DATA PROCESSING AGREEMENT

This data processing agreement (the “DPA”) constitutes a binding agreement between the Guardsquare group contracting entity specified in the relevant Agreement (“Guardsquare”), and the customer or reseller contracting entity to the Agreement (the “Company”).

The Company and Guardsquare may individually be referred to as a “Party” and jointly as “the Parties”.

PREAMBLE

Whereas the Parties entered into (whether through physical or electronic signature or click-through acceptance) General Terms and Conditions or Reseller General Terms and Conditions (as applicable), including the appendices attached thereto and any Order Forms concluded pursuant to such (Reseller) General Terms and Conditions (“the Agreement”);

Whereas in the context of performing the Agreement, Guardsquare may process personal data as a processor on behalf of the Company (acting as controller), or as a sub-processor to Company (acting as processor);

Whereas this DPA sets out the rights and obligations of the Parties in respect of such personal data processing by Guardsquare under the Agreement.

This DPA is incorporated into the Agreement by reference.

NOW THEREFORE, the Parties hereby agree as follows:

1. Context. This DPA is supplemental to the Agreement and applies to Guardsquare’s processing of Personal Data made available to Guardsquare by Company pursuant to the Agreement or otherwise obtained by Guardsquare in performing the Agreement. If there is a conflict or inconsistency between the terms of this DPA and the provisions of the Agreement, the DPA will prevail.

2. Definitions and interpretation.

2.1 In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

The body of the DPA may contain additional definitions. Any capitalized terms used in the DPA which are not otherwise defined herein are as defined in the Agreement.

2.2 Headings in this DPA are for convenience only and shall not affect the meaning of the terms of this DPA. The words “including”, “in particular”, “e.g.” and similar terms shall mean ‘including without limitation’ unless indicated otherwise. A reference to a legal act or legal provision (i) is a reference to that act or provision as it may be amended or re-enacted from time to time, and (ii) includes a reference to any subordinate or executive act or provision. 

3. Company obligations. 

As between the Parties, Company controls which data (including Personal Data) is made available to Guardsquare for Processing in relation to the Services. Company undertakes not to provide Guardsquare with any Special Categories of Personal Data (as defined in Art. 9 of the GDPR) and/or Personal Data allowing the direct identification of the Data Subject (including any of the following: first name, last name, identification number, credit card number, social security number, personal financial information) unless otherwise agreed in writing between the Parties.

In compliance with the GDPR, as between the Parties, the Company shall, under its sole responsibility:

      a) provide Data Subjects with all required information with respect to the Processing activities, and in particular, inform the Data Subjects about: (i) the existence of their rights of access, rights to rectification and erasure, right to restriction of processing, right to data portability and right to object; (ii) the nature, the legal basis, and purpose of the Processing;
      b) where Processing is based on the Data Subjects’ consent, obtain and maintain such Data Subjects’ consent for the Processing;
      c) maintain a record of Processing activities;
      e) taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and be able to demonstrate compliance with the GDPR.

Company warrants that it has all the rights and authorizations necessary to make the Personal Data available to Guardsquare for Processing for the purposes of the Agreement.

4. Guardsquare obligations. 

Guardsquare will only Process Personal Data that Company makes available to it pursuant to the Agreement, giving the Company full control of what Personal Data is Processed by Guardsquare.

Guardsquare will not sell, trade, or rent Personal Data obtained pursuant to the Agreement without the Company’s prior consent.

As Processor, Guardsquare further commits to:

      1. Process the Personal Data exclusively on Company’s behalf and only on the Company’s documented instructions, as set forth in the Agreement and this DPA, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by the Data Protection Laws to which Guardsquare is subject; in such event, Guardsquare shall inform Company of that legal requirement before processing, unless applicable law prohibits such notification on important grounds of public interest;
      2. not Process Personal Data obtained pursuant to the Agreement or permit it to be Processed or accessed, in whole or in part, outside the scope and purpose of the Agreement (without limiting Guardsquare’s rights in relation to telemetry data and anonymized aggregated data as per the terms of the Agreement);
      3. ensure the confidentiality of such Personal Data which is Processed under the Agreement;
      4. procure that persons authorized to Process such Personal Data under the Agreement have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
      5. immediately inform the Company if, in Guardsquare’s opinion, an instruction infringes the Data Protection Laws; if the Company nevertheless insists on Guardsquare performing the requested Processing task as originally requested, Guardsquare shall not be responsible for (any adverse consequences resulting from) Processing activities at Company’s request if such Processing subsequently proves to be in breach of Data Protection Laws;
      6. if Company is located in the EEA, and in any other event where the GDPR is applicable, should Guardsquare transfer Personal Data outside the EEA, it may do so provided the transfer is carried out under applicable Standard Contractual Clauses and/or subject to such other safeguards as legally permitted or required at any time;
      7. only engage a sub-Processor with a written contract that imposes substantially similar Personal Data protection obligations on the sub-Processor as those imposed on Guardsquare under this DPA; Guardsquare shall remain responsible to Company for the performance of such sub-Processor’s obligations in relation to the Processing of Personal Data;
      8. assist Company by appropriate measures, for the fulfilment of Company’s obligations to respond to requests for exercising the Data Subjects’ rights under applicable Data Protection Laws; however, given the nature and limited scope of Personal Data Processed under the Agreement and this DPA, which does not allow Guardsquare to directly identify data subjects from its records, any Data Subject’s request will need to be facilitated by Company, in order for Guardsquare to be able to provide necessary assistance;
      9. without prejudice to Guardsquare’s rights under the Agreement in relation to use of telemetry and anonymized data after the end of the Agreement, delete or return all Company Personal Data to Company after the end of the provision of Services relating to processing, and delete existing copies except to the extent applicable law requires storage of the Personal Data;
      10. assist Company, upon its reasonable written request, to allow Company to remain compliant with the obligations deriving from the carrying out of data protection impact assessments and from prior consultation of the supervisory authority, it being understood that such services provided by Guardsquare may be subject to additional costs;
      11. make available to the Company all information reasonably required to demonstrate compliance with this DPA and allow for and contribute to audits, conducted at the Company’s cost by the Company or an independent reputable auditor, it being understood that such services provided by Guardsquare and audits may be subject to additional costs; any such audit shall additionally be contingent on the following (unless otherwise required under applicable law, as documented by the Company and notified to Guardsquare):
        (i) such audit shall be limited to one per Agreement contract year, must be notified reasonably in advance (a minimum of thirty days), and may only occur during Guardsquare’s normal business hours at the locations that are directly related to the performance of Guardsquare’s obligations under the DPA; (ii) access shall be limited to a reasonable number of participants from the Company or third-party auditor considering the scope of the audit; (iii) the audit shall be conducted at mutually agreeable times; (iv) Guardsquare personnel may, at Guardsquare’s option, attend such audit; (v) such audit shall be conducted in a manner that is designed to minimize any adverse impact on Guardsquare’s normal business operations and its performance of the Agreement; (vi) Company and the third-party auditor shall comply with Guardsquare’s reasonable safety and security requirements in conducting any such audit; (vii) Company shall inform any third-party auditor of the obligations of confidentiality set forth in the Agreement and secure such person’s agreement to be bound by such provisions; (viii) any information accessed by the Company or its third-party auditors in the performance of any such audit, including any resulting audit report, shall constitute Guardsquare’s Confidential Information; in no event shall Guardsquare be required to provide any access that could reasonably be expected to result in an impact to any other Guardsquare client or in a disclosure of another Guardsquare client’s information; in the event that Guardsquare agrees to provide, or is otherwise required (under applicable law or pursuant to a regulatory request), to provide access to multi-client environments, then the Company shall ensure that any risks to or impact on another Guardsquare client’s environment are avoided; and (ix) any audit may only occur pursuant to a mutually agreed scope defined in writing by the Parties prior to the audit;
      12. notify the Company upon receipt of any request from a Supervisory Authority, or a court order, to disclose any of Company’s Personal Data, and, to the extent practicable, will at Company’s cost provide reasonable assistance in opposing such disclosure; and
      13. notify the Company in writing (which includes e-mail), without undue delay after becoming aware of a Personal Data Breach, such notice to include reasonable details of the Personal Data breach.

5. Sub-Processors.

The Company consents to Guardsquare engaging its affiliates, its and its affiliates’ contractors, and third-party providers identified in Annex 1 (XTD Platform Processing Details) (the “Sub-Processors”) as sub-processors under the Agreement without having to obtain the Company’s additional prior written consent. Guardsquare shall (i) impose upon such Sub-Processors data protection obligations equivalent to those set out herein, and (ii) be responsible for a breach by its Sub-Processors of Guardsquare’s obligations under the DPA. Guardsquare shall inform the Company of any intended changes concerning the addition or replacement of its Sub-Processors (a communication on Guardsquare’s website shall be adequate for this purpose). Unless the Company objects to such changes in writing setting out its reasonable concerns in detail within thirty (30) days from such notice, the change shall be deemed accepted by the Company. If the Company objects, Guardsquare shall consult with the Company, consider the Company’s concerns in good faith and inform the Company of any measures taken to address the Company’s concerns. If the Company upholds its objection and/or demands significant accommodation measures, and if Guardsquare does not consider these possible or if these would result in a material increase in cost for Guardsquare to perform the Agreement or DPA, Guardsquare may increase the fees payable by the Company under the Agreement or the Company may terminate the Agreement or impacted Order Form as the Company’s sole remedy.

6. Technical and organizational measures. 

Taking into account the state of the art, the cost of implementation, and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Guardsquare shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

7. Data protection impact assessment. 

The Company represents and warrants that, to the extent required under Data Protection Laws (i) the Company has performed, prior to entering into the DPA, a data protection impact assessment required by Data Protection Laws and completed appropriate due diligence on Guardsquare and, (ii) based on all information obtained, there are no additional technical and organizational measures required in respect of the Processing of Company Personal Data by Guardsquare in performing the Agreement. Guardsquare shall cooperate with and provide reasonable assistance to the Company in performing such data protection assessment and due diligence, taking into account the nature of Processing and the information available to Guardsquare.

ANNEX 1 – XTD Platform Processing Details

Sub-Processor    | Which Personal Data              | Purpose                                   | Processing Location
-----------------|----------------------------------|-------------------------------------------|--------------------
AWS              | Personal Data as per 1. above    | Platform cloud provider                   | EEA
Elastic Search   | Personal Data as per 1. above    | Platform cloud provider                   | EEA
Salesforce       | Authorized Users Personal Data   | Automated ticket reporting for support    | EEA

All data available here: https://protectmyapp.atlassian.net/wiki/spaces/RAV/pages/46235914/Raven+TLV+Dictionary

Counterspy

Counterspy relies on the same backends as XTD for its operations (protection, analytics, etc.) but uses VMX backends for controlling and managing users (user management, keys).

As part of XTD operations in Counterspy, Guardsquare will receive user identifiers (e-mail addresses) of the users who perform the operations. These are stored as part of build records and application data.

Analytics data is gathered by the same component as for XTD and reported back to the same infrastructure.

In the case of a protected web application, XTD only receives the data from a third-party processor, but once it is in XTD it is handled in the same way as all other data.