Dated: Feb 2nd, 2020
ONEiO DATA PROCESSING ADDENDUM
This Data Processing Addendum (this “Addendum”) is effective as of January 1, 2020 (the “Addendum Effective Date”) by and between ONEiO Cloud Corporation, (“We”, “Us” or “Our”) and the customer to the Service (“Customer”).
This Addendum supplements the ONEiO Master Subscription Agreement, as updated from time to time between Customer and Us, or other agreement between Customer and Us, governing Customer’s use of the Service (the “Agreement”).
Unless otherwise defined in this Addendum or in the Agreement, all capitalised terms used in this Addendum will have the meanings given to them below:
1.1. “Location” means the data center facilities, servers, networking equipment, and host software systems that are used to provide the Service.
1.2. “ONEiO Security Standards” means the security standards attached to this Addendum as Annex 1.
1.3. “Personal Data” means the personal data, as defined in the GDPR, that forms part of the Customer Data.
1.4. “GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
1.5. “Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” will be interpreted accordingly.
1.6. “Post‐Termination Period” means the 30-day period following the Termination Date in which Customer can retrieve Customer Data from the Service.
1.7. “Security Incident” means either (a) a breach of security of the ONEiO Security Standards leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Customer Data; or (b) any unauthorised access to Our equipment or facilities, where in either case such access results in destruction, loss, unauthorised disclosure, or alteration of Customer Data.
2. Data Processing
2.1. Scope and Roles. This Addendum applies when We are processing Personal Data that is included in the Customer Data. In this context, We will act as “processor” to the Customer who may act either as “controller” or “processor” with respect to Personal Data (as each term is defined in the GDPR).
2.2. Customer Controls. The Service provides Customer with a number of controls, including security features and functionalities, that Customer may use to delete or restrict the use of Customer Data as described in the Service Description. Customer may use these controls as technical and organisational measures to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from data subjects.
2.3. Details of Data Processing.
2.3.1. Subject matter. The subject matter of the data processing under this Addendum is the Personal Data that forms part of the Customer Data.
2.3.2. Duration. The duration of the data processing under this Addendum is 30 days unless otherwise expressly agreed with the Customer. The Customer can delete all Customer Data at any time in the Service.
2.3.3. Nature of processing. Instant and automatic transmission of messages between two integrated data systems chosen by the Customer. Transmitted messages are stored in the Service for 30 days for message conversation view. Data transmission is carried out automatically in accordance with the configuration provided by the Customer from time to time.
2.3.4. Purpose. The purpose of the data processing is to enable communication between two different data systems.
2.3.5. Type of Personal Data. The Personal Data is comprised of person and system identification data (e.g. name, phone number, email address, office location, login information) included in the Customer Data, as determined by the Customer from time to time. No special categories of personal data (GDPR art. 9) are processed.
2.3.6. Categories of data subjects. The data subjects may include the personnel and customers of the Customer and Customer’s integration counterparty, as well as the personnel of their customers and suppliers.
2.4. Compliance with Laws. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this Addendum, including the GDPR.
2.5. Access or Use. We will not access or use Customer Data, except as necessary to maintain or provide the Service, or as necessary to comply with the law or binding order of a governmental body.
3. Customer Instructions
We will process Personal Data only in accordance with Customer’s instructions. The parties agree that this Addendum is Customer’s complete and final documented instruction to Us in relation to Personal Data. Additional instructions outside the scope of this Addendum (if any) require prior written agreement between Us and Customer, including agreement on any additional fees payable by Customer to Us for carrying out such instructions. Customer is entitled to terminate this Addendum and the Agreement if We decline to follow instructions requested by Customer that are outside the scope of, or changed from, those given or agreed to be given in this Addendum. Customer shall ensure that its instructions comply with all laws, rules and regulations applicable in relation to the Personal Data, and that the processing of Customer Data in accordance with Customer’s instructions will not cause Us to be in breach of the GDPR.
4. Confidentiality of Customer Data
We will not disclose Customer Data to any government or any other third party, except as necessary to comply with the law or a valid and binding order of a law enforcement agency. If a law enforcement agency sends Us a demand for Customer Data, We will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, We may provide Customer’s basic contact information to the law enforcement agency. If We are compelled to disclose Customer Data to a law enforcement agency, then We will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless We are legally prohibited from doing so.
5. Confidentiality Obligations of Our Personnel
We restrict Our personnel from processing Customer Data without authorisation by Us as described in the ONEiO Security Standards. We impose appropriate contractual obligations upon Our personnel, including relevant obligations regarding confidentiality, data protection and data security.
6. Security of Data Processing
6.1. We have implemented and will maintain the technical and organisational measures for the Service as described in the ONEiO Security Standards and this Section of this Addendum. In particular, We have implemented and will maintain the following technical and organisational measures:
(a) security of the Service as set out in Section 1.1 of the ONEiO Security Standards;
(b) physical security of the facilities as set out in Section 1.2 of the ONEiO Security Standards;
(c) measures to control access rights for Our employees and contractors in relation to the Service as set out in Section 1.1 of the ONEiO Security Standards; and
(d) processes for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures implemented by Us as described in Section 2 of the ONEiO Security Standards.
