DATA PROCESSING ADDENDUM

 

This Data Processing Addendum (“DPA”) shall operate between: (i) Interactive Meeting Technology, LLC, hereinafter “IMT,” acting on its own behalf and as agent for each IMT Affiliate; and (ii) the Customer acting on its own behalf and as agent for each Customer Affiliate, as defined below, (each a “Party” and collectively the “Parties”).

This DPA forms a part of IMT’s Terms of Service (“Agreement”) and shall remain in effect as long as Customer is engaged with IMT’s services. Except as modified below, the Agreement shall remain in full force and effect. Even in cases where the Agreement is terminated, this DPA shall remain in full force and effect as it pertains to the processing of Customer Personal Information.

 

1.              Definitions

1.1            In this DPA, the following terms shall have the meanings set out below:

1.1.1        “Applicable Laws” means United States (“US”) Federal, US State, European Union (“EU”), European Economic Area (“EEA”), EU Member State, or any other applicable laws or regulations with respect to any Customer Personal Information in respect of which Customer is subject to Data Protection Laws;

1.1.2        “Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with a Party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;

1.1.3        “Customer Personal Information” means any Personal Information, including Personal Information about Participants and Users, processed by IMT on behalf of a Customer pursuant to or in connection with the Agreement;

1.1.4        “Data Protection Laws” means the EU General Data Protection Regulation 2016/679 (“GDPR”) and laws or regulations implementing or supplementing the GDPR; the California Consumer Privacy Act (“CCPA”); any other data protection law to which Customer Personal Information may be subject;

1.1.5        “Participant” means a natural person engaged through games, quizzes, or other interactive properties by Customer through the Services or Software. A Participant is not a User, as defined in the Agreement.

1.1.6        “Personal Information” means any information relating to an identified or identifiable natural person.

1.1.7        “Services” means the services and other activities to be supplied to or carried out by or on behalf of IMT for Customer pursuant to the Agreement;

1.2            The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.

1.3            Any terms not defined herein shall have the same meaning as in the Agreement.

 

2.              General Provisions

2.1            Obligations of the Parties

2.1.1                 Customer and IMT shall be separately responsible for conforming with such statutory data protection provisions (including Data Protection Laws) as are applicable to each of them.

2.1.2                 Each Party shall inform the other without undue delay and comprehensively about any errors or irregularities related to the processing of Customer Personal Information detected during the course of the Agreement.

2.1.3                 Each party shall offer, as may be required by Data Protection Laws, reasonable assistance in the form of a procedure, practice, or technology to the other Party regarding any complaint or request to provide, amend, transfer, or delete Customer Personal Information, or to stop, mitigate, or remedy any unauthorized processing of Personal Information. Provisions governing obligations under GDPR are described in Section 3.

2.1.4                 Customer shall be responsible for the accuracy, quality, and legality of Customer Personal Information and the means by which Customer acquired the Customer Personal Information.  In particular Customer shall:

2.1.4.1             ensure its notice or consent obligations under Data Protection Laws towards the subjects of Customer Personal Information, including Participants and Users, are met;

2.1.4.2             ensure that it has the right, license, or other legal authority to transfer Customer Personal Information to IMT;

2.1.4.3             ensure that its use of the Services as well as any instructions provided to IMT are in compliance with Data Protection Laws.

2.1.5                 IMT will ensure that it and/or any person acting under IMT’s authority, including IMT Agents, will:

2.1.5.1             Retain, use, disclose, transfer or otherwise process the Customer Personal Information only for the specified purpose of performing the Services for Customer in accordance with the Agreement between Customer and IMT;

2.1.5.2             Not sell any Customer Personal Information.

 

2.2            Return and Deletion of Customer Personal Information

2.2.1                 Subject to Sections 2.2.2 and 2.2.3 IMT shall promptly and in all events within 60 days of the date of termination of any Services involving the processing of Customer Personal Information (the “Termination Date”), and upon request will delete and procure the deletion of all copies of Customer Personal Information.

