1. Definitions
Relevant definitions from applicable data protection legislation, i.e. the EU General Data Protection Regulation 2016/679 (GDPR), are also applied in this agreement.
2. Background and purpose
As a consequence of the service agreement, the processor will process personal data on behalf of the controller. Roles and responsibilities as controller and processor follow from applicable data protection legislation, but are also further described in this agreement.
This agreement shall govern the rights and duties in line with applicable data protection legislation, to ensure that personal data will not be accessed by unauthorized parties, or be used, changed or deleted without authorization. This includes processing of personal data in relation to collection, transmission, storage, processing and presentation of the service.
The processor shall only process personal data on the basis of instruction from the controller. Instructions for processing are given in the service agreement, and through various configuration options made available to the controller by the processor. The purpose of processing is further described in the service description. This agreement does not, however, exclude the use of any other legal basis for processing of other personal data for alternative purposes, where for instance consent is lawfully collected from the data subject and the processor itself takes on the role as controller for such purposes.
For a limited and specific amount of personal data, if applicable, the parties also agree to act as joint controllers. The scope for joint controllership is limited to profiling data related to human cyber risk, such as assessments of knowledge and interest, in connection with the individual identities of data subjects. The purpose of this particular arrangement is to provide Secure Practice with legal grounds to reject any request to re-identify data relating to human cyber risk, ensuring such data in practice will remain anonymous towards the original controller.
3. Categories of data
Personal data which may be processed under the terms of this agreement include:
Names (including nicknames) of users (including for the customer's employees, consultants, partners);
Contact information for users (email, phone numbers, etc.);
Technical data about user equipment (IP address, operating system, etc.);
Position, department, work location, superior(s) for users;
Email messages analyzed by users (including sender and recipient(s));
Personal service status and progress for users;
User responses to forms embedded in the service;
Communication between the users within the service;
Service related communication with users;
Logs for service use, including error messages;
Profiling data related to human cyber risk.
4. Processor obligations
Processor shall implement and govern routines and instructions for the processing which is required for safe processing of personal data in accordance with applicable data protection legislation.
Processor has an individual responsibility to ensure that all personal data are processed in compliance with the terms of this agreement. No part of this agreement or the service terms shall prevent the controller from implementing required measures to be in compliance with applicable data protection legislation.
Processor shall at any time specify where personal data are stored on behalf of the controller. Any personal data which are processed under this agreement shall at any time be processed and stored within the EU/EEA, and shall not be transferred to third countries without pre-approval from the controller.
Processor shall ensure assistance as required to the controller in their obligations according to applicable data protection legislation. This includes, but is not limited to, the controller's obligations to comply with data subject rights with regards to access, rectification, erasure, restriction of processing and data portability, to the extent that this is required for the controller's legal compliance.
If required by current legislation, the processor may however provide a third party with access to personal data after notifying the controller in writing that such access has been requested, in order to allow opposition to such access to be brought forward wherever this may be a possibility.
5. Information security
Processor shall implement appropriate measures for information security, taking into account the categories, extent and purpose for personal data processing, and at the same time the risk involved with processing, after assessing the cost/benefit of such measures and their suitability for reducing risk.
Measures shall include satisfactory technical, physical and organizational security controls appropriate for protecting personal data under this agreement against unauthorized or unlawful access, modification, erasure, damage, loss and unavailability.
Processor shall practice a systematic approach to internal audit of information security in the business, supported by a management system based on ISO/IEC 27001 or similar. Based on this, the following controls, among others, shall be implemented:
Personal access control for any access to personal data, constrained by technical mechanisms for authorization and procedures for the provisioning and removal of access;
Secure communication enabled by encrypted connections for confidentiality and integrity when transferring personal data in networks outside of the processor's control;
Pseudonymization and encryption to mitigate identification of individuals and combination of personal data if exposed outside of authorized systems;
Routines for maintenance and updates to software to prevent malicious exploitation of known vulnerabilities;
Physical access control for any equipment and infrastructure where personal data are processed in a form where logical access control is not implemented or effective on its own;
Procedures for erasure of unencrypted storage media after use, so that unauthorized recovery is made as difficult as practically possible;
Training in information security and personal data processing for all employees who are given access to systems where personal data are processed.
Processor is bound by a duty of confidentiality with respect to personal data processed on behalf of the customer under this agreement, and shall be able to document who has had access to such data. This obligation shall be further reflected in contracts with employees, consultants and sub-contractors, and applies also after the termination of this agreement.
6. Sub-processors
Processor is only permitted to use sub-processors for personal data processing where the customer is the controller, after the controller's pre-approval. If a new sub-processor of such data is introduced, the controller shall be notified about the change no less than 60 days in advance. Should the controller wish to reject such change, the controller shall have the right to terminate the service agreement with effect from the time when the change should have taken place.
All parties involved in processing such personal data on behalf of the processor are listed, together with a description of the scope of their processing, on a sub-processors list web page.
The processor is responsible for establishing individual data processing agreements with all such sub-processors, and for ensuring that any sub-processors of these are in turn approved by the processor for compliance with applicable personal data legislation and meet any requirements arising from this agreement. Processor shall also ensure a level of information security with the sub-processor which is no less stringent than what follows from this agreement, and must upon request be able to disclose documentation of data processing terms with given sub-processors for the controller's review.
7. Audit
Processor shall on their own initiative apply a systematic approach to uncover and resolve any non-compliance related to their processing of personal data, to ensure continuous compliance with this agreement and applicable personal data legislation.
Processor shall at least once each year perform security testing of systems comprised by the service terms, and provide the controller access to the results of such security tests upon request. Processor is obligated to correct any findings within reasonable time, taking into account the individual severity and risk of exploitation of each such finding.
Processor shall support the controller in the occasion of an audit from supervisory authorities, to the degree that this is required to assess whether personal data are processed in compliance with applicable data protection legislation.
Controller shall nonetheless have the right to audit the processor, including through the use of an independent auditor and a third party for penetration testing of systems comprised by the service agreement, given that the processor's extraordinary efforts in this relation are compensated.
In the event that non-compliance with this agreement or applicable data protection legislation is uncovered, the parties shall take immediate action to restore compliance.
8. Notification of breach
Processor shall notify the controller if non-compliance with this agreement or applicable data protection legislation has been uncovered.
In line with applicable data protection legislation, such notification of a breach shall be sent to the controller as soon as possible, and without undue delay.
The duty of notification shall also apply where there is a suspicion or confirmation of unauthorized access to personal data. In this case, the processor shall notify the controller no later than 24 hours after a suspicion of the breach has arisen.
Processor shall assist the controller in handling the incident to mitigate impact for data subjects as much as possible, including providing information about:
Potential scope of personal data involved in the breach, including an estimate of number of affected data subjects and possible consequences for these;
Mitigating actions taken or proposed by the processor to handle the incident, including steps to limit damage and a plan for restoring the service;
Contact information for the data protection adviser in the processor's organization.
9. Responsibility
Processor may be held liable for damages and fines incurred by the controller, and costs related to these, for breaches caused by the processor's non-compliance with this agreement. The maximum compensation amount that the controller may demand from the processor in relation to this is limited to the maximum compensation amount which otherwise follows from the service terms.
Controller is independently responsible for risk assessment, internal audit and information security in relation to the outsourcing to an external processor, as required by applicable data protection legislation.
For the scope of this agreement comprised by joint controllership, the responsibilities of the processor also extend to the legislative requirements that follow from taking on the role as joint controller. This includes, but is not limited to, an independent responsibility to secure personal data, perform data protection impact assessments, inform data subjects about the scope and means of processing, and respond to requests from data subjects who wish to exercise their rights for the data in this scope. Regardless of the processor's responsibilities, however, the controller remains independently responsible for its own role in related processing.
10. Duration and termination
This agreement is valid for as long as the service agreement is maintained, and will automatically cease upon termination or expiry of the service agreement.
In the event of a breach of this agreement or applicable data protection legislation, the controller may require the processor to cease further processing of personal data with immediate effect.
Upon effective termination of this agreement, the processor is obliged to erase all personal data received on behalf of the controller under this agreement. Processor shall, without undue delay after the agreement's termination, document in writing to the controller that such erasure has been performed in compliance with the agreement.
Processor can no longer process personal data on behalf of the controller after the termination of this agreement.