6.2. Customer may elect to implement technical and organisational measures in relation to the Customer Data. Such technical and organisational measures include the following, which may be obtained by Customer directly from a third-party supplier or from Us as described in the Service Description:
(a) pseudonymisation and encryption to ensure an appropriate level of security;
(b) measures to ensure the ongoing confidentiality, integrity, availability and resilience of the data processing systems and services provided by Customer to third parties;
(c) measures to allow Customer to backup and archive appropriately in order to restore availability and access to Customer Data in a timely manner in the event of a physical or technical incident affecting the Service; and
(d) processes for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures implemented by Customer.
7.1. Authorised Sub‐processors. Customer agrees that We may use sub‐processors to fulfil Our contractual obligations under this Addendum or to provide certain services on Our behalf, such as providing infrastructure and database services. Our website lists sub‐processors that are currently engaged by Us to carry out specific processing activities on behalf of the Customer. At least 45 days before We engage any new sub‐processor to carry out specific processing activities on behalf of Customer, We will issue the Customer a Change Notice as provided in the Master Subscription Agreement. Customer hereby consents to Our use of sub‐processors as described in this Section. Except as set forth in this Section, or as Customer may otherwise authorise, We will not permit any sub‐processor to carry out specific processing activities on behalf of Customer.
7.2. Sub‐processor Obligations. If We authorise any sub‐processor as described in Section 7.1 above:
(i) We will restrict the sub‐processor’s access to Customer Data only to what is necessary to maintain the Service or to provide the Service to Customer in accordance with the Documentation, and We will prohibit the sub‐processor from accessing Customer Data for any other purpose;
(ii) We will enter into a written agreement with the sub‐processor and, to the extent that the sub‐processor is performing the same data processing services that are being provided by Us under this Addendum, We will impose on the sub‐processor the same contractual obligations that We have under this Addendum; and
(iii) We will remain responsible for Our compliance with the obligations of this Addendum and for any acts or omissions of the sub‐processor that cause Us to breach any of Our obligations under this Addendum.
8. Data Subject Rights
Taking into account the nature of the Service, We offer Customer certain controls as described in Sections 2.2 and 9 that Customer may elect to use to comply with its obligations towards data subjects.
9. Optional Security Features
We are making available security features and functionalities that Customer may elect to use. Customer is responsible for (a) properly configuring the Service, (b) using the controls available in connection with the Service (including the security controls) to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, (c) using the controls available in connection with the Service (including the security controls) to allow the Customer to restore the availability and access to Customer Data in a timely manner in the event of a physical or technical incident (e.g. backups and routine archiving of Customer Data), and (d) taking such steps as Customer considers adequate to maintain appropriate security, protection, and deletion of Customer Data, which includes use of encryption technology to protect Customer Data from unauthorised access and measures to control access rights to Customer Data.
10. Security Breach Notification
10.1. Security Incident. If We become aware of a Security Incident, We will without undue delay: (a) notify Customer of the Security Incident; and (b) take reasonable steps to mitigate the effects and to minimise any damage resulting from the Security Incident.
10.2. Our Assistance. To assist Customer in relation to any personal data breach notifications Customer is required to make under the GDPR, We will include in the notification under section 10.1(a) such information about the Security Incident as We are reasonably able to disclose to Customer, taking into account the nature of the Service, the information available to Us, and any restrictions on disclosing the information, such as confidentiality.
10.3. Unsuccessful Security Incidents. Customer agrees that:
(i) an unsuccessful Security Incident will not be subject to this Section 10. An unsuccessful Security Incident is one that results in no unauthorised access to Customer Data or to any of Our equipment or facilities storing Customer Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log‑on attempts, denial of service attacks, packet sniffing (or other unauthorised access to traffic data that does not result in access beyond headers) or similar incidents; and
(ii) Our obligation to report or respond to a Security Incident under this Section 10 is not and will not be construed as an acknowledgement by Us of any fault or liability with respect to the Security Incident.
10.4. Communication. Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s administrators by any means We select, including via email. It is Customer’s sole responsibility to ensure that Customer’s administrators maintain accurate contact information on the management console of the Service at all times.
10.5. Privacy Impact Assessment and Prior Consultation. The information made available by Us under Section 11 is intended to assist Customer in complying with Customer’s obligations under the GDPR in respect of data protection impact assessments and prior consultation.
11. Certifications and Audits
11.1. ISO‐Certification. As of the Addendum Effective Date, We are not certified under ISO 27001. However, We agree to maintain an information security program for the Service that complies with the ISO 27001 standards or such other alternative standards as are substantially equivalent to ISO 27001 for the establishment, implementation, control, and improvement of ONEiO Security Standards.
11.2. Audits. We use external auditors to verify the adequacy of the security measures of the Service. This audit: (a) will be performed at least annually; (b) will be performed by independent third-party security professionals at Our selection and expense; and (c) will result in the generation of an audit report (“Report”), which will be Our Confidential Information. Such Reports will be made available to Customer subject to a mutually agreed upon non‐disclosure agreement covering the Report (an “NDA”).
