Protecht Data Processing Addendum
The Customer and Protecht have entered into the Services Agreement. This Data Processing Addendum incorporating Standard Contractual Clauses (“Addendum”) supplements the terms and conditions of the Services Agreement and consists of the following components:
- the main body of this Addendum,
- Schedule A to this Addendum (including Annexures I-IV), which sets out the scope, nature and purpose of processing by Us,
- Schedule B to this Addendum, which incorporates the European Union Standard Contractual Clauses including Schedule A Annexures I-IV, which are applicable to data processing activities that are subject to the EU GDPR, and
- Schedule C to this Addendum, which incorporates the United Kingdom Standard Contractual Clauses including Schedule A Annexures I-IV, which are applicable to data processing activities that are subject to the UK GDPR.
This Addendum is subordinate to and qualified by the Services Agreement, including the indemnification and limitations of liability provisions of the Services Agreement.
1. Definitions
In this Addendum, the following meanings apply, unless the contrary intention appears:
“Adequacy Decision” and “Adequacy Regulation” means any valid adequacy decision or regulation (as applicable) as referred to in Article 45 of the EU GDPR or the UK GDPR (as applicable);
“Commencement date” means the earlier of the date of the Services Agreement, this Addendum or the first use of the Protecht Services by the Customer;
“Customer” means the recipient of Protecht Services, as identified in the Services Agreement, which is a party to the Services Agreement;
“Data Breach” means a confirmed accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or unauthorised third-party access to Personal Data;
“Data Subject” means an identified or identifiable natural person as defined by Privacy Laws;
“EU GDPR” means the General Data Protection Regulation (EU) 2016/679;
“Personal Data” means any information relating to a Data Subject which is protected by Privacy Laws and provided by You to the Protecht Group in the course of using the Protecht Services pursuant to the Services Agreement;
“Privacy Laws” means all applicable data protection and privacy legislation in force from time to time in the European Union, the United Kingdom, the United States, Canada, Australia and New Zealand, and includes the EU GDPR and the UK GDPR;
“Protecht” means the Protecht Group entity which is a party to the Services Agreement;
“Protecht Group” means Protecht and each affiliate of Protecht, and “Protecht Group Entity” means an entity in the Protecht Group. For the purposes of this definition, “affiliate” means any entity which directly or indirectly controls, is controlled by, or is under common control with the subject entity, and “control” means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity;
“Protecht Services” means the services (including the Customer’s access to and use of the Protecht.ERM Service) from time to time provided by the Protecht Group to the Customer pursuant to the Services Agreement;
“Sale” is inclusive of the meaning provided in California Civil Code §1798.140 (t), if applicable;
“Services Agreement” means the agreement governing the provision of the Protecht Services to the Customer, including any agreed statement of work or order under that agreement;
“Service Provider” has the meaning given by the California Civil Code §1798.140;
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses published by the European Commission, reference 2021/914 or any subsequent final version thereof which automatically applies;
“UK GDPR” means the EU GDPR as it forms part of the laws of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and 2020;
“Unrecognised Country” means any country, organization or territory outside of the United Kingdom and the European Economic Area, as relevant, which is not subject to an Adequacy Decision or Adequacy Regulation;
"We," "Us" or "Our" means each Protecht Group Entity to the extent that it uses, processes, transfers or stores Your Personal Data; and
"You" or "Your" means the Customer.
In this Addendum, the terms “controller, processor, sub-processor, processing, third party and appropriate technical and organisational measures” have the meanings given by the EU GDPR, unless the contrary intention appears.
2. Compliance with Privacy Laws
(a) Each party will comply with all Privacy Laws applicable to that party. This Addendum is in addition to, and does not relieve, remove or replace, a party's obligations or rights under any Privacy Laws. You retain control of Your Personal Data and remain responsible for Your compliance obligations, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions You give to Us.
(b) Each party will have in place appropriate policies and procedures to comply, and ensure that its personnel comply, with their respective obligations under all Privacy Laws applicable to that party.
(c) If there is any change in any Privacy Laws, the parties will act reasonably and in good faith to agree on any amendments to this Addendum that may be reasonably required to ensure that the processing of Personal Data continues to comply with applicable Privacy Laws.
