Data Processing Addendum
This Data Processing Addendum, including the Standard Contractual Clauses where applicable (“DPA”), is entered into between Power Accelerate BV (“Power Accelerate”) and the customer entity (“Customer”) identified in the applicable subscription agreement governing use of the Power Accelerate Service (the “Agreement”). This DPA is incorporated by reference into the Agreement. All capitalized terms used in this DPA but not defined will have the meaning set forth in the Agreement. To the extent of any conflict or inconsistency between this DPA, any previously executed data processing agreement, and the remaining terms of the Agreement, this DPA will govern. Power Accelerate and Customer are each referred to herein as a “Party” and collectively as the “Parties.”
In the course of providing the Service under the Agreement, Power Accelerate may Process certain Personal Data (such term defined below) on behalf of Customer and, where Power Accelerate Processes such Personal Data on behalf of Customer, the Parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.
1. Definitions
“Applicable SCCs” means the Standard Contractual Clauses (i.e. EU SCCs and/or UK SCCs) that apply to Personal Data Processed pursuant to this DPA.
“Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the Swiss Federal Data Protection Act, and the United Kingdom Data Protection Act of 2018. For the avoidance of doubt, if Power Accelerate’s Processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this DPA.
“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
“EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, completed as set forth in Schedule A to this DPA.
“Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms (such terms having the same meaning as defined by applicable Data Privacy Laws) that is Processed in the performance of the Service under the Agreement, but does not include the Parties’ business contact information (specifically, business addresses, phone numbers, and email addresses) used solely to facilitate the Parties’ communications for administration of the Agreement.
“Personal Data Breach” means any accidental, unlawful or unauthorized access, acquisition, use, modification, disclosure, loss, destruction of or damage to Personal Data or any other unauthorized Processing of Personal Data.
“Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Service” means the services Power Accelerate is obligated to provide pursuant to the Agreement.
“Subprocessor” means any Power Accelerate affiliate or other direct or indirect subcontractor with which Power Accelerate contracts to Process Personal Data in relation to the Agreement.
“UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/), completed as set forth in this DPA.
2. Relationship of the Parties and Scope
a. Power Accelerate as a Processor. The Parties acknowledge and agree that with regard to Personal Data, Customer is a “Controller” and Power Accelerate is a “Processor,” as such terms are defined by Data Privacy Laws. For purposes of the CCPA, Customer is a “business,” and Power Accelerate is a “service provider,” as such terms are defined in the CCPA. In some circumstances, Customer may be a Processor of Personal Data, in which case Customer appoints Power Accelerate as its Subprocessor, which shall not change the obligations of either Customer or Power Accelerate under this DPA.
b. Processing Details. The details of the Processing are set forth in Annex I.B of the EU SCCs (Schedule A).
c. Processing Limitations.
i. Power Accelerate will Process Personal Data solely: (1) to fulfill its obligations to Customer under the Agreement, including this DPA; (2) on Customer’s behalf; (3) in accordance with Customer’s instructions, which include the terms of this DPA; and (4) in compliance with Data Privacy Laws. Power Accelerate will not sell Personal Data or otherwise Process Personal Data for any purpose other than for the specific purposes set forth herein. For purposes of this paragraph, “sell” shall have the meaning set forth in the CCPA.
ii. Where explicitly required by Data Privacy Laws, Power Accelerate shall (1) implement the same degree of security to protect Personal Data as required by Data Privacy Laws; (2) as set forth in Section 6 (Customer’s Audit Rights), grant Customer the right to take reasonable and appropriate steps to (a) ensure Power Accelerate uses the Personal Data consistent with Customer’s obligations and (b) upon notice, stop and remediate any unauthorized use of Personal Data; and (3) notify Customer if it can no longer meet its obligations under this DPA.
d. Compliance with Laws. Power Accelerate will comply with all Data Privacy Laws applicable to Power Accelerate in its role as provider of the Service. Customer will comply with all applicable Data Privacy Laws relevant to use of the Service, including by obtaining any consents and providing any notices required under applicable Data Privacy Laws for Power Accelerate to provide the Service. Customer will ensure that Customer and its Authorized Users are entitled to transfer the Personal Data to Power Accelerate so that Power Accelerate and its Subprocessors may lawfully Process the Personal Data in accordance with this DPA. Power Accelerate will promptly inform Customer if, in Power Accelerate’s opinion, an instruction from Customer infringes Data Privacy Laws.
