Data Processing Addendum
This Data Processing Addendum, including the Standard Contractual Clauses where applicable (“DPA”), is entered into between Power Accelerate BV (“Power Accelerate”) and the customer entity (“Customer”) identified in the applicable subscription agreement governing use of the Power Accelerate Service (the “Agreement”). This DPA is incorporated by reference into the Agreement. All capitalized terms used in this DPA but not defined will have the meaning set forth in the Agreement. To the extent of any conflict or inconsistency between this DPA, any previously executed data processing agreement, and the remaining terms of the Agreement, this DPA will govern. Power Accelerate and Customer are each referred to herein as a “Party” and collectively as the “Parties.”
In the course of providing the Service under the Agreement, Power Accelerate may Process certain Personal Data (such term defined below) on behalf of Customer. Where Power Accelerate Processes such Personal Data on behalf of Customer, the Parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.
“Applicable SCCs” means the Standard Contractual Clauses (i.e. EU SCCs and/or UK SCCs) that apply to Personal Data Processed pursuant to this DPA.
“Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the Swiss Federal Data Protection Act, and the United Kingdom Data Protection Act of 2018. For the avoidance of doubt, if Power Accelerate’s Processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this DPA.
“Data Subject” means an identified or identifiable natural person about whom Personal Data relates.
“EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, completed as set forth in Schedule A to this DPA.
“Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Privacy Laws, that is Processed in the performance of the Service under the Agreement, but does not include the Parties’ business contact information (specifically, business addresses, phone numbers, and email addresses) used solely to facilitate the Parties’ communications for administration of the Agreement.
“Personal Data Breach” means any accidental, unlawful or unauthorized access, acquisition, use, modification, disclosure, loss, destruction of or damage to Personal Data or any other unauthorized Processing of Personal Data.
“Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Service” means the services Power Accelerate is obligated to provide pursuant to the Agreement.
“Subprocessor” means any Power Accelerate affiliate or other direct or indirect subcontractor with which Power Accelerate contracts to Process Personal Data in relation to the Agreement.
“UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/), completed as set forth in this DPA.
2. Relationship of the Parties and Scope
a. Power Accelerate as a Processor. The Parties acknowledge and agree that with regard to Personal Data, Customer is a “Controller” and Power Accelerate is a “Processor,” as such terms are defined by Data Privacy Laws. For purposes of the CCPA, Customer is a “business,” and Power Accelerate is a “service provider,” as such terms are defined in the CCPA. In some circumstances, Customer may be a Processor of Personal Data, in which case Customer appoints Power Accelerate as its Subprocessor, which shall not change the obligations of either Customer or Power Accelerate under this DPA.
b. Processing Details. The details of the Processing are set forth in Annex I.B of the EU SCCs (Schedule A).
c. Processing Limitations.
i. Power Accelerate will Process Personal Data solely: (1) to fulfill its obligations to Customer under the Agreement, including this DPA; (2) on Customer’s behalf; (3) in accordance with Customer’s instructions, which include the terms of this DPA; and (4) in compliance with Data Privacy Laws. Power Accelerate will not sell Personal Data or otherwise Process Personal Data for any purpose other than for the specific purposes set forth herein. For purposes of this paragraph, “sell” shall have the meaning set forth in the CCPA.
ii. Where explicitly required by Data Privacy Laws, Power Accelerate shall (1) implement the same degree of security to protect Personal Data as required by Data Privacy Laws; (2) as set forth in Section 6 (Customer’s Audit Rights), grant Customer the right to take reasonable and appropriate steps to (a) ensure Power Accelerate uses the Personal Data consistent with Customer’s obligations and (b) upon notice, stop and remediate any unauthorized use of Personal Data; and (3) notify Customer if it can no longer meet its obligations under this DPA.
d. Compliance with Laws. Power Accelerate will comply with all Data Privacy Laws applicable to Power Accelerate in its role as provider of the Service. Customer will comply with all applicable Data Privacy Laws relevant to use of the Service, including by obtaining any consents and providing any notices required under applicable Data Privacy Laws for Power Accelerate to provide the Service. Customer will ensure that Customer and its Authorized Users are entitled to transfer the Personal Data to Power Accelerate so that Power Accelerate and its Subprocessors may lawfully Process the Personal Data in accordance with this DPA. Power Accelerate will promptly inform Customer if, in Power Accelerate’s opinion, an instruction from Customer infringes Data Privacy Laws.
e. Certification. Power Accelerate hereby certifies that it understands the restrictions and obligations set forth in this DPA and that it will comply with them.
