Customer if it receives a Data Subject Request, which means: (i) a request by or on behalf of a Data Subject to exercise that data subject’s rights under Data Protection Laws in respect of that Data Subject’s Personal Data, including, without limitation, the right to access, correct, amend, transfer, obtain a copy of, object to the processing of, block or delete such Personal Data; or (ii) a complaint from a Data Subject in relation to Customer, the Personal Data, the Services or the Agreement;

  4. promptly provide reasonable assistance to the Customer with all notices, requests or other enquiries in respect of the Customer Personal Data relating to the Data Protection Laws which may be received whether by Customer or Supplier, including requests from data subjects and consumers;

  5. promptly provide reasonable assistance to the Customer in fulfilling any obligation to respond to requests by data subjects or consumers, including Customer’s obligation to respond to requests for exercising the data subject’s or consumer’s rights laid down in Data Protection Laws;

  6. not respond to any Data Subject Request without Customer’s prior written instructions, except where required by Data Protection Laws, and to the extent permitted by law, inform Customer of any legal requirement to respond before doing so;

  7. not disclose any Customer Personal Data to a third party except at the specific request of Customer or where obliged to do so under any requirements of law (in which case where permissible it will advise Customer in advance of such disclosure);

  8. promptly provide reasonable assistance to the Customer in ensuring compliance with any obligations of Customer in respect of data protection impact assessments and prior consultation, including if applicable Customer’s obligations pursuant to Articles 35 and 36 of GDPR and equivalent obligations under other applicable Data Protection Laws;

  9. promptly provide any information reasonably requested by Customer and in the Customer’s possession concerning Supplier’s systems and processes relating to the processing of Customer Personal Data under this Agreement and Supplier’s compliance with its obligations under this Agreement; and

  10. allow its data processing facilities, procedures and documentation to be audited by Customer or an independent auditor mandated by Customer, provided that such audits (i) require at least thirty (30) days’ prior written notice, (ii) occur no more than once in any twelve (12) month period except following a confirmed personal data breach, (iii) are conducted during normal business hours in a manner that minimizes disruption, and (iv) first take into account Supplier’s current independent third-party certifications or audit reports (e.g. ISO, SOC). Customer shall bear its own audit costs and reimburse Supplier for any reasonable time and resources incurred.

5.5.

Supplier certifies that it understands and will comply with Data Protection Laws and its obligations under this DPA. Supplier shall promptly notify Customer if Supplier reasonably determines that it can no longer meet its obligations under this DPA.

5.6.

All of the Supplier’s undertakings under clause 5.4 above apply to the extent reasonably possible and are subject to reimbursement under clause 5.7 below.

5.7.

Customer shall reimburse Supplier for any third-party costs, expenses and any time reasonably incurred (including internal overhead) by Supplier in connection with the fulfilment of the Supplier's obligations under clause 5.4.

6. CONFIDENTIALITY

6.1.

Supplier will maintain the confidentiality of all Customer Personal Data and will not disclose Customer Personal Data to third parties unless Customer or this Agreement specifically authorises the disclosure, or as required by law. Any exclusions from the definition or protection of Confidential Information in the Agreement do not apply to Customer Personal Data. If a law, court, regulator or supervisory authority requires Supplier to process or disclose Customer Personal Data, Supplier will promptly redirect the third party to request the data directly from Customer and notify Customer, unless prohibited under applicable law or by the relevant authority. Supplier will use all lawful efforts to waive any prohibition on notice, use all lawful efforts to challenge requests or orders for disclosure, suspend or cease processing upon Customer request without penalty, and prohibit transfers in breach of Data Protection Laws or the Agreement unless required by law.

6.2.

Supplier will ensure that only those individuals who need to know/access the Customer Personal Data, only to the extent strictly necessary for the purposes of the Agreement, will have access to it and that all employees’ use of it will be subject to written contractual obligations which are no less onerous than those imposed on Supplier by this Agreement, including contractual or statutory obligations of confidentiality no less onerous than those set out in clause 6.1.

7. SUBPROCESSORS

7.1.

Supplier will not engage another processor (“Subprocessor”), meaning another processor engaged by or on behalf of Supplier (including a third party or affiliate of Supplier but excluding an employee of Supplier) that will process Customer Personal Data as part of the performance of the Services, including by assignment, delegation or novation, without following the procedure laid out by this clause 7. Customer authorises Supplier to engage the Subprocessors set out in Annex 2 (if any).

7.2.

Supplier shall provide at least 14 days’ prior notice by email to Customer before any addition or replacement of Subprocessors. Customer may request and promptly receive a current list of Subprocessors at any time.

7.3.

If Customer objects on reasonable, documented grounds to any change under clause 7.2, Supplier will not permit the objected-to Subprocessor to process Customer Personal Data and will take steps to prevent such processing. Customer will have the right to terminate the Services Agreement by notice in writing to Supplier, without penalty or liability (other than for fees due and owing for Services performed prior to such termination), given within 90 days of Customer’s receiving notice under clause 7.2, and Supplier will promptly provide a pro rata refund of prepaid fees upon that termination taking effect.

7.4.

Supplier will ensure that any Subprocessor is bound by obligations no less onerous than those set out in this Agreement. In particular, any Subprocessor will enter into a written agreement that:

  1. imposes obligations to implement appropriate technical and organisational measures to ensure that the processing will meet the requirements of Data Protection Laws;

  2. requires Subprocessor to access, retain, process, and use Customer Personal Data solely as necessary to provide services to Customer or Supplier acting on either entity’s behalf; and

  3. prohibits the Subprocessor from selling Customer Personal Data.

7.5.

Supplier will be responsible and liable for the acts or omissions of any Subprocessor according to the provisions of applicable Data Protection Laws.

8. SECURITY

8.1.

Supplier will at all times implement and maintain appropriate Security Measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, as well as the risks to the rights and freedoms of Data Subjects. Such measures are documented in Annex 3.

8.2.

Supplier will implement such Security Measures to ensure a level of security appropriate to the risk involved, including as appropriate:

  1. the pseudonymisation and encryption of personal data;

  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

  4. a process for regularly testing, assessing and evaluating the effectiveness of security measures.

8.3.

The parties acknowledge that the Security Measures are subject to technical progress and further development. Accordingly, the Supplier may implement alternative or additional measures from time to time, provided that the level of security is not materially reduced. The Supplier shall document any such changes and make updated information (e.g. an amended Annex 3) available to the Customer upon request.

8.4.

Notwithstanding the foregoing, the Supplier shall at all times maintain safeguards that at least comply with the requirements of applicable Data Protection Laws.

8.5.

The Customer may, on reasonable notice, request information necessary to verify the implementation of the Security Measures. The Supplier shall cooperate in good faith and provide sufficient detail to demonstrate compliance, without being required to disclose sensitive security information that would compromise the integrity of its systems.

9. CUSTOMER PERSONAL DATA BREACH

9.1.

Supplier will notify Customer without undue delay if any Customer Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. Supplier will restore that Customer Personal Data at its own expense.

9.2.

Supplier will notify Customer without undue delay and, in any event, within 48 hours of Supplier or any Subprocessor becoming aware of or suspecting (with a reasonable degree of certainty) a Customer Personal Data Breach.

9.3.

Where Supplier becomes aware of a Customer Personal Data Breach, it will, promptly and, in any event, within 48 hours, also provide Customer with sufficient information to allow Customer and its Affiliates to meet any obligations to report to Regulators or inform Data Subjects of the Customer Personal Data Breach under Data Protection Laws, including the following information:

  1. a description of the nature of the Customer Personal Data Breach, including the categories and approximate number of both Data Subjects and Personal Data records concerned;

  2. the likely consequences; and

  3. a description of the measures taken, or proposed to be taken to address the Customer Personal Data Breach, including measures to mitigate its possible adverse effects.

9.4.

Without undue delay upon becoming aware of any suspected or actual Customer Personal Data Breach, Supplier will cooperate with Customer and its Affiliates to investigate, mitigate, and remediate the matter. Supplier will provide all reasonable cooperation with Customer in Customer’s handling of the matter and take commercially reasonable steps as directed by Customer, including:

  1. assisting with any investigation;

  2. providing Customer with physical access to any facilities and operations affected;

  3. facilitating interviews with Supplier’s employees, former employees and others involved in the matter;

  4. making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Laws or as otherwise reasonably required by Customer; and

  5. taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Customer Personal Data Breach.

9.5.

Supplier will not inform any third party of any Customer Personal Data Breach without first obtaining Customer’s prior written consent, except when required to do so under the Data Protection Laws.

9.6.

Supplier agrees that Customer has the sole right to determine:

  1. whether to provide notice of a Customer Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in Customer’s discretion, including the contents and delivery method of the notice; and

  2. whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

10. DATA TRANSFERS

10.1.

Supplier will not permit Customer Personal Data to be processed in any jurisdiction without ensuring compliance with Data Protection Laws. Customer hereby consents to the transfer of Customer Personal Data to the Subprocessors set out in Annex 2, subject to the Supplier’s compliance with this DPA and in particular this clause 10.

10.2.

Where such consent is granted, Supplier will only process Customer Personal Data outside of the United Kingdom, the EEA or Switzerland in compliance with appropriate safeguards (as set out in Article 46 of the GDPR and the Swiss Federal Act on Data Protection), including entering into and complying with any required Standard Contractual Clauses with any Subprocessor and (promptly upon Customer’s written request) with Customer. Supplier acknowledges that transfers of Customer Personal Data may require entering into additional data transfer agreements or terms with Customer to achieve compliance with Data Protection Laws. If so required by Data Protection Laws, the parties shall execute the Standard Contractual Clauses as separate documents setting out the proposed transfers of Customer Personal Data in such manner as may be required by Data Protection Laws.

Module Two (Controller to Processor) of the Standard Contractual Clauses at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj shall apply to any transfers of Customer Personal Data from the European Economic Area, the United Kingdom (subject to the UK Addendum) and Switzerland (subject to the Switzerland Addendum), completed as follows: (a) Clause 7 shall not apply; (b) Clause 9 is completed with Option 2 with a time period of thirty days; (c) the optional language in Clause 11 shall not apply; (d) Clause 17 is completed with Option 2 and the law of the EU Member State is specified as that of Ireland; (e) Clause 18 is completed by specifying the courts of the EU Member State as those of Ireland; and (f) Annex II shall be completed with the technical and organisational measures described in the Agreement.

10.3.

If at any time the United Kingdom is (for the purposes of EU GDPR and/or the Swiss Federal Act on Data Protection) a third country which the European Commission or the Swiss Federal Data Protection and Information Commissioner has not decided offers an adequate level of protection (as defined in EU GDPR and in the Swiss Federal Act on Data Protection), then the parties will cooperate to implement such measures as Customer may reasonably request (including the signing of standard contractual clauses) in order to ensure that any transfers of Customer Personal Data to or from the United Kingdom comply with the requirements of the Data Protection Laws.

10.4.

Supplier warrants that, where applicable, it relies on a valid and subsisting adequacy finding made or otherwise endorsed by the relevant Regulator or has entered into an international data transfer agreement (as referred to in paragraph 2 of the definition of Standard Contractual Clauses) or international data transfer addendum (as referred to in paragraph 3 of the definition of Standard Contractual Clauses) with each Subprocessor outside the UK, EEA or Switzerland.

11. TERMINATION OF THE SERVICES AGREEMENT

11.1.

This Agreement will terminate immediately upon termination of the Services Agreement.

11.2.

On termination of this Agreement, howsoever caused, Supplier will without undue delay cease processing the Customer Personal Data and arrange for the prompt and safe return or destruction of all Customer Personal Data together with all copies in its possession or control and, where requested by Customer, certify that such destruction has taken place. Supplier may retain Customer Personal Data only as required to comply with applicable laws, provided that such retention does not infringe Data Protection Laws, remains subject to this DPA and to the confidentiality, privacy and security terms of the Agreement, and Supplier processes such Personal Data for no other purpose. Continued processing of Customer Personal Data by Supplier strictly limited to standard backup cycles and legal retention obligations remains reserved.

ANNEX 1
DATA PROCESSING PARTICULARS

The subject matter and duration of the processing: the provision of Services by Supplier under the Services Agreement, for the duration of the Services Agreement.

The nature and purpose of the processing:
  • managing guest lists for Customer events;
  • managing table planning for Customer events;
  • management of emails to invitees or attendees of Customer events (live, virtual, or hybrid); and
  • providing customer support for the above.

The type of Personal Data being processed:
  • first name, last name, job title and company;
  • e-mail addresses (if Customer elects to use zkipster’s Services for sending emails);
  • activity data regarding event attendance; and
  • dietary and accessibility requirements.

The categories of data subjects: invitees or attendees of Customer events.

ANNEX 2
SUBPROCESSORS

Subprocessor name | Subprocessor role | Subprocessor location and contact
--- | --- | ---
zkipster UK | Sales and support to parent company | The Harley Building, 77 New Cavendish Street, London W1W 6XB, United Kingdom; support@zkipster.com
zkipster USA | Sales and support to parent company | 413 West 14th Street, FL2, New York, NY 10014, USA; support@zkipster.com
zkipster ME | Sales and support to parent company | Dubai Media City, Building 5, Dubai, UAE; support@zkipster.com
zkipster AU | Sales and support to parent company | Level 1, 60 Martin Place, Sydney 2000, Australia; support@zkipster.com
Badge | Mobile wallet pass management platform | 548 Market St., PMB 99802, San Francisco, CA 94104, United States; https://www.trybadge.com
Chargebee | Subscription billing and revenue operations platform | 909 Rose Avenue, Suite 950, Rockville, MD 20852, United States; https://www.chargebee.com
Frontegg | Cloud-based identity management | 2570 W El Camino Real, Mountain View, CA 94040, USA; https://www.frontegg.com
Gainsight | Customer success and product experience | 350 Bay Street, Suite 100, San Francisco, CA 94133, United States; https://www.gainsight.com
HubSpot | Customer service and marketing management and communications | Ground Floor, Two Dockland Central, Guild St, North Dock, Dublin, D01 K2C5, Ireland; https://legal.hubspot.com/dpa
Intercom | Customer service management | 55 2nd Street, 4th Floor, San Francisco, CA 94105, USA; security@intercom.com
Meta Platforms | Messaging service, API provider for WhatsApp communication | 1 Hacker Way, Menlo Park, CA 94025, USA; https://www.whatsapp.com/contact
Microsoft Azure | Hosting, storage and diagnostics | Microsoft Schweiz GmbH, Richtistrasse 3, CH-8304 Wallisellen, Switzerland; https://trust.microsoft.com/
Okta | Cloud-based identity management | 100 1st St, 6th Floor, San Francisco, CA 94105, USA; https://security.okta.com
Pusher | Real-time communication API | 160 Old St, London EC1V 9BW, United Kingdom; support@pusher.com
Salesforce | Customer service management, authentication and communications | Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA; https://trust.salesforce.com/
Stripe | Payment processing and financial infrastructure | 354 Oyster Point Blvd, South San Francisco, CA 94080, United States
Twilio (SendGrid) | Email and text service, API provider | 375 Beale Street, Suite 300, San Francisco, CA 94105, USA; https://support.twilio.com/hc/en-us
Workato | Integration and automation platform | 215 Castro Street, Suite 300, Mountain View, CA 94041, United States; https://workato.com/

ANNEX 3
Technical and Organizational Measures to Ensure the Security of the Data

Description of the technical and organizational measures implemented by the Supplier (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

SECURITY MANAGEMENT

Supplier maintains a written information security management system (ISMS), in accordance with this Annex. The information security program will include the following measures:

Supplier actively follows information security trends and developments as well as legal developments with regards to the services provided and especially with regards to Personal Data and uses such insights to maintain its ISMS, as appropriate.

To the extent Supplier processes cardholder or payment data (such as payment or credit card data), Supplier will maintain its ISMS in accordance with the PCI DSS standard, augmented to cover Personal Data, or with other alternative standards that are substantially equivalent to PCI DSS for the establishment, implementation and control of its ISMS.

MAINTAIN AN INFORMATION SECURITY POLICY

Supplier's ISMS is based on its security policies that are regularly reviewed (at least yearly) and maintained and disseminated to all relevant Parties, including all personnel. Security policies and derived procedures clearly define information security responsibilities including responsibilities for:

  • Maintaining security policies and procedures;
  • Secure development, operation and maintenance of software and systems;
  • Security alert handling;
  • Security incident response and escalation procedures;
  • User account administration;
  • Monitoring and control of all systems as well as access to Personal Data.

SECURE NETWORKS AND SYSTEMS

Supplier maintains appropriate firewall configurations, designed to protect Personal Data, that control all traffic allowed between Supplier's internal network and untrusted (external) networks, as well as traffic into and out of more sensitive areas within its internal network. This includes current documentation, change control and regular reviews of the firewall rule sets.

PROTECTION OF PERSONAL DATA

Supplier keeps Personal Data storage to a minimum and implements data retention and disposal policies to limit data storage to that which is necessary, in accordance with the needs of its customers.

Supplier uses strong encryption and hashing for Personal Data anywhere it is stored. Supplier maintains secure encryption and key management. All transmission of Personal Data across open, public networks is encrypted using strong cryptography and security protocols.

VULNERABILITY MANAGEMENT PROGRAM

Supplier protects all systems against malware and regularly updates anti-virus software or programs to protect against malware – including viruses, worms, and Trojans. Anti-virus software is used on all systems commonly affected by malware to protect such systems from current and evolving malicious software threats.

Supplier develops and maintains secure systems and applications by:

  • Maintaining and evolving a process to identify and remediate (e.g. through patching) security vulnerabilities, so that all system components and software are protected from known vulnerabilities;
  • Developing internal and external software applications, including web applications, using a secure software development process based on best practices (e.g. code reviews and the OWASP secure coding practices) that incorporates information security throughout the software development lifecycle;
  • Implementing a stringent change management process and procedures for all changes to system components, including strict separation of development and test environments from production environments and a prohibition on the use of production data for testing or development.

IMPLEMENTATION OF STRONG ACCESS CONTROL MEASURES

"Supplier Network" means the Supplier's data center facilities, servers, networking equipment, and host software systems (e.g. virtual firewalls) as employed by the Supplier to process or store Personal Data.

The Supplier Network will be accessible to employees, Suppliers and any other persons as necessary to provide the Services to Customer. Supplier will maintain access controls and policies to manage what access is allowed to the Supplier Network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls. Supplier will maintain corrective action and incident response plans to respond to potential security threats.

Supplier strictly restricts access to Personal Data on a need to know basis to ensure that critical data can only be accessed by authorized personnel. This is achieved by:

  • Limiting access to system components and Personal Data to only those individuals whose job requires such access; and
  • Establishing and maintaining an access control system for system components that restricts access based on a user’s need to know, with a “restrictive by default” setting.

Supplier identifies and authenticates access to all system components by assigning a unique identifier to each person with access. This ensures that each individual is uniquely accountable for their actions and that any action taken on critical data and systems can be traced to known and authorized users and processes. Processes for proper user identification management have been implemented, including control of the addition, deletion, modification, revocation and disabling of IDs and credentials, lockout of users after repeated failed access attempts, and timely termination of idle sessions.

User authentication utilizes at least passwords that have to meet complexity rules, and which are cryptographically secured during transmission and storage on all system components. All individual non-console and administrative access and all remote access use multi-factor authentication.

Authentication policies and procedures are communicated to all users, and group, shared or generic IDs and passwords are strictly prohibited.
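The authentication controls described in this subsection (one unique ID per person, lockout after repeated failed attempts, termination of idle sessions, revocation of IDs, credentials cryptographically protected in storage) can be made concrete with a small reference implementation. The following Python sketch is an added illustration for readers of this Annex and is not Supplier's code; the thresholds (5 failures, 15-minute lockout, 15-minute idle timeout), the scrypt parameters and the user names are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time

# Policy values below are assumptions for this example, not Supplier's settings.
LOCKOUT_THRESHOLD = 5            # failed attempts before the ID is locked out
LOCKOUT_SECONDS = 15 * 60        # how long the lockout lasts
IDLE_TIMEOUT_SECONDS = 15 * 60   # idle sessions are terminated after this
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # memory-hard KDF work factor (16 MiB)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, memory-hard hash so stored credentials resist offline guessing."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


class FakeClock:
    """Controllable clock so lockout and idle timeouts can be exercised offline."""
    def __init__(self, start: float):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class AuthStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}      # unique user ID -> credential record
        self.sessions = {}   # session token -> {"user_id", "last_seen"}
        self._dummy_salt = os.urandom(16)   # makes unknown IDs cost the same time

    def add_user(self, user_id: str, password: str) -> None:
        if user_id in self.users:
            raise ValueError("user IDs must be unique; no shared or generic IDs")
        salt = os.urandom(16)
        self.users[user_id] = {"salt": salt, "hash": hash_password(password, salt),
                               "failures": 0, "locked_until": 0.0, "disabled": False}

    def disable_user(self, user_id: str) -> None:
        """Revocation: the ID is kept for audit-trail attribution but cannot log in."""
        self.users[user_id]["disabled"] = True
        self.sessions = {t: s for t, s in self.sessions.items()
                         if s["user_id"] != user_id}

    def authenticate(self, user_id: str, password: str):
        """Returns (status, token); status is 'ok', 'denied' or 'locked'."""
        now = self.clock()
        rec = self.users.get(user_id)
        if rec is None or rec["disabled"]:
            hash_password(password, self._dummy_salt)   # equalize response timing
            return "denied", None
        if now < rec["locked_until"]:
            return "locked", None                        # no guess is checked while locked
        if hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"]):
            rec["failures"] = 0
            token = os.urandom(16).hex()
            self.sessions[token] = {"user_id": user_id, "last_seen": now}
            return "ok", token
        rec["failures"] += 1
        if rec["failures"] >= LOCKOUT_THRESHOLD:
            rec["failures"] = 0
            rec["locked_until"] = now + LOCKOUT_SECONDS
            return "locked", None
        return "denied", None

    def touch_session(self, token: str):
        """Returns the accountable user ID, or None once the session has idled out."""
        now = self.clock()
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]
            return None
        sess["last_seen"] = now
        return sess["user_id"]


def demo() -> dict:
    """Exercise the controls with a constructed user and a fake clock."""
    clock = FakeClock(1_700_000_000.0)
    store = AuthStore(clock=clock)
    store.add_user("alice", "correct horse battery staple")   # constructed sample user
    out = {}
    out["wrong_password"] = store.authenticate("alice", "wrong")[0]
    status, token = store.authenticate("alice", "correct horse battery staple")
    out["right_password"] = status
    out["session_owner"] = store.touch_session(token)
    clock.advance(IDLE_TIMEOUT_SECONDS + 1)
    out["session_after_idle"] = store.touch_session(token)
    for _ in range(LOCKOUT_THRESHOLD):
        last = store.authenticate("alice", "wrong")[0]
    out["after_repeated_failures"] = last
    out["right_password_while_locked"] = store.authenticate("alice", "correct horse battery staple")[0]
    clock.advance(LOCKOUT_SECONDS + 1)
    out["after_lockout_expires"] = store.authenticate("alice", "correct horse battery staple")[0]
    out["unknown_user"] = store.authenticate("mallory", "anything")[0]
    store.disable_user("alice")
    out["after_disable"] = store.authenticate("alice", "correct horse battery staple")[0]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points worth noting: a locked ID is rejected before any hash comparison, so an attacker cannot keep guessing during the lockout window, and an unknown or disabled ID still pays the cost of one hash so that response time does not reveal which IDs exist. Multi-factor authentication for administrative and remote access, also required above, would sit in front of this store and is not shown.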

RESTRICTION OF PHYSICAL ACCESS TO PERSONAL DATA

Any physical access to data or systems that house Personal Data is appropriately restricted using entry controls and procedures that distinguish between onsite personnel and visitors. Access to sensitive areas is controlled and includes processes for authorization based on job function and for access revocation for personnel and visitors.

Media and backups are secured and (internal and external) distribution is strictly controlled. Media containing Personal Data no longer needed for business or legal reasons is rendered unrecoverable or physically destroyed.

REGULAR MONITORING AND TESTING OF NETWORKS

All access to network resources and Personal Data is tracked and monitored using centralized logging mechanisms that allow thorough tracking, alerting and analysis, both on a regular basis and when an incident occurs. All systems are provided with correct and consistent time, and audit trails are secured and protected: file-integrity monitoring is deployed to detect any change to existing log data and to generate alerts on unauthorized access to the logs or anomalous access patterns. Audit trails are retained for an appropriate period where feasible and proportionate, consistent with industry standards.

Security of systems and processes is regularly tested, at appropriate intervals in line with industry standards. This is to ensure that security controls for system components, processes and custom software continue to reflect a changing environment. Security testing includes:

  • Processes to test for rogue wireless access points;
  • Internal and external network vulnerability tests;
  • Penetration testing based on industry-accepted approaches.

All test results are kept on record and any findings are remediated in a timely manner.

In daily operations an IDS (intrusion detection system) is used to detect and alert on intrusions into the network, and file-integrity monitoring has been deployed to alert personnel to unauthorized modification of critical systems.

INCIDENT MANAGEMENT

Supplier has implemented and maintains an incident response plan and is prepared to respond without undue delay to a system breach. Incident management includes:

  • Definition of roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of customers,
  • Specific incident response procedures,
  • Analysis of legal requirements for reporting compromises,
  • Coverage of all critical system components,
  • Regular review and testing of the plan,
  • Training of staff,
  • Inclusion of alerts from all security monitoring systems,
  • Modification and evolution of the plan according to lessons learned and to incorporate industry developments.

Supplier has also implemented a business continuity process (BCP) and a disaster recovery process (DRP) that are maintained and regularly tested. Data backup processes have been implemented and are tested regularly.

PHYSICAL SECURITY

PHYSICAL ACCESS CONTROLS

Physical components of the Supplier Network are housed in nondescript facilities ("Facilities"). Physical barrier controls are used to prevent unauthorized entrance to Facilities both at the perimeter and at building access points. Passage through the physical barriers at the Facilities requires either electronic access control validation (e.g., card access systems) or validation by human security personnel (e.g., contract or in-house security guard service, receptionist). Employees and Suppliers are assigned photo-ID badges that must be worn while they are at any of the Facilities. Visitors are required to sign in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor is at any of the Facilities, and are appropriately supervised by authorized employees or Suppliers while visiting the Facilities.

LIMITED EMPLOYEE AND SUPPLIER ACCESS

Supplier provides access to the Facilities to those employees and Suppliers who have a legitimate business need for such access privileges. When an employee or Supplier no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked, even if the employee or Supplier continues to be an employee of Supplier or its affiliates.

PHYSICAL SECURITY PROTECTIONS

All access points (other than main entry doors) are maintained in a secured (locked) state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities. Supplier also maintains electronic intrusion detection systems designed to detect unauthorized access to the Facilities, including monitoring points of vulnerability (e.g., primary entry doors, emergency egress doors, etc.) with door contacts, or other devices designed to detect individuals attempting to gain access to the Facilities. All physical access to the Facilities by employees and Suppliers is logged and routinely audited.

CONTINUED EVALUATION

Supplier will conduct periodic reviews of the security of its Supplier Network and the adequacy of its information security program as measured against industry security standards and its own policies and procedures. Supplier will continually evaluate the security of its Supplier Network to determine whether additional or different security measures are required to respond to new security risks or to findings generated by the periodic reviews.