- 1.1. “Additional Service” means a Service or an upgrade to the Platform developed by Precoro according to a separate written individual request of a User sent to Precoro that is ordered by the Customer and provided by Precoro in accordance with these Terms and such individual request, and which invokes additional fees payable by the Customer in addition to its fees under the Payment Plan. Fees for Additional Services are agreed upon individually. In any case, Precoro reserves the right to unilaterally terminate the provision of AdditionalServices at any given time without providing reasons to do so.
- 1.2. When we refer to “Precoro”,or we use pronouns like “we,” “us,” or “our,” we are referring to Precoro, Inc as well as its parents, affiliates, and subsidiaries, our Website, or our Service.
- 1.3. “Concierge Setup“ is an additional service which means all implementation and training services for which fees begin to be charged after your Precoro Account is fully set up, but in any case, no later than thirty (30) days after Precoro has started setting up your Precoro Account.
- 1.4. “Customer” means a legal entity that has Users visiting, browsing, accessing, downloading, installing, or otherwise using the Platform.
- 1.5. “Customer Data” refers to any data, information, content, records, and files that a Customer (or any of its Users) loads, receives through, transmits to, or enters into the Platform or otherwise provides to Precoro, including any and all intellectual property rights in any of the foregoing.
- 1.6. “Order Form” refers to the document setting up a special arrangement signed or executed by electronic means (including e-mail) by the Customer and Precoro at any given time.
- 1.7. “Party” or “Parties” means the Company and/or the Customer.
- 1.8. “Payment Plan” is a regular tariff that indicates a fee for each User and the minimum quantity of Users and shall be chosen and paid by the Customer on a regular basis according to the Terms.
- 1.9. “Platform” refers to (i) the software, hardware, and systems used by Precoro to host and make the Services available; and (ii) the Website.
- 1.10. “Precoro Account” refers to a tool that is linked to a certain User and Customer via the registration process and specific information provided during the process of creating a Precoro Account, and that allows users to sign in to the Website and use the Services available therein.
- 1.11. “Services” refers to the services provided by Precoro via the Website and which provide streamlined procurement processes for businesses. This includes the possibility of carrying out and recording requests, approvals, purchases, receipts, and to record payments for the Customer's procurements.
- 1.12. “Terms” refers to the Terms and Conditions that manage and govern relationships between Customer and Precoro and provision of Services.
- 1.13. “User” is an individual who is an employee or contractor of a Customer that is authorized by the latter to have access to and use the Platform via a Precoro Account.
- 1.14. “Website” refers to the website https://precoro.com/, which we use for the provision of Services.
2. Subject Matter and General Information
- 2.1. These Terms apply to and administer your access to and use of the Website and the Services available on it.
- 2.2. It is crucial that you read and understand these Terms. They contain limitations of our obligations to you, as well as restrictions and exemptions from our liability to you for damage that you may suffer as a result of creating a Precoro Account with us.
- 2.3. We reserve the right to amend these Terms at any time. Any amendments will become effective upon posting of the revised version on our Website. We encourage you to regularly review the Agreement for any changes. In the event that we make amendments to the Terms that substantially reduce your rights or significantly increase your responsibilities, we will provide you with prior notice of at least 30 days. Such notice will be posted on our Website and may also be sent to the email address provided by you. Notice sent by email will be considered received on the next working day following the date of sending. By continuing to access or use Precoro after the effective date of any amendments, you acknowledge your acceptance of the revised Terms.
- 2.4. The Company has succeeded in developing a cloud-based spend management solution for small and midsize businesses that helps automate procurement processes. The Company keeps all information in one place, which lets Users track requisitions, approvals, budgets, and orders.
3. Our Services
- 3.1. You will need a Precoro Account to access the Services and Additional Services. Your Precoro Account lets you sign into Services.
- 3.2. By Creating a Precoro account, you, therefore, accept the terms associated with it. In case any of alterations or adjustments to the Terms, you hereby give your consent by continuing to use the Services after being notified of any respective changes. You agree not to use any false, inaccurate, or misleading information when signing up for your Precoro Account. You cannot transfer your Precoro Account credentials to another User, Customer, or any third party. To protect your Precoro Account, keep your Precoro Account details and password confidential. You are solely responsible for all the activity that occurs on your Precoro Account.
- 3.3. You must immediately notify Precoro of any actual or suspected unauthorized use of the Platform. Precoro reserves the right to suspend, deactivate, or replace any Precoro Account if it determines that it may have been used for an unauthorized purpose or in violation of these Terms. Limitations of Use
- 3.4. The Customer acknowledges and agrees that he/she is responsible for all Users' compliance with these Terms and any guidelines and policies published by Precoro from time to time and all Users' activities on the Platform. Without limiting the generality of any of the foregoing, the Customer will not allow, by any means, any other person (including any User) to:
- 3.4.1. use the Platform to send, upload, collect, transmit, store, use, disclose, process or ask Precoro to obtain from third parties or perform any of the above with respect to any Customer data:
- 126.96.36.199. that contains any computer viruses, worms, malicious code, or any software intended to damage or alter a computer system or data;
- 188.8.131.52. that the Customer or the applicable User does not have the lawful right to send, upload, collect, transmit, store, use, disclose, process, copy, transmit, distribute and display or process in any other way;
- 184.108.40.206. that violates any applicable law or infringes violates, or otherwise embezzles the intellectual property or other rights of any third party (including any moral right, privacy right or right of publicity, etc.); or
- 3.4.2. disable, overly burden, impair or otherwise interfere with servers or networks connected to the Platform (e.g., a denial of a service attack, etc.);
- 3.4.3. attempt to gain unauthorized access to the Platform;
- 3.4.4. use any data mining, robots, or similar data gathering or extraction methods or copy, modify, reverse engineer, reverse assemble, disassemble or decompile the Platform or any part thereof or otherwise attempt to discover any source code; except as expressly provided for in these Terms, etc.;
- 3.4.5. use the Platform for the purpose of building a similar or competitive product or service; or
- 3.4.6. use the Platform other than permitted by these Terms.
- 3.4.1. use the Platform to send, upload, collect, transmit, store, use, disclose, process or ask Precoro to obtain from third parties or perform any of the above with respect to any Customer data:
- 3.5. In case Precoro indicates or in any way discovers any activity or facts described in clause 3.4 above, it reserves the right to immediately suspend the use of a Precoro Account, whose Users were involved in said activity, without any notices and thus claim from the respective Customer any damages, penalties, fines or other payments suffered by Precoro (if any) as a result of said activity.
