Digital Cyber Written Information Security Program (WISP)
The objective of Digital Cyber, LLC (“DIGITAL CYBER”) in the development and implementation of this comprehensive written information security program (“WISP”), is to create effective administrative, technical and physical safeguards for the protection of personal information, including that of our employees. The WISP sets forth our procedure for evaluating and addressing our electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting personal information.
For purposes of this WISP, “personal information” is defined as per the following regulations: first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account, credit card, or debit card number, with or without any required security code, access code, personal identification number, or password, that would permit access to a resident’s financial account; provided, however, that “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
The purpose of the WISP is to better: (a) ensure the confidentiality, integrity and availability of personal information and any other relevant sensitive data; (b) protect against any reasonably anticipated threats or hazards to the security or integrity of such information; (c) protect against the unauthorized access or purposeful/accidental destruction of such information, including the prevention of it being used in a manner that creates a substantial risk of identity theft or fraud; and (d) ensure that ACTIVE CYBER is compliant under any relevant local, state or federal security dictates.
In formulating and implementing the WISP, ACTIVE CYBER has addressed and incorporated the following protocols:
Identified reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information;
Assessed the likelihood and potential damage of these threats, taking into consideration the sensitivity of the personal information;
Evaluated the sufficiency of existing policies, procedures, customer information systems, and other safeguards in place to control risks;
Designed and implemented a WISP that puts safeguards in place to minimize those risks.
Implemented regular monitoring of the effectiveness of those safeguards and a communications plan that mandates the issuance of periodic security threat and awareness updates.
Implemented a comprehensive security training program to maintain employee awareness and compliance to applicable policies and procedures.
IV. DATA SECURITY COORDINATOR AND DATA SECURITY COMMITTEE:
ACTIVE CYBER has designated Shawn Mathew as the Data Security Coordinator to implement, supervise and maintain the WISP. The Data Security Coordinator will also facilitate the formation of a two-person Data Security Committee made up of cross-functional ACTIVE CYBER employees and management. The Committee will meet periodically to review current security practices and any pertinent violations during the preceding period.
V. INTERNAL RISK MITIGATION POLICIES:
To guard against internal risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following mandatory measures are effective immediately:
ACTIVE CYBER will only collect personal information of clients, customers or employees that is necessary to accomplish our legitimate business transactions or to comply with any and all federal, state or local regulations.
Access to ACTIVE CYBER systems and applicable third-party support applications shall be limited to those employees whose duties, relevant to their job description, have a legitimate need to access said records, and only for this legitimate job-related purpose. Employee-level access will be periodically reviewed and updated to reflect new or changing job responsibilities and employee status (e.g. termination).
Written and electronic records containing personal information shall be securely destroyed or deleted at the earliest opportunity consistent with business needs or legal retention requirements.
A copy of the WISP is made available to all employees.
All employment contracts, where applicable, will be amended to require all employees to comply with the provisions of the WISP and to prohibit any nonconforming use of personal data as defined by the WISP.
Terminated employees must return all records containing personal data, in any form, in their possession at the time of termination. This includes all data stored on any portable device and any other device owned directly by the terminated employee.
A terminated employee’s physical and electronic access to records containing personal information shall be restricted at the time of termination. This shall include remote electronic access to personal records, voicemail, internet, and email access. All keys, access devices, company IDs, business cards, and the like shall be surrendered at the time of termination.
Disciplinary action will be applicable in all cases of violation of the WISP, irrespective of whether personal data was actually accessed or used without authorization.
All security measures, including the WISP, shall be reviewed at least annually to ensure that the policies contained in the WISP are adequate and meet all applicable federal and state regulations.
Should ACTIVE CYBER business practices change in a way that impacts the collection, storage, and/or transportation of records containing personal information, the WISP will be reviewed to ensure that the policies contained in the WISP are adequate and meet all applicable federal and state regulations.
The Data Security Coordinator or his/her designee shall be responsible for all review and modifications of the WISP and shall fully consult and apprise management of all reviews, including any recommendations for improved security arising from the review.
The Data Security Coordinator shall maintain a secured and confidential master list of devices and passwords containing personal data.
Current employees’ user IDs and passwords shall conform to accepted security standards. All passwords shall be changed at least annually, and more often if deemed necessary (e.g. seasonally).
Employees are required to report any suspicious or unauthorized use of personal information to a supervisor or the Data Security Coordinator.
ACTIVE CYBER shall maintain monitoring and auditing capabilities for all internal ACTIVE CYBER systems. Specific audit procedures shall be established for each relevant system and dictated by the criticality of the system and its associated data store.
