GDPR Data Processing Addendum


This Data Processing Addendum (“DPA”) amends and forms part of the Armis General Terms and Conditions (the “Agreement”) between Armis Inc. (“Company”) and the customer identified in the Agreement (“Customer”). This DPA prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.

1. Definitions

1.1. In this DPA:

a) “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, and “Supervisory Authority” have the meaning given to them in the GDPR;

b) “Customer Personal Data” means any data of Customer provided to Company that constitutes Personal Data, the Processing of which is subject to Data Protection Law, for which Customer or Customer’s customers are the Controller, and which is Processed by Company to provide the Services;

c) “Data Protection Law” means General Data Protection Regulation (EU) 2016/679 (“GDPR”) and e-Privacy Directive 2002/58/EC (as amended by Directive 2009/1/36/EC), and their national implementations in the European Economic Area (“EEA”), Switzerland and the United Kingdom (“UK”), each as applicable, and as may be amended or replaced from time to time;

d) “Data Subject Rights” means Data Subjects’ rights to information, access, rectification, erasure, restriction, portability, objection, and not to be subject to automated individual decision-making in accordance with Data Protection Law;

e) “International Data Transfer” means any transfer of Customer Personal Data from the EEA, Switzerland or the United Kingdom to an international organization or to a country outside of the EEA, Switzerland and the UK and includes any onward transfer of Customer Personal Data from the international organization or the country outside of the EEA, Switzerland or the UK to another international organization or to another country outside of the EEA, Switzerland and the UK;

f) “Services” means the services provided by Company to Customer under the Agreement;

g) “Subprocessor” means a Processor engaged by Company to Process Customer Personal Data;

h) “Standard Contractual Clauses” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time; and

i) “UK Standard Contractual Clauses” means the clauses annexed to EU Commission Decision 2010/87/EU of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, as applicable in the UK, and as amended or replaced from time to time.

1.2. Capitalized terms used but not defined herein have the meaning given to them in the Agreement.

2. Scope and applicability

2.1. This DPA applies to Processing of Customer Personal Data by Company to provide the Services.

2.2. The subject matter, nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in Annex I.

2.3. Customer is a Controller and appoints Company as a Processor on behalf of Customer. Customer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers.

2.4. If Customer is a Processor on behalf of other Controller(s), then Customer: is the single point of contact for Company; must obtain all necessary authorizations from such other Controller(s); undertakes to issue all instructions and exercise all rights on behalf of such other Controller(s); and is responsible for compliance with the requirements of Data Protection Law applicable to Processors.

2.5. Customer acknowledges that Company may Process Personal Data relating to the operation, support, or use of the Services for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. Company is the Controller for such Processing and will Process such data in accordance with Data Protection Law.

3. Instructions

3.1. Company will Process Customer Personal Data to provide the Services and in accordance with Customer’s documented instructions.

3.2. The Controller’s instructions are documented in this DPA, the Agreement, and any applicable statement of work.

3.3. Customer may reasonably issue additional instructions as necessary to comply with Data Protection Law. Company may charge a reasonable fee to comply with any additional instructions.

3.4. Unless prohibited by applicable law, Company will inform Customer if Company is subject to a legal obligation that requires Company to Process Customer Personal Data in contravention of Customer’s documented instructions.

4. Personnel

4.1. Company will ensure that all personnel authorized to Process Customer Personal Data are subject to an obligation of confidentiality.

5. Security and Personal Data Breaches

5.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures listed in Annex II.

5.2. Customer acknowledges that the security measures in Annex II are appropriate in relation to the risks associated with Customer’s intended Processing and will notify Company prior to any intended Processing for which Company’s security measures may not be appropriate.

5.3. Company will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data. If Company’s notification is delayed, it will be accompanied by reasons for the delay.

6. Subprocessing

6.1. Customer hereby authorizes Company to engage Subprocessors. A list of Company’s current Subprocessors is included in Annex III.

6.2. Company will enter into a written agreement with Subprocessors which imposes the same obligations as required by Data Protection Law.

6.3. Company will notify Customer prior to any intended change to Subprocessors. Customer may object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Company’s notification of the intended change. Customer and Company will work together in good faith to address Customer’s objection. If Company chooses to retain the Subprocessor, Company will inform Customer at least thirty (30) days before authorizing the Subprocessor to Process Customer Personal Data, and Customer may immediately discontinue using the relevant parts of the Services, and may terminate the relevant parts of the Services within thirty (30) days.

7. Assistance

7.1. Taking into account the nature of the Processing, and the information available to Company, Company will assist Customer, including, as appropriate, by implementing technical and organizational measures, with the fulfilment of Customer’s own obligations under Data Protection Law to: comply with requests to exercise Data Subject Rights; conduct data protection impact assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach.

7.2. Company will maintain records of Processing of Customer Personal Data in accordance with Data Protection Law.

7.3. Company may charge a reasonable fee for assistance under this Section 7. If Company is at fault, Company and Customer shall each bear their own costs related to assistance.

