This data processing agreement (the “DPA”) constitutes a binding agreement between the GuardSquare group contracting entity specified in the relevant Order (or if no Order was signed, the GuardSquare group contracting entity to the Agreement (as defined below)) (“Guardsquare”), and the client contracting entity specified in the relevant Order (or if no Order was signed, the client contracting entity to the Agreement) (the “Client”).
The Client and Guardsquare may individually be referred to as a “Party” and jointly as “the Parties”.
PREAMBLE
Whereas the Parties entered into (whether through physical or electronic signature or click-through acceptance, or through deemed acceptance as per the terms of the Agreement, e.g. by accessing or using the products or services in scope of the Agreement) a master agreement, possibly including software or services specific addenda and/or orders concluded pursuant to the afore referenced (which may cover software licensing, related support services, or services (including SaaS)) (“the Agreement”);
Whereas in the context of performing the Agreement, Guardsquare may process personal data on behalf of the Client;
Whereas this DPA sets out the rights and obligations of the Parties in respect of such personal data processing by Guardsquare.
This DPA is incorporated into the Agreement by reference.
NOW THEREFORE,
the Parties hereby agree as follows:
1. References in this DPA to “data controller”, “personal data”, “data processor”, “data subject” and “processing” (and "process "and "processes" shall be construed accordingly) (or such equivalent terms as may be used under applicable personal data protection legislation) shall have the meanings ascribed to them under applicable personal data protection legislation (which may include the General Data Protection Regulation (Regulation (EU) 2016/679)(the “GDPR”)). Capitalized terms used herein but not separately defined herein, shall have the meaning ascribed to them in the Agreement. This DPA shall constitute a data processing agreement for the purposes of the GDPR.
Details of the
processing activities pursuant to the Agreement – which processing details
may differ depending on the software (based service) in scope (“the Guardsquare Solutions”), are set out in
annexes to this DPA, or on a Guardsquare designated webpage (“the Processing Details”).
2. To the extent that Guardsquare is deemed (pursuant to applicable personal data protection law) to process Client personal data pursuant to the Agreement, the Parties acknowledge that the Client will be the data controller, and Guardsquare the data processor, in relation to such personal data processing (or such equivalent terms as may be used under applicable personal data protection legislation) (each as defined in the applicable personal data protection legislation). Each Party shall comply with the obligations that apply to it under applicable personal data protection law. The Client shall ensure that it is entitled to make the relevant personal data available to Guardsquare so that Guardsquare may lawfully process the personal data in accordance with the Agreement on the Client’s behalf, which may include Guardsquare processing such personal data outside the country where the Client and the data subjects are located in order for Guardsquare to perform the Agreement.
3. In relation to such processing of personal data hereunder, Guardsquare agrees that it shall:
(a) act only upon the Client’s lawful reasonable instructions when processing personal data, only process such data to the extent necessary to perform the Agreement, and not use such data for any other purpose.
(b) implement and maintain adequate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Client agrees that compliance with the measures set out in the Processing Details shall constitute such appropriate technical and organizational measures for Guardsquare to protect the Client personal data under its control pursuant to the Agreement against unauthorized or unlawful processing, access or disclosure and against accidental loss, destruction of, or damage to, such data (a "Security Incident").
Within 60 hours of becoming aware of a Security Incident, Guardsquare shall inform the Client thereof, and shall subsequently provide such information and cooperation as the Client may reasonably require in order to remedy or mitigate the effects of the Security Incident.
(c) notify the Client if it receives any complaint, request, notice or communication which relates to the processing of personal data hereunder (including requests from data subjects exercising their rights pursuant to Chapter 3 of the GDPR), and Guardsquare shall provide reasonable co-operation and assistance to the Client, as reasonably requested by the Client, in order to assist the Client with its compliance with its legal obligations under applicable data protection legislation (including under Chapter 3 of the GDPR and pursuant to Articles 32 to 36 of the GDPR), taking into account the nature of the processing and the information available to Guardsquare. The Client shall reimburse Guardsquare for any time spent by Guardsquare personnel as part of any such cooperation and assistance, at Guardsquare’s then applicable professional services rates, together with any out of pocket expenses reasonably incurred by Guardsquare.