3. Acknowledgments
The parties acknowledge that:
(a) if We process any Personal Data on Your behalf when performing Our obligations under the Services Agreement, You are the controller of the Personal Data and We are the processor of the Personal Data for the purposes of the Privacy Laws;
(b) Schedule A sets out the scope, nature and purpose of processing by Us, the duration of the processing and the types of Personal Data and categories of Data Subject;
(c) We may update Schedule A from time to time to reflect new products, features or functionality comprised within the Protecht Services and We will take reasonable efforts to notify You of any such updates;
(d) the Personal Data may be used, processed, transferred or stored outside the European Economic Area (EEA) and the United Kingdom, or the country where You are located, in order to carry out and provide the Protecht Services and meet Our other obligations under the Services Agreement; and
(e) the Personal Data may be used, processed, transferred or stored by any Protecht Group Entity, in order to carry out and provide the Protecht Services and meet Our other obligations under the Services Agreement.
4. Consents and notices
You will ensure that You have all necessary and appropriate consents and notices in place to enable lawful transfer of the Personal Data to Us for the duration and purposes of the Services Agreement so that We may lawfully use, process, transfer and store the Personal Data in accordance with the Services Agreement on Your behalf.
5. Processor obligations
We will, in relation to any Personal Data processed in connection with the performance by Us of our obligations under the Services Agreement:
(a) process that Personal Data only on Your documented written instructions unless We are required otherwise by any applicable laws. The Services Agreement, this Addendum and Your use of the Services (including their features and functionality) are Your instructions to Us in relation to the processing of Personal Data. We will not process Personal Data for any other purpose or in a way that does not comply with this Addendum or the Privacy Laws. Where required to process Personal Data other than in accordance with your instructions, We will promptly notify You of this before performing the processing required, unless those laws prohibit Us from so notifying You. We will promptly inform You if, in Our opinion, Your instructions conflict with the requirements of applicable Privacy Laws and We will be entitled to cease processing Personal Data until the infringing instruction is withdrawn, or amended to render it lawful;
(b) at Your written request, but subject to clauses 8 and 9 of this Addendum, provide reasonable assistance to You:
(i) in Your fulfilment of Your obligations to respond to requests for exercising Data Subject’s rights; and
(ii) in Your compliance with Your obligations under relevant Privacy Laws, including reasonably allowing for and reasonably contributing to audits and inspections conducted by You (or another auditor authorised by You) under relevant Privacy Laws.
We may, at Our discretion, charge You and You agree to pay Us a fee for that assistance calculated on a time and materials basis at Our then current standard published rates;
(c) at Your written request, but subject to and in accordance with the provisions of the Services Agreement, delete or return Personal Data and copies thereof to You on termination of the Services Agreement, unless We are required by applicable Privacy Laws to store the Personal Data (and for these purposes the term ‘delete’ means to put that Personal Data beyond use or recognition);
(d) take reasonable steps to ensure that persons authorised by Us (if any) to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and
(e) process that Personal Data in conformity with the technical and organisational measures set out in Annexure II of Schedule B, which may be updated or modified from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the Protecht Services.
6. Your Personal Data
Your Personal Data is provided to Us solely as a Service Provider to You. Any Sale of Your Personal Data is strictly prohibited. We certify that we understand and agree that, except as required by applicable law, We will not (i) engage in a Sale of Your Personal Data; (ii) retain, use, or disclose Your Personal Data for any purpose other than providing the Services to You or as authorised by the Services Agreement and this Addendum; (iii) retain, use, or disclose Your Personal Data outside of the direct business relationship between Us or the scope of the authorisation pursuant to the Services Agreement and this Addendum.
