Annexes to Data Processing Agreement

ANNEX 1:
DETAILS OF PROCESSING OF CONTROLLER PERSONAL DATA

This Annex 1 includes certain details of the Processing of Controller Personal Data as required by Article 28(3) GDPR.
 
1. Categories of Data Subjects and Personal Data subject to Processing according to this Agreement
a. Categories of Data Subjects:
i. Customer end users
ii. Customer employees
iii. Customer applicants
iv. Customer contact persons
v. Customer employees next of kin
b. Categories of Personal Data:
i. User logs and IP addresses
ii. Contact information
iii. Personal ID numbers
iv. Next of kin information
v. Payroll information and history
vi. Bank account information
vii. Personal documents like passports, certificates, health certificates, etc.
viii. Appraisals
ix. Records of work-related activities
x. Flight information
xi. Travel expenses
xii. Work and rest hours
xiii. Content of any customized data records and fields added by the Customer.
 
2. Types of Sensitive Personal Data subject to Processing according to the Agreement
This section is only relevant if the Processor shall process sensitive Personal Data, as indicated below, on behalf of the Controller as part of the Services Agreement. In order for the Processor to process such data on behalf of the Controller, the types of Sensitive Personal Data in question must be specified by the Controller.
 
The Controller is also responsible for informing the Processor of any additional types of sensitive Personal Data applicable according to privacy legislation in the Controller's country of establishment. 

Subject matter and duration of the Processing of Controller Personal Data

The duration of the Processing is determined by the Maintenance agreement with the customer. 
 
The nature and purpose of the Processing of Controller Personal Data
The Personal Data will be Processed for purpose of providing the services set out and otherwise agreed to in the Maintenance agreement.
 

ANNEX 2:
TECHNICAL AND ORGANISATIONAL MEASURES

1. Organizational security measures

1.1. Security Management

a. Security policy and procedures: Processor must document a security policy with regard to the processing of personal data.
 
b. Roles and responsibilities:
i. Roles and responsibilities related to the processing of personal data are clearly defined and allocated in accordance with the security policy.
ii. During internal re-organizations, terminations and changes of employment, the revocation of rights and responsibilities, together with the respective hand-over procedures, is clearly defined.
 
c. Access Control Policy: Specific access control rights are allocated to each role involved in the processing of personal data, following the need-to-know principle.
 
d. Resource/asset management: Processor shall have a register of the IT resources used for the processing of personal data (hardware, software, and network). A specific person is assigned the task of maintaining and updating the register (e.g. IT officer).
 
e. Change management: Processor makes sure that all changes to the IT system are registered and monitored by a specific person (e.g. IT or security officer). Regular monitoring of this process takes place.
 

1.2. Incident response and business continuity

a. Incidents handling / Personal data breaches:
i. An incident response plan with detailed procedures is defined to ensure an effective and orderly response to incidents pertaining to personal data.
ii. Processor will report without undue delay to Controller any security incident that has resulted in a loss, misuse or unauthorized acquisition of any personal data.
 
b. Business continuity: Processor establishes the main procedures and controls to be followed in order to ensure the required level of continuity and availability of the IT system processing personal data (in the event of an incident/personal data breach).
 

1.3. Human resources

a. Confidentiality of personnel: Processor ensures that all employees understand their responsibilities and obligations related to the processing of personal data. Roles and responsibilities are clearly communicated during the pre-employment and/or induction process.
 
b. Training: Processor ensures that all employees are adequately informed about the security controls of the IT system that relate to their everyday work. Employees involved in the processing of personal data are also properly informed about relevant data protection requirements and legal obligations through regular awareness campaigns.
 

2. Technical security measures

2.1. Access control and authentication

a. An access control system applicable to all users accessing the IT system is implemented. The system allows creating, approving, reviewing and deleting user accounts.
 
b. The use of common user accounts is avoided. In cases where this is necessary, it is ensured that all users of the common account have the same roles and responsibilities.
 
c. When granting access or assigning user roles, the “need-to-know principle” shall be observed in order to limit the number of users having access to personal data only to those who require it for achieving the Processor’s processing purposes.
 
d. Where authentication mechanisms are based on passwords, Processor requires the password to be at least eight characters long and conform to very strong password control parameters including length, character complexity, and non-repeatability.
 
e. The authentication credentials (such as user ID and password) shall never be transmitted unprotected over the network.
 

2.2. Logging and monitoring:

a. Log files are activated for each system/application used for the processing of personal data. They include details about login, logout, modification and deletion.
 

2.3. Security of data at rest

a. Server/Database security
i. Database and applications servers are configured with restricted permissions.
ii. Database and application servers only process the personal data that are actually needed to achieve the processing purposes.
 
b. Workstation security:
i. Anti-virus applications and detection signatures are configured and updated on a regular basis.
ii. Critical security updates released by the operating system developer are installed regularly.
 

2.4. Network/Communication security:

a. Whenever access is performed through the Internet, communication is encrypted through cryptographic protocols.
 
b. Traffic to and from the IT system is monitored and controlled through Firewalls and logs.
 

2.5. Back-ups:

a. Backup and data restore procedures are defined, documented and clearly linked to roles and responsibilities.
 
b. Backups are given an appropriate level of physical and environmental protection consistent with the standards applied on the originating data.
 
c. Execution of backups is monitored to ensure completeness.
 

2.6. Application lifecycle security:

a. During the development lifecycle, to the best of our knowledge, we use best-practice, state-of-the-art and well-acknowledged secure development practices or standards.

2.7. Data deletion/disposal:

a. Software-based overwriting will be performed on media prior to their disposal. In cases where this is not possible (CDs, DVDs, etc.), physical destruction will be performed.

b. Shredding of paper and portable media used to store personal data is carried out.

 

2.8. Physical security:

a. The physical perimeter of the IT system infrastructure is not accessible by non-authorized personnel. Appropriate technical measures (e.g. Intrusion detection system) or organizational measures shall be set in place to protect security areas and their access points against entry by unauthorized persons.
 

ANNEX 3:

AUTHORIZED TRANSFERS OF CONTROLLER PERSONAL DATA

For Adonis Support and Consultancy (all customers)

Authorized sub-processor | Processing activity | Location of service center(s)
Adonis Kharkiv LLC | Support operation and service maintenance | Ukraine
Adonis Development and QA LLC | Software development and troubleshooting | Ukraine
Adonis Project LLC | Support operation and service maintenance | Ukraine
Adonis Soft LLC | Software development and troubleshooting | Russia
Adonis SEA Inc | Support operation and service maintenance | Philippines

The support and consultancy sub-processors will never receive transferred data, but may have access to data through the hosted systems or through access to customer systems.

For Support and Consultancy - Adonis Cloud customers

Authorized sub-processor | Processing activity | Location of service center(s)
Microsoft Ireland Operations LTD | ASP usage report and license audit | Ireland/Norway
Microsoft Ireland Operations LTD | Datacenter hosting; operation and service maintenance | Azure, in the following regions:
  • West Europe (NL)
  • North Europe (IRL)
  • West US 2
  • East US
  • South East Asia
  • East Asia
  • Other locations may be utilized in agreement with customer
Front Information AS | SMS sending | Norway
Ironstone AS | Operation and service maintenance | Norway