4. Payment Terms
- 4.1. In order to be able to pay for the Services and use them, you need to have a positive balance of funds in your Precoro Account at all times. Replenishment of the balance is done by wire transfer or a credit card payment, or any other methods which may be clearly advertised on the Website in accordance with a relevant invoice with a sum equal to the amount of said transfer.
- 4.2. Services are provided on a subscription basis. Service fees are payable 100% in advance, and the subscription period starts once the complete payment for the subscription and implementation services is received from the customer by the Precoro team. You can download your invoice or pay by credit card https://app.precoro.com/manage/company/balance.
- 4.3. All payment obligations pursuant to this Agreement shall remain in force at all times, and all payments are non-refundable except as otherwise provided in section 5 below.
- 4.4. If the balance in your Precoro Account is not enough to cover a one (1) day Services fee, it will be blocked.
- 4.5. The funds are credited in US dollars at the exchange rate indicated by Precoro according to Precoro’s accounting rules on the date of the invoice.
- 4.6. We charge you for using the Services (excluding Additional Services) by debiting your Precoro Account on a monthly basis according to your Payment Plan. You must choose your Payment Plan on the Website. Charging for Additional Services is carried out according to Article 1.1., 4.17. and 4.20. of the Terms.
- 4.7. The amount (rounded up to two (2) decimals) to be debited from your balance is calculated by using the formula:
Cost of services Precoro = ΣN*Qa*P It means
● N — Number of users with the same Qa
● Qa — % of activity in Precoro is calculated as the percentage of the number of days for which the user has been marked "Active" to the number of days in a month and rounded to an integer.
● P is the cost of the user.
- 4.8. Your Precoro Account is activated after we receive your first payment for Services and Additional Services (if ordered). Following the activation of your Precoro Account, it shall be regularly and automatically debited by Precoro in accordance with your Payment Plan and terms and conditions indicated in this document unless there is a separate agreement in writing agreeing otherwise or the Concierge Setup is used in which case fees will be charged no later than thirty (30) days from the activation date. You can follow and check your balance here https://app.precoro.com/manage/company/balance.
- 4.9. We start to charge you for using the Concierge Setup after your Precoro Account is fully set up, but in any case, no later than thirty (30) days after we kick off the Precoro Account setup.
- 4.10. When you add a User to your Precoro Account, and the number of added Users exceeds the minimum number of Users indicated in the Payment Plan, your balance will be debited based on the current number of Users you have.
- 4.11. When you add a User to your Precoro Account, and the number of added Users is less than the minimum quantity of Users indicated in the Payment Plan, your balance will be debited based on the minimum quantity of Users indicated in the Payment Plan.
- 4.12. Some Customers’ fees under certain Payment Plans may change from time to time when the initial number of Users increases. An automatic Payment Plan change is not available, and in order to request a change of fees in your Payment Plan, you need to contact our support team at [email protected]. Precoro will charge your Precoro Account for the actual number of Users in case you did not request a change of fees as required.
- 4.13. If there are not enough funds in your Precoro Account balance to pay for one day of using the Services, Precoro reserves the right to suspend the access of all your Users to the Precoro Account.
- 4.14. Users with administrative rights can access information about their balance of funds and corresponding payment history in their Precoro Account as indicated below:
- 4.15. We notify Users with administrative rights about the suspension of their Precoro Accounts thirty (30), ten (10) days, and one (1) day in advance before a suspension.
- 4.16. The Customer shall pay the fees as set out in the Payment Plan to Precoro in accordance with the payment terms specified herein and in the Payment Plan. The fees outlined in these Terms are subject to an annual adjustment based on the aggregate change in the Consumer Price Index (CPI), provided that the duration of these Terms, including any planned extensions, exceeds one year. The adjustment to the fees based on the CPI will occur on an annual basis, starting from the commencement date of these Terms. Precoro will calculate the adjusted fees by applying the percentage change in the CPI to the original fees. The adjusted fees will take effect on the anniversary of the commencement date of these Terms. Precoro will provide written notice to the Customer regarding the adjusted fees at least thirty (30) days before the anniversary date of these Terms. The notice will include the calculation methodology used to determine the adjusted fees. If the Customer disagrees with the adjusted fees, they must notify Precoro in writing within ten (10) business days from the receipt of the notice. In such a case, the parties will engage in good faith discussions to resolve the matter.
- 4.17. According to a Customer’s separate request, the Parties may agree upon a fee for Additional Services which are not indicated in a Payment Plan.
- 4.18. Precoro has the right to change its Payment Plan fees unilaterally. If such change is to the disadvantage of the Customer, Precoro shall notify the Customer in writing within ninety (90) days Parties in writing. The Customer has the right within thirty (30) days of such notice to terminate the affected Service in writing with effect from the date the fee increase would have entered into force. If such notice of termination is not given, the Customer is deemed to have approved new fees.
- 4.19. Precoro prepares and sends invoices of any fees that are due and payable to Customers using their contact details on file with Precoro. Unless otherwise expressly stipulated in the Payment Plan, the Customer shall pay all invoices within ten (10) calendar days of the invoice date.
- 4.20. Fees for Additional Services (if any) are indicated in a separate invoice.
- 4.21. If the Customer believes that Precoro has charged or invoiced them incorrectly, they must contact Precoro no later than thirty (30) days after having been charged, especially if the Customer has received an invoice in which an error or problem appeared, in order to receive an adjustment or credit, if applicable. In the event of a dispute, the Customer shall pay any disputed amounts in accordance with the payment terms indicated herein, and all parties included will discuss the disputed amounts in good faith in order to resolve the dispute.
- 4.22. Precoro reserves the right to suspend the Customer’s access to the Services until all due amounts are paid in full.
- 4.23. The Fees set out in these Terms do not include applicable sales, use, gross receipts, value-added, GST or HST, personal property, or any other taxes in any and all jurisdictions, and all applicable duties, tariffs, assessments, export, and import fees or similar charges (including interest and penalties imposed thereon) on the transactions contemplated in connection with these Terms, and the Customer pays, indemnifies and holds Precoro harmless from same, other than taxes based on the net income or profits of Precoro.
5. Refund Policy
- 5.1. Precoro represents and warrants to the Customer that during the Term's validity period, the functionality of the Platform and Services at the time of the Payment Plan shall not materially decrease.
- 5.2. To submit a warranty claim under this Section, the Customer shall:
- 5.2.1. reference this Section, and
- 5.2.2. submit a support request in writing asking to resolve a material decrease in functionality. If the material decrease in functionality persists without relief for more than thirty (30) days after a warranty claim has been provided to Precoro under this Section, then the Customer may receive a refund of any prepaid, unused Services' fees paid by the Customer for the unused period of any Services where the material decrease has taken place. Notwithstanding the foregoing, this warranty shall not apply to any deficiency due to any modification or defect made or caused by someone other than Precoro.