3. Assistance and Cooperation
a. Data Subject Requests. Taking into account the nature of the Processing and to the extent legally permitted, Power Accelerate will promptly notify Customer, or refer the individual back to the Customer, if Power Accelerate receives any requests from an individual seeking to exercise any rights afforded to them under Data Privacy Laws regarding their Personal Data. Power Accelerate shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a request from a Data Subject to exercise rights under applicable Data Privacy Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Power Accelerate’s provision of such assistance, including any fees associated with provision of additional functionality.
b. Complaints or Requests for Personal Data. Power Accelerate will promptly notify Customer of (1) any third-party or Data Subject complaints regarding the Processing of Personal Data; or (2) any government or Data Subject requests for access to or information about Power Accelerate’s Processing of Personal Data on Customer’s behalf, unless prohibited by applicable laws. Power Accelerate will provide Customer with reasonable cooperation and assistance in relation to any such request.
c. Data Protection Impact Assessment. Taking into account the nature of the Processing and the information available to Power Accelerate, Power Accelerate will provide reasonable assistance to and cooperation with Customer for Customer’s performance of any legally required data protection impact assessment of the Processing or proposed Processing of Personal Data involving Power Accelerate in the form of publicly-available documentation for the Service. Additional support for data protection impact assessments may require mutual agreement on fees, the scope of Power Accelerate’s involvement, and any other terms that the Parties deem appropriate.
d. Supervisory and Other Regulatory Authorities. Power Accelerate shall provide reasonable assistance to and cooperation with Customer for Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to Power Accelerate under Data Privacy Laws to consult with a regulatory authority in relation to Power Accelerate’s Processing or proposed Processing of Personal Data.
a. Appointment of Subprocessors. Customer acknowledges and agrees that Power Accelerate’s Affiliates and certain third parties may be retained as subprocessors (“Subprocessors”) to Process Personal Data on Power Accelerate’s behalf in order to provide the Service. Power Accelerate will impose contractual obligations on any Subprocessor Power Accelerate appoints requiring it to protect Customer Personal Data to standards which are no less protective than those set forth under this DPA. Power Accelerate remains liable for its Subprocessors’ performance under this DPA to the same extent Power Accelerate is liable for its own performance.
b. Notification of New Subprocessors. Customer can reach out to email@example.com to obtain a list of its current Subprocessors.
c. Right to Object to Subprocessors. Customer may object to Power Accelerate’s use of a new Subprocessor by notifying Power Accelerate promptly in writing at firstname.lastname@example.org (with its reasonable grounds for objection) within ten (10) business days after receipt of Power Accelerate’s notice. In the event Customer objects to a new Subprocessor on reasonable grounds, Power Accelerate will use commercially reasonable efforts to make available to Customer a change in the Service or Customer’s configuration or use of the Service to avoid Processing of Personal Data by the objected-to new Subprocessor. If Power Accelerate is unable to make available such change within a reasonable period of time, which will not exceed thirty (30) days, either Party may upon written notice terminate without penalty the applicable Order(s) or the Agreement. Customer will receive a prorated refund of any prepaid amounts for any remaining time under the applicable Order(s) or the Agreement.
a. Security Measures. Power Accelerate will use appropriate technical and organizational measures to protect Personal Data that it Processes, as described in the Power Accelerate Security Program Addendum located at https://poweraccelerate.com/spa/. Such measures will take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risk. Power Accelerate will ensure that the persons Power Accelerate authorizes to Process Personal Data are subject to written confidentiality agreements or a statutory obligation of confidentiality.
b. Power Accelerate’s Security Assistance. Customer agrees that Power Accelerate will (taking into account the nature of the Processing of Personal Data and the information available to Power Accelerate) assist Customer in ensuring compliance with any of Customer’s obligations in respect of security of Personal Data, including if applicable Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by implementing and maintaining the security measures set forth in Annex II to the EU SCCs (Schedule A). Power Accelerate may update the security it implements so long as overall security of Personal Data is not reduced.