7. Sub-processors
You acknowledge and agree that members of the Protecht Group may be retained as sub-processors. You also consent to Our use of third-party sub-processors in connection with the provision of the Services, and to Our disclosure and provision of Personal Data to those sub-processors. We will enter into a written agreement with each sub-processor: i. to comply with the Privacy Laws, and ii. to provide a substantially similar level of data protection as set out in this Addendum with respect to the protection of Your Personal Data (to the extent applicable to the services provided by the sub-processor). We will be liable to You for the acts and omissions of any sub-processor as if they were Our acts and omissions. The current list of Our sub-processors can be found through Our security webpage. We will give You 30 days’ notice of any intended addition or replacement of any sub-processor, thereby giving You the opportunity to object to any new sub-processor based on reasonable and specific grounds relating to data protection. Any such objection must be accompanied by details of those grounds and provided to Us in writing within 14 days after receipt of Our notification. If You object, both parties will act reasonably and in good faith to resolve Your objection, such as by making available to You a use of the Services that avoids processing by the new sub-processor. If the parties are unable to resolve Your objection within 60 days after the date of Your objection, either party may terminate the Services Agreement by providing written notice to the other party.
8. Audit
You acknowledge that We are regularly audited by independent third-party auditors and/or internal auditors. You may exercise Your right to inspection and audit under relevant Privacy Laws by requesting, and We will comply by:
(a) providing access through Our security webpage to relevant details of Our information security program and security posture;
(b) responding to reasonable and relevant queries that are not addressed by the resources made available through Our security webpage; and
(c) providing such additional information in Our possession or control as may be lawfully requested by a data protection regulator, including an EU or UK supervisory authority, with regard to the data processing activities carried out by Us under the Services Agreement and this Addendum.
9. Information
We will keep detailed, accurate and up-to-date written records regarding Our processing of Personal Data in accordance with Our record-keeping requirements under applicable Privacy Laws. You agree that, in relation to any obligation to assist, co-operate or provide information or access to documents, including in connection with any right of audit or inspection, under the Services Agreement, including this Addendum:
(a) that right or obligation is qualified in relation to any third-party sub-processor by the terms of our agreement with that sub-processor;
(b) We are only obliged to disclose information or documents to the extent that information or those documents are reasonably available to Us and You do not otherwise have access to that information or those documents;
(c) We have no obligation to disclose information or documents relating to any other customer or where disclosure would contravene any law or be in breach of any obligation of confidence;
(d) some information and documents may be available for inspection only (not copy) at Our premises and in summary form only or through Our security webpage; and
(e) all information and documents will be disclosed on a strictly confidential “need to know” basis.
10. Data Breach
In the event of a Data Breach, We will:
(a) notify You without undue delay but in any event no later than 48 hours after becoming aware of the Data Breach;
(b) not contact any other person (including any regulator or affected individual) in connection with the Data Breach without Your prior written consent, except to the extent:
(i) We are asked by You to do so;
(ii) they are also Our customer and have been affected by the same incident;
(iii) We are engaging consultants to provide professional advice or technical assistance in connection with the Data Breach;
(iv) We are required to do so in order to comply with applicable law or where We are otherwise legally compelled, including by any regulator acting with lawful authority; or
(v) it is appropriate for Us to do so in order to notify, seek the assistance of or otherwise co-operate with defence, intelligence or law enforcement authorities; and
(c) provide reasonable assistance to You in relation to any Data Breach notifications You are required to make under the Privacy Laws.
In addition, each party will reasonably cooperate with the other with respect to the investigation and resolution of any Data Breach including, in the case of Protecht, prompt provision of the following, to the extent then known by Protecht: (i) the possible cause and consequences of the Data Breach; (ii) the categories of Personal Data involved and approximate number of both Data Subjects and Personal Data records concerned; (iii) a summary of the possible consequences for the relevant Data Subjects; (iv) a summary of any unauthorised recipients of the Personal Data; and (v) the measures taken or proposed to be taken by Protecht to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
11. Transfer of Personal Data
The following apply to a transfer of Personal Data by You to Us in an Unrecognised Country where that Personal Data is subject to either the EU GDPR or the UK GDPR and where appropriate safeguards under the EU GDPR or the UK GDPR, respectively, can be met by entering into Standard Contractual Clauses:
(a) where that transfer is subject to the EU GDPR, Module 2 of the SCCs, and Schedule B to this Addendum will apply to any such transfers; and
(b) where that transfer is subject to the UK GDPR, Module 2 of the SCCs, and Schedule C to this Addendum will apply to any such transfers.