(d) only disclose such personal data to a third party subject to the Client’s prior written consent, such consent not to be unreasonably withheld.
(e) maintain a personal data record to allow Guardsquare to provide the Client with the necessary information regarding its data processing activities hereunder; such personal data record shall be in a format of Guardsquare’s choice and shall contain at least the following information:
-
Name and contact details of the Parties in their respective roles of processor and controller hereunder;
-
Name and contact details of Guardsquare’s data protection officer (“DPO”) if one is required under applicable personal data protection law, or in the event Guardsquare has a DPO even though not legally required;
-
The categories of personal data processed and the types of processing carried out on behalf of the Client pursuant to the Agreement;
-
A general description of the technical and organisational security measures that are in place (as per clause 3 (b) above);
-
Detail on any transfers of personal data to a country outside the EEA, including the identification of those third countries and reasonable documentation regarding the safeguards that are in place to ensure adequate personal data protection, except if the transfer were to be based on an adequacy decision.
4. Guardsquare may engage affiliates, its and its affiliates’ contractors, and third-party providers identified in the Processing Details (the “Sub-Processors”) as sub-processors under the Agreement without having to obtain the Client’s additional prior written consent, and Guardsquare shall (i) impose upon such Sub-Processors data protection obligations equivalent to those set out herein, and (ii) be responsible for the acts and omissions of its Sub-Processors under the Agreement. Guardsquare shall inform the Client of any intended changes concerning the addition or replacement of its Sub-Processors (making such information available on a Guardsquare designated webpage shall suffice for this purpose). Unless the Client objects to such changes in writing setting out its reasonable concerns in detail within four (4) weeks from such notice, the change shall be deemed accepted by the Client. If the Client objects, Guardsquare shall consult with the Client, consider the Client’s concerns in good faith and inform the Client of any measures taken to address the Client’s concerns. If the Client upholds its objection and/or demands significant accommodation measures, and if either would result in a material increase in cost for Guardsquare to perform the Agreement, Guardsquare shall be entitled to increase the fees payable by the Client under the Agreement or, at its option, terminate the Agreement or impacted Order. Where necessary to legalize the use of a Sub-Processor as processor, the Client hereby authorizes Guardsquare to conclude the contractual clauses set out in EU Commission Decision C(2010)593 Standard Contractual Clauses (processors) for the purposes of Article 26(2) of Directive 95/46/EC (the “Standard Contractual Clauses”) with such processors on behalf of the Client (as per Article 46 of the GDPR). Each such conclusion of Standard Contractual Clauses shall be considered a supplement to this DPA.
5. In case of processing of personal data outside the European Economic Area, Guardsquare undertakes to enter into a suitable agreement with the Client and/or any relevant third parties (including the above referenced Standard Contractual Clauses) and/or adopt any necessary measures in order to ensure an adequate level of protection for such personal data in accordance with applicable data protection legislation.
6. Guardsquare shall ensure that the personal data is processed solely by reliable personnel who have committed to confidentiality undertakings or are under an appropriate statutory obligation of confidentiality.
7. Where Guardsquare is acting as a processor under the Agreement, at the Client’s reasonable written request and no more than once per Agreement contract year unless required under applicable law, Guardsquare shall make available to the Client such information as reasonably deemed necessary by Guardsquare to demonstrate Guardsquare’s compliance with its obligations hereunder (making such information available on a Guardsquare designated web page shall suffice for this purpose). To this end, the Client shall be entitled to have an independent, reputable third party (in any event excluding Guardsquare competitors as reasonably determined by Guardsquare) audit Guardsquare’s compliance with its obligations under this DPA, provided that any such audit shall be contingent on the following:
(i) such audit shall be limited to one per Agreement contract year (unless additional audits are required under applicable law or at a regulator’s request (as documented by the Client)), must be notified reasonably in advance (a minimum of thirty days, unless otherwise required under applicable law or a regulator request (as documented by the Client)), and may only occur during Guardsqsuare’s normal business hours at the locations that are directly related to the performance of Guardsquare’s obligations hereunder; (ii) access shall be limited to a reasonable number of participants from the Client/third-party auditor, considering the scope of the audit; (iii) the audit shall be conducted at mutually agreeable times; (iv) Guardsquare personnel may, at Guardsquare’s option, supervise such audit; (v) such audit shall be conducted in a manner that is designed to minimize any adverse impact on Guardsquare’s normal business operations and its performance of the Agreement; (vi) Client and the entity conducting the audit shall comply with all safety and security procedures of Guardsquare in conducting any such audit; (vii) Client shall inform any third-party auditor of the obligations of confidentiality set forth in the Agreement and secure such person’s agreement to be bound by such provisions; (viii) any information accessed by the Client or its third-party auditors in the performance of any such audit, including any resulting audit report, shall be deemed to be the Confidential Information of Guardsquare; in no event shall Guardsquare be required to provide any access that could reasonably be expected to result in an impact to any other Guardsquare client or in a disclosure of another Guardsquare client’s information; In the event that Guardsquare agrees to provide, or is otherwise required (under applicable law or pursuant to a regulatory request), to provide access to multi-client environments, then the Client shall ensure that any risks to or impact on another Guardsquare client’s environment are avoided; (ix) any audit may only occur pursuant to a mutually agreed scope defined in writing by the Parties prior to the audit; (x) the Client shall reimburse Guardsquare for any out of pocket costs reasonably incurred as part of any such audit, and shall reimburse Guardsquare for any time spent by Guardsquare personnel as part of any such audit, at Guardsquare’s then applicable rates.
Alternatively, at Guardsquare’s option, Guardsquare may allow a reputable third-party auditor chosen by Guardsquare to perform audits on the Client’s behalf (or on behalf of multiple Guardsquare clients), and the Client hereby authorizes Guardsquare to issue such mandate to the third-party auditor.
The above audit right only applies to the extent that it cannot be excluded under applicable personal data protection law.
8. Upon the Client’s written request, Guardsquare shall delete the personal data or, at the Client's discretion, return the Client personal data (the modalities (including associated fees) to be agreed) to the Client once such data is no longer required for the purposes of the Agreement, subject to Guardsquare retaining any copies as may be required by applicable law.
9. The Client undertakes to comply with the principle of data minimization. The Client acknowledges and agrees that it is the Parties’ intent to minimise personal data processing by Guardsquare in pursuance of proportionality and necessity principles and as such, the Client acknowledges and agrees that it has a duty to limit access to/the provision of personal data to Guardsquare to what is necessary for Guardsquare to be able to perform its obligations pursuant to the Agreement, and to anonymise or apply pseudonymisation in respect of any personal data made accessible to Guardsquare. Such personal data as necessary for the purposes of Guardsquare performing the Agreement are reflected in the Processing Details. The Client shall use reasonable efforts not to provide Guardsquare with personal data in excess of those set out in such Processing Details, and shall inform its relevant personnel in this respect so as to make them aware of and comply with such data minimisation principle.
10. The Client warrants that it has sufficient rights and authorizations to make the personal data available to Guardsquare hereunder, and for granting Guardsquare the authorization to use such personal data as stated herein. The Client shall indemnify Guardsquare in respect of any third-party claims against Guardsquare resulting from a breach of this warranty.
11. This DPA shall automatically terminate upon the expiry or earlier termination of the Agreement.
ANNEXES:
Annex 1 : ThreatCast Personal Data Processing Details
Annex 2 : AppSweep Personal Data Processing Details
Appendix 1: Technical and Organisational Measures
ANNEX 1: THREATCAST PERSONAL DATA PROCESSING DETAILS
This Annex and Appendix 1 shall apply to the extent the Guardsquare Solution ThreatCast is in scope of the Agreement.
1.TYPES OF PERSONAL DATA
- Pseudo-unique device identifiers
- IP addresses
- Geographical device location
- Information about the device and the operating system
- Information about mobile threats that occurred:
- Application version where the threat occurred
- The type of the threat (such as hooking attempt, package tampering etc.)