8. Audit

8.1. Upon reasonable request, Company must make available to Customer all information necessary to demonstrate compliance with the obligations of this DPA and allow for and contribute to audits, including inspections, as mandated by a Supervisory Authority or reasonably requested no more than once a year by Customer and performed by an independent auditor as agreed upon by Customer and Company. The foregoing shall only extend to those documents and facilities relevant and material to the Processing of Customer Personal Data, and shall be conducted during normal business hours and in a manner that causes minimal disruption.

8.2. Company will inform Customer if Company believes that Customer’s instruction under Section 8.1 infringes Data Protection Law. Company may suspend the audit or inspection, or withhold requested information until Company has modified or confirmed the lawfulness of the instructions in writing.

8.3. Company and Customer each bear their own costs related to an audit.

9. International Data Transfers

9.1. Customer hereby authorizes Company to perform International Data Transfers to any country deemed adequate by the EU Commission or the UK Government, as appropriate; on the basis of appropriate safeguards in accordance with Data Protection Law; or pursuant to the (UK) Standard Contractual Clauses referred to in Section 9.2.

9.2. By signing this DPA, Company and Customer conclude module 2 (controller-to-processor) of the Standard Contractual Clauses, which are hereby incorporated and completed as follows: the “data exporter” is Customer; the “data importer” is Company; the optional docking clause in Clause 7 is implemented; Clause 9(a) option 1 is implemented and the time period therein is specified as thirty (30) days; the optional redress clause in Clause 11(a) is struck; Clause 13(a) paragraph 2 is implemented; Clause 17 option 1 is implemented and the governing law is the law of Ireland; the courts in Clause 18(b) are the Courts of Ireland; Annexes I, II and III to module 2 of the Standard Contractual Clauses are Annexes I, II and III to this DPA respectively.

9.3. By signing this DPA, Company and Customer conclude the UK Standard Contractual Clauses which are hereby incorporated and completed as follows: the “data exporter” is Customer; the “data importer” is Company; the governing law in Clause 9 and Clause 11.3 of the UK Standard Contractual Clauses is the law of England and Wales; the information in Appendix 1 to the UK Standard Contractual Clauses is provided in Annex I to this DPA; Appendix 2 to the UK Standard Contractual Clauses is Annex II to this DPA; and the optional indemnification clause is struck. In addition, the following changes apply: (i) references to Data Protection Law are replaced with references to applicable UK data protection law, (ii) references to the EU or Member States are replaced with references to the UK, (iii) references to EU authorities are replaced with references to the competent UK authorities.

9.4. Customer hereby represents and warrants that (a) it is not and will not be in breach of any provision of the (UK) Standard Contractual Clauses; and (b) it is not, and nor are any of its Subprocessors, subject to the U.S. Foreign Intelligence Surveillance Act (“FISA”) or Executive Order 12333 (“EO”), and nor has Customer or any Subprocessor received any requests under Section 702 of the FISA or, to the best of Customer’s knowledge, been subject to any action under the EO.

9.5. If Company’s compliance with Data Protection Law applicable to International Data Transfers is affected by circumstances outside of Company’s control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then Customer and Company will work together in good faith to reasonably resolve such non-compliance. In the event that additional, replacement or alternative (UK) Standard Contractual Clauses are approved by Supervisory Authorities, Company reserves the right to amend the Agreement and this DPA by adding to, changing or replacing, the (UK) Standard Contractual Clauses that form part of it at the date of signature in order to ensure continued compliance with Data Protection Law.

10. Notifications

10.1. Customer will send all notifications, requests and instructions under this DPA to Company’s Legal Department via email to [email protected]. Company will send all notifications under this DPA to Customer’s contact at the email address that Company has on file.

11. Liability

11.1. Subject to any limitation of liability set out in the Agreement, to the extent permitted by applicable law, where Company has paid damages or fines, Company is entitled to claim back from Customer that part of the compensation, damages or fines, corresponding to Customer’s part of responsibility for the damages or fines.

12. Termination and return or deletion

12.1. This DPA is terminated upon the termination of the Agreement.

12.2. Customer may request return of Customer Personal Data up to forty-five (45) days after termination of the Agreement. Unless required or permitted by applicable law, Company will delete all remaining copies of Customer Personal Data within sixty (60) days after returning Customer Personal Data to Customer.

13. Modification of this DPA

13.1. This DPA may only be modified by a written amendment signed by both Company and Customer.

14. Invalidity and severability

14.1. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

ANNEX I

A. LIST OF PARTIES

Data importer:

  • Name: Armis Inc.
  • Address: 300 Hamilton Avenue, Suite 500, Palo Alto, California 94301, USA
  • Contact person’s name, position and contact details: Legal Department, 300 Hamilton Ave., 5th Floor, Palo Alto, CA 94301, [email protected]
  • Activities relevant to the data transferred under these Clauses: Armis provides a cybersecurity management platform.
  • Signature and date: Please see the date of the Agreement and the Ordering Document.
  • Role (controller/processor): Processor

Data exporter:

  • Name: Customer
  • Address: The Customer’s contact details, as identified in the Ordering Document
  • Contact person’s name, position and contact details: The Customer’s contact details, as identified in the Ordering Document
  • Activities relevant to the data transferred under these Clauses: Transfer of Customer’s users credentials of Armis’ cybersecurity platform and Customer information system data as required to provide the cybersecurity management services
  • Signature and date: Please see the signature and date of the Agreement and Ordering Document
  • Role (controller/processor): Controller

B. DESCRIPTION OF TRANSFER

  • Categories of Data Subjects whose personal data is transferred:
    1. Customer’s customers connecting devices to Customer networks monitored by Armis.
    2. Customer’s personnel, staff and contractors connecting devices to Customer networks monitored by Armis.
  • Categories of personal data transferred:
    1. Names
    2. Usernames
    3. Email addresses
    4. Device identifiers (hostnames, MAC addresses, IP addresses)
    5. Device communication metadata (ports, protocols, etc.)
  • Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
    1. Not applicable. The Services are not intended to Process special categories of data.
  • The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

On a continuous basis.

  • Nature of the processing

The data will be transferred for the provision of the Solutions and Services as set out in the Agreement.

  • Purpose(s) of the data transfer and further processing:
    1. To deliver the cybersecurity benefits of the Armis product offering and corresponding services.
  • The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law. In principle, the Company aims to store data related to devices in customer environments for up to one (1) year, and to store other data (e.g. usernames) through the duration of the Agreement.

  • For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

The supervisory authority of the country where the Customer is based shall act as competent supervisory authority, unless the Customer informs Company otherwise.

ANNEX II

SECURITY MEASURES

Company will implement the following types of security measures:

1. Physical access control

Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Customer Personal Data are Processed, include:

  • Establishing security areas, restriction of access paths;
  • Establishing access authorizations for employees and third parties;
  • Access control system (ID reader, magnetic card, chip card);
  • Key management, card-keys procedures;
  • Door locking (electric door openers etc.);
  • Security staff, janitors;
  • Surveillance facilities, video/CCTV monitor, alarm system; and
  • Securing decentralized data processing equipment and personal computers.

2. Virtual access control

Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:

  • User identification and authentication procedures;
  • ID/password security procedures (special characters, minimum length, change of password);
  • Automatic blocking (e.g. password or timeout);
  • Access brokered through a zero trust access solution with finely tuned behavioral analytics capabilities that enable continuous monitoring and enforcement to protect against potential misuse or compromise;
  • Automatic blocking (complex passwords, MFA, behavioral anomaly based enforcement);
  • Creation of one master record per user, user-master data procedures per data processing environment; and
  • Encryption of archived data media.

3. Data access control

Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Customer Personal Data in accordance with their access rights, and that Customer Personal Data cannot be read, copied, modified or deleted without authorization, include:

  • Internal policies and procedures;
  • Control authorization schemes;
  • Differentiated access rights (profiles, roles, transactions and objects);
  • Monitoring and logging of accesses and alerting on anomalous behaviors;
  • Disciplinary action against employees who attempt to access Customer Personal Data without authorization;
  • Regular review of privileged access and validation of automated IAM provisioning controls;
  • HR-integrated role-based provisioning and deprovisioning capabilities that maintain least privilege access based on each employee’s status, specific role and responsibilities; and
  • Encryption.

4. Disclosure control

Technical and organizational measures to ensure that Customer Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Customer Personal Data are disclosed, include:

  • Encryption/tunneling;
  • Tightly controlled access to production systems and data;
  • Fully brokered, monitored, and controlled technical sessions;
  • Logging; and
  • Transport security.

5. Entry control

Technical and organizational measures to monitor whether Customer Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:

  • Logging and reporting systems;
  • Audit trails and documentation; and
  • Anomaly-based alerting and enforcement.

6. Control of instructions

Technical and organizational measures to ensure that Customer Personal Data are Processed solely in accordance with the instructions of the Controller include:

  • Unambiguous wording of the contract;
  • Formal commissioning (request form); and
  • Criteria for selecting the Processor.

7. Availability control

Technical and organizational measures to ensure that Customer Personal Data are protected against accidental destruction or loss (physical/logical) include:

  • Backup procedures;
  • Mirroring of hard disks (e.g. RAID technology);
  • Uninterruptible power supply (UPS);
  • Remote storage;
  • Endpoint hardening and protection tooling (e.g. AV, HIPS, FIM, etc.); and
  • Tested disaster recovery plans and procedures.

8. Separation control

Technical and organizational measures to ensure that Customer Personal Data collected for different purposes can be Processed separately include:

  • Separation of databases;
  • “Internal client” concept / limitation of use;
  • Segregation of functions (production/testing); and
  • Procedures for storage, amendment, deletion, transmission of data for different purposes.

ANNEX III

LIST OF SUBPROCESSORS

Customer authorizes Company to engage the following Subprocessors:

  1. Name and address: Amazon Web Services
     Contact person’s name, position and contact details: Contact person and details as included in the Armis-AWS agreement
     Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): Responsibilities are isolated to operating as our IaaS provider.