If We adopt an alternative Personal Data transfer mechanism (including any new version of or successor to the SCCs adopted pursuant to applicable Privacy Laws) not described in this Addendum (Alternative Transfer Mechanism), the Alternative Transfer Mechanism will apply instead of the SCCs as described in this Addendum (but only to the extent that Alternative Transfer Mechanism complies with applicable Privacy Laws and extends to the territories to which personal data is transferred). We will take reasonable efforts to notify You if we adopt any Alternative Transfer Mechanism.
This Addendum is regarded as having been executed by the parties by their execution of the Services Agreement.
SCHEDULE A
Description of processing
Scope, nature and purpose of processing
We will process the Personal Data for the purposes of providing to the Customer the Protecht Services as set out in the Services Agreement.
Duration of the processing
For the duration of the Services Agreement.
Types of Personal Data
In each case applicable to the Protecht Services:
Categories of Data Subjects
In each case as applicable to the Customer and its use of Protecht Services:
SCHEDULE B
EU Standard Contractual Clauses
If You are situated in the EEA, Module 2 of the Standard Contractual Clauses (the Standard Contractual Clauses) will apply in relation to the transfer of Personal Data from the EEA, and will form part of the Agreement, completed as follows:
- Clause 7 of the Standard Contractual Clauses (Docking Clause) does apply.
- Clause 9(a) Option 2 (General written authorisation) is selected, and the time period to be specified is 30 days. For the purposes of Clause 9(a), the Data Importer has the Data Exporter’s prior general authorisation to engage sub-processors in accordance with Clause 8 of this Data Processing Addendum. Data Importer will make available to the Data Exporter the current list of sub-processors and advise Data Exporter of any changes to Sub-processors in accordance with Clause 8 of this Data Processing Addendum.
- The option in Clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.
- With regard to Clause 17 of the Standard Contractual Clauses (Governing law), the Parties agree that option one will apply. The Parties agree that the governing law will be the law of the Republic of Ireland.
- In Clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of the Republic of Ireland.
- Annexure I of the Standard Contractual Clauses will be deemed agreed and completed with the information set out in Annexure I to Schedule B.
- Annexure II of the Standard Contractual Clauses will be deemed agreed and completed with the information set out in Annexure II to Schedule B.
- Annexure III of the Standard Contractual Clauses will be deemed agreed and completed with the information set out in Annexure III to Schedule B.
ANNEXURE I – SCHEDULE B
A. List of parties
Data Exporter: The Customer
Name: As specified in the Services Agreement
Address: As specified in the Services Agreement
Contact person name: As specified in the Services Agreement
Position: As specified in the Services Agreement
Contact details: As specified in the Services Agreement
Data Importer
Name: Protecht
Address: c/- Level 8, 299 Elizabeth St, Sydney NSW 2000, Australia
Contact person name: Blake Barnett
Position: Data Protection Officer
Contact details: privacy@protechtgroup.com
B. Description of transfer
Categories of Data Subjects whose Personal Data is transferred
In each case as applicable to the Protecht Services:
Categories of Personal Data transferred
In each case as applicable to the Protecht Services:
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Data Exporter may upload special categories of Personal Data to the Protecht Services, the extent of which is solely determined by the Data Exporter in compliance with Privacy Laws, and may include the following categories, if any:
No additional restrictions or safeguards are applied by Data Importer to any sensitive or special category of Personal Data.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Data will be transferred on a continuous basis, as applicable to the Protecht Services.
Nature of the Processing
We will process the personal data for the purposes of providing the Protecht Services as set out in the Services Agreement.
Data subjects whose personal data will be processed, and applicable markets: The Data Exporter’s employees, contractors and workers. The Data Exporter’s customers, clients, business partners and suppliers and other categories of Data Subjects whose Personal Data is uploaded to the Protecht Services by the Data Exporter.
Personal data attributes: Personal Data needed to provide and enhance the Protecht Services including name, title, work email address for user access and notifications. Personal Data uploaded to the Protecht Services including Personal Data of any customers, clients, business partners and suppliers and other categories of Data Subjects as provided by the Data Exporter.
Source: The Data Exporter
Responsibility: The Data Exporter
Purpose/s: To provide and enhance the Protecht Services in accordance with the Services Agreement
Purpose(s) of the data transfer and further processing
We will process the Personal Data for the purposes of providing and enhancing the Protecht Services as set out in the Services Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the duration of the Services Agreement and for a reasonable period thereafter, in accordance with the Data Importer’s retention policy and as required by applicable laws.
