Data processing agreement
08 April 2024
1. GENERAL
1.1 The Company shall be the data controller for all processing of personal data carried out using the Service unless otherwise specified in this data processing agreement. Mitigater shall, within the scope of the Service, process personal data on behalf of the Company as a data processor. The purpose, duration, nature, and objectives of the processing, as well as the types of personal data and categories of data subjects affected by the processing, are further detailed in Appendix - Description of the processing of personal data in the Service. The Company is responsible for ensuring that all such processing of personal data complies with applicable data protection legislation, including the General Data Protection Regulation (EU 2016/679) ("Applicable Legislation").
2. GENERAL OBLIGATIONS OF MITIGATER
2.1 As data processor, Mitigater shall only process personal data in accordance with the Company's written instructions under this data processing agreement, as well as any additional documented instructions provided by the Company from time to time. Additional instructions may be communicated to Mitigater via email or on a specific form. These instructions should contain equivalent information as specified in the appendix to this data processing agreement.
2.2 In the event that Mitigater lack instructions necessary to fulfill their duties, Mitigater shall promptly inform the Company and await further instructions. Should Mitigater find that an instruction conflicts with Applicable Legislation, Mitigater shall inform the Company without undue delay. If, in such a case, the Company fails to provide additional instructions, Mitigater shall disregard the conflicting instruction and notify the Company accordingly. Should the Company persist in the unlawful instruction, Mitigater are entitled to terminate the Agreement prematurely as per the terms outlined in the general terms and conditions.
2.3 Notwithstanding clause 2.1, Mitigater have the right to process personal data to the extent required to fulfill their obligations under Applicable Legislation, such as complying with orders from authorities. However, Mitigater must inform the Company of this legal obligation before proceeding with such processing, unless mandatory legislation prohibits Mitigater from providing such information.
2.4 If any requests for information regarding the Company's processing of personal data are received by Mitigater, Mitigater shall direct them to the Company by notifying the Company's contract manager via email. Mitigater may not disclose personal data or any other information regarding the processing of personal data without written instructions from the Company. Mitigater are not authorized to represent the Company or act on behalf of the Company with any third party, including supervisory authorities.
3. TECHNICAL AND ORGANIZATIONAL MEASURES
3.1 Mitigater shall implement the technical and organizational measures required by Applicable Legislation to protect the personal data processed within the Service, including those specified in the security annex to this data processing agreement. The Company's prior approval is necessary for any changes to the technical and organizational measures that may decrease the level of security. The parties agree that these measures shall be regularly reviewed to ensure their adequacy considering the risks associated with the processing of personal data.
3.2 Upon request, Mitigater shall assist the Company with necessary information available to Mitigater for the Company to fulfill its obligations regarding impact assessments and prior consultations with relevant supervisory authorities regarding the processing conducted by Mitigater on behalf of the Company within the Service. Mitigater have conducted an impact assessment regarding the processing of personal data performed on behalf of the Company, which is available to the Company upon request.
3.3 To the extent possible, Mitigater shall assist the Company by taking appropriate technical and organizational measures to enable the Company to fulfill its obligation to respond to requests to exercise data subjects' rights as provided by Applicable Legislation. The Service includes certain functionality to facilitate the Company's compliance with requests from data subjects to exercise their rights under Applicable Legislation.
3.4 Mitigater shall ensure that access to personal data is restricted to Mitigater' personnel who require access to fulfill their obligations to the Company. Furthermore, Mitigater shall ensure that such authorized personnel observe confidentiality equivalent to that provided under clause 8 below through individual confidentiality agreements.
4. PERSONAL DATA INCIDENTS
4.1 In the event of a personal data incident (as defined in Applicable Legislation), Mitigater shall notify the Company in writing through the Company's contract manager without undue delay after becoming aware of the incident and no later than within 24 hours, in accordance with Mitigater' applicable procedure. The notification shall include information about the nature of the incident, the categories and number of data subjects and personal data records affected, the likely consequences of the incident, and a description of the measures (if any) Mitigater have taken to limit the potential negative effects of the incident, so as to enable the Company to fulfill its obligation, if any, to report the personal data incident to the relevant supervisory authority. If it is not possible to provide all the information at once, Mitigater shall provide the information to the Company as soon as it becomes available to Mitigater.
4.2 If it is likely that a personal data incident poses a risk to the data subjects' personal integrity, Mitigater shall, to the extent possible, immediately after becoming aware of the personal data incident, take appropriate remedial measures to prevent or limit the potential negative effects of the personal data incident.
5. ACCESS TO INFORMATION, ETC.
5.1 Mitigater shall continuously document the measures taken to fulfill their obligations under this data processing agreement. Upon request, the Company shall have the right to access the latest version of such documentation. For information on the processing of personal data carried out within the Service, see the appendix to this data processing agreement.
5.2 Furthermore, Mitigater shall enable and assist the Company, or a third party designated by the Company, in conducting an audit, including inspection, of the technical and organizational measures Mitigater take to fulfill their obligations under this data processing agreement. Mitigater shall be notified in writing of such an audit at least 30 days in advance. All costs of the audit shall be borne by the Company, including any costs incurred by Mitigater for participating in the audit. The Company shall ensure that any third party conducting the audit on behalf of the Company shall observe confidentiality no less restrictive than that provided under clause 8 below. Corresponding provisions apply to the Company's request for an audit of a Sub-processor engaged by Mitigater in connection with the Service, see clause 6 below.
6. ENGAGEMENT OF SUB-PROCESSORS
6.1 The Company hereby approves Mitigater engaging subcontractors listed on Mitigater' website from time to time to process personal data on behalf of the Company in connection with the Services ("Sub-processors"). The subcontractors engaged by Mitigater at the time of entering into this Agreement are also listed in the appendix to this data processing agreement. The Company further grants general advance approval to Mitigater for engaging new Sub-processors provided that Mitigater ensure that the Sub-processor provides sufficient guarantees to implement appropriate technical and organizational measures to ensure that the processing complies with the requirements of Applicable Legislation.
6.2 Mitigater shall enter into a data processing agreement with the Sub-processor. Such a data processing agreement shall include provisions equivalent to those set forth in this data processing agreement and Applicable Legislation.
6.3 In the event that Mitigater intend to engage a new Sub-processor, Mitigater shall inform the Company thereof by email to the Company's contract manager. Mitigater shall provide information about the Sub-processor's identity (including full company name, registration number, and address), the geographical location where the Sub-processor will process personal data, the type of service the Sub-processor will perform, and the protective measures that the Sub-processor will take to protect the personal data processed. The Company has the right to object to Mitigater engaging the Sub-processor to process personal data on behalf of the Company within two (2) weeks from the notification, whereupon Mitigater and the Company shall jointly seek a mutually acceptable solution; otherwise the Agreement may be terminated prematurely as provided in the General Terms and Conditions.
7. TRANSFER TO AND PROCESSING OF PERSONAL DATA OUTSIDE THE EU/EEA AREA
7.1 The Company hereby approves Mitigater, as necessary, transferring the Company's personal data outside the EU/EEA area. Such transfer may only take place if (i) the country has an adequate level of protection for personal data according to a decision by the EU Commission covering the processing of personal data, (ii) Mitigater ensure that appropriate safeguards are in place, such as standard data protection clauses adopted by the EU Commission, in light of the legislation of the recipient country, or (iii) any other exception in Applicable Legislation allows for the transfer.
7.2 In the event that Mitigater transfer personal data outside the EU/EEA based on standard data protection clauses, the Company hereby authorizes Mitigater to enter into such standard contractual clauses on behalf of the data controller.
8. CONFIDENTIALITY
8.1 Without prejudice to confidentiality commitments in the Agreement, the following shall also apply.
8.2 Mitigater shall keep personal data processed on behalf of the Company strictly confidential. Thus, Mitigater shall not, directly or indirectly, disclose any personal data to third parties unless authorized in writing by the Company, unless Mitigater are required by law to disclose personal data, or unless it is necessary for the performance of the Agreement. Mitigater agree that this confidentiality commitment shall continue to apply even after the termination of the Agreement.
8.3 The Company undertakes to keep all information received regarding Mitigater' security measures, procedures, IT systems, or otherwise of a confidential nature strictly confidential and further undertakes not to disclose to any outsider confidential information originating from Mitigater or its Sub-processors. However, the Company has the right to disclose such information that the Company is obliged to disclose by law or under the Agreement. The Company agrees that this confidentiality commitment shall continue to apply even after the termination of the Agreement.