6. Our Responsibility to You
- 6.1. Subject to the Customer's compliance according to these Terms, Precoro will make the Platform available to the Customer on the terms and conditions set out in these Terms.
- 6.2. Precoro may, at its discretion and without any notice:
- 6.2.1. suspend, terminate, or limit the Customer's access to or use of the Precoro Account or the Platform or any component thereof; or
- 6.2.2. modify the Platform without notice or approval of Customers and/or Users.
- 6.3. Precoro will use commercially reasonable efforts to provide reasonable advance notice of such a suspension, termination, or limitation.
- 6.4. The data center provider of Precoro works with commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
- 6.5. Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores twice a day and replicated across several data centers and availability zones.
- 6.6. Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using industry-standard methods.
- 6.7. The Precoro product is designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with the goal of preventing single points of failure. This design assists Precoro operations in maintaining and updating the product applications and backend while limiting downtime.
7. Exclusion of liability
- 7.1. We will not be liable to you if you do not let us know about an incorrectly executed Service within thirty (30) days after the date of the Service.
- 7.2. We also hold no liability under these Terms if we fail to perform or incorrectly implement the Service where the reason for this was due to events outside of our control or our statutory obligations.
- 7.3. We do not assume liability for damage that is due to any unusual and unforeseeable events over which the Company has no control and whose consequences, despite exercising due care, the Company could not have avoided. This equally applies to cases in which the Company is bound by any orders under State of Delaware legislation, national, court, or administrative orders stating otherwise.
- 7.4. We do not exclude or limit in any way our liability to you where it would be unlawful to do so.
8. Intellectual Property
- 8.1. The content of the Websites as well as the Precoro software, unless noted otherwise, are intellectual property and copyrighted works of the Company. All rights, titles, and interests not expressly granted with respect to the content and the software used in the Website as well as for the provision of the Services are reserved. The “Precoro” logotype is the registered trademark, and all rights are reserved. It cannot be used by any third party unless expressly authorized in writing by the Company.
- 8.2. All rights, title, and interest in the Property will remain with Precoro and are not “sold” to the Customer. Precoro expressly reserves all rights, title, and interest in, and the Customer will not acquire any right, title, or interest to the Platform (including software or any part thereof) and any other materials or content provided by Precoro under these Terms, including any and all modifications, improvements, customizations, updates, enhancements, aggregations, compilations, derivative works, translations, adaptations and results from processing in any form or medium to any of the foregoing.
- 8.3. Precoro shall be entitled to use Customer's trademarks and brands for the purpose of promotion, advertisement, and marketing.
9. Privacy and Confidentiality
10. Data Deletion
11. Term, Termination
- 11.1. These Terms shall be enforced upon creating a Precoro Account and are valid for the whole period of existence of such an account unless otherwise not explicitly stated in the Payment Plan or any other instrument in writing signed by both Precoro and the Customer.
- 11.2. Precoro may terminate these Terms or exclude a Customer from it at any time by providing advance written notice of not less than thirty (30) days to the Customer.
- 11.3. After the initial subscription - the period of existence of Precoro Account, these Terms shall be deemed renewed automatically each year for successive one-year terms unless Precoro or the Customer terminates the Terms in accordance with Section 11.2., 11.3., 11.4. of theseTerms. The Customer may withdraw from these Terms for their own convenience by providing written notice at least thirty (30) days in advance via email at [email protected]. These Terms will be terminated at the end of the applicable renewal period following such notice. The Customer has no right to withdraw from these Terms if there are any debts or financial obligations pertaining to Precoro until any such obligations or debts are settled.
- 11.4. Either Party has the right to, in addition to other remedies, suspend or terminate these Terms if one Party commits a material breach of any provision of these Terms and fails to resolve said breach or to commence corrective action reasonably acceptable to the aggrieved Party and proceed with due diligence to completion within fourteen (14) days after a receipt of a notice of such a breach.
12. Force Majeure
- 13.1. You may not transfer or assign any rights or obligations you have under these Terms without the Company's prior written consent. The Company may transfer or assign these Terms or any right or obligation hereunder at any time.
- 13.2. The Company Services are provided “as-is” and without any representation or warranty, whether express, implied, or statutory. The Company specifically disclaims any implied warranties of title, merchantability, fitness for a particular purpose, and non-infringement.
- 13.3. Precoro may change its contact information by posting the new contact information on its Website or by advising the Customer beforehand. The Customer is solely responsible for keeping its contact information up to date with Precoro via the Platform at all times during the validity of the Terms, and this information may be treated by Precoro as official.
- 13.4. Neither party to these Terms will be liable for delays caused by any event or circumstances beyond reasonable control, including acts of government, flood, fire, earthquakes, civil unrest, acts of terror, strikes, or other labor problems (other than those involving Precoro employees), Internet service provider failures or delays, or the unavailability or modification by third parties of third-party websites/services.
- 13.5. Any provision of these Terms found by a tribunal or court of competent jurisdiction to be illegal or unenforceable will be severed from these Terms, and all other provisions of these Terms will remain in full force and effect.
- 13.6. The Customer's relationship with Precoro is that of an independent contractor, and neither Party is an agent or partner of the other. The Customer has no right to represent any third party with authority to act on behalf of Precoro.
- 13.7. The Customer will gain access to Precoro technical support twenty-four (24) hours a day from Monday to Friday via email at [email protected] or via the Precoro Website.
- 13.8. These Terms and any action related thereto will be governed by and construed in accordance with the substantive laws of the State Delaware. Should it be impossible to resolve the dispute by means of negotiations, any dispute, controversy, or claim arising out of or in connection with these Terms, including any questions regarding its existence, validity, or terminations, shall be referred to and finally resolved by an appropriate court of the State Delaware under its rules which are deemed to be incorporated in reference to this clause.
This Data Processing Agreement and its Annexes (the “Agreement”) is an addendum to the Terms of Service (“Principal Agreement”) between the Company (or/and the “Data Processor”) and the Customer (the “Data Controller”). All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
- 1. The Agreement sets out the rights and obligations of the Data Controller and the Company (the Data Processor), when processing personal data on behalf of the Data Controller.
- 2. The Agreement has been designed to ensure the parties’ compliance with Article 28(3) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data and repealing Directive 95/46/EC GDPR.
- 3. In the context of the provision of Services, the Company will process personal data on behalf of the Data Controller in accordance with the Agreement.
- 4. The Agreement shall take priority over any similar provisions contained in other agreements between the parties.