For transfers to (sub) processors, also specify subject matter, nature and duration of the processing
Details of the sub-processors to whom the Data Importer transfers the Personal Data, together with details of the subject matter, nature and duration of the processing, are published through the Data Importer’s security webpage.
C. COMPETENT SUPERVISORY AUTHORITY
For the purposes of Clause 13, the competent supervisory authority will be determined in accordance with the following:
Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, will act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established will act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, will act as competent supervisory authority.
ANNEXURE II – SCHEDULE B
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Data Importer must develop, implement, maintain and test adequate technical and organisational measures to protect the confidentiality, integrity, and availability of the Personal Data being transferred by the Data Exporter to the Data Importer as described in Annexure I (“Customer Data”) that are no less rigorous than accepted industry practices and which comply with the International Organization for Standardization’s standards: ISO/IEC 27001 – Information Security Management System Requirements or other equivalent industry standards, as updated from time to time.
Terms defined in the Data Importer’s Data Processing Addendum have the same meaning where they are used in this Annexure II.
The measures below should be implemented as a minimum.
1. SECURITY GOVERNANCE AND COMPLIANCE
a) The Data Importer must maintain and implement an information security management system which documents the Data Importer’s organisational structure, the security policies, responsibilities, practices, procedures, processes and resources, used by the Data Importer to manage information security in respect of the provision of the Protecht Services, including in relation to the accessing and processing of Customer Data.
b) The Data Importer must ensure that at all times it maintains sufficient resources, management structures and management oversight to allow it to meet its security obligations under this Annexure.
c) The Data Importer must establish and use auditable, repeatable and integrated processes to effectively identify, manage and report risks in a manner that is consistent with the nature and scope of the Protecht Services.
2. DATA PROTECTION
a) Data Importer will, at its own expense, protect the confidentiality, authenticity and integrity of Customer Data at rest as well as in transit processed within the infrastructure of the Data Importer or any sub-contractors or sub-processors Data Importer has engaged to provide services under the Agreement.
b) Customer Data must be encrypted while transmitted over external networks using TLS 1.2 or above. Encryption algorithms and technologies in use will be publicly validated and subject to the acceptable industry standards (e.g., AES, RSA).
3. DATA AVAILABILITY
a) Data Importer must ensure the continuity of availability of Customer Data prior to any major modification, update, upgrade or other change to its system or the Protecht Services that may affect any Customer Data.
b) Data Importer will implement controls to counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
c) Data Importer must regularly test (at least annually) and update business continuity and disaster recovery plans to ensure that they are up to date and effective. Upon request from the Data Exporter, Data Importer must provide access to documentation to demonstrate compliance with the requirements of this sub-clause 3(c).
4. DATA ACCESS
a) Data Importer must maintain controls to prevent unauthorized access to systems, networks, applications and data (including Customer Data). As a minimum, Data Importer will maintain access management practices that ensure:
i) access is granted through an access profile (role);
ii) access rights are assigned to a role on a need-to-know basis and least privilege basis to ensure segregation of duties and the assignment of roles follows a structured and documented procedure;
iii) withdrawal of access to Customer Data and related assets is performed in a timely manner for personnel who exit Data Importer’s organisation or are re-assigned outside the scope of services under the Agreement;
iv) Data Importer user accounts and system privileges are regularly reviewed;
v) mandating the use of strong passwords by Data Importer personnel according to industry standards on all systems processing or storing Customer Data; and
vi) remote access to Data Importer systems uses multi-factor authentication (where it is supported) and is only provided on a needs basis.
b) In relation to any access to or use of any part of the Data Exporter’s system or infrastructure (but only to the extent of that access or use), the Data Importer must comply with the Data Exporter’s security policies and practices as current from time to time and notified to the Data Importer (where not in conflict with the Data Importer’s security policies and practices).