- Forensic information about the threat (such as the name of the rootkit used)
- Date and time when the threat has occurred.
In addition, in the user management and administration part of the Platform (as defined in the Agreement) service:
- Names and email addresses of the Client personnel who have access to the Platform;
- Integration data such as webhooks.
2. CATEGORIES OF DATA SUBJECT
The “Authorized Users” as defined in the Agreement, namely Client personnel and end users authorised by the Client to access and use the Platform as per the terms of the Agreement.
3.PROCESSING
a.SCOPE
For the purposes of providing the Client with access to, and use of, the (ThreatCast) Platform as per the terms of the Agreement. ThreatCast is a mobile application security monitoring tool used by organizations to collect and process information about the security threats facing their mobile applications.
Personal Data are Processed by Guardsquare thereunder:
1. To provide the Client with the Platform service (including support services) as per the terms of the Agreement.
2. To improve the Software and Platform through analysing the Platform usage.
b.NATURE
As per 3.a. above.
c. PURPOSE OF PROCESSING
As per 3.a. above.
d. RETENTION PERIOD
Subject to any mandatory legal limitations:
(i) Guardsquare will retain the Personal Data for the term of the relevant Agreement, or for a period of six months since the Client’s last account activity, whichever is longer. When the retention period is over, the Personal Data will be retained in anonymized form.
(ii) In addition, upon the Client’s written request, Guardsquare will anonymize the Personal Data within a period of one (1) month from Guardsquare’s receipt of such request.
4. TECHNICAL AND ORGANISATIONAL MEASURES
As set out in Appendix 1.
5. SUB-PROCESSORS
Guardsquare may in any event engage its affiliates and Guardsquare’s and its affiliates’ independent contractors as Sub-Processors hereunder without the Client’s additional prior written consent. Use of any other third-party Sub-Processor will be governed by the terms of the DPA, provided that the below listed third parties are hereby in any event approved as Sub-Processor. The Client acknowledges and agrees that its rejection of particular third parties to act as Sub-Processors may result in the Platform not being available to it, without liability on Guardsquare.
Approved third-party Sub-Processors:
|
Sub-Processor
|
Which Personal Data
|
Purpose
|
Processing Location
|
|
Google
|
Personal Data as per 1. above
|
Platform cloud provider
|
EEA
|
|
Salesforce
|
Authorized Users Personal Data
|
To process support tickets
|
EEA
|
|
Whildbit (Postmark service)
|
Authorized Users Personal Data
|
Transactional email provider
|
US
|
ANNEX 2: APPSWEEP PERSONAL DATA PROCESSING DETAILS
This Annex and Appendix 1 shall apply to the extent Guardsquare Solution “AppSweep” is in scope of the Agreement.
1.TYPES OF PERSONAL DATA
- User full name
- User email address
- IP addresses of users who access the service
- Geographical device location of users who access the service
- Information about the device and the operating system used to access the service
- Service usage statistics
- Projects, applications and related security findings data as derived from the security analysis, including, but not limited to:
- Information on the application build(s) uploaded by the user (timestamp, name, status, runtime, composition data including but not limited to languages, libraries and class structure) as well as;
- application binary that is uploaded by the user
- Information on the project(s) created by the user (including various project metadata such as name, timestamp, association with GitHub)
- Information on the findings in the build (findings type, severity)
- User’s role in project(s) (owner, member)
2.CATEGORIES OF DATA SUBJECT
The “Users” as defined in the Agreement.
3.PROCESSING
a.SCOPE
AppSweep is an automated, mobile application security testing tool that produces findings based on the scan of a mobile application initiated by its users.
AppSweep is available upon sign-up (with credentials and/or social sign in).