6. Customer’s Audit Rights
a. Audit Rights. If required by Data Privacy Laws applicable to Personal Data, Power Accelerate will allow Customer or an independent auditor appointed by Customer to conduct audits (including inspections) to verify Power Accelerate’s compliance with its obligations under this DPA in accordance with Section 6(c) (Additional Business Terms for Reviews and Audits). Power Accelerate will contribute to such audits as described in Section 5(b) (Power Accelerate’s Security Assistance) and this Section 6 (Customer’s Audit Rights).
b. Standard Contractual Clauses. If Customer has entered into EU SCCs or UK SCCs as described in Section 8 (International Transfers of Personal Data), Power Accelerate will, without prejudice to any audit rights of a supervisory authority under such Applicable SCCs, allow Customer or an independent auditor appointed by Customer to conduct audits as described in the Applicable SCCs in accordance with Section 6(c) (Additional Business Terms for Reviews and Audits).
c. Additional Business Terms for Reviews and Audits
i. Customer may exercise its right to audit Power Accelerate under Sections 6(a) and 6(b) where (1) there has been a Personal Data Breach within the previous six (6) months or there is reasonable suspicion of a Personal Data Breach within the previous six (6) months, or (2) Customer will pay all reasonable costs and expenses incurred by Power Accelerate in making itself available for an audit. If a third party is to conduct the audit, the third party must be mutually agreed to by Customer and Power Accelerate and must execute a written confidentiality agreement acceptable to Power Accelerate before conducting the audit. Except for audits conducted pursuant to Section 6(c)(i)(1), Customer may invoke its audit right no more than once annually.
ii. To request an audit under Sections 6(a) or 6(b), Customer must submit a detailed audit plan to Power Accelerate at email@example.com at least thirty (30) days in advance of the proposed audit date, describing the proposed scope, duration, and start time of the audit. The scope may not exceed a review of Power Accelerate’s compliance with the Applicable SCCs or its compliance with the Data Privacy Laws necessitating the audit, in each case with respect to the Personal Data. The audit must be conducted during regular business hours at the applicable facility, subject to Power Accelerate policies, and may not interfere with Power Accelerate business activities.
iii. Following receipt by Power Accelerate of a request for an audit under Sections 6(a) or 6(b), Power Accelerate and Customer will discuss and agree in advance on the reasonable start date, scope, and duration of any audit under Sections 6(a) or 6(b).
iv. Customer will be responsible for any fees it incurs, including any fees charged by any auditor appointed by Customer to execute any such audit.
v. Customer will provide Power Accelerate any audit reports generated in connection with any audit under this section, unless prohibited by law. Customer may use the audit reports only to meet its regulatory audit requirements and to confirm compliance with the requirements of the Applicable SCCs or the Data Privacy Law necessitating the audit. The audit reports, and all information and records observed or otherwise collected in the course of the audit, are Confidential Information of Power Accelerate under the terms of the Agreement.
vi. Power Accelerate may object in writing to an auditor appointed by Customer if the auditor is, in Power Accelerate’s reasonable opinion, not suitably qualified or independent, a competitor of Power Accelerate, or otherwise manifestly unsuitable. Any such objection by Power Accelerate will require Customer to appoint another auditor or conduct the audit itself.
vii. Nothing in this DPA will require Power Accelerate either to disclose to Customer or its auditor, or to allow Customer or its auditor to access: (a) any data of any other customer of Power Accelerate; (b) Power Accelerate’s internal accounting or financial information; (c) any trade secret of Power Accelerate; (d) any information that, in Power Accelerate’s reasonable opinion, could: (i) compromise the security of Power Accelerate systems or premises; or (ii) cause Power Accelerate to breach its obligations under applicable law or its security and/or privacy obligations to Customer or any third party; or (e) any information that Customer or its third party auditor seeks to access for any reason other than the good faith fulfilment of Customer’s obligations under the Applicable SCCs or the Data Privacy Law necessitating the audit.
d. No Modification of Applicable SCCs. Nothing in this Section 6 varies or modifies any rights or obligations of Customer or Power Accelerate under any Applicable SCCs entered into as described in Section 8 (International Transfers of Personal Data).