5. DATA HANDLING
a) Data Importer must ensure that any Customer Data that it processes is classified and managed in accordance with Data Importer’s applicable information classification and data management standards.
b) Data Importer must ensure that all of its personnel delivering services to Data Exporter are made aware of and trained on information security threats and are equipped to support organizational information security policies in general as well as within their specific job functions.
c) Data Importer must maintain disciplinary procedures to sanction individual unintentional or intentional misconduct leading to a breach of information security policies and procedures.
d) Upon termination, Data Importer must return or securely destroy any Customer Data in accordance with the provisions of the Services Agreement, unless otherwise required to be retained by applicable law.
6. PHYSICAL SECURITY
a) Data Importer must maintain (or, in the case of third party operated data centres, take reasonable steps to ensure the maintenance of) effective procedures to prevent unauthorized physical access, damage and interference to processing facilities, systems, networks and information, including Customer Data, used in delivery of Protecht Services, including but not limited to:
i) procedures to monitor physical access to ensure that only authorised personnel are allowed access; and
ii) controls to prevent unauthorised removal of Customer Data related to the Protecht Services on portable storage media by their personnel.
7. VULNERABILITIES MANAGEMENT & CHANGE MANAGEMENT
a) Data Importer will implement appropriate change management and capacity management processes, including reviewing and testing all changes before they are deployed in a live environment to ensure that it maintains secure operations of information processing systems.
b) Data Importer must ensure that security is included in development and support processes to maintain the security of application system software and information, including by ensuring that segregation of duty is enforced amongst individuals with development responsibilities and production privileges and by implementing adequate procedural controls to prevent the usage of production data in a test environment.
c) The Data Importer must use an appropriate risk assessment framework to measure risk related to technical vulnerabilities in order to define patch severity/criticality level and will maintain a vulnerability management process that reduces risks resulting from exploitation of vulnerabilities.
d) Data Importer will obtain timely information about vulnerabilities applicable to systems, applications and networks being used for or connected to the delivery of the Protecht Services and will evaluate their exposure to such vulnerabilities and take appropriate measures to address the associated risk in a timely manner.
8. RISK ASSESSMENT
a) Data Importer will participate in Data Exporter’s third-party risk management program by providing access through Data Importer’s security webpage to relevant details of the Data Importer's information security program and security posture and by responding to reasonable and relevant queries that are not addressed by the information available through that webpage. Data Importer will keep current the information made available through its security webpage and update it when a significant change occurs to Data Importer's information security program or security posture.
b) Data Importer must implement processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of Customer Data handling commensurate with the risk involved in performing the Protecht Services.
9. SECURITY INCIDENT MANAGEMENT
a) Data Importer must maintain a consistent and effective approach for security incident management, which includes monitoring capabilities and effective procedures to detect and manage in a timely manner events indicating a potential security incident.
b) The Data Importer must perform routine monitoring of the critical events in its environment and have the technical capability to detect anomalies and malicious behaviour.
c) Data Importer will implement reasonable controls in order to restore the availability and access to Customer Data in a timely manner in the event of a security incident.
d) Upon becoming aware of a Data Breach, Data Importer must promptly and without delay notify Data Exporter, and in no event later than 72 hours. Data Importer agrees to promptly cooperate with Data Exporter in any investigations or enquiries into the Data Breach by Data Exporter or by a regulatory or law enforcement agency, including through third-party forensics professionals.
e) Data Importer must retain, preserve and make available to Data Exporter all relevant records, logs, files, data reporting and other materials required to comply with applicable laws or industry standards.
10. SOLUTIONS SECURITY
To the extent the Data Importer is providing a software solution to Data Exporter that is required to be accessed by Data Exporter personnel, the Data Importer must ensure that:
a) The solution supports single sign-on (SSO) protocols such as SAML 2.0 and that this can be enforced as the only login method.
b) The solution supports multi-factor authentication (MFA).
c) The solution provides audit logging and alerting capabilities that can be enabled to monitor user activities and transactions.
d) The solution includes patching as part of the scope of the Services Agreement.
e) The solution includes role-based access controls that allow separation of duties and permissions for individual users (e.g. administrators vs. regular users).
ANNEXURE III – SCHEDULE A
LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors:
Details of the sub-processors to whom We transfer the Personal Data, together with details of the subject matter, nature and duration of the processing are published through the Data Importer’s security webpage.