Personal Data are Processed by Guardsquare thereunder:
1. Within the scope of the user Instructions, in order to provide the Client with the Service as per the Agreement.
2. To improve the Service through analysing the Service usage.
b.NATURE
As per 3.a. above.
c.PURPOSE OF PROCESSING
As per 3.a. above.
d.RETENTION PERIOD
Subject to any mandatory legal limitations:
(i) as default, Guardsquare retains the Personal Data indefinitely
(ii)However, the user can anytime initiate the deletion of Personal data by using the in-product features (marked on the user interface by the deletion button and as described in our help center).
Once initiated by the user, Personal data deletion will be carried on automatically by Guardsquare with completion taking up to one month including data backups.
Personal Data might be retained by Guardsquare in anonymized, aggregated form and for statistical purposes only.
4.TECHNICAL AND ORGANISATIONAL MEASURES
As set out in Appendix 1.
5.SUB-PROCESSORS
Guardsquare may in any event engage its affiliates and Guardsquare’s and its affiliates’ independent contractors as Sub-Processors hereunder without the Client’s additional prior written consent. Use of any other third-party Sub-Processor will be governed by the terms of the DPA, provided that the below listed third parties are hereby in any event approved as Sub-Processor. The Client acknowledges and agrees that its rejection of particular third parties to act as Sub-Processors may result in the Platform not being available to it, without liability on Guardsquare.
Approved third-party Sub-Processors:
|
Sub-Processor
|
Which Personal Data
|
Purpose
|
Processing Location
|
|
Google (Google Cloud Platform)
|
Personal Data as per 1. above
|
Platform cloud provider
|
EEA
|
|
Google (Google Analytics)
|
User Personal Data
|
Product and usage analytics
|
US
|
|
HubSpot
|
User Personal Data
|
Marketing automation and analytics
|
US
|
|
Salesforce
|
User Personal Data
|
To process support tickets
|
EEA
|
|
Wildbit (Postmark Service)
|
User Personal Data
|
Transactional Email
|
US
|
|
LuckyOrange
|
User Personal Data
|
Collects data on the user's behavior on the website. This is used to compile statistical reports.
|
EEA
|
|
Intercom
|
User Personal Data
|
Collects user behavior on the website, and allows targeted messages to be communicated to users regarding their use of the service.
|
EEA
|
|
Mapbox
|
User Personal Data
|
Collects IP address of users device or emulator used for interactive analysis testing of an instrumented application as well as IP address of communication endpoints.
|
US
|
APPENDIX 1
TECHNICAL AND ORGANISATIONAL MEASURES
1.System Security
1.1Application server security
Guardsquare’s server infrastructure is hosted and managed within Google’s secure data centres and utilizes the Google Cloud Platform (‘GCP’) technology.
Google Cloud Platform products regularly undergo independent verification of their security, privacy, and compliance controls, achieving certifications, attestations of compliance, or audit reports against standards around the world.
See the complete GCP compliance overview at the Google Cloud Platform web site: https://cloud.google.com/security/compliance.
1.2Data security
1.2.1Access
The Guardsquare Solutions provide customers with admin functionality to manage their users and roles to define access to customer data.
Guardsquare personnel have access to the Guardsquare Solutions’ databases on a strict ‘need to know’ basis, for example to provide technical support.
1.2.2Encryption
Personal data is encrypted in transit using TLS 1.2+ with an encryption algorithm of 128 bits or higher and a cryptographic hash function algorithm of 256 bits or higher.
Personal data is encrypted at rest with an AES encryption algorithm of 256 bits or higher.
2.Penetration Testing and Vulnerability Assessment
Guardsquare performs both internal and external security testing.
Internal security testing is performed as part of Guardsquare’s secure software development lifecycle.
Third-party security testing is performed by an independent and reputable security consulting firm of Guardsquare’s choice. Findings from each assessment are reviewed with the assessors, risk ranked, processed, resolved, and verified individually by the responsible teams.
3.Secure Development Best Practices
Guardsquare applies secure software development best practices and security by design to mitigate known vulnerability types such as those listed on the OWASP Top 10 Web Application Security Risks.
4.Contact
Guardsquare Processing contact:
privacy@guardsquare.com
Mailing address:
GuardSquare NV
Tervuursevest 362 LEUVEN