7. Personal Data Breaches
a. Personal Data Breach Notification and Response. Power Accelerate will comply with the Personal Data Breach-related obligations directly applicable to it under Data Privacy Laws. Power Accelerate shall notify Customer of a confirmed Personal Data Breach of which Power Accelerate becomes aware without undue delay and in any event no later than seventy-two (72) hours following such confirmation. To the extent available, this notification will include Power Accelerate’s then-current assessment of the following:
i. the nature of the Personal Data Breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
ii. the likely consequences of the Personal Data Breach; and
iii. measures taken or proposed to be taken by Power Accelerate to address the Personal Data Breach including, where applicable, measures to mitigate its possible adverse effects.
b. Additional Notifications. Power Accelerate will provide timely and periodic updates to Customer as additional information regarding the Personal Data Breach becomes available. Customer acknowledges that any updates may be based on incomplete information.
c. No Assessment of Personal Data by Power Accelerate. Power Accelerate will not assess the contents of Personal Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with legal requirements for incident notification applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breach.
d. No Acknowledgment of Fault by Power Accelerate. Power Accelerate’s notification of or response to a Personal Data Breach under this Section 7 will not be construed as an acknowledgement by Power Accelerate of any fault or liability with respect to the Personal Data Breach.
e. Compliance with Law. Nothing in this DPA or in the Applicable SCCs will be construed to require Power Accelerate to violate, or delay compliance with, any legal obligation it may have with respect to a Personal Data Breach or other security incidents generally.
8. International Transfers of Personal Data
a. Transfer Authorization. Customer authorizes Power Accelerate and its Subprocessors to make international transfers of the Personal Data in accordance with this DPA so long as applicable Data Privacy Laws for such transfers are respected.
b. Transfers from the EEA. With respect to Personal Data transferred from the European Economic Area (“EEA”), the EU SCCs incorporated herein shall apply, form part of this DPA, and take precedence over the rest of this DPA as set forth in the EU SCCs. They will be deemed completed as follows:
i. Where Customer acts as a controller and Power Accelerate acts as Customer’s processor with respect to the Personal Data subject to the EU SCCs, its Module 2 applies. Where Customer acts as a processor and Power Accelerate acts as Customer’s subprocessor with respect to the Personal Data subject to the EU SCCs, its Module 3 applies.
ii. Clause 7 (the optional docking clause) is included.
iii. Under Clause 9 (Use of sub-processors), the Parties select Option 2 (General written authorization).
iv. Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
v. Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The Parties select the law of Ireland.
vi. Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of Ireland.
vii. Annexes I-III of the EU SCCs are set forth in Schedule A of the DPA.
viii. By entering into this DPA, the Parties are deemed to be signing the EU SCCs and its applicable Annexes.
c. Transfers from Switzerland. With respect to Personal Data transferred from Switzerland for which Swiss law (and not the law in any EEA jurisdiction) governs the international nature of the transfer, references to the GDPR in Clause 4 of the EU SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of supervisory authority shall include the Swiss Federal Data Protection and Information Commissioner.
d. Transfers from the United Kingdom. With respect to Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any EEA jurisdiction) governs the international nature of the transfer, the UK SCCs form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs, unless the United Kingdom issues updates to the UK SCCs that, upon notice from Customer, will control. Undefined capitalized terms used in this provision shall mean the definitions in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows:
i. Table 1 of the UK SCCs: (1) the Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in Schedule A; (2) the Key Contact shall be the contacts set forth in Schