This Data Protection Addendum (including its Exhibits) (“Addendum”) forms part of and is subject to the terms and conditions of the Hosted Services Agreement (the “Agreement”) by and between UpGuard, Inc. (“Company”) and the counterparty to the Agreement (“Customer”), unless an agreement mutually acceptable to both parties has been executed by the authorized representatives of each party.
1.
Subject Matter and Duration.
1.1
Subject Matter. This Addendum reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing of Covered Personal Data under the terms of the Agreement. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum or any of its Exhibits conflicts with the Agreement, this Addendum shall control.
1.2
Duration. This Addendum will become legally binding upon the effective date of the Agreement or upon the date that the parties sign this Addendum if it is completed after the effective date of the Agreement. This Addendum will terminate automatically upon termination of the Agreement.
2.
Definitions. For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.
2.1
“Covered Personal Data” means Usage Data that is Personal Data Processed by Company under the Agreement.
2.2
“Data Protection Laws” means all applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Covered Personal Data are subject. “Data Protection Laws” may include, but are not limited to, the California Consumer Privacy Act of 2018 (“CCPA”); the EU General Data Protection Regulation 2016/679 (“GDPR”) and its respective national implementing legislations; the Swiss Federal Act on Data Protection; the United Kingdom General Data Protection Regulation; and the United Kingdom Data Protection Act 2018 (in each case, as amended, adopted, or superseded from time to time).
2.3
“Personal Data” has the meaning assigned to the terms “personal data” or “personal information” under applicable Data Protection Laws, and will, at a minimum, mean any information relating to an identified or identifiable natural person.
2.4
“Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
2.5
“Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Personal Data attributable to Company.
3.
Processing Terms for Covered Personal Data.
3.1
Company’s Role under Data Protection Laws. Company is a “Business” and/or independent “Controller” (as such terms are defined by Data Protection Laws) of Covered Personal Data. Under no circumstances shall the parties be considered joint “Controllers” under Data Protection Laws.
3.2
Company’s Processing of Covered Personal Data. Company may Process Covered Personal Data in accordance with the Company Privacy Policy available at: https://www.upguard.com/company/privacy.
3.3
Information Security. Company shall implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Covered Personal Data.
3.4
Security Incidents. Upon becoming aware of a Security Incident, Company agrees to provide written notice without undue delay to Customer. Company shall be solely responsible for remediating the Security Incident, including the provision of any legally required notice to affected data subjects required under Data Protection Laws.
3.5
EEA, Swiss, and UK Standard Contractual Clauses. If Covered Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by Customer to Company in a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, the parties agree that the transfer shall be governed by Module One’s obligations in the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“Standard Contractual Clauses”) as supplemented by Exhibit A attached hereto, the terms of which are incorporated herein by reference. Each party’s signature to the Agreement shall be considered a signature to the Addendum and the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder.
EXHIBIT A TO THE DATA PROTECTION ADDENDUM
This Exhibit A forms part of the Addendum and supplements the Standard Contractual Clauses. Capitalized terms not defined in this Exhibit A have the meaning set forth in the Addendum.
The parties agree that the following terms shall supplement the Standard Contractual Clauses:
1.
Supplemental Terms. The parties agree that: (i) a new Clause 1(e) is added the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection.”; (ii) a new Clause 1(f) is added to the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses, as supplemented by Annex III, also apply mutatis mutandis to the Parties’ processing of personal data that is subject to UK Data Protection Laws (as defined in Annex III).”; (iii) the optional text in Clause 7 is deleted; (iv) the optional text in Clause 11 is deleted; and (v) in Clauses 17 and 18, the governing law and the competent courts are those of Ireland (for EEA transfers), Switzerland (for Swiss transfers), or England and Wales (for UK transfers).
2.
Annex I. Annex I to the Standard Contractual Clauses shall read as follows:
A. List of Parties
Data Exporter: Customer.
Address: As set forth in the Notices section of the Agreement.
Contact person’s name, position, and contact details: As set forth in the Notices section of the Agreement.
Activities relevant to the data transferred under these Clauses: As set forth in the Addendum.
Role: Controller.
Data Importer: Company.
Address: As set forth in the Notices section of the Agreement.
Contact person’s name, position, and contact details: As set forth in the Notices section of the Agreement.
Activities relevant to the data transferred under these Clauses: As set forth in the Addendum.
Role: Controller.
B. Description of the Transfer:
Categories of data subjects whose personal data is transferred: Data subjects whose Personal Data will be Processed pursuant to the Agreement.
Categories of personal data transferred: Customer Personal Data that is Processed pursuant to the Agreement, including user log-in information, contact information of Customer personnel, Customer users, and users of Customer vendors (e.g., name, title, email address, etc).