ACTIVE CYBER will routinely test the key controls and practices dictated by the WISP, with any violations or deficiencies being reported to ACTIVE CYBER senior management.
VI. EXTERNAL RISK MITIGATION POLICIES:
Firewall protection, operating system security patches, and all software products shall be reasonably up-to-date and installed on any computer that stores or processes personal information.
Personal information shall not be removed from the business premises in electronic or written form absent legitimate business need and use of reasonable security measures, as described in this policy.
All system security software, including anti-virus, anti-malware, and internet security software, shall be reasonably up-to-date and installed on any computer that stores or processes personal information.
There shall be secure user authentication protocols in place that:
Control user IDs and other identifiers;
Assign passwords in a manner that conforms to accepted security standards, or applies use of unique identifier technologies;
Control passwords to ensure that password information is secure.
VII. DAILY OPERATIONAL PROTOCOL
This section of our WISP outlines our daily efforts to minimize security risks to any computer system that processes or stores personal information, to ensure that physical files containing personal information are reasonably secured, and to develop daily employee practices designed to minimize access and security risks to the personal information of our clients and/or customers and employees.
The Daily Operational Protocol shall be reviewed and modified as deemed necessary at a meeting of the Data Security Coordinator and personnel responsible and/or authorized for the security of personal information.
Storage and Transmission Practices
All ACTIVE CYBER employees must guard against unauthorized access to sensitive data that is being transmitted over a public electronic communications network or stored electronically. Such measures include encryption of any customer or partner data stored on desktops, laptops or other removable storage devices. Employees must never store sensitive data on an unencrypted medium or transmit sensitive data over an unencrypted channel. SFTP, HTTPS, and PGP are the preferred methods of communication.
When disposing of or scrubbing tangible devices used to store sensitive data, the device must either be physically destroyed so as to make it unreadable or be fully overwritten a minimum of three times.
We will only collect personal information of clients and customers and employees that is necessary to accomplish our legitimate business transactions or to comply with any and all federal and state and local laws.
Within 30 days of the publication of or any update to the WISP, the Data Security Coordinator or his/her designee shall perform an audit of all relevant company records to determine which records contain personal information, assign those files to the appropriate secured storage location, and redact, expunge or otherwise eliminate all unnecessary personal information in a manner consistent with the WISP.
Any personal information stored shall be disposed of when no longer needed for business purposes or required by law for storage. Disposal methods must be consistent with those prescribed by the WISP.
No personal information will ever be transferred to paper or any media other than ACTIVE CYBER secured electronic devices.
All electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed.
Electronic records containing personal information shall not be stored or transported on any portable electronic device, sent or transmitted electronically to any portable device, or sent or transported electronically to any computer, portable or not, without first being encrypted. The only exception shall be where there is no reasonable risk of unauthorized access to the personal information or it is technologically not feasible to encrypt the data as and where transmitted.
Access Control Protocol:
All our computers shall restrict user access to those employees having an authorized and unique log-in ID assigned by the Data Security Coordinator.
Access to electronically stored records containing personal information shall be electronically limited to those employees having an authorized and unique log-in ID assigned by the Data Security Coordinator.
To the extent applicable to each device type, all laptops and other computing devices: (i) will be equipped with a minimum of AES 128-bit full hard disk drive encryption and will have pre-boot PIN-based authentication; (ii) will have industry-standard, up-to-date virus and malware detection and prevention software installed, with virus definitions updated no less than every three (3) calendar days; and (iii) shall maintain software so as to remain on a supported release. This shall include, but not be limited to, the obligation to promptly implement any applicable security-related enhancement or fix made available by the supplier of such software.
Breach of Data Security Protocol:
Should an employee come to be aware that a security breach has taken place at any one of our facilities, that any amount of unencrypted personal information has been lost, stolen, or accessed without authorization, or that encrypted personal information, along with the access code or security key, has been acquired by an unauthorized person or for unauthorized purposes, the following protocol is to be followed:
Employees are to notify the Data Security Coordinator or department head in the event of a known or suspected security breach or unauthorized use of personal information.
In the event the security breach involves the potential exposure of partner customer data (Cloud, etc) or the compromise of partner systems, the Data Security Coordinator will immediately notify any relevant partner security organization. All subsequent steps shall be coordinated in agreement with the partner security organization.
The Data Security Coordinator shall also be responsible for drafting and logging a security breach notification. The security breach notification shall include the following:
A detailed description of the nature and circumstances of the security breach or unauthorized acquisition or use of personal information;
The steps already taken relative to the incident;
Any steps intended to be taken relative to the incident subsequent to the filing of the notification; and
Information regarding whether law enforcement officials are engaged in investigating the incident.