2.2.2                 Subject to Section 2.2.3, Customer may, by written notice to IMT within 60 days of the Termination Date, request IMT to (a) return a complete copy of all Customer Personal Information to Customer; and (b) delete and procure the deletion of all other copies of Customer Personal Information. IMT and each Subprocessor shall comply with any such written notice within 90 days of the Termination Date. If Customer does not make a request of IMT within 60 days of the Termination Date, IMT shall be free to delete all Customer Personal Information, including Personal Information pertaining to Participants.

2.2.3                 IMT may retain Customer Personal Information solely to the extent and for such period as required by Applicable Laws and always provided that IMT shall ensure (i) the confidentiality of all such Customer Personal Information and (ii) that such Customer Personal Information is only processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage.

 

2.3            Security Incident

2.3.1                 If either Party learns of any unauthorized access, breach, or disclosure of Customer Personal Information concerning the their own or the other Party’s systems involved with the Service, that Party shall give prompt notification to the other Party and the Parties shall cooperatively establish a data breach notification and remediation plan, in compliance with Data Protection Laws, with the responsibility and expense for such notification and remediation plan being borne according to the Parties’ respective, proportionate responsibility for the disclosure or breach.

 

2.4            Third-Party and International Transfer

2.4.1                 Customer authorizes IMT to disclose or transfer Customer Personal Information to, or allow access to Customer Personal Information by, third parties for the purposes of providing the Services for Customer. IMT will, prior to any disclosure, impose on the third party obligations concerning Customer Personal Information substantially similar to those in this DPA.

2.4.2                 Customer recognizes that IMT is based in the US and authorizes IMT to transfer any Customer Personal Information to the US. Provisions governing the transfer of Customer Personal Information from the EU are described in Section 3.

 

2.5            Demonstrating Compliance

2.5.1                 IMT shall make available to Customer information reasonably necessary to demonstrate compliance under this DPA, including, where required by Data Protection Laws, auditing in regular intervals (but no more than once per year) the technical, organizational, and security measures taken by IMT and documenting the resulting findings.

2.5.2                 IMT shall, upon Customer’s written request and within a reasonable period of time, provide Customer with all information reasonably necessary for such audit.

2.5.3                 At Customer’s written request, IMT shall allow such audit (whether on-site or remotely) to be carried out either (i) by an independent third party audit firm bound by a duty of confidentiality and selected by the Customer and approved by IMT (which approval shall not unreasonably be withheld or delayed) and where applicable, in agreement with the competent regulatory agency, or (ii) by a competent regulatory agency. The Parties shall agree the scope of the audit in advance. Customer shall notify IMT in writing with a minimum of 30 calendar days prior to any such audit being carried out.

 

3.              GDPR Provisions

3.1            Definitions

3.1.1                 “Subprocessor” means any person (including any third party, but excluding an IMT Agent) appointed by or on behalf of IMT to process Customer Personal Information in connection with the Agreement;

3.1.2                 Terms not described in this section shall be defined consistent with Section 1.

3.1.3                 The term “Personal Information” as used in this DPA shall have the same meaning as “Personal Data” under GDPR for the purposes of Section 3.

3.1.4                 The terms, “Commission”, “Controller,” “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “processing/process/processes,” “Processor,” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

 

3.2            Use of Standard Contractual Clauses for Transfer of Data Outside of the EU

3.2.1                 Customer acknowledges that, from time to time during the term of the DPA, Customer Personal Information will be transferred to third countries. To facilitate transfer of Customer Personal Information to third countries, the parties agree to enter into the EU Standard Contractual Clauses.

3.2.2                 The Customer (as “data exporter”) and IMT (as “data importer”) hereby enter into, as of the Effective Date, the Standard Contractual Clauses for the transfer of GDPR Personal Information to processors established in third countries, Decision 2010/87/EU (the “SCCs”) (the text of which is available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en) which are incorporated by this reference and constitute an integral part of this DPA, along with any subsequent revisions to the SCCs that may be issued. The Parties are deemed to have accepted and executed the SCCs in their entirety, including the appendices.

