Data Processing Agreement

Last updated: 24 May 2018

This DPA is entered into between the Company and the Customer and is incorporated into and governed by the terms of the Agreement.

Any capitalised term not defined in this DPA shall have the meaning given to it in the Agreement.

“Affiliates” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of a party;
“Agreement” means the agreement between the Company and the Customer for the provision of the Services;
“Controller” means the Customer;
“Data Protection Law” means the GDPR and/or any subsequent amendment, replacement or supplementary legislation;
“Data Subject” shall have the same meaning as set out in Data Protection Law;
“DPA” means this data processing agreement together with Exhibits A and B;
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;
“Personal Data” shall have the same meaning as in Data Protection Law;
“Processor” means the Company;
“Standard Contractual Clauses” means the EU model clauses for the transfer of personal data from controllers to processors, C(2010) 593 - Commission Decision 2010/87/EU;
“Sub-Processor” means any person or entity engaged by the Company or its Affiliate to process Personal Data in the provision of the Services to the Customer.
  1. Purpose
  2. Scope
  3. Processor Obligations
  4. Controller Obligations
  5. Sub-Processors
  6. Liability
  7. Audit
  8. Data Breach
  9. Compliance, Cooperation and Response
  10. Term and Termination
  11. General

The parties agree that this DPA is incorporated into and governed by the terms of the Agreement.

Exhibit A

Overview of data processing activities to be performed by the Processor

1. Controller

The Controller transfers Personal Data identified in sections 3, 4 and 5 below, as it relates to the processing operations identified in section 6 below.

The Controller is the Customer.

2. Processor

The Processor receives data identified in sections 3, 4 and 5 below, as it relates to the processing operations identified in section 6 below.

The Processor is the Company.

3. Data Subjects

The Personal Data transferred includes but is not limited to the following categories of Data Subjects:

  • Employees and contractors of the Controller and other users added by the Controller from time to time.
  • Customers of the Controller.
  • Suppliers to the Controller.
  • Other individuals to the extent identifiable in the content of emails or their attachments.

4. Categories of Data

The Personal Data transferred includes but is not limited to the following categories of data:

  • Personal details, names, passwords, email addresses of users.
  • Personal Data within emails which identifies or may reasonably be used to identify, data subjects.
  • Metadata, including the sent, to, from, date, time and subject fields, which may include Personal Data.
  • File attachments that may contain Personal Data.
  • Data sent by users of their own accord in free text fields or in files uploaded to the Service, which may include Personal Data.
  • Information offered by users as part of support enquiries.
  • Other data added by the Controller from time to time.
  • Technical operational data including IP addresses, logins, search queries, which may include Personal Data.

5. Special categories of Data

No sensitive data or special categories of data are permitted to be transferred, and such data shall not be contained in the content of, or attachments to, emails.

6. Processing operations

The Personal Data transferred will be subject to the following basic processing activities:

  • Personal Data will be processed to the extent necessary to provide the Services in accordance with both the Agreement and the Controller’s instructions. The Processor processes Personal Data only on behalf of the Controller.
  • Processing operations include but are not limited to: automatically explaining bank transactions in FreeAgent, automatically uploading receipt emails to FreeAgent, and sending general information about the Service to the Controller. These operations relate to all aspects of Personal Data processed.
  • Technical support, issue diagnosis and error correction to ensure the efficient and proper running of the systems and to identify, analyse and resolve technical issues both generally in the provision of the Services and specifically in answer to a Controller query. This operation may relate to all aspects of Personal Data processed but will be limited to metadata where possible.
  • Virus, anti-spam and Malware checking in accordance with the Services provided. This operation relates to all aspects of Personal Data processed.

Exhibit B

Technical and Organisational Security Measures (“TOMs”)

The Processor utilises third party data centres that maintain current ISO 27001 certifications. The Processor will not utilise third party data centres that do not maintain ISO 27001 certifications, or other substantially similar or equivalent certifications and/or attestations.

Upon the Controller’s written request (no more than once in any 12 month period), the Processor shall provide within a reasonable time a copy of the most recently completed certification and/or attestation reports (to the extent that doing so does not prejudice the overall security of the Services). Any audit report submitted to the Controller shall be treated as Confidential Information and subject to the confidentiality provisions of the Agreement between the parties.

The following descriptions provide an overview of the technical and organisational security measures implemented. It should be noted, however, that in some circumstances, in order to protect the integrity of the security measures and in the context of data security, detailed descriptions may not be available. It is acknowledged and agreed that the technical and organisational measures described herein will be updated and amended from time to time, at the sole discretion of the Processor.

Confidentiality

TOMs to ensure the confidentiality of the Personal Data processed by the Service.

  • Data is encrypted in transit: data transmitted between the user's browser and the Service is always encrypted over HTTPS using TLS, with symmetric keys of at least 128 bits and certificates signed with SHA-256. The Processor uses modern, strong cipher suites; known-weak ciphers are explicitly disabled and the protocol and cipher configuration is reviewed regularly. Data sent to third parties is always sent over encrypted connections. This mitigates the risk of deliberate data interception (for example man-in-the-middle attacks) and of accidental data leakage.

  • Data is encrypted at rest: data at rest, for example in backups or on the Processor's computers, is always encrypted using AES with 256-bit keys. This mitigates the risk of data falling into unauthorised hands, for example through network exfiltration or stolen devices.

  • Data retention policies: the Processor maintains policies to ensure the minimal amount of Personal Data is retained and that Personal Data is not retained any longer than necessary. This mitigates the risk of accidental or deliberate disclosure of Personal Data.

  • The principle of least privilege access is embedded at all levels in the Processor, from staff down to operating system server processes. This ensures that only the data that is authorised to be processed may be accessed. This mitigates the risk of accidental or deliberate disclosure of Personal Data.

  • The data centres used by the Processor implement multiple physical access controls to prevent unauthorised people from physically accessing data processing equipment which processes or uses Personal Data.

  • The Processor only authorises specific staff to access the Service's production systems. This mitigates the risk of accidental or deliberate disclosure of Personal Data.

  • The Controller's Personal Data is kept logically separate from other Personal Data. This mitigates the risk of accidental disclosure of Personal Data.

Integrity

TOMs to ensure the integrity of the Personal Data processed by the Service.

  • All access to Personal Data, including use of the Service by the Controller, is logged and an audit trail of changes is maintained. The Controller may view the audit trail within the Service to help ensure Personal Data is accurate and up to date. This mitigates the risk of Personal Data being altered or deleted, either accidentally or deliberately, and supports the data subjects' right to rectification.

  • The Controller may view, update, and delete all their Personal Data held in the Service. This mitigates the risk of Personal Data becoming inaccurate or out of date and supports data subjects' right to rectification.

  • The principle of least privilege access is embedded at all levels in the Processor, from staff down to operating system server processes. This ensures that only the data that is authorised to be processed may be accessed. This mitigates the risk of accidental or deliberate alteration or destruction of Personal Data.

  • The Processor only authorises specific staff to access the Service's production systems. This mitigates the risk of accidental or deliberate alteration or destruction of Personal Data.

  • The Processor maintains separate development and production systems utilising different security tokens, passwords, and privileges. This mitigates the risk of accidental or deliberate alteration or destruction of Personal Data.

Availability

TOMs to ensure the availability of the Personal Data processed by the Service.

  • The availability of the Service is monitored continually. Automatic notifications are sent to the Processor in the event of the Service becoming unavailable so that the Processor may act to restore availability in a timely fashion.

  • The Processor only authorises specific staff to access the Service's production systems. This mitigates the risk of accidental or deliberate interference with the Service which could affect availability.

  • If Personal Data is no longer required for the purposes for which it was processed, it is deleted promptly. It should be noted that on each deletion the Personal Data is first only locked (made inaccessible) and is then permanently deleted after a fixed delay. This is done to allow recovery from accidental deletions or possible intentional damage.

  • Further TOMs, including but not limited to those ensuring resilience, are described below.

Resilience

TOMs to ensure the resilience of the Personal Data processed by the Service.

  • Data is backed up off-site at least every 15 minutes, as per the data retention policy. This mitigates the risk of data loss, destruction or damage.

  • Data centres used by the Processor utilise multiple redundant network connections to major internet exchanges. This provides resilience in the face of adverse network conditions.

  • Data centres used by the Processor utilise redundant UPS power supplies supported by diesel generators for standby power. This mitigates the risk of power outages and provides resilience in the face of electrical supply problems.

  • Data centres used by the Processor utilise redundant N+2 air cooling systems to mitigate the risk of overheating computing and network equipment.

  • Data centres used by the Processor utilise modern fire systems for prevention, detection and response with direct connections to the local fire service.

  • Data centres used by the Processor provide automatic protection against distributed denial of service (DDoS) attacks. This provides resilience in the face of network attacks whether directed against the Service or others on the network.

  • DNS services used by the Processor are built on distributed, redundant architectures. This provides resilience in the face of adverse network conditions.

Timely restoration of access to Personal Data

TOMs to ensure the timely restoration of access to the Personal Data processed by the Service.

  • The Processor uses modern DevOps practices, including but not limited to infrastructure-as-code, to enable new servers to be commissioned as necessary in a timely fashion. This mitigates the risk of loss of access to Personal Data in the face of problems with existing servers, including but not limited to web servers, application servers, and database servers.

  • The Processor's backup and restoration processes enable the timely restoration of Personal Data from backups as per the data retention policy. This mitigates the risk of loss of access to Personal Data caused by problems with the database.

General Technical measures

The Processor implements general technical measures, including but not limited to the following, to support the confidentiality, integrity, availability, and resilience of Personal Data.

Physical security

  • Office premises protected by locks and alarms.
  • All paper shredded after use.
  • Old computer equipment securely wiped (data erased, not merely formatted) before disposal.

Device security

  • All computers and devices use full disk encryption.
  • All backup media use full disk encryption.
  • All computers and devices regularly updated and security-patched.
  • All passwords generated by and stored in an industry-leading password manager.

Network security

  • All networks protected by firewalls.
  • All Personal Data that is transmitted, either to the Service or to a third party, is sent over encrypted networks.
  • Access to Personal Data over public wifi is prohibited unless a VPN is used.

System security

  • All passwords and authentication keys rotated regularly.
  • All servers regularly updated and security-patched.
  • All user passwords hashed with a one-way cryptographic hashing function with salt before storage.
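The salted one-way hashing mentioned above, as an added illustration that is not the Processor's code: a fresh random salt per password, an iterated key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library) rather than a plain hash, constant-time comparison on verification, and a self-describing storage format so the iteration count can be raised later without breaking existing records. The storage format (`algorithm$iterations$salt$digest`) and the 600,000 iteration count are assumptions; tune the count to your own hardware.

```python
"""Salted, iterated password hashing with constant-time verification.

Added example; not the Processor's implementation. Only the standard library is
used. The record format and the default iteration count are assumptions.
"""
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # assumed policy value; raise as hardware gets faster
SALT_BYTES = 16
KEY_LEN = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text, validate=True)


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA256: the iteration count is what makes offline guessing slow.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable record: algorithm$iterations$salt$digest (base64 fields)."""
    salt = secrets.token_bytes(SALT_BYTES)   # per-user salt: equal passwords -> different records
    digest = _derive(password, salt, iterations)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    """Check a password against a stored record without leaking timing information."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt, expected = _unb64(salt_b64), _unb64(digest_b64)
        actual = _derive(password, salt, int(iterations))
    except ValueError:            # malformed record, bad base64 or bad int
        return False
    # hmac.compare_digest runs in constant time with respect to the digest contents.
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was made under a weaker policy than the current one
    (re-hash at the next successful login, when the plaintext is available)."""
    try:
        algorithm, stored_iterations, _salt, _digest = stored.split("$")
        return algorithm != ALGORITHM or int(stored_iterations) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Correct horse battery staple", record))
```

Rotation of the hashing policy (see "All passwords and authentication keys rotated regularly" above) is handled by `needs_rehash`: records created with an older, lower iteration count are upgraded transparently at the user's next login.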

Website security

  • All web traffic protected by HTTPS / TLS and appropriate security headers.
  • Web server ciphers regularly reviewed and known weak ciphers disallowed.
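The cipher review described here and in the "Data is encrypted in transit" measure under Confidentiality, as an added worked example that is not the Processor's own tooling: it builds a client-side TLS policy (TLS 1.2 minimum, certificate and hostname verification, forward-secret AEAD suites only) with the Python standard library and audits the enabled cipher list against the stated requirements (no known-weak algorithms, at least 128-bit keys). The cipher string, the list of "known weak" name markers and the constructed legacy cipher sample are assumptions chosen for illustration.

```python
"""TLS policy check: TLS >= 1.2, AEAD suites only, >= 128-bit symmetric keys.

Added example using only the standard-library `ssl` module; it is not the
Processor's configuration. The cipher string, the weak-cipher markers and the
LEGACY_SAMPLE list below are assumptions made for illustration.
"""
import ssl

# Substrings that identify cipher suites a reviewer should reject (assumed list).
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH", "PSK", "SRP")

# OpenSSL cipher string: forward-secret AEAD suites only, with explicit exclusions
# so that a future OpenSSL default cannot silently re-enable a weak suite.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!DES:!EXP"

# Constructed sample shaped like ssl.SSLContext.get_ciphers() output for a
# permissive legacy configuration (not captured from any real server).
LEGACY_SAMPLE = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "strength_bits": 128, "aead": True},
    {"name": "AES256-SHA", "strength_bits": 256, "aead": False},
    {"name": "DES-CBC3-SHA", "strength_bits": 112, "aead": False},
    {"name": "RC4-MD5", "strength_bits": 128, "aead": False},
    {"name": "NULL-SHA256", "strength_bits": 0, "aead": False},
]


def audit_ciphers(ciphers, min_bits=128):
    """Return {cipher_name: reason} for every suite that violates the policy.

    `ciphers` is a list of dicts in the shape of SSLContext.get_ciphers();
    only the 'name', 'strength_bits' and 'aead' keys are consulted.
    """
    failures = {}
    for cipher in ciphers:
        name = cipher["name"]
        if cipher["strength_bits"] < min_bits:
            failures[name] = f"{cipher['strength_bits']}-bit key below {min_bits}"
        elif any(marker in name for marker in WEAK_MARKERS):
            failures[name] = "known-weak algorithm"
        elif not cipher.get("aead", False):
            failures[name] = "not an AEAD suite (no integrated authentication)"
    return failures


def build_context():
    """Client context enforcing the stated transport policy."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSLv3/TLS 1.0/1.1 refused
    ctx.set_ciphers(HARDENED_CIPHERS)              # TLS 1.3 suites are separate and all AEAD
    return ctx


def policy_report(ctx=None, min_bits=128):
    """Summarise a context's settings plus any cipher-list violations."""
    ctx = ctx or build_context()
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "failures": audit_ciphers(ctx.get_ciphers(), min_bits),
    }


if __name__ == "__main__":
    print("legacy sample:", audit_ciphers(LEGACY_SAMPLE))
    print("hardened context:", policy_report())
```

Run the script on the constructed sample and the 3DES, RC4, NULL and non-AEAD CBC suites are each flagged with a reason, while the hardened context reports no failures. The same `audit_ciphers` function can be pointed at the output of `ssl.SSLContext.get_ciphers()` for a server-side context, which is the periodic review the measure calls for.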

Data centre security

  • Staffed 24 hours a day, all year.
  • Entry controlled via electronic access control terminals.
  • Continual high definition video surveillance.
  • All personnel movements recorded and documented.

Data security

  • 3 copies of all data with backups on 2 different media.
  • Backups stored off-site.
  • Data deleted when no longer needed.

Software development

  • All developers are familiar with the OWASP Top Ten web application security risks.
  • All software must pass automated tests before deployment.
  • Data privacy is always a fundamental requirement for the Service's software.

General Organisational measures

  • Staff with access to Personal Data only process that data when instructed to do so and only within the scope of the instructions.
  • Staff are trained on:
    • responsibilities as a Controller and Processor under GDPR;
    • staff responsibilities for protecting Personal Data, including the collection, processing and use of Personal Data only within the framework and for the purposes of their duties (e.g. Service provision);
    • proper procedures to identify callers;
    • proper procedures to identify social engineering and phishing attacks;
    • security policies.
  • Personal Data is only accessed as needed and only when approved by the Controller (e.g. for support), or by technical staff for necessary support and maintenance of the Service.
  • Staff confidentiality agreements.
  • Only designated staff can access production systems.
  • Personal Data is used for internal purposes only (e.g. as part of the respective customer relationship) and may be transferred to a third party such as a subcontractor solely subject to contractual arrangements and the applicable data protection regulatory requirements.
  • The transfer of Personal Data to a third party (e.g. customers, sub-contractors, service providers) is only made if a corresponding contract exists, and only for the specific purposes. If Personal Data is transferred to companies located outside the EEA, the Processor ensures that an adequate level of data protection exists at the target location or organisation in accordance with the European Union's data protection requirements, e.g. by employing contracts based on the Standard Contractual Clauses.