Any corresponding notifications made to partner entities (Cloud, etc) that might be impacted by the breach.
Active Cyber already has a consistent level of data protection and security across our organization, but we have introduced new measures to ensure compliance.
Information Audit — We carried out an audit to make sure we continue to not store any personal data on our computers.
Policies and Procedures — we have revised data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including:
Data Protection – our main policy and procedure document for data protection has been revised to meet the standards and requirements of the GDPR. Accountability and governance measures are in place to ensure that we understand and adequately disseminate and evidence our obligations and responsibilities; with a dedicated focus on privacy and the rights of individuals.
Data Retention and Erasure – our policy is not to store any personal data on our computers.
Data Breaches – our procedures ensure that we have safeguards in place to identify, assess, investigate and report any personal data breach as early as possible. Our procedures have been explained to all employees.
International Data Transfers and Third-Party Disclosures – where Active Cyber stores or transfers personal information outside the EU, we have robust procedures in place to secure the integrity of the data.
Subject Access Request (SAR) – we have revised our SAR procedures to accommodate the revised 30-day timeframe for providing the requested information and for making this provision free of charge.
Privacy Notice/Policy – our Privacy Notice complies with the GDPR, ensuring that all individuals whose personal information we may need to process and retain will be informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information.
Obtaining Consent – we will seek consent before obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it, and giving clear, defined ways to consent to us processing their information.
Direct Marketing – we will not use any personal data for direct marketing.
Data Protection Impact Assessments (DPIA) – where we process personal information that is considered high risk, we have developed stringent procedures for carrying out impact assessments that comply fully with the GDPR’s Article 35 requirements. We have implemented documentation processes that record each assessment, allow us to rate the risk posed by the processing activity and implement mitigating measures to reduce the risk posed to the data subjects.
Processor Agreements – we will not engage third parties to process personal data.
Data Subject Rights
If we hold any personal data, we would provide easy-to-access information via our website of an individual’s right to access any personal information that Active Cyber processes about them and to request information about:
what personal data we hold about them
the purposes of the processing
the categories of personal data concerned
the recipients to whom the personal data has/will be disclosed
how long we intend to store their personal data
if we did not collect the data directly from them, information about the source
the right to have incomplete or inaccurate data about them corrected or completed and the process for requesting this
the right to request erasure of personal data (where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use
the right to lodge a complaint or seek judicial remedy and who to contact in such instances.
Information Security and Technical and Organizational Measures
Active Cyber takes the privacy and security of individuals and their personal information very seriously and takes every reasonable measure to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure or destruction.
Legal basis for processing personal information (EEA visitors only)
If you are a visitor from the European Economic Area, our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.
However, we will normally collect personal information from you only (i) where we need the personal information to perform a contract with you (including to provide Services), (ii) where the processing is in our legitimate interests and not overridden by your rights, or (iii) where we have your consent to do so. In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person.
If we ask you to provide personal information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information).
If we collect and use your personal information in reliance on our legitimate interests (or those of any third party), this interest will normally be to operate our Sites and Services and to communicate with you as necessary to provide our Sites and Services to you and for our legitimate commercial interest, for instance, when responding to your queries, improving our Sites and Services, undertaking marketing, or for the purposes of detecting or preventing illegal activities. We may have other legitimate interests, and if appropriate we will make clear to you at the relevant time what those legitimate interests are.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under the “How to contact us” heading below.
How does Active Cyber keep my personal information secure?
We use appropriate technical and organizational measures to protect the personal information that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information. When you enter sensitive information (such as login credentials), we encrypt the transmission of that information using Secure Sockets Layer (SSL) technology.
We follow generally accepted standards to protect the personal information submitted to us, both during transmission and once we receive it. No method of transmission over the internet or method of electronic storage is 100% secure, however. Therefore, we cannot guarantee its absolute secrecy. If you have any questions about security on our Sites, you can contact us at email@example.com.
International data transfers
Your personal information may be transferred to, and processed in, countries other than the country in which you are a resident. These countries may have data protection laws that are different from the laws of your country and, in some cases, may not provide the same level of protection.
Specifically, our Sites and Services are hosted in the USA, and our group companies and third-party service providers and partners operate around the world. The data we collect from you may be transferred to, and stored at, a destination outside the EEA. It may also be processed by staff operating outside the EEA who work for us or for one of our service providers.
However, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Notice. These include EU-US and Swiss-US Privacy Shield, as well as APEC participation.