II. The Rights and Obligations of the Data Controller
- 1. The Data Controller is responsible for ensuring that the processing of Personal Data takes place in compliance with the GDPR, the applicable EU or Member State data protection provisions, and the Agreement.
- 2. The Data Controller has the right and obligation to make decisions about the purposes and means of the processing of personal data.
- 3. The Data Controller shall be responsible, among others, for ensuring that the processing of personal data, which the Company is instructed to perform, has a legal basis.
III. Processing of Personal Data
- 1. Company shall:
- 1.1. comply with all applicable data protection laws in the processing of personal data; and
- 1.2. not process personal data other than on the relevant Data Controller’s documented instructions.
- 2. The Data Controller instructs Company to process personal data.
- 3. Company shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any sub-processor who may have access to the Data Controller’s personal data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant the Data Controller’ personal data, as strictly necessary for the purposes of the Principal Agreement, and to comply with applicable laws in the context of that individual’s duties to the sub-processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
- 1. The Company shall only grant access to the personal data being processed on behalf of the Data Controller to persons under the Company’s authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and only on a need-to-know basis. The list of persons to whom access has been granted shall be kept under periodic review. On the basis of this review, such access to personal data can be withdrawn if access is no longer necessary, and personal data shall consequently not be accessible anymore to those persons.
- 2. The Company shall, at the request of the Data Controller, demonstrate that the concerned persons under the Company’s authority are subject to the abovementioned confidentiality.
V. Security of Processing
- 1. Article 32 GDPR stipulates that taking into account state of the art, the costs of implementation and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and Company shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
- 2. The Data Controller shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks.
- 3. Depending on their relevance, the measures may include the following:
- a) Pseudonymisation and encryption of personal data;
- b) the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- 4. According to Article 32 GDPR, the Company shall also – independently from the Data Controller – evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the Data Controller shall provide the Company with all information necessary to identify and evaluate such risks.
- 5. Furthermore, the Company shall assist the Data Controller in ensuring compliance with the Data Controller’s obligations pursuant to Articles 32 GDPR by inter alia providing the Data Controller with information concerning the technical and organizational measures already implemented by the Company pursuant to Article 32 GDPR along with all other information necessary for the Data Controller to comply with the Data Controller’s obligation under Article 32 GDPR.
VI. Use of Sub-processors
- 1. Customer agrees that the Company may engage sub-processors to process personal data on Customer's behalf in accordance with applicable law. A current list of the Company sub-processors may be found at https://precoro.com/privacy Customer acknowledges and agrees to the engagement of the third parties listed on the sub-processor page as sub-processors in connection with the provision of the Services under this Agreement.
- 2. Where Company engages a sub-processor, Company will enter into a Data Processing Agreement with the sub-processor that imposes on the sub-processor at least the same level of protection that apply to Company under this Agreement.
- 3. If the Company engages a sub-processor in a country outside the European Economic Area that is not recognized by the European Commission as providing an adequate level of protection for personal data, then Company shall, in advance of any transfer of personal data to sub-processor, take steps to ensure that a legal mechanism to achieve adequacy in respect of that processing is in place.
- 4. Company shall provide Customer reasonable advance notice (for which email shall suffice) if it adds or removes sub-processors. Customer may object in writing to Company’s appointment of a new sub-processor on reasonable grounds relating to data protection by notifying Company promptly in writing within five (5) calendar days of receipt of Company’s notice. Such notice shall explain the reasonable grounds for the objection. In such an event, the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If this is not possible, either party may terminate the applicable Services that cannot be provided by Company without the use of the objected-to-new sub-processor.
VII. Transfer of Data to Third Countries or International Organisations
- 1. Any transfer of personal data to third countries or international organizations by the Company shall only occur on the basis of documented instructions from the Data Controller and shall always take place in compliance with Chapter V GDPR.
- 2. In case transfers to third countries or international organizations, which the Company has not been instructed to perform by the Data Controller, is required under EU or Member State law to which the Company is subject, the Company shall inform the Data Controller of that legal requirement prior to processing unless that law prohibits such information on important grounds of public interest.
VIII. Assistance to the Data Controller
- 1. Taking into account the nature of the processing, the Company shall assist the data controller by appropriate technical and organizational measures, insofar as this is possible, in the fulfillment of the Data Controller’s obligations to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR.
- a) the right to be informed when collecting personal data from the data subject
- b) the right to be informed when personal data have not been obtained from the data subject
- c) the right of access by the data subject
- d) the right to rectification
- e) the right to erasure (‘the right to be forgotten’)
- f) the right to restriction of processing
- g) notification obligation regarding rectification or erasure of personal data or restriction of processing
- h) the right to data portability
- i) the right to object
- j) the right not to be subject to a decision based solely on automated processing, including profiling.
IX. Notification of Personal Data Breach
- 1. The Company shall notify the Data Controller without undue delay upon Company becoming aware of a personal data breach affecting the Data Controller's personal data, providing the Data Controller with sufficient information to allow the Data Controller to meet any obligations to report or inform data subjects of the personal data breach under the data protection laws.
- 2. The Company shall co-operate with the Data Controller and take reasonable commercial steps as directed by the Data Controller to assist in the investigation, mitigation, and remediation of each such personal data breach.
X. Erasure and Return of Data
XI. Audit and Inspection
- 1. Subject to this section XI, Company shall make available to the Data Controller on request all information necessary to demonstrate compliance with this Agreement and shall allow for and contribute to audits, including inspections, by the Data Controller or an auditor mandated by the Data Controller in relation to the processing of the Data Controller personal data by the sub-processors.
- 2. The Company shall be required to provide the supervisory authorities, which pursuant to applicable legislation have access to the Data Controller’s and the Company’s facilities, or representatives acting on behalf of such supervisory authorities, with access to the Company’s physical facilities on presentation of appropriate identification.
XII. The Parties' Agreement on Other Terms
XIII. General Terms
- 1. Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post, or sent by email to the address or email address set out in the heading of this Agreement at such other address as notified from time to time by the parties changing address.
- 2. Governing Law and Jurisdiction. This Agreement is governed by the laws of the State of Delaware.
- 3. Any dispute arising in connection with this Agreement, which the parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of the State of Delaware.
This Precoro Inc. Data Processing Agreement and its Annexes (hereinafter referred to as the “Clauses”) reflects the parties’ agreement with respect to the processing of personal data by us on behalf of you in connection with the Precoro Inc. subscription services under the Precoro Inc. customer Terms of Service available at https://precoro.com/terms between you and us (also referred to in this DPA as the “Agreement”).
Chapter I. Purpose of the clauses
- 1. For the purposes of implementation of Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the “Regulation (EU) 2016/679”), the rights 2 and obligations of the Data Controller and the Data Processor in processing of personal data on behalf of the Data Controller shall be set out herein. The Clauses shall be aimed at protecting the rights of the data subjects, minimising the specific risks with respect to protection of personal data and ensure the clarity of the relationship between the Data Controller and the Data Processor and the respective rights and obligations of the Data Controller and the Data Processor.
- 2. For the purposes of provision of cloud-based procurement software services, the Data Processor shall process personal data on behalf of the Data Controller hereunder. The terms and conditions of processing of personal data shall be set forth in Annex 1 hereto.
Chapter II. Obligations of the parties
- 3. The Data Controller:
- 3.1. is responsible for ensuring that personal data is processed in accordance with Regulation (EU) 2016/679 (Article 24), other European Union or Member State law governing protection and/or processing of personal data and these Clauses;
- 3.2. has the right and obligation to make decisions on the purposes and means of processing of personal data;
- 3.3. shall be responsible, among other, for ensuring that processing of personal data which is assigned to the Data Processor has legal grounds.
- 4. The Data Processor:
- 4.1. processes personal data only in accordance with the documented instructions issued by the Data Controller except for the cases where this is required by the European Union or Member State law applicable to the Data Processor (in such cases Data Processor shall inform the Data Controller of the legal requirement before processing, unless that law prohibits such information for reasons of substantial public interest). Such instructions shall be set out in Annex 1 and Annex 3 to the Clauses. The Data Controller shall also be entitled to issue further instructions during the entire period of the processing of personal data; however, such instructions related to the Clauses must always be in line with the respective rights and obligations of the Parties set out in the Clauses and documented;
- 4.2. shall immediately notify the Data Controller if, in the opinion of the Data Processor, the Data Controller’s instructions are in conflict with Regulation (EU) 2016/679 or other European Union or Member State law governing protection of personal data;
- 4.3. shall maintain records related to the activities of processing of personal data carried out on behalf of the Data Controller. The afore-mentioned obligation shall apply to each Data Processor and, where applicable, the representative of the Data Processor in accordance with Article 30(2) of Regulation (EU) 2016/679.
- 5. The Data Processor shall immediately inform the Data Controller if instructions given by the Data Controller, in the opinion of the Data Processor, contravene the Regulation (EU) 2016/679 or the applicable EU or Member State data protection provisions.
- 6. These Clauses shall not release the Parties from other obligations applicable to them under Regulation (EU) 2016/679 or other legal acts.
Chapter III. Confidentiality
- 7. The Data Processor shall grant access to the personal data processed on behalf of the Data Controller only to the persons under the data processor’s authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and only on a need-to-know basis. Parties ensure that:
- 7.1 In case of a need to change in the persons having access to personal data, their right of access to the Data Controller’s personal data shall be revoked not later than on the last day on which their tasks require them to have access to the personal data of the Data Controller entrusted to Data Processor. In case of discontinuation of employment relationship with the employee of the Data Processor, the access rights to the Data controller’s personal data shall be revoked not later than on the last day of work.
- 7.2. The list of persons granted access to personal data shall be reviewed on a periodical basis – quarterly. Following the afore-mentioned review, such access to personal data shall be suspended if such access is no longer necessary; thus, personal data cannot be accessible to such persons.
- 8. Upon the Data Controller’s request, the Data Processor shall demonstrate that the persons who are supervised by the Data Processor and to whom processing of personal data is assigned shall be subject to the obligation of confidentiality provided for in paragraph 7 hereof.
Chapter IV. Security of processing
- 9. Following Article 32 of Regulation (EU) 2016/679, the Data Controller and the Data Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
- 10. The Data Controller shall assess possible risk to the rights and freedoms of natural persons in processing of personal data and implement measures to minimise such risk. Depending on the appropriateness of the measures, they may be as follows:
- 10.1. the pseudonymisation and/or encryption of personal data;
- 10.2. the ability to ensure the continues confidentiality, integrity, availability and resilience of processing systems and services;
- 10.3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- 10.4. a process for regular testing, inspecting and evaluating the technical and organisational measures for ensuring the security of the processing.
- 11. According to Article 32 of Regulation (EU) 2016/679, the Data Processor shall also – independently from the Data Controller – evaluate the risks to the rights and freedoms of natural persons inherent in the processing activity entrusted to it by the Data Controller, and implement the measures to mitigate those risk. To this end, the Data Controller shall provide the Data Processor with all information necessary for identification and assessment of such risk.
- 12. Furthermore, the Data Processor shall help the Data Controller in ensuring compliance with the Data Controller’s obligation provided for in Article 32 of Regulation (EU) 2016/679 inter alia providing the Data Controller with information on technical and organisational measures which have already been implemented by the Data Processor under Article 32 of Regulation (EU) 2016/679 together with all other information necessary for the Data controller to comply with its obligation under Article 32 of Regulation (EU) 2016/679.
- 13. If, according to the assessment made by the Data Controller, the mitigation of the identified risks requires further measures to be implemented by the Data Processor, the Data Controller shall specify these additional measures in Annex 3 hereto and the Data Processor shall implement additional measures and the measures which have already been implemented under Article 32 of Regulation (EU) 2016/679. The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with its obligations as provided in Chapter X of the Clauses.
Chapter V. Engagement of other data processors
- 14. The Data Processor shall comply with the requirements set forth in Articles 28(2) and 28(4) of Regulation (EU) 2016/679 in order to engage another data processor (hereinafter referred to as the “Sub-processor”).
- 15. The terms and conditions of the Data Controller in accordance with which the Data Processor may engage sub-processors and the list of the sub-processors authorised by the Data Controller shall be laid down in Annex 2 hereto.
- 16. The Data Processor shall not engage a sub-processor for performance of the processing carried out under these Clauses without a prior general written authorisation of the Data Controller:
- 16.1. The Data Processor has the general written authorisation to engage sub-processors of the Data Controller. The Data Processor shall notify the Data Controller of any planned amendments related to engagement or replacement of sub-processors in writing, Data Processor will provide Data Controller with at least 30 days to object to the addition or replacement of sub-processors in connection with Data Processor’s performance, calculated from the date Data Processor provides notice to Data Controller.
- 17. Where the Data Processor engages a sub-processor for carrying out the particular processing on behalf of the Data Controller, the same data protection obligations as set out between the Data Controller and the Data Processor shall be imposed on the sub-processor by way of a contract or another legal act under European Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures so that processing meets the requirements of Regulation (EU) 2016/679. Prior to processing, the data processor shall inform the sub-processor of the identity and contact details of the Data Controller for which the sub-processor processes personal data.