ANNEXURE IV – SCHEDULE A
SUPPLEMENTARY MEASURES FOR INTERNATIONAL DATA TRANSFERS TO ENSURE COMPLIANCE WITH GDPR AND SCHREMS II
Following the recommendations provided by the European Data Protection Board to supplement international data transfers[1] and, in light of the judgement issued by the Court of Justice of the European Union in the Schrems II case[2], the Data Importer will:
a) enumerate the laws and regulations in the destination country applicable to the importer or its (sub) processors that would permit access by public authorities to the Personal Data that are subject to the transfer, in particular in the areas of intelligence, law enforcement, administrative and regulatory supervision applicable to the transferred data;
b) in the absence of laws governing the public authorities’ access to data, provide information and statistics based on the importer’s experience or reports from various sources (e.g. partners, open sources, national case law and decisions from oversight bodies) on access by public authorities to Personal Data in situations of the kind of the data transfer at hand (i.e. in the specific regulatory area; regarding the type of entities to which the data importer belongs, etc.);
c) indicate which measures are taken to prevent the access to transferred data (if any);
d) provide sufficiently detailed information on all requests of access to Personal Data by public authorities which the importer has received over a specified period of time, and about the requests received, the data requested, the requesting body and the legal basis for disclosure and to what extent the importer has disclosed the data request;
e) specify whether and to what extent the importer is legally prohibited to provide the information mentioned above;
f) commit to reviewing, under the law of the country of destination, the legality of any order to disclose Personal Data, notably whether it remains within the powers granted to the requesting public authority, and to challenge the order if, after a careful assessment, it concludes that there are grounds under the law of the country of destination to do so. When challenging an order, the Data Importer should seek interim measures to suspend the effects of the order until the court has decided on the merits;
g) not disclose the Personal Data requested until required to do so under the applicable procedural rules;
h) commit to providing the minimum amount of information permissible when responding to the order, based on a reasonable interpretation of the order;
i) notify promptly the Data Subject of the request or order received from the public authorities of the third countries, or of the importer’s inability to comply with the contractual commitments;
j) assist the Data Subject in exercising their rights in the third country jurisdiction through ad hoc redress mechanisms and legal counselling; and
k) adopt and regularly review its internal policies to assess the suitability of the implemented complementary measures and identify and implement additional or alternative solutions, when necessary, to ensure that an essentially equivalent level of protection to that guaranteed within the EEA of the Personal Data transferred is maintained.
SCHEDULE C
UK Approved Addendum
to EU Standard Contractual Clauses
If You are situated in the United Kingdom, Module 2 of the Standard Contractual Clauses will apply together with the UK Addendum to the Standard Contractual Clauses (SCCs) in relation to the transfer of Personal Data from the United Kingdom, subject to the following:
Part 1
Table 1: Parties
| Start date | The date of the Services Agreement | |
| The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
| Parties’ details | See Annex I – Schedule B | See Annex I – Schedule B |
| Key Contact | See Annex I – Schedule B | See Annex I – Schedule B |
Table 2: Selected SCCs, Modules and Selected Clauses
| Addendum EU SCCs | the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum: |

| Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter? |
| 1 | | | | | | |
| 2 | X | Applies | Option does not apply | Option 2 – General Authorisation | 30 days | |
| 3 | | | | | | |
| 4 | | | | | | |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
| Annex 1A: List of Parties | See Annex I.A – Schedule B |
| Annex 1B: Description of Transfer | See Annex I.B – Schedule B |
| Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data | See Annex II – Schedule B |
| Annex III: List of Sub-processors (Modules 2 and 3 only) | See Annex III – Schedule B |
| Annex IV: Supplementary Measures for International Data Transfers to Ensure Compliance with GDPR and SCHREMS II | See Annex IV – Schedule B |
Table 4: Ending this Addendum when the Approved Addendum Changes
| Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: Importer / Exporter / neither Party |
Part 2: Mandatory Clauses
The Alternative Part 2 Mandatory Clauses will apply, as follows: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the Information Commissioner’s Office (ICO) and laid before the UK Parliament in accordance with s119A of the Data Protection Act 2018 on 28 January 2022, as it is revised under Section 18 of those mandatory clauses.