EU-U.S. and Swiss-U.S. Privacy Shield
Active Cyber participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. Active Cyber is committed to subjecting all personal data received from European Union (EU) member countries and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Frameworks, and to view our certification, visit the U.S. Department of Commerce’s Privacy Shield List: https://www.privacyshield.gov.
Active Cyber is responsible for the processing of personal data it receives, under each Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Active Cyber complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Framework, Active Cyber is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Active Cyber may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge).
Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
We retain personal information we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with a Service you have requested, for as long as your account remains active, or to comply with applicable legal, tax, or accounting requirements).
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
Your data protection rights
Depending on the country in which you reside, you may have the following data protection rights:
If you wish to access, correct, update, or request deletion of your personal information. These rights can be exercised by contacting us at the contact details provided under the “How to contact us” heading below.
In addition, you can object to processing of your personal information, ask us to restrict processing of your personal information, or request portability of your personal information. Again, you can exercise these rights by contacting us using the contact details provided under the “How to contact us” heading below.
You have the right to opt out of marketing communications we send you at any time. You can exercise this right by sending us an email at firstname.lastname@example.org, or you can unsubscribe by following instructions contained in the message you received. We do reserve the right to send you certain communications relating to the Services, such as service announcements and administrative messages, that are considered part of your account membership, and we do not offer you the opportunity to opt out of receiving those messages.
Similarly, if we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority. Contact details for data protection authorities in the European Economic Area, Switzerland, and certain non-European countries (including the U.S. and Canada) are available here.
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. The data controller of your personal information is Active Cyber Inc.
If you have any questions about our GDPR compliance policies, please contact Shawn Mathew at 214-646-3353 or email@example.com via email.
Partner Specific Security Directives
In addition to the policies and procedures outlined above, all ACTIVE CYBER Cloud Application consultants are required to adhere to the following security practices and directives.
Only authorized ACTIVE CYBER consultants are permitted access to Cloud Application tenants, Projector and any other third-party applications used to support Cloud implementations or development activities.
ACTIVE CYBER consultants will be diligent in ensuring the confidentiality, availability and integrity of Cloud client data. Specific requirements for ensuring the security of Cloud client personal data (any information related to client practices, client financial data and client users) are:
No client personal data shall be resident on a consultant laptop unless that laptop is physically secured. No personal data should be resident on a laptop while it is in transit, whether in a consultant’s car, an airport or any other mode of transportation.
No client personal data shall be resident on a consultant laptop unless that laptop is logically secured. All consultant laptops must maintain a valid anti-virus application that is running in auto-update mode to ensure maintaining the most recent virus and malware protection files.
All consultants must utilize encrypted mechanisms for the storage and transmission of Cloud client personal data. Any files stored on laptops, desktops or any sort of removable storage must be secured via encryption (password-protected zip files, etc.). File transmission protocols must be encrypted (SFTP, PGP, HTTPS, etc.).
Any indication of any potential threat to, or exposure of, Cloud client personal data must be reported to the ACTIVE CYBER Data Security Coordinator (Shawn Mathew).
GDPR STANDARD CONTRACTUAL CLAUSES (PROCESSORS)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Name of the data exporting organization:
<customer>, Inc., which has agreed to these Standard Contractual Clauses as data exporter on its own behalf and on behalf of its affiliates or their respective clients and client affiliates in the European Economic Area (the data exporter)
Active Cyber, LLC, which has agreed to these Standard Contractual Clauses as data importer (the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
References in these Clauses to Directive 95/46/EC shall be replaced by the equivalent provisions of Regulation (EU) 2016/679 (“GDPR”), pursuant to Article 94 of the GDPR.
Clause 1 – Definitions
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organizational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2 – Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3 – Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4 – Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5 – Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorized access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter;
(k) to provide reasonable assistance to the data exporter in the data exporter responding to any requests for exercising the data subject’s rights laid down in Chapter III of the GDPR;
(l) that all persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and
(m) to provide reasonable assistance to the data exporter in the data exporter complying with its obligations under Articles 35 and 36 of the GDPR.
Clause 6 – Liability
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Clause 7 – Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8 – Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
Clause 9 – Governing Law
The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely England.
Clause 10 – Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business-related issues where required, as long as they do not contradict the Clauses.
Clause 11 – Subprocessing
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfill its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Clause 12 – Obligation after the termination of personal data processing services
1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
Clause 13 – Liability
The parties agree that if one party is held liable for a violation of the clauses committed by the other party, the latter will, to the extent to which it is liable, indemnify the first party for any cost, charge, damages, expenses or loss it has incurred. Indemnification is contingent upon:
(a) the data exporter promptly notifying the data importer of a claim, and
(b) the data importer being given the possibility to cooperate with the data exporter in the defense and settlement of the claim.