- 18. Upon request of the Data Controller, a copy of the contract with a sub-processor and subsequent amendments thereto, shall be provided to the Data Controller, thus, enabling the Data Controller to ensure that the sub-processor was subject to the same data protection obligations as laid down by the Clauses. The Data Processor shall notify the Data Controller of any failure by the sub-processor to fulfill its obligations under that contract or other legal act binding on sub-processor. The Data Processor is not obliged to provide the provisions of the data processing agreement on the business-related issues which do not have an impact on the terms and conditions of the legal protection of personal data of the contract concluded with the sub-processor.
- 19. The Data Processor shall agree on a third-party beneficiary clause with a sub-processor (if any) providing that in case of bankruptcy of the primary Data Processor, the Data Controller shall be entitled to enforce the data processing agreement directly against the sub-processor engaged by the primary Data Processor and/or issue direct instructions on processing, for example, instruct the subprocessor to delete or return personal data.
- 20. The data processor shall be responsible for requiring that the sub-processor at least complies with the obligations to which the data processor is subject pursuant to the Clauses and the GDPR. If the sub-processor fails to fulfill the personal data protection obligations, the primary Data Processor with which/whom data processing agreement is concluded shall remain fully liable towards the Data Controller for fulfilment of the sub-processor’s obligations. This shall not affect the data subjects’ rights provided for in Regulation (EU) 2016/679, in particular, the rights provided for in Articles 79 and 82 of Regulation (EU) 2016/679 in respect of the Data Controller and the Data Processor including the rights in respect of the sub-processors.
Chapter VI. Transfer of data to third countries2 or international organisations
- 21. The Data Processor shall be entitled to transfer personal data to third countries or international organisations only after receipt of the documented instructions of the Data Controller and in accordance with the requirements of Chapter V of Regulation (EU) 2016/679.
- 22. If personal data must be transferred to third countries or international organisations in accordance with European Union or Member State law which must be complied with by the Data Processor although the Data Controller has not given instructions to do this to the Data Processor, the Data Processor shall notify the Data Controller of the afore-mentioned legal requirement prior to transfer of data unless such legal act prohibits communication of such information.
- 23. The Data Processor shall not be entitled to carry out the following actions without the documented instructions of the Data Controller or the particular request under European Union or Member States law in accordance with these Clauses:
- 23.1. to transfer personal data to a Data Controller or a Data Processor in a third country or in an international organisation;
- 23.2. to transfer processing of personal data to a sub-processor in a third country;
- 23.3. to allow the Data Processor to process personal data in a third country.
- 24. The Data Controller’s instructions or approval regarding transfers of personal data to a third country including, if applicable, the transfer tool under Chapter V of Regulation (EU) 2016/679 on which the Data Controller’s instructions are based, shall be set out in Annex 3 of these Clauses.
- 25. These Clauses shall not be standard data protection clauses defined in Articles 46(2)(c) and 46(2)(d) of Regulation (EU) 2016/679 and the Parties shall not be entitled to rely on the Clauses as the basis of transfer of personal data to third countries or international organisations in accordance with Chapter V of Regulation (EU) 2016/679.
Chapter VII. Assistance to the data controller
- 26. Taking into account the nature of processing, the Data Processor shall assist the Data Controller to fulfill the Data Controller’s obligation to respond to the requests for exercise of the data subject’s rights provided for in Chapter III of Regulation (EU) 2016/679 by appropriate technical and organisational measures, insofar as this is possible. This implies that the Data Processor shall, insofar as this is possible, assist the Data Controller in its obligation to give effect to the following data subject rights:
- 26.1. the right to be informed when personal data has been obtained from the data subject;
- 26.2. the right to be informed when personal data has been obtained not from the data subject;
- 26.3. the data subject’s right to access data;
- 26.4. the right to rectification;
- 26.5. the right to erasure (“right to be forgotten”);
- 26.6. the right to restriction of processing;
- 26.7. the notification obligation regarding rectification or erasure of personal data or restriction of processing;
- 26.8. the right to data portability;
- 26.9. the right to object to processing;
- 26.10. the right not to be subject to decisions based solely on automated processing, including profiling.
- 27. In addition to the Data Processor’s obligation to assist the Data Controller in accordance with paragraph 12 hereof, the Data Processor, taking into account the nature of processing and information available to the Data Processor, shall also assist the Data Controller in ensuring compliance with:
- 27.1. the Data Controller’s obligation to without undue delay and, where feasible, not later than within 72 hours after having become aware of it, notify the competent supervisory authority [specify the competent supervisory authority] of the personal data breach unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
- 27.2. the Data Controller’s obligation to notify without undue delay the data subject if personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
- 27.3. the Data Controller’s obligation to carry out a data protection impact assessment of the envisaged personal data processing operations where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
- 27.4. the Data Controller’s obligation to consult the competent supervisory authority [specify the competent supervisory authority] prior to processing if the data protection impact assessment indicates that processing of data would result in high risk if the Data Controller fails to take measures to mitigate the risk.
- 28. The Parties shall establish in Annex 3 hereto the appropriate technical and organisational measures, which should be taken by the Data Processor to assist the Data Controller with the data subject rights and with the obligations under Articles 33 to 36 of Regulation (EU) 2016/679, as set out in paragraphs 27 hereof.
Chapter VIII. Notification of personal data breach
- 29. The Data Processor shall notify the Data Controller without undue delay after becoming aware of a personal data breach. The Data Processor shall notify the Data Controller within 24 hours from the moment on which the Data Processor becomes aware of the personal data breach so that the Data Controller could fulfill the Data Controller’s obligations to report the personal data breach to the competent supervisory authority in accordance with Article 33 of Regulation (EU) 2016/679.
- 30. The obligation to assist the Data Controller to notify the competent supervisory authority of a personal data breach provided for in paragraph 27.1 hereof shall imply that the Data Processor must assist the Data Controller to obtain the information specified below which, according to Article 33(3) of Regulation (EU) 2016/679, must be indicated in the Data Controller’s notification to the competent supervisory authority:
- 30.1. the nature of the personal data including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data concerned;
- 30.2. the likely consequences of the personal data breach;
- 30.3. the measures taken or proposed to be taken by the Data Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects;
- 30.4. any other relevant information which is or may be necessary for the Data Controller when preparing the notification or responding to additional requests of the competent supervisory authority related to the personal data breach.
- 31. Annex 3 to the Clauses shall set out all elements which must be provided by the Data Processor to assist the Data Controller to notify the competent supervisory authority of a personal data breach. If the Data Processor fails to provide all information on the personal data breach to the Data Controller or later additional information becomes evident, the Data Processor shall be obliged to without undue further delay but not later than within 24 hours from the moment of becoming aware of new information give an additional notification to the Data Controller specifying all missing information.
- 32. Upon request of the Data Controller, in addition to the information provided for in paragraph 31 hereof, the Data Processor shall provide copies of the documents, for example, the documents justifying the carried out actions, applied measures or carried out internal inspections and conclusions of the inspections.
Chapter IX. Erasure and return of data
Chapter X. Audit and inspection of the data processor
- 34. The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations set out in Article 28 of Regulation (EU) 2016/679 and the Clauses and enable and assist the Data Controller or another auditor mandated by the Data Controller to carry out an audit including on-the-spot inspections.
- 35. An audit (including inspections) of the Data Processor and sub-processors carried out by the Data Controller shall be subject to the procedures provided for in paragraphs 7 and 8 of Annex 3 hereto.
- 36. The Data Processor shall grant the supervisory authorities which, according to the law in force, have access to the equipment of the Data Controller and the Data Processor, or the representatives acting on behalf of such supervisory authorities access to data processor’s physical facilities or fulfill other instructions of the supervisory authorities to carry out an audit or another inspection. The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority on request.
Chapter XI. Final provisions
- 37. The terms and conditions of the Clauses shall come into force from the date of signature of the Clauses.
- 38. During the period of provision of personal data processing services, the Clauses cannot be terminated if the Parties have not agreed on other terms and conditions of the Clauses regulating provision of personal data processing services.
- 39. If provision of personal data processing services is terminated and personal data is deleted or returned to the Data Controller in accordance with paragraph 33 of the Clauses and paragraph 4 of Annex 3 to the Clauses, the Clauses may be terminated by a written notice given by either Party.
- 40. Without prejudice to any provisions of Regulation (EU) 2016/679, if the Data Processor breaches his/its obligations hereunder, the Data Controller shall be entitled to order the Data Processor to suspend personal data processing on a temporary basis till the latter complies with the Clauses or the Clauses are terminated. The Data Processor shall immediately notify the Data Controller if he/it cannot perform its tasks as agreed in the Clauses for any reason.
- 41. The Data Controller shall be entitled to terminate the Clauses if:
- 41.1. the Data Processor substantial or persistent breaches the Clauses or his/its obligations under Regulation (EU) 2016/679;
- 41.2. the Data Processor fails to comply with the binding decision of the court or supervisory authority in relation to his/its obligations provided for in the Clauses or Regulation (EU) 2016/679;
- 41.3. the processing of personal data by the Data Processor has been suspended by the Data Controller pursuant to paragraph 43.1 and (or) 43.2 of the Clauses and compliance with these Clauses is not restored within a one month following suspension.
- 42. The Clauses shall take precedence over any similar provisions related to processing of personal data set out in other agreements between the Parties.
- 43. Each Party shall appoint a person responsible for executing the Clauses.
to The standard contractual clauses for the data processing agreement Information on processing of personal data
- 1. Information on processing of personal data:
- 1.1. The purpose of processing of personal data by the Data Processor shall be:
The purpose of processing:
• to provide, operate, and maintain services
• to improve, analyze, personalize, and services
• to contact Precoro for support
• to store end-user data
- 1.2. Processing of personal data by the Data Processor shall be mainly related to (nature of processing):
• Monitoring activities
• Support and Maintenance
• Authorization and Authentication of system users
• Analytics of system usage needed for analyzing the quality of services provisioning
• Other technical activities needed to perform services as per the Purchase Order
- 1.3. The processing shall cover the following the type of personal data:
• Log files, which contain information about a users’ IT system, a user’s IP address, browser type, domain names, internet service provider (ISP), the pages viewed on our site, operating system, access times, and referring website addresses
• Name, Surname
• Job title
• Phone number
• Email address.
- 1.4. The processing shall cover the following categories of data subjects:
• Controller’s employees
• Controller’s suppliers
- 1.5. The Data Processor shall be entitled to process personal data on behalf of the Data Controller after entry into force of the Clauses. Duration of processing: Continious basis.
- 1.1. The purpose of processing of personal data by the Data Processor shall be:
to The standard contractual clauses for the data processing agreement Information on sub-processors
- 1. Authorised sub-processors:
- 2. Prior notification of granting authorisation to the new sub-processors
Notification of Additions or Changes to Subprocessors. Data Processor will notify Data Controller of any additions to or replacements of its Subprocessors via email or other contact methods and make that list available on Data Controller’s request. Data Processor will provide Data Controller with at least 30 days to object to the addition or replacement of Subprocessors in connection with Data Processor’s performance under the Agreement, calculated from the date Data Processor provides notice to Data Controller. If Data Controller reasonably objects to the addition or replacement of Data Processor’s Subprocessor, Data Processor will immediately cease using that Subprocessor in connection with Data Processor’s Services under the Agreement, and the parties will enter into good faith negotiations to resolve the matter. If the parties are unable to resolve the matter within 15 days of Data Controller’s reasonable objection (which deadline the parties may extend by written agreement), Data Controller may terminate the Agreement and/or any statement of work, purchase order, or other written agreements. The parties agree that Data Processor has sole discretion to determine whether Data Controller’s objection is reasonable.
to The standard contractual clauses for the data processing agreement Instructions on processing of personal data
- 1. Instruction to Process Data
The Data Processor shall carry out the following actions in the course of processing of personal data on behalf of the Data Controller:
- • only process the personal data on Data Controller instructions as set out below or in writing from time to time;
- • immediately inform Data Controller if it considers an instruction infringes the Data Protection Legislation;
- • not make independent use of the personal data and only process the personal data to the extent, and in such manner, as is necessary for the purposes of providing the services;
- • not modify, amend, delete or alter the personal data except as instructed by Data Controller;
- • not transmit or send any personal data unless it is encrypted; and not store personal data on any portable medium or device unless the data is encrypted and the encryption key is held or transmitted separately.
- 2. Security of Processing
The Data Processor ensures in his field of responsibility the implementation of and compliance with technical and organizational measures that are necessary to provide a level of data protection that meets the requirements of the applicable data protection provisions. The Data Processor shall in particular provide an internal organization that satisfies the requirements of the applicable data protection provisions. For clarity, the below measures apply to the locations and systems under the Data Processor’s (or its subcontractors') control and the Data Processor shall not be responsible for technical and organizational measures with respect to the data center, environment, systems which are under the Data Controller's (or its subcontractor's) control. The measures to be implemented by the Data Processor include the following measures:
- 2.1 Technical and Organizational Security Measures
- 2.1.1 Organization of Information Security
- a. Security Ownership. The Data Processor has appointed an information security officer responsible for coordinating and monitoring the security rules and procedures.
- b. Security Roles and Responsibilities. The Data Processor personnel with access to personnel data are subject to confidentiality obligations.
- 2.1.2 Human Resources Security
- a. General. The Data Processor informs its personnel about relevant security procedures and their respective roles. The Data Processor also informs its personnel of the possible consequences of breaching its security policies and procedures. Employees who violate security policies may be subject to disciplinary action, up to and including termination of employment. A violation of this policy by a temporary worker or contractor may result in the termination of his or her contract or assignment with the Data Processor.
- b. Training. The Data Processor personnel with access to personal data receive:
- I. annual mandatory training regarding privacy and security procedures for the Services to aid in the prevention of unauthorized use (or inadvertent disclosure) of personal data;
- II. annual training regarding effectively responding to security events; and
- III. training is regularly reinforced through refresher training courses, emails, posters, notice boards, and other training materials.
- 2.1.3 Device Management
- a. Devices. Data Processor personnel use trusted devices/corporate desktops and laptops, and corresponding controls are applied to non-enrolled devices. A full suite of anti-malware products is operated in real-time on all Data Processor’s servers and computers.
- b. Removable Media. Where necessary, removable media ports are restricted from being connected to media without prior authorization.
- c. Software. New software is installed and tested on isolated systems to prevent the infection of live operating systems.
- d. Updating. All software including the operating system and the anti-malware software on the machines is updated and patched frequently.
- 2.1.4 Personnel Access Controls
- a. Access Policy. An access control policy is established, documented, and reviewed based on business and information security requirements.
- b. Access Recordkeeping. The Data Processor maintains a record of security privileges of its personnel that have access to personal data, networks, and network services.
- c. Access Authorization.
- I. The Data Processor has data access policies that implement the following:
- (a) Principles of least privilege and need to know basis access;
- (b) Regular access rights reviews;
- (c) Traceability of every login to a single person;
- (d) Lock-outs of accounts due to failed login attempts;
- (e) Locking access of unattended laptops/devices after 10 minutes of inactivity;
- (f) Clean desk and clear screen controls;
- (g) Regular review of unauthorized access events (on a weekly or per need basis).
- II. The Data Processor has password policies that follow industry best practices with password length/complexity requirements.
- I. The Data Processor has data access policies that implement the following:
- 2.1.5 Cryptography
- a. Cryptographic controls:
- I. The Data Processor maintains policies on the use of cryptographic controls based on assessed risks.
- II. The Data Processor ensures that the used cryptographic standards adhere to industry standards.
- b. Key management.
There are measures for managing keys and digital certificates included in cryptographic controls policies.
- a. Cryptographic controls:
- 2.1.6 Physical and Environmental Security
- a. Physical Access to Facilities
- I. The Data Processor limits access to its facilities where systems that process personal data are located to authorized individuals.
- II. A security alarm system or other appropriate security measures are in place to provide alerts of security intrusions.
- b. Protection from Disruptions.
- I. Data Processor’s facilities are designed in a way that safeguards confidential information and assets;
- II. Equipment is protected to reduce risks from unauthorized access, environmental threats, and hazards;
- III. Equipment is protected from power supply interruption and other disruptions caused by failures in supporting utilities;
- IV. Power and telecommunications cabling carrying data or supporting information services are protected from interception or damage; and
- V. Equipment is correctly maintained to help ensure the availability and integrity of confidential information and assets.
- a. Physical Access to Facilities
- 2.1.7 Operations Security
- a. The Data Processor maintains policies describing its security measures and the relevant procedures and responsibilities of its personnel who have access to personal data and to its systems and networks.
- b. Timely update. The Data Processor continues to update its operational processes, procedures, and/or practices in a timely manner to ensure that they are effective against the latest threats discovered.
- c. Mobile Devices. When mobile devices are used to access personal data, they are managed according to the Endpoint Protection Policy. In this case, Data Processors’ personnel follow the general code of conduct, recognizing the need to protect accessed data. Technical measures described in p.2.1.3 fully apply to mobile device protection.
- d. Backup. Backup recovery media, where possible, is kept in an encrypted format.
- 2.1.8 Communications Security and Data Transfer
- a. Network policies. The Data Processor has network policies that implement the following:
- I. Segregation and filtering of traffic between the Internet and Corporate Zones and between different Corporate Zones;
- II. Intrusion detection capability;
- III. Access control and password policies on network devices.
- a. Network policies. The Data Processor has network policies that implement the following:
- 2.1.9 System Acquisition, Development, and Maintenance
- a. Security Requirements. The Data Processor has adopted security requirements for the purchase or development of information systems, including for application services delivered through public networks.
- b. Change management. The Data Processor has a formal process for making changes in IT services and infrastructure systems that ensures that all changes are made in a thoughtful way to minimize negative impact to services and clients.
- 2.1.10 Information Security Incident Management
- a. Response Process. The Data Processor has a robust incident handling and response process that includes the containment of threats, investigation, recovery, and restoration of services. The Data Processor maintains a record of information security breaches with a description of the breach, the severity of the incident, the name of the reporter and to whom the breach was reported, and the procedure for recovering data.
- b. Reporting. The Data Processor will report within 24 hours to the Data Controller any security incident that has resulted in a loss, misuse, or unauthorized acquisition of personal data processed under this agreement.
- 2.1.11 Information Security Aspects of Business Continuity Management
- a. Planning. The Data Processor maintains business continuity and disaster recovery plans for the facilities in which the Data Processor information systems that process personal data are located.
- b. Data Recovery. The Data Processor’s redundant storage and its procedures for recovering data are designed to attempt to reconstruct personal in its original state from before the time it was lost or destroyed.
- 2.1.12 Annual Audit
- Data Processor maintains current independent verification of the effectiveness of its technical and organizational security measures (e.g., SOC2 Type 1 or Type 2, or other relevant industry-recognized independent security review report.) The independent information security review is performed at least annually.
- 2.1.1 Organization of Information Security
- 2.1 Technical and Organizational Security Measures
- 3. Data Retention Period/Data Erasure Procedures
Personal data is being stored for the period of services provision and no longer than 1 year after termination of the contract unless otherwise required by applicable legislation.
- 4. Instructions on Transfer of Personal Data to a Third Country or International Organisations
The Data Processor shall only disclose the personal data to a third party on documented instructions from the Data Controller. In addition, the data may only be disclosed to a third party located outside the European Union (4) (in the same country as the Data Processor or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
- (I) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
- (II) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;
- (III) the onward transfer is necessary for the establishment, exercise or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
- (IV) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the Data Processor with all the other safeguards under these Clauses, in particular purpose limitation.