e. Certification. Power Accelerate hereby certifies that it understands the restrictions and obligations set forth in this DPA and that it will comply with them.
3. Assistance and Cooperation
a. Data Subject Requests. Taking into account the nature of the Processing and to the extent legally permitted, Power Accelerate will promptly notify Customer, or refer the individual back to the Customer, if Power Accelerate receives any requests from an individual seeking to exercise any rights afforded to them under Data Privacy Laws regarding their Personal Data. Power Accelerate shall assist Customer by appropriate technical and organizational measures, as far as this is possible, for the fulfilment of Customer’s obligation to respond to a request from a Data Subject to exercise rights under applicable Data Privacy Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Power Accelerate’s provision of such assistance, including any fees associated with provision of additional functionality.
b. Complaints or Requests for Personal Data. Power Accelerate will promptly notify Customer of (1) any third-party or Data Subject complaints regarding the Processing of Personal Data; or (2) any government or Data Subject requests for access to or information about Power Accelerate’s Processing of Personal Data on Customer’s behalf, unless prohibited by applicable laws. Power Accelerate will provide Customer with reasonable cooperation and assistance in relation to any such request.
c. Data Protection Impact Assessment. Taking into account the nature of the Processing and the information available to Power Accelerate, Power Accelerate will provide reasonable assistance to and cooperation with Customer for Customer’s performance of any legally required data protection impact assessment of the Processing or proposed Processing of Personal Data involving Power Accelerate, in the form of publicly available documentation for the Service. Additional support for data protection impact assessments may require mutual agreement on fees, the scope of Power Accelerate’s involvement, and any other terms that the Parties deem appropriate.
d. Supervisory and Other Regulatory Authorities. Power Accelerate shall provide reasonable assistance to and cooperation with Customer for Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to Power Accelerate under Data Privacy Laws to consult with a regulatory authority in relation to Power Accelerate’s Processing or proposed Processing of Personal Data.
4. Subprocessors
a. Appointment of Subprocessors. Customer acknowledges and agrees that Power Accelerate’s Affiliates and certain third parties may be retained as subprocessors (“Subprocessors”) to Process Personal Data on Power Accelerate’s behalf in order to provide the Service. Power Accelerate will impose contractual obligations on any Subprocessor Power Accelerate appoints requiring it to protect Customer Personal Data to standards which are no less protective than those set forth under this DPA. Power Accelerate remains liable for its Subprocessors’ performance under this DPA to the same extent Power Accelerate is liable for its own performance.
b. Notification of New Subprocessors. Customer can reach out to info@poweraccelerate.com to obtain a list of Power Accelerate’s current Subprocessors.
c. Right to Object to Subprocessors. Customer may object to Power Accelerate’s use of a new Subprocessor by notifying Power Accelerate promptly in writing at info@poweraccelerate.com (with its reasonable grounds for objection) within ten (10) business days after receipt of Power Accelerate’s notice. In the event Customer objects to a new Subprocessor on reasonable grounds, Power Accelerate will use commercially reasonable efforts to make available to Customer a change in the Service or Customer’s configuration or use of the Service to avoid Processing of Personal Data by the objected-to new Subprocessor. If Power Accelerate is unable to make available such change within a reasonable period of time, which will not exceed thirty (30) days, either Party may upon written notice terminate without penalty the applicable Order(s) or the Agreement. Customer will receive a prorated refund of any prepaid amounts for any remaining time under the applicable Order(s) or the Agreement.
5. Security
a. Security Measures. Power Accelerate will use appropriate technical and organizational measures to protect Personal Data that it Processes, as described in the Power Accelerate Security Program Addendum located at https://poweraccelerate.com/spa/. Such measures will take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risk. Power Accelerate will ensure that the persons Power Accelerate authorizes to Process Personal Data are subject to written confidentiality agreements or a statutory obligation of confidentiality.
b. Power Accelerate’s Security Assistance. Customer agrees that Power Accelerate will (taking into account the nature of the Processing of Personal Data and the information available to Power Accelerate) assist Customer in ensuring compliance with any of Customer’s obligations in respect of security of Personal Data, including if applicable Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by implementing and maintaining the security measures set forth in Annex II to the EU SCCs (Schedule A). Power Accelerate may update the security measures it implements so long as the overall security of Personal Data is not reduced.
6. Customer’s Audit Rights
a. Audit Rights. If required by Data Privacy Laws applicable to Personal Data, Power Accelerate will allow Customer or an independent auditor appointed by Customer to conduct audits (including inspections) to verify Power Accelerate’s compliance with its obligations under this DPA in accordance with Section 6(c) (Additional Business Terms for Reviews and Audits). Power Accelerate will contribute to such audits as described in Section 5(b) (Power Accelerate’s Security Assistance) and this Section 6 (Customer’s Audit Rights).
b. Standard Contractual Clauses. If Customer has entered into EU SCCs or UK SCCs as described in Section 8 (International Transfers of Personal Data), Power Accelerate will, without prejudice to any audit rights of a supervisory authority under such Applicable SCCs, allow Customer or an independent auditor appointed by Customer to conduct audits as described in the Applicable SCCs in accordance with Section 6(c) (Additional Business Terms for Reviews and Audits).
c. Additional Business Terms for Reviews and Audits
i. Customer may exercise its right to audit Power Accelerate under Sections 6(a) and 6(b) where (1) there has been a Personal Data Breach within the previous six (6) months or there is reasonable suspicion of a Personal Data Breach within the previous six (6) months, or (2) Customer will pay all reasonable costs and expenses incurred by Power Accelerate in making itself available for an audit. If a third party is to conduct the audit, the third party must be mutually agreed to by Customer and Power Accelerate and must execute a written confidentiality agreement acceptable to Power Accelerate before conducting the audit. Except for audits conducted pursuant to Section 6(c)(i)(1), Customer may invoke its audit right no more than once annually.
ii. To request an audit under Sections 6(a) or 6(b), Customer must submit a detailed audit plan to Power Accelerate at info@poweraccelerate.com at least thirty (30) days in advance of the proposed audit date, describing the proposed scope, duration, and start time of the audit. The scope may not exceed a review of Power Accelerate’s compliance with the Applicable SCCs or its compliance with the Data Privacy Laws necessitating the audit, in each case with respect to the Personal Data. The audit must be conducted during regular business hours at the applicable facility, subject to Power Accelerate policies, and may not interfere with Power Accelerate business activities.
iii. Following receipt by Power Accelerate of a request for an audit under Sections 6(a) or 6(b), Power Accelerate and Customer will discuss and agree in advance on the reasonable start date, scope, and duration of any audit under Sections 6(a) or 6(b).
iv. Customer will be responsible for any fees it incurs, including any fees charged by any auditor appointed by Customer to execute any such audit.
v. Customer will provide Power Accelerate any audit reports generated in connection with any audit under this section, unless prohibited by law. Customer may use the audit reports only to meet its regulatory audit requirements and to confirm compliance with the requirements of the Applicable SCCs or the Data Privacy Law necessitating the audit. The audit reports, and all information and records observed or otherwise collected in the course of the audit, are Confidential Information of Power Accelerate under the terms of the Agreement.
vi. Power Accelerate may object in writing to an auditor appointed by Customer if the auditor is, in Power Accelerate’s reasonable opinion, not suitably qualified or independent, a competitor of Power Accelerate, or otherwise manifestly unsuitable. Any such objection by Power Accelerate will require Customer to appoint another auditor or conduct the audit itself.
vii. Nothing in this DPA will require Power Accelerate either to disclose to Customer or its auditor, or to allow Customer or its auditor to access: (a) any data of any other customer of Power Accelerate; (b) Power Accelerate’s internal accounting or financial information; (c) any trade secret of Power Accelerate; (d) any information that, in Power Accelerate’s reasonable opinion, could: (i) compromise the security of Power Accelerate systems or premises; or (ii) cause Power Accelerate to breach its obligations under applicable law or its security and/or privacy obligations to Customer or any third party; or (e) any information that Customer or its third party auditor seeks to access for any reason other than the good faith fulfilment of Customer’s obligations under the Applicable SCCs or the Data Privacy Law necessitating the audit.
d. No Modification of Applicable SCCs. Nothing in this Section 6 varies or modifies any rights or obligations of Customer or Power Accelerate under any Applicable SCCs entered into as described in Section 8 (International Transfers of Personal Data).
7. Personal Data Breaches
a. Personal Data Breach Notification and Response. Power Accelerate will comply with the Personal Data Breach-related obligations directly applicable to it under Data Privacy Laws. Power Accelerate shall notify Customer of a confirmed Personal Data Breach of which Power Accelerate becomes aware without undue delay and in any event no later than seventy-two (72) hours following such confirmation. To the extent available, this notification will include Power Accelerate’s then-current assessment of the following:
i. the nature of the Personal Data Breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
ii. the likely consequences of the Personal Data Breach; and
iii. measures taken or proposed to be taken by Power Accelerate to address the Personal Data Breach including, where applicable, measures to mitigate its possible adverse effects.
b. Additional Notifications. Power Accelerate will provide timely and periodic updates to Customer as additional information regarding the Personal Data Breach becomes available. Customer acknowledges that any updates may be based on incomplete information.
c. No Assessment of Personal Data by Power Accelerate. Power Accelerate will not assess the contents of Personal Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with legal requirements for incident notification applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breach.
d. No Acknowledgment of Fault by Power Accelerate. Power Accelerate’s notification of or response to a Personal Data Breach under this Section 7 will not be construed as an acknowledgement by Power Accelerate of any fault or liability with respect to the Personal Data Breach.
e. Compliance with Law. Nothing in this DPA or in the Applicable SCCs will be construed to require Power Accelerate to violate, or delay compliance with, any legal obligation it may have with respect to a Personal Data Breach or other security incidents generally.
8. International Transfers of Personal Data
a. Transfer Authorization. Customer authorizes Power Accelerate and its Subprocessors to make international transfers of the Personal Data in accordance with this DPA so long as applicable Data Privacy Laws for such transfers are respected.
b. Transfers from the EEA. With respect to Personal Data transferred from the European Economic Area (“EEA”), the EU SCCs incorporated herein shall apply, form part of this DPA, and take precedence over the rest of this DPA as set forth in the EU SCCs. They will be deemed completed as follows:
i. Where Customer acts as a controller and Power Accelerate acts as Customer’s processor with respect to the Personal Data subject to the EU SCCs, its Module 2 applies. Where Customer acts as a processor and Power Accelerate acts as Customer’s subprocessor with respect to the Personal Data subject to the EU SCCs, its Module 3 applies.
ii. Clause 7 (the optional docking clause) is included.
iii. Under Clause 9 (Use of sub-processors), the Parties select Option 2 (General written authorization).
iv. Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
v. Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The Parties select the law of Ireland.
vi. Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland.
vii. Annexes I-III of the EU SCCs are set forth in Schedule A of the DPA.
viii. By entering into this DPA, the Parties are deemed to be signing the EU SCCs and its applicable Annexes.
c. Transfers from Switzerland. With respect to Personal Data transferred from Switzerland for which Swiss law (and not the law in any EEA jurisdiction) governs the international nature of the transfer, references to the GDPR in Clause 4 of the EU SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of supervisory authority shall include the Swiss Federal Data Protection and Information Commissioner.
d. Transfers from the United Kingdom. With respect to Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any EEA jurisdiction) governs the international nature of the transfer, the UK SCCs form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs, unless the United Kingdom issues updates to the UK SCCs that, upon notice from Customer, will control. Undefined capitalized terms used in this provision shall mean the definitions in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows:
i. Table 1 of the UK SCCs: (1) the Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in Schedule A; (2) the Key Contact shall be the contacts set forth in Schedule A.
ii. Table 2 of the UK SCCs: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties.
iii. Table 3 of the UK SCCs: Annex 1A, 1B, II, and III shall be set forth in Schedule A.
iv. Table 4 of the UK SCCs: Either Party may end this DPA as set out in Section 19 of the UK SCCs.
v. By entering into this DPA, the Parties are deemed to be signing the UK SCCs and its applicable Tables and Appendix Information.
e. Alternative Data Transfer Mechanism. If Power Accelerate adopts an alternative data transfer mechanism (including any new version of or successor to the Applicable SCCs adopted pursuant to Data Privacy Laws) for the transfer of Personal Data that is not described in this DPA (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism will apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Data Privacy Laws).
9. Additional Safeguards for Transfers
a. Additional Safeguards. To the extent that Power Accelerate Processes Personal Data of Data Subjects located in or subject to the applicable Data Privacy Laws of the EEA, Switzerland, or the United Kingdom, Power Accelerate agrees to the following safeguards in this Section 9 to protect such data to an equivalent level as applicable Data Privacy Laws.
b. Notification of Law Enforcement Requests. Power Accelerate will inform Customer of any request for disclosure of Personal Data by a law enforcement, civil, administrative, national or public security or other competent authority outside Europe, including but not limited to pursuant to the U.S. Foreign Intelligence Surveillance Act (FISA) §702, Executive Order (E.O.) 12333, the Stored Communications Act (18 U.S.C. § 2703), the CLOUD Act (18 U.S.C. § 2523) (each a “Law Enforcement Request”), unless Power Accelerate is otherwise prohibited under applicable law.
c. Challenging Demands. Power Accelerate will use all reasonably available legal mechanisms to challenge any Law Enforcement Requests it receives as well as any non-disclosure provisions attached thereto.
d. Notification of Inability to Comply. Power Accelerate will promptly notify Customer if Power Accelerate can no longer comply with the Applicable SCCs or the clauses in this Section. Power Accelerate shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Customer to terminate the Agreement (or, at Customer’s option, affected statements of work, Order Forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder. This is without prejudice to Customer’s other rights and remedies with respect to a breach of the Agreement.
10. Return and Deletion of Personal Data
a. Deletion Upon Termination. Upon termination of the Agreement and written verified request from Customer’s authorized representative (which for purposes of this section is either a billing owner or an administrator of Customer’s Account or a member of Customer’s personnel who has confirmed in writing that they are authorized to make decisions on behalf of the Customer), Power Accelerate will delete Personal Data as specified in the Agreement, unless prohibited by applicable law.
SCHEDULE A
Annex I
A. LIST OF PARTIES
Data exporter(s):
Name: Customer, a user of the Power Accelerate Service
Address: As listed in the Agreement
Contact person’s name, position and contact details: As listed in the Agreement
Activities relevant to the data transferred under these Clauses: As described in Section B below
Role (controller/processor): Controller and/or Processor
Data importer(s):
Name: Power Accelerate BV (“Power Accelerate”)
Address: Emiel Van Hammestraat 12, 2570 Duffel, Belgium
Contact person’s name, position and contact details:
Activities relevant to the data transferred under these Clauses: Data importer will process the data in order to provide the Service pursuant to the Agreement.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
- The categories of data subjects whose personal data is transferred are determined solely by the data exporter. In the normal course of the data importer’s Service, the categories of data subject might include (but are not limited to): the data exporter’s personnel, customers, service providers, business partners, affiliates, and other end users.
Categories of personal data transferred
- The categories of personal data transferred are determined solely by the data exporter. In the normal course of the data importer’s Service, the categories of personal data transferred might include (but are not limited to): name, email address, telephone, title, and feature flag configuration entered by the data exporter or its end users.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- The data importer does not intentionally or knowingly process any special category data. However, the categories of personal data transferred are determined solely by the data exporter.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
- The Personal Data shall be transferred continuously for as long as Power Accelerate provides the Service pursuant to the Agreement.
Nature of the processing
- The nature of the processing consists of collecting, storing and transferring Personal Data to facilitate Power Accelerate’s provision of the Service to Customer as further described in the Agreement.
Purpose(s) of the data transfer and further processing
- The purpose of the data transfer is so that Power Accelerate can provide the Service to Customer as further described in the Agreement. There is no processing other than as set forth above.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
- The Personal Data shall be retained as directed by Customer as needed to provide the Services pursuant to the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
- Same as above
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13: Irish Data Protection Commission for Personal Data from the EEA; United Kingdom Information Commissioner’s Office for Personal Data from the United Kingdom
Annex II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Power Accelerate emphasizes the following principles in the design and implementation of its security program and practices: (a) physical and environmental security to protect the Service against unauthorized access, use, or modification; (b) maintaining availability for operation and use of the Service; (c) confidentiality to protect customer data; and (d) integrity to maintain the accuracy and consistency of data over its life cycle.
Specific measures:

Measure: Pseudonymization and encryption of personal data
Description: Customer Data is encrypted in transit and encrypted at rest. The connection to https://make.poweraccelerate.com is encrypted with at least 128-bit encryption and supports TLS 1.2 and above. Logins and sensitive data transfers are performed over encrypted protocols such as TLS.

Measure: Confidentiality, integrity, availability and resilience of processing systems and services
Description: Power Accelerate maintains an information security program, which includes: (a) having a formal risk management program; (b) conducting risk assessments of all systems and networks that process Customer Data; (c) maintaining a tiered remediation plan to ensure timely fixes to any discovered vulnerabilities, a written information security policy, and an incident response plan that explicitly addresses and provides guidance to its personnel in furtherance of the security, confidentiality, integrity, and availability of Customer Data; (d) monitoring for security incidents; and (e) having resources responsible for information security efforts.

Measure: Restoration and availability of personal data
Description: Customer Data is stored in multiple Azure availability zones and regions for resiliency.

Measure: Testing, assessing, and evaluating security measures
Description: To the extent Power Accelerate determines, in its sole discretion, that any remediation is required based on the results of its security testing, it will perform such remediation within a reasonable period of time taking into account the nature and severity of the identified issue.

Measure: User identification and authorization
Description: Access to manage Power Accelerate’s Microsoft Azure environment requires multi-factor authentication, management access to the Service is logged, and access to Customer Data is restricted to a limited set of approved Power Accelerate employees. Azure networking features such as security groups are used to restrict access to Azure instances and resources and are configured according to the principle of least privilege. Employees are trained on documented information security and privacy procedures. Every Power Accelerate employee signs a data access policy that binds them to the terms of Power Accelerate’s data confidentiality policies, and access to Power Accelerate systems is promptly revoked upon termination of employment.

Measure: Protection of data during transmission
Description: Customer Data is encrypted in transit and encrypted at rest. The connection to https://make.poweraccelerate.com is encrypted with at least 128-bit encryption and supports TLS 1.2 and above. Logins and sensitive data transfers are performed over encrypted protocols such as TLS.

Measure: Protection of data during storage
Description: Customer Data is stored cross-regionally with Microsoft Azure. Data backups are encrypted. Customer Data is encrypted at rest with 256-bit AES keys.

Measure: Physical security
Description: Power Accelerate uses Microsoft Azure to provide management and hosting of production servers and databases in Europe. Microsoft employs a robust physical security program with multiple certifications, including SSAE 16 and ISO 27001 certification.

Measure: Logging
Description: Access to Power Accelerate critical systems is restricted, monitored, and logged. At a minimum, log entries include date, timestamp, action performed, and the user ID or device ID of the actor. The level of additional detail recorded by each audit log is proportional to the amount and sensitivity of the information stored and/or processed on that system. All logs are protected from change.

Measure: System configuration
Description: To prevent and minimize the potential for threats to Power Accelerate’s systems, baseline configurations are required prior to deployment of any user, network, or production equipment. Systems are centrally managed and configured to detect and alert on suspicious activity.

Measure: IT Security Governance and Management
Description: IT Security Governance and Management structures and processes are designed to ensure compliance with data protection principles and their effective implementation. Power Accelerate maintains a formal information security program. The Power Accelerate Team is responsible for implementing security controls and monitoring Power Accelerate for suspicious activity. Policies and Procedures, including the Power Accelerate Information Security Policy, are updated on an annual basis and reviewed and approved by Management. Senior management meets with the board of directors to review business objectives, projects, resource needs, and risk mitigation activities, including results from internal and external assessments.

Measure: Data quality
Description: Power Accelerate maintains web server and application log details that include any changes to sensitive configuration settings and files. At a minimum, log entries include date, timestamp, action performed, and the user ID or device ID of the actor. Logs are protected from change. Users who would like to exercise their rights under applicable law to update information that is out of date or incorrect may do so at any time by emailing info@poweraccelerate.com.
ANNEX III – SUBPROCESSORS
Customer has authorized the use of Subprocessors as set forth in Section 4 of the DPA.