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is, <customer>, Inc. and its affiliated entities, and/or a client (or its affiliated entities) of <customer> located in the European Economic Area.
The data importer is Active Cyber, LLC
The personal data transferred concern the following categories of data subjects (please specify):
Individuals who have a relationship with the Data Exporter; this may include the personal data of employees, customers, contractors or others.
Categories of data
The personal data transferred concern the following categories of data (please specify):
The personal data shared varies based on the services to be provided, but may include personal details (such as name and contact information), financial information (such as account details and compensation information), professional and educational background information, or other details regarding the individual’s relationship with the Data Exporter.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
The special categories of data shared vary based on the services to be provided. The Data Exporter determines the collection and processing of personal data, including special categories of data, and may elect services that include the collection, processing and storing of special categories of data as required and permitted by the laws applicable to the data transfer.
The personal data transferred will be subject to the following basic processing activities (please specify): The personal data will be subject to processing activities that support <customer> and its affiliates in internal processing of accounting information of its employees, customers, contractors, or others.
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses.
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
The technical and organizational security measures implemented by the data importer are as described below, and as further specified in any underlying Agreements:
1. Information Security Policies and Standards
The Data Importer will implement security requirements for staff and all subcontractors, Service Providers, or agents who have access to Personal Data. These are designed to:
Prevent unauthorized persons from gaining access to Personal Data processing systems (physical access control);
Prevent Personal Data processing systems being used without authorization (logical access control);
Ensure that persons entitled to use a Personal Data processing system gain access only to such Personal Data as they are entitled to access in accordance with their access rights and that, in the course of Processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorization (data access control);
Ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control);
Ensure the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from Personal Data Processing (entry control);
Ensure that Personal Data are Processed solely in accordance with the Instructions (control of instructions);
Ensure that Personal Data are protected against accidental destruction or loss (availability control); and
Ensure that Personal Data collected for different purposes can be processed separately (separation control).
These rules are kept up to date and revised whenever relevant changes are made to the information system that uses or houses Personal Data, or to how that system is organized.
2. Physical Security
The Data Importer will maintain commercially reasonable security systems at all Data Importer sites at which an information system that uses or houses Personal Data is located. The Data Importer appropriately restricts access to such Personal Data.
Physical access control has been implemented for all data centers. Unauthorized access is prevented through 24×7 onsite staff, biometric scanning and security camera monitoring. Data center physical security is audited by an independent firm.
A surveillance camera is installed on the entry door, and security monitoring by building management is in place.
3. Organizational Security
When media are to be disposed of or reused, procedures have been implemented to prevent any subsequent retrieval of any Personal Data stored on them before they are withdrawn from the inventory. When media are to leave the premises at which the files are located as a result of maintenance operations, procedures have been implemented to prevent undue retrieval of Personal Data stored on them.
The Data Importer has implemented security policies and procedures to classify sensitive information assets, clarify security responsibilities and promote security awareness among employees.
All Personal Data security incidents are managed in accordance with appropriate incident response procedures.
All sensitive data transmitted by the Service Provider is encrypted while in transit and while stored on portable devices or media.
4. Network Security
The Data Importer maintains network security using commercially available equipment and industry standard techniques, including firewalls, intrusion detection systems, access control lists and routing protocols.
5. Access Control
Only authorized staff can grant, modify or revoke access to an information system that uses or houses Personal Data.
User administration procedures define user roles and their privileges and how access is granted, changed and terminated; address appropriate segregation of duties; and define the logging/monitoring requirements and mechanisms. All employees of the Data Importer are assigned unique User-IDs.
Access rights are implemented adhering to the “least privilege” approach.
The Data Importer implements commercially reasonable physical and electronic security to create and protect passwords.
6. Virus and Malware Controls
The Data Importer installs and maintains anti-virus and malware protection software on the system.
The Data Importer implements a security awareness program to train personnel about their security obligations. This program includes training about data classification obligations; security controls; security practices and security incident reporting.
The Service Provider has clearly defined roles and responsibilities for its employees. Screening is carried out before employment, and the terms and conditions of employment are applied appropriately.
Service Provider employees strictly follow established security policies and procedures. A disciplinary process is applied if an employee commits a security breach.
8. Business Continuity
The Data Importer implements appropriate disaster recovery and business resumption plans. The Data Importer reviews both its business continuity plan and its risk assessment regularly. Business continuity plans are tested and updated regularly to ensure that they remain current and effective.