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: To the parties’ knowledge, no sensitive data is transferred.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Personal data is transferred in accordance with the standard functionality of the technology used by the parties, or as otherwise agreed upon by the parties.Nature of the processing: The nature of the Processing of Customer Personal Data by Service Provider is the performance of the Services.
Purpose(s) of the data transfer and further processing: The nature of the Processing of Customer Personal Data by Service Provider is the performance of the Services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data importer will retain personal data in accordance with its privacy policy.
E. Competent Supervisory Authority: The supervisory authority mandated by Clause 13. If no supervisory authority is mandated by Clause 13, then the Irish Data Protection Commission (DPC), and if this is not possible, then as otherwise agreed by the parties consistent with the conditions set forth in Clause 13.
F. Additional Data Transfer Impact Assessment Questions for Data Importer:
Will data importer process any personal data that is transferred to the United States under the Clauses about a non-United States person that could reasonably be considered “foreign intelligence information” as defined by 50 U.S.C. § 1801(e)?
Not to data importer’s knowledge.
Is data importer subject to any laws in a country outside of the European Economic Area, Switzerland, and/or the United Kingdom where personal data is stored or accessed from that would interfere with data importer fulfilling its obligations under the Clauses? For example, FISA Section 702. If yes, please list these laws:
As of the effective date of the Addendum, no court has found data importer to be eligible to receive process issued under the laws contemplated by this question, including FISA Section 702, and no such court action is pending.
Has data importer ever received a request from public authorities for information pursuant to the laws contemplated by the question above? If yes, please explain:
No.
Has data importer ever received a request from public authorities for personal data of individuals located in European Economic Area, Switzerland, and/or the United Kingdom? If yes, please explain:
G. Data Transfer Impact Assessment Outcome: Taking into account the information and obligations set forth in the Addendum and, as may be the case for a party, such party’s independent research, to the parties’ knowledge, the personal data originating in the European Economic Area, Switzerland, and/or the United Kingdom that is transferred pursuant to the Clauses to a country that has not been found to provide an adequate level of protection under applicable data protection laws is afforded a level of protection that is essentially equivalent to that guaranteed by applicable data protection laws.
3.
Annex II. Annex II of the Standard Contractual Clauses shall read as follows:
Data importer shall implement and maintain technical and organizational measures designed to protect personal data in accordance with Exhibit B to the Addendum.
Data importer shall implement and maintain technical and organizational measures designed to protect personal data in accordance with Exhibit B to the Addendum.
4.
Annex III. A new Annex III shall be added to the Standard Contractual Clauses and shall read as follows:
The UK Information Commissioner’s Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) is incorporated herein by reference.
Table 1: The start date in Table 1 is the effective date of the Addendum. All other information required by Table 1 is set forth in Annex I, Section A of the Clauses.
Table 2: The UK Addendum forms part of the version of the Approved EU SCCs which this UK Addendum is appended to including the Appendix Information, effective as of the effective date of the Addendum.
Table 3: The information required by Table 3 is set forth in Annex I and II to the Clauses.
Table 4: The parties agree that Importer may end the UK Addendum as set out in Section 19.
The UK Information Commissioner’s Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) is incorporated herein by reference.
Table 1: The start date in Table 1 is the effective date of the Addendum. All other information required by Table 1 is set forth in Annex I, Section A of the Clauses.
Table 2: The UK Addendum forms part of the version of the Approved EU SCCs which this UK Addendum is appended to including the Appendix Information, effective as of the effective date of the Addendum.
Table 3: The information required by Table 3 is set forth in Annex I and II to the Clauses.
Table 4: The parties agree that Importer may end the UK Addendum as set out in Section 19.
5.
Clarifying Terms. The parties agree that the termination right contemplated by Clause 14(f) and Clause 16(c) of the Standard Contractual Clauses will be limited to the termination of the Standard Contractual Clauses.
EXHIBIT B TO THE DATA PROTECTION ADDENDUM
Security Requirements
This Exhibit B forms part of the Addendum. Capitalized terms not defined in this Exhibit B have the meaning set forth in the Addendum.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company shall endeavor to implement technical and organizational measures (including as described in Art. 32. of GDPR) designed to maintain a level of security appropriate to the risk to Customer Data, including inter alia, as appropriate:
- the ability to protect the ongoing confidentiality, integrity, availability and resilience of processing systems and Services that process Customer Data;
- the ability to restore the availability and access to Customer Data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of Customer Data.
UpGuard Information Technology Architectures
UpGuard’s technology can be considered as two distinct arenas:
- Enterprise technology systems - such as ERP, collaboration and communication, document management, etc.
- Product systems - the technology components that directly support the UpGuard SaaS product and services.
The Enterprise systems technology stack is comprised of:
- SaaS applications and API-enabled integrations
- UpGuard-issued end-user devices
- Network physical appliances for support of office networks and the enterprise VPN service
The Product systems technology stack is comprised of:
- Infrastructure as a Service(“IaaS”) workloads deployed within cloud-native network and security infrastructures
- SaaS applications
The security measures explained in this document will be explicit for each of these arenas where differences exist, otherwise answers will apply generally to both arenas.
Customer Data is processed and stored in Google Cloud Platform (“GCP”) data centers in the US. File storage may be stored in other GCP regions in place of US cloud data center locations on customer request. A summary description of the product system architecture and the workloads that support the product can be provided on request.
1. Physical Access Control
UpGuard will implement controls designed so unauthorized persons are prevented from gaining physical access to premises, buildings or rooms where Customer Data processing systems are located. of a div block.
Contextual information: Cloud Services
The cloud data centers where the IaaS and SaaS services reside are outside of UpGuard’s physical security control. Information regarding GCP’s security can be found at: https://cloud.google.com/security.
Contextual information: UpGuard premises
There are no servers located at UpGuard premises - the data processing and storage for product and enterprise systems is exclusively provided by cloud services.A private network is maintained at UpGuard offices; access is restricted to UpGuard end-user devices.
A segregated guest wireless internet service is available to visitors.
A segregated guest wireless internet service is available to visitors.
a.
Unauthorized individuals are prevented from gaining access by card entry systems.
b.
Access to communications rooms containing network equipment is restricted by card access systems to IT staff.
c.
Video surveillance is installed at the premises.
2. System Access Control
UpGuard will implement controls designed so data processing systems that process Customer Data are prevented from being used without authorization.
Contextual information: UpGuard product systems and enterprise technology systems
Admin and other privileged access is assigned according to least privileged access, with strong authentication control applied through password standards enforcement and mandatory multi-factor authentication. Access to higher-value information assets (as well as many lower-value assets) is assigned according to enterprise roles-based access control.
Access logs for the product systems are retained for one year.
Access logs for the product systems are retained for one year.
Contextual information: UpGuard product systems
The product workloads reside on GCP virtual private networks. Access to these resources is available only after connection to a private UpGuard network (VPN). Connectivity into the VPN is allowed remotely and from office locations, and is protected by network access controls and 2FA enforcement.
a.
UpGuard implements controls designed to prevent unauthorized personnel from accessing Customer Data processing systems.
b.
UpGuard provides dedicated user IDs for every authorized worker accessing Customer Data processing systems for authentication purposes.
c.
UpGuard assigns dual authentication factors (password and one additional factor) to all authorized workers for authentication purposes.
d.
UpGuard’s systems storing, transporting or presenting any Customer Data are password protected in a manner designed to prevent access by unauthorized persons: (i) after boot sequences; and (ii) when left unused for a short period.
e.
UpGuard has access control supported by an authentication system.
f.
UpGuard has implemented a password policy that prohibits the sharing of passwords, outlines processes after a disclosure of a password, and requires the regular change of passwords.
k.
UpGuard has implemented controls so passwords are always stored in encrypted form.
l.
UpGuard has implemented an offboarding procedure to deactivate user accounts and access when a worker leaves UpGuard employment.
m.
UpGuard has implemented procedures to remove or modify administrator permissions when an administrator leaves UpGuard employment or rescinds an administrator role.
n.
UpGuard has controls in place that are designed to prevent use of unauthorized hardware for access to Privileged class enterprise systems and applications.
o.
UpGuard has controls in place designed to monitor and remediate installation of unauthorized software on devices that are able to access Privileged class enterprise systems and applications.
Data Access Control
UpGuard will implement controls designed so (i) persons can gain access only to the Customer Data to which they have a right of access, and (ii) Customer Data is not read, copied, modified or removed without authorization in the course of performance of Services.
Contextual information: UpGuard System/Data Classification
UpGuard assigns classification (Public|Confidential|Privileged) to all of its information systems. Any that handle (store, transport or present) customer data are assigned Privileged classification.
Contextual information: Physical storage media
Beyond the necessary presence of internal ‘hard disks’ on physical end-user devices, UpGuard’s routine business processes avoid in total the use of any physical storage media.For any exception that would require the transfer of Privileged class data from cloud storage to portable mass storage media, controls (e.g. physical security, data/disk encryption) would be enforced in an effort to protect the confidentiality and integrity of Customer Data until hand-off to another party.
UpGuard has implemented the following controls for all Privileged class information systems:
1.
UpGuard has implemented controls so designed so Customer Data cannot be read, copied, modified or removed without authorization during or after performance of Services.
2.
UpGuard grants access only to authorized personnel and assigns minimum entitlements necessary for those personnel to perform their business roles.
3.
UpGuard allows the personnel who use the Customer Data processing systems only access to the Customer Data to which they need to carry out their responsibilities.
4.
UpGuard restricts access to Customer Data files and programs with access to Customer Data based on a “need-to-know basis”, i.e. according to the security principle of least privileged access.
5.
UpGuard stores physical media containing Customer Data in secured areas. (Also see contextual information note above.)
6.
UpGuard has procedures designed so the safe and permanent destruction of Customer Data that is no longer required.
7.
UpGuard maintains a vendor risk management program to monitor the security states and scores of relevant vendors (those providing services that store, process or transport Customer Data), and to manage remediation requests to vendors when required.
Data Transmission Control
UpGuard will implement controls designed so (i) Customer Data must not be read, copied, modified or removed without authorization during or after processing and (ii) it is possible to establish to whom Customer Data was or is transferred.
Contextual information: data access sessions and integration flows
All Customer Data access sessions and integration flows utilize industry standard transport methods (TLS - Transport Layer Security - at v1.2 or better).
Contextual information: printing
UpGuard’s routine business processes avoid wherever possible the printing of any Customer Data.
UpGuard has implemented the following controls for all Privileged class information systems:
1.
UpGuard encrypts Customer Data during any transmission.
2.
UpGuard maintains technical controls designed to detect unauthorized or accidental movement of Customer Data out of UpGuard’s information systems. Any Customer Data removal for business purposes must be specifically authorized.
Input Control
UpGuard will implement controls designed so it is able to examine and establish whether and by whom Customer Data have been entered into Customer Data processing systems, modified or removed.
UpGuard has implemented the following controls for all Privileged class information systems:
1.
UpGuard has implemented controls designed to log administrators' and users' Customer Data Processing activities.
2.
UpGuard has implemented controls designed to permit only authorized personnel to enter, modify and remove Customer Data, and to limit access to the scope of their duties.
Job Control
UpGuard will implement controls designed soCustomer Data being processed in the performance of UpGuard’s Services is processed solely in accordance with the Agreement.
UpGuard has implemented the following controls for all Privileged class information systems:
1.
UpGuard implements controls designed so Customer Data is not used for any reasons other than for the purposes it has been contracted to perform or as otherwise instructed by the Customer.
2.
UpGuard implements controls designed so staff members and contractors process Customer Data strictly in accordance with regulatory and contractual requirements.
3.
UpGuard has implemented controls designed so Customer Data is always physically or logically separated so that, in each step of the processing, the relevant customer for which the data is processed can be identified.
Availability Control
UpGuard will implement controls designed so Customer Data is protected against accidental destruction or loss.
UpGuard has implemented the following controls for all Privileged class information systems:
1.
UpGuard creates back-up copies of Customer Data stored in information systems.
2.
UpGuard has the ability to restore Customer Data from back-ups.
3.
UpGuard has in place disaster recovery and business continuity / contingency plans.
4.
UpGuard implements controls to use only authorized business equipment to perform the Services.
5.
UpGuard has implemented controls so designed so whenever a staff member leaves a workspace unattended, materials containing Customer Data are rendered inaccessible through physical or technology controls, or a combination of these.
6.
UpGuard has implemented controls designed so the secure disposal of documents and data carriers containing Customer Data.
7.
UpGuard maintains network firewalls designed to prevent unauthorized access to the network enclaves where information systems reside.
8.
UpGuard has implemented controls designed so that each system used to process Customer Data is protected by anti-malware controls.
Purpose Separation Control
UpGuard will implement controls designed so Customer Data collected for different purposes must be processed separately.
UpGuard has implemented the following controls for all Privileged class information systems:
1.
UpGuard has implemented controls designed so each category of Customer Data it collects is processed only for the purposes for which it was collected.
2.
UpGuard has implemented controls designed so different categories of Customer Data are always physically or logically separated so that, in each step of the processing, each category of Customer Data is processed only for the purposes for which it was collected.
Organizational Requirements
UpGuard will implement controls designed sothe internal organization of UpGuard meets the specific requirements of data protection.
UpGuard has implemented the following controls (without limitation):
1.
UpGuard has designated a data protection officer in an effort to confirm compliance with data protection requirements.
2.
UpGuard has obtained the written commitment of its employees, agents, and subcontractors to maintain the confidentiality of Customer Data.
3.
UpGuard has trained staff on data privacy and data security.
4.
UpGuard maintains controls and undertakes regular audits in an effort to confirm its compliance with data protection requirements.
5.
UpGuard has obtained a SOC-2 Type II audit report and will undergo a SOC-2 Type II audit carried out by an independent third party on an annual basis.