3.2.3                 In the event of inconsistencies between the provisions of this DPA and the SCCs in relation to the subject-matters addressed herein, the provisions of the SCCs shall prevail as it relates to the Parties’ data protection obligations in connection with Customer Personal Information transfers.

3.2.4                 The information contained in Appendix 1 of this DPA shall fulfill the requirements of the SCCs Appendix 1 (Description of Processing).

3.2.5                 The information contained in Appendix 2 of this DPA shall fulfill the requirements of the SCCs Appendix 2 (Technical and Organizational Measures).

3.2.6                 At such time as the EU Commission, a Supervisory Authority, or a similar EU regulator modifies the SCCs, such SCCs shall apply upon their effective date. Parties agree that the reference and hyperlink in Section 3.2.2 may be modified to include the new SCCs upon notice to Customer, without the need for subsequent agreement.

 

3.3            Obligations of IMT for Customer Personal Information Regulated by GDPR

3.3.1                 IMT, as Processor, shall process and use Customer Personal Information only within the scope of Customer’s instructions (as described in the Agreement and this DPA) and shall process such data in compliance with the Data Protection Laws. IMT shall also notify the Customer if it is of the opinion that any instructions issued by the Customer violates Data Protection Laws.

3.3.2                 IMT shall ensure that its personnel entrusted with processing Customer Personal Information are subject to a contractual or statutory obligation of secrecy and have been duly instructed regarding such obligation prior to the beginning of their processing activities. The obligation of secrecy shall continue even after the termination of the above-mentioned activities or after termination of the employment at IMT.

3.3.3                 IMT confirms that it has structured its internal corporate organization to ensure compliance with the specific requirements of the protection of Customer Personal Information in accordance with Article 32 of the GDPR and that it has taken the appropriate technical and organizational measures to adequately protect Customer Personal Information against misuse and loss in accordance with the requirements of the Data Protection Laws.

3.3.4                 IMT shall assist the Customer in ensuring compliance with Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to IMT.

3.3.5                 Taking into account the nature of processing and information available to IMT, IMT shall reasonably assist the Customer in fulfilling its obligations with regard to the rights of the Data Subjects under GDPR and shall provide to Customer reasonably necessary information to provide those rights to Data Subjects. In addition, IMT shall:

3.3.5.1             Promptly notify Customer if IMT receives a request from a Data Subject under Data Protection Laws with respect to Customer Personal Information; and

3.3.5.2             Ensure that IMT does not respond to that request except on the documented instructions of Customer or as required by Data Protection Laws to which IMT is subject, in which case IMT shall, to the extent permitted by Data Protection Laws, inform Customer of that legal requirement before IMT responds to the request.

3.3.6                 IMT shall notify the Customer immediately if it becomes aware of a Personal Data Breach impacting Customer Personal Information that would require a response under Article 33 of the GDPR. In the case of such notification, IMT shall provide Customer with sufficient information to allow Customer to meet its obligations to report or inform Data Subjects or Supervisory Authorities of a Personal Information Breach under Data Protection Laws. IMT shall cooperate with Customer and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

 

3.4            Subprocessing

3.4.1                 Customer authorizes IMT to appoint (and permit each Subprocessor appointed in accordance with this DPA to appoint) Subprocessors in accordance with this Section 3.4 and any restrictions in the DPA or Agreement.

3.4.2                 IMT may continue to use those Subprocessors already engaged by IMT as at the date of this DPA, subject to IMT meeting the obligations set out in Section 3.4.4.

3.4.3                 Customer gives IMT general authorization to engage additional Subprocessors. IMT shall give Customer written notice of the appointment of any new Subprocessor via an up-to-date list of all Subprocessors available at https://www.socialpoint.io/privacy-policy/, which Customer may review at any time. If, upon review of the list of Subprocessors, Customer notifies IMT in writing of any objections (on reasonable grounds) to the proposed appointment, IMT shall work with Customer in order to reach a mutually agreeable solution as it relates to the particular Subprocessor.