9. LIABILITY
9.1 In the event that Mitigater incur damages or receive claims as a result of Mitigater' processing of personal data in accordance with the Company's instructions, the Company shall indemnify Mitigater for the damage caused thereby. However, Mitigater shall be responsible for the performance of Sub-processors' obligations towards the Company if the Sub-processor fails to fulfill its obligations. Any limitation of liability under this data processing agreement shall not apply in relation to the Company's liability under this data processing agreement.
9.2 If the Company's additional documented instructions regarding the processing of personal data are not supported by the Service or do not follow from Mitigater' commitments under the Agreement, and Mitigater could not reasonably have foreseen them, and these requirements result in Mitigater incurring additional costs, Mitigater shall have the right to choose between terminating the Agreement with immediate effect or receiving compensation from the Company for these costs.
APPENDIX - DESCRIPTION OF THE PROCESSING OF PERSONAL DATA IN THE SERVICE
This appendix shall be deemed an integral part of the data processing agreement.
1. PURPOSE OF THE PROCESSING
The personal data is processed for the following purposes:
- To provide the service and support of the service; and
- To fulfil any additional documented instructions provided by the company from time to time.
2. LOCATIONS WHERE PERSONAL DATA WILL BE PROCESSED
The personal data is processed by Mitigater. For information about the Sub-processors engaged by Mitigater and where they process the company's personal data, refer to Mitigater' website as updated from time to time.
3. RETENTION OF PERSONAL DATA
See below in point 4 for further information on how long personal data is retained.
4. DETAILED DESCRIPTION OF THE PROCESSING OF PERSONAL DATA IN THE SERVICE
See below for a detailed description of the processing of personal data occurring in the service.
MANAGE THE SERVICE
CATEGORIES OF DATA SUBJECTS
The following categories of data subjects may be subject to processing:
- The company's employees and employees of the company's companies or suppliers.
CATEGORIES OF PERSONAL DATA
The following categories of personal data may be processed depending on the data registered by the company:
- Identity information (e.g., name)
- Contact information (e.g., email address)
- User account information (e.g., system permissions)
PROCESSING OF PERSONAL DATA
For this purpose, the following processing of personal data is included, for example:
- Collection through registration of data
- Access for viewing and editing personal data through the service
- Transfer of personal data to collect and ensure updated and accurate data
- Access for the data subject to information concerning the data subject in connection with their use of the service
- Preparation of reports for monitoring and basis
RETENTION OF PERSONAL DATA
Personal data is retained for the duration the company uses the service and in accordance with other applicable legislation.
TECHNICAL FUNCTIONALITY AND SECURITY
CATEGORIES OF DATA SUBJECTS
The following categories of data subjects may be subject to processing:
- All categories of data subjects as specified above.
CATEGORIES OF PERSONAL DATA
The following categories of personal data may be processed depending on the data registered by the company's users:
- All categories of personal data as specified above
- Technical data (e.g., IP address)
PROCESSING OF PERSONAL DATA
For this purpose, the following processing of personal data is included, for example:
- Backup
- Troubleshooting
- Incident management
RETENTION OF PERSONAL DATA
Personal data is retained for the same period as specified in relation to the respective purposes of the processing of personal data above. Data in logs is retained for troubleshooting and incident management for a period of 12 months from the time of the log event. Data in backups is retained for a period of 4 months from the date of the backup.
SUB-PROCESSORS
The following Sub-processors are engaged by Mitigater to provide the Services at the time of entering into the Data Processing Agreement.
| Identity | Location | Service |
|---|---|---|
| Sub-processor - Reg.nr | Place | Service |
| Sub-processor - Reg.nr | Place | Service |
ANNEX - TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
The following technical and organizational measures are implemented by the Supplier and Sub-processors to protect the Personal Data covered by this Data Processing Agreement:
- Access control measures, such as password management and authentication procedures (including two-factor authentication), logging, user authorization controls, and access to data center facilities.
- Measures to ensure confidentiality, such as encryption during transmission.
- Measures to ensure availability, such as backups, firewalls, antivirus systems, logging, and uninterrupted power supply (UPS).
Furthermore, the Supplier has procedures in place to manage security incidents, staff are subject to confidentiality requirements, and the security measures are reviewed on a regular basis.