11.3. Audit Reports. At Customer’s written request, We will provide Customer with a confidential Report so that Customer can reasonably verify Our compliance with Our obligations under this Addendum. The Report will constitute Our Confidential Information under the confidentiality provisions of the Agreement or the NDA, as applicable.
11.4. Customer’s Independent Determination. Customer is responsible for reviewing the information made available by Us relating to data security and making an independent determination as to whether the Service meets Customer’s requirements and legal obligations as well as Customer’s obligations under this Addendum.
11.5. Customer Audits. Customer agrees to exercise any right it may have to conduct an audit or inspection by instructing Us to carry out the audit described in Section 11.2. If Customer wishes to change this instruction regarding the audit, then Customer has the right to request a change to this instruction by sending Us written notice as provided for in the Agreement. If We decline to follow any instruction requested by Customer regarding audits or inspections, Customer is entitled to terminate this Addendum and the Agreement.
12. Processing Location(s)
Customer may choose from the available Location(s) where Customer Data will be processed. Once Customer has made its choice, We will not transfer Customer Data from Customer’s selected Location(s), except with the Customer’s prior written consent.
13. Termination of the Addendum
This Addendum shall continue in force until the termination of the Agreement (the “Termination Date”).
14. Return or Deletion of Customer Data
The Service provides Customer with controls that Customer may use to retrieve or delete Customer Data as described in the Documentation. Up to the Termination Date, Customer will continue to have the ability to retrieve or delete Customer Data in accordance with this Section. For 30 days following the Termination Date (“Post-Termination Period”), Customer may retrieve or delete any remaining Customer Data from the Service, subject to the terms and conditions set out in the Agreement, unless (i) prohibited by law or the order of a governmental or regulatory body, or (ii) Customer has not paid all amounts due under the Agreement. No later than the end of the 30-day period, Customer will close all ONEiO accounts. We will delete all Customer Data promptly after the Post-Termination Period, unless prohibited by law or an order of a governmental or regulatory body.
15. Limitations of Liability
The liability of each party under this Addendum shall be subject to the exclusions and limitations of liability set out in the Agreement. Customer agrees that any regulatory penalties incurred by Us in relation to the Personal Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this Addendum or the GDPR shall count towards and reduce Our liability under the Agreement as if it were liability to the Customer under the Agreement.
16. Duties to Inform
If Customer Data becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties while being processed by Us, We will inform Customer without undue delay. We will also notify all relevant parties in such action (e.g. creditors, bankruptcy trustee) that any Customer Data subjected to such proceedings is Customer’s property and processed under the Customer’s responsibility and control.
Customer agrees that the details of this Addendum constitute Our Confidential Information under the confidentiality provisions of the Agreement.
18. Entire Agreement; Conflict
This Addendum supersedes and replaces all prior or contemporaneous representations, understandings, agreements, or communications between Customer and Us, whether written or verbal, regarding the subject matter of this Addendum. Except as amended by this Addendum, the Agreement will remain in full force and effect. If there is a conflict between any other agreement between the parties including the Agreement and this Addendum, the terms of this Addendum will control.
19. Counterparts and Email Delivery
This Addendum may be executed in two or more equal counterparts, each of which will be deemed original. The parties may deliver this Addendum by email transmission.
ONEiO Security Standards
Capitalised terms not otherwise defined in this document have the meanings assigned to them in the applicable ONEiO Master Subscription Agreement.
1. Information Security Program. We will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed (a) to satisfy the security objectives: availability, integrity and confidentiality, (b) to identify reasonably foreseeable and internal risks to security and unauthorised access to the Service, and (c) to minimise security risks, including through risk assessment and regular testing. We will designate one or more employees to coordinate and be accountable for the information security program. The information security program will include the following measures:
1.1 Data Security. The Service will be electronically accessible to employees, contractors and any other person as necessary to provide the Service. We will maintain access controls and policies to manage what access is allowed to the Service. We will maintain corrective action and incident response plans to respond to potential security threats.
1.2 Physical Security
1.2.1 Physical Access Controls. Facilities where physical components of the Service are housed (“Facilities”) have physical barrier controls to prevent unauthorised entrance to the Facilities. Passage through the physical barriers at the Facilities requires either electronic access control validation (e.g., card access systems, etc.) or validation by human security personnel (e.g., contract or in‐house security guard service, receptionist, etc.). Visitors are required to sign‐in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor is at any of the Facilities, and are continually escorted by authorised employees or contractors while visiting the Facilities.
1.2.2 Limited Employee and Contractor Access. Our sub-contractors provide access to Facilities to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked.
1.2.3 Physical Security Protections. All access points/doors are maintained in a secured (locked) state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities. Our sub-contractor also maintains electronic intrusion detection systems designed to detect unauthorised access to the Facilities, including monitoring points of vulnerability with door contacts, glass breakage devices, interior motion‐detection, or other devices designed to detect individuals attempting to gain access to the Facilities. All physical access to the Facilities by employees and contractors is logged and routinely audited.
2. Continued Evaluation. We will conduct periodic reviews of the security of the Service and adequacy of its information security program as measured against industry security standards and its policies and procedures. We will continually evaluate the security of the Service to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.