3.4.4                 With respect to each Subprocessor, before the Subprocessor first processes Customer Personal Information, IMT shall:

3.4.4.1             Carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Customer Personal Information required by this DPA and the Agreement; and

3.4.4.2             Ensure that the arrangement between IMT and the Subprocessor is governed by a written contract with obligations no less strict than those required of IMT as those set out in this DPA and as required by Data Protection Laws.

3.4.5                 IMT shall be required to communicate to Subprocessors all requests, notices, or other instructions provided by Customer, including, but not limited to, requests for deletion, modification, or access to Customer Personal Information.

 

3.5            Data Protection Impact Assessment and Prior Consultation

3.5.1                 IMT shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required of Customer by Article 35 or 36 of the GDPR or equivalent provisions of Data Protection Laws, in each case solely in relation to processing of Customer Personal Information and taking into account the nature of the processing and information available to IMT.

 

4.              Miscellaneous

4.1            In the event of any conflict, inconsistency, or incongruity between the provisions of this DPA and any of the provisions of the Agreement, the provisions of this DPA shall in all respects govern and control as relates to the subject matter described herein.

\

4.2            Where Customer Personal Information becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures while being processed, IMT shall inform Customer without undue delay. IMT shall, without undue delay, notify to all pertinent parties in such action, that any Customer Personal Information affected thereby is in Customer’s sole property and area of responsibility, that Customer Personal Information is at Customer’s sole disposition, and that Customer is the responsible body in the sense of the relevant data protection act.

 

4.3            No change of or amendment to this DPA and all of its components, including any commitment issued by IMT, shall be valid and binding unless made in writing and unless it makes express reference to being a change or amendment to this DPA.

 

4.4            Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

 

 

APPENDIX 1

Description of Processing


Data exporter and Controller

The data exporter and Controller is:

Customer, as defined in this DPA.

 

Data importer and Processor

The data importer and Processor is:

IMT, as defined in this DPA.

 

Data subjects

The Customer Personal Information transferred concern the following categories of Data Subjects:

  • Users, as defined in the Agreement.
  • Participants, as defined in the DPA.

 

Categories of data

The Customer Personal Information transferred concern the following:

 

Users:

  • Name and contact information (e.g. address, phone number, email, fax, etc.);
  • Billing information (e.g. credit card, bank account, billing contact information);
  • Order/service information (e.g. current account/service information, purchase history);
  • Information about employer and/or co-workers using the Service;
  • Information contained in posts made in public areas of the Service.

 

Participants:

  • Name and contact information (e.g. address, phone number, email, etc.);
  • Other information Customer may choose to collect through custom fields or activities designed through the Service.

 

Special categories of data (if appropriate)

The Customer Personal Information transferred concern the following special categories of data:

None.

 

Processing operations

The Customer Personal Information transferred will be subject to the following basic processing activities:

The Customer Personal Information collected is used to facilitate the services provided as described in the Agreement and this DPA.

 

 

APPENDIX 2

Technical and Organizational Measures

This Section describes the technical and organizational security measures and procedures that IMT shall, as a minimum, maintain to protect the security of Customer Personal Information. IMT will keep documentation of technical and organizational security measures identified below to facilitate audits and for the conservation of evidence.

 

  1. General Measures:

Notwithstanding the specific technical and organizational security measures detailed in the following, IMT shall implement the following general security measures:

  • policies, rules, handling instructions with the minimum content detailed in applicable law that identify, detail and accompany its security programs and procedures and that are binding for the staff dealing with information systems or Customer Personal Information;
  • continuing review of its security programs and procedures to ensure that they are in compliance with applicable law and are adequate, having regard to the risks with which IMT may be confronted when processing the Customer Personal Information on behalf of Customers the nature of the data, industry good practice, and the cost of their implementation at that time. Such review shall take place at least once a year and in case of any significant changes in the information systems, processing system, organization, content of the information of filings or processing operations, or as a consequence of the periodical reviews carried out;
  • training of staff with access to Customer Personal Information on regular basis, including training on the obligations of employees under company privacy and security policies as well as general security awareness;
  • records / documentations listing
  • equipment and software being under IMT’s control and used for the processing with the following information: (i) name, type and location of equipment, name of its manufacturer; and (ii) name and version of the software, name and contact details of its manufacturer;
  • buildings, premises, security systems and storage infrastructure used for Customer Personal Information processing;
  • if security measures are adopted through external entities, IMT has obtained written description of the activities performed that guarantees compliance with the measures adopted in this Policy;
  • appointment of system administrators in compliance with the following requirements: individual appointment; coordination and oversight of system administrators through a management structure that includes security officers; adoption and oversight of suitable measures requiring system administrators’ to keep system logs and to keep them secure and accurate; periodic audit of system administrators’ activities to assess compliance with the assigned tasks (including system logs), the instructions received, and the applicable laws; keeping of an updated list with system administrators’ identification details that can be provided to Customers upon request;
  • appointment of one or more security officers in charge of coordinating and controlling the security measures;
  • the distribution of functions between the organizational units as well as the operatives regarding the use of Customer Personal Information shall be laid down expressly;
  • determination of functionality and security, all changes to software, hardware or communication links must be tested in a testing environment and require approval prior to moving into production;
  • any tests to be conducted prior to the implementation or modification of an information system shall not use real data, unless the corresponding security level is ensured and the execution of said tests is authorized. If tests using real data are foreseen, a security copy must previously be made.

 

  1. Access Control of Processing Areas:

IMT shall implement suitable measures to prevent unauthorized persons from gaining access to the data processing equipment (namely database and application servers and related hardware) where the Customer Personal Information are processed or used. This shall be accomplished as follows:

  • Outsourced processing: IMT hosts its Services with outsourced cloud infrastructure providers. Additionally, IMT maintains contractual relationships with vendors in order to provide the Service in accordance with our Data Processing Addendum.
  • Physical and environmental security: IMT hosts its product infrastructure with multi-tenant, outsourced infrastructure providers.
  • Customer Data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in IMT’s Services is designed to ensure that only the appropriate assigned individuals can access the relevant features, views and customization options.
  • Authorization to data sets is performed through validating the IMT Agent or User’s permissions against the attributes associated with each data set.

 

  1. Access Control to Data Processing Systems:

IMT shall implement suitable measures to prevent its data processing systems from being used by unauthorized persons. This shall be accomplished as follows:

 

  • dedication and identification of individual IMT Agents – identification characteristics shall be exclusive to specific functions;
  • IMT Agent authentications are individual and will not be assigned to another person, even if at a different time;
  • IMT Agent authentications provide state-of-the-art protection against misuse; when using passwords, IMT follows the CIS AWS Foundations Benchmark v1.2.0 for Password creation, usage and management.
  • multi-factor authentication is required for all IMT Agents.
  • access to systems requires a security key that is updated every 90 days.
  • IMT Agent authentications will be regularly reviewed and adapted by dedicated system administrators (at least yearly);
  • IMT Agent authentications will automatically be deactivated upon termination or if the IMT Agent is disqualified from accessing certain projects, data or company systems;
  • all failed logon attempts will be logged, monitored and tracked and IMT Agent authentications shall automatically be deactivated after ten failed logon attempts;
  • Employee computers will automatically be locked if left idle for a certain period of time with IMT Agent authentication required to reopen;
  • staff are bound via policies and instructions to keep their IMT Agent authentications secure and confidential and are held responsible in case of non-compliance with this obligation;
  • use of industry standard firewall, up-to-date anti-virus and malware protection and/or other similar protection technology;
  • all security incidents are recorded indicating at least (i) the type of incident, (ii) the date on and time at which the incident took place or was detected, (iii) the person giving the notice and the recipient of such notice, (iv) the effects of the incident and corrective measures applied including the identification of the person who carried them out, and (v) the specific data recovered and, as the case may be, the data that had to be manually recorded;
  • in the event of a security incident concerning Customer Personal Information, a handling process must be established which covers at least the following matters:
    • investigation of the cause;
    • identification and notification to the potentially affected data subjects; and
    • examination and implantation of sufficient measures to prevent future recurrence of the same or similar kinds of incidents;
  • procedures are in place and specific authorizations and instructions are given to ensure the confidentiality and integrity of Customer Personal Information when performing processing operations outside the processing premises or through mobile devices. For the use of mobile devices which contain or provide access to Customer Personal Information the following minimum standards shall be applied:
    • IMT Agents shall be obliged to take special precautions while having the mobile devices transported, stored or used outside the processing premises;
    • IMT Agents are prohibited from attempting to bypass company-required mobile device controls;
    • if an IMT Agent attempts to bypass company-required controls, the device will be wiped of sensitive information and the device will be blocked from company systems;
    • IMT Agent must set a mobile device to have a minimum of a 4-digit PIN and a five-minute lockout time;
    • IMT Agents receive information regarding best practices when using a mobile device; and
    • mobile devices are protected by cryptographic protection measures where risk assessment deems it necessary.
  • security measures required for access to Customer Personal Information through communication networks, whether they are public or not, must guarantee a security level equivalent to that applying to local access;
  • staff is instructed regarding safe handling of documents containing Customer Personal Information;
  • monitors of computers used for public relations are placed so that the Customer Personal Information displayed on the screen cannot be seen by the public; and
  • documents, devices and media containing Customer Personal Information are subject to controlled and documented destruction avoiding access to the information contained therein or its later recovery; and
  • for non-automated files additionally, the following shall apply:
    • filing is performed in a way that guarantees the appropriate storage of the documents, the localization and consultation of the information and the performance and of the rights of access, rectification, cancellation and objection; and
    • whenever documents containing Customer Personal Information are not stored in the aforementioned ways, due to the fact that they are being revised or dealt with either prior or after their filing, it is best practice for the person in charge of the documents to guard them and block access by unauthorized persons.

 

  1. Access Control to Use Specific Areas of Data Processing Systems:

IMT shall commit that the persons entitled to use its data processing system are only able to access the data within the scope and to the extent covered by their respective access permission (authorization) and that Customer Personal Information cannot be read, copied, modified, or removed without authorization. This shall be accomplished as follows:

 

  • IMT Agents or Users are granted access to Customer Personal Information as required to perform their duties only and policies are in place detailing the underlying authorization concept;
  • dedication and identification of individual IMT Agents or Users – identification characteristics shall be exclusive to specific functions;
  • IMT Agent or User access rights will be regularly reviewed and adapted by dedicated system administrators;
  • a list of IMT Agents or Users authorized to carry out the processing of data is in place containing the following information: (i) full name of the authorized person, (ii) date of granting and expiring as well as the scope of an authorization to access Customer Personal Information, (iii) identifier (in case where data are processed in an information system);
  • save for the exceptional situations, the technical support team has access to Customer Personal Information only after going through the standard access control process or the anonymization of the data;
  • IMT Agents or Users are trained and instructed with respect to their access rights;
  • media and documents containing Customer Personal Information will allow the identification of the information they contain and its inventory and can only be accessed by personnel specifically authorized for that purpose.
  • automatic, system-driven reminders for IMT Agents or Users regarding the restrictions to access Customer Personal Information are implemented; and
  • IMT Agent or User access to Customer Personal Information without authorization results in effective and measured disciplinary actions.

 

  1. Transmission Control:

IMT shall implement suitable measures to prevent the Customer Personal Information from being read, copied, altered, or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This shall be accomplished as follows:

 

  • In-transit: IMT makes HTTPS encryption available on every one of its login interfaces and on all Customer applications. IMT’s HTTPS implementation uses industry standard algorithms and certificates.
  • At-rest: IMT stores IMT Agent and User passwords following policies that follow industry standard process for security. IMT has implemented technologies to ensure that stored data is encrypted at rest.

 

  1. Input Control:

IMT shall implement suitable measures to make sure that it can check and establish whether and by whom Customer Personal Information has been inputted into data processing systems or removed. This shall be accomplished as follows:

 

  • authentication of system IMT Agents;
  • role based access for IMT Agents to be able to access Customer data.
  • logging of additions, updated, downloads and deletes of all Customer Data. Logs include user, user interface, time stamp and number of records impacted.

 

  1. Availability Control:

IMT shall implement suitable measures to make sure that Customer Personal Information is protected from accidental destruction or loss. This shall be accomplished as follows:

  • IMT’s Services are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists IMT’s operations in maintaining and updating the product applications and backend while limiting downtime.
  • appropriate business continuity plans are in place regarding recovery measures in case of a disaster alongside with regular tests of the effectiveness of the business continuity plans in place and adaptions where required; and
  • procedures are in place covering backup copies and addressing the following minimum requirements:
    • backup copies are made regularly (each night);
    • all databases are backed up and maintained using at least industry standard methods.
    • backup copies shall be made available for restoration in case of system failures at least within seven days warranting the restoration of the data to the state in which they were at the time of the last performed backup (within the timelines set out in this DPA);
    • the correct definition, operation and application of backup and recovery copies procedures will be verified at least annually.

 

  1. Job Control:

IMT implements suitable measures to ensure that, in the case of commissioned processing of Customer Personal Information, the Customer Personal Information are processed strictly in accordance with the instructions of the Customers.  This shall be accomplished as follows:

  • measures are implemented to ensure that Customers’ instructions regarding the processing of Customer Personal Information will be followed and brought to the attention of the staff dealing with the processing of Customer Personal Information;
  • Customer is granted regular access and control rights as more closely defined in this DPA; and
  • third parties are granted access to Customer Personal Information only upon Customers’ express prior written permission for each single case or as permitted under this DPA (e.g., as regards the commissioning of subcontractors).

 

  1. Separation of Processing for Different Purposes:

IMT shall implement suitable measures to make sure that data collected for different purposes can be processed separately. This shall be accomplished as follows:

  • access to Customer Personal Information is separated through application security for appropriate IMT Agents;
  • segmentation of Customer Personal Information into databases that are classified as having Customer Personal Information and have extra security measures and access limitations;
  • interfaces, batch processes, and reports are designed for only specific purposes and functions, so data collected for specific purposes is processed separately.

 

  1. Additional measures implemented by IMT in relation to the processing of special categories of data:

Where special categories of data are processed, IMT additionally ensures that

  • where risk assessment deems it necessary, special categories of data is encrypted and stored separately;
  • the identity of the recipient of special categories of data transferred over public electronic communications networks is validated;
  • restoration of access to special categories of data guaranteed within at least seven (7) days;
  • copies or reproductions of documents containing special categories of data will take place only under the control of specifically authorized persons;
  • cabinets, files or other elements where non-automated filings are stored are placed in areas where access is limited by doors that shall have opening systems through a key or an equivalent device with such areas being kept closed when access to the documents included in the filing is not required, or if, due to the characteristics of IMT’s premises, such measures cannot be implemented, to have adopted alternative measures that would have to be described and justified in a security document;
  • procedures are in place and specific authorizations and instructions are given to ensure the confidentiality and integrity of special categories of data for use of and access to removable devices and media containing special categories of data as well as for transport of these data outside the processing premises; and
  • removable media containing special categories of data is destroyed or made unusable if not further used or can be re-used only if information previously contained on this media is not intelligible and cannot be re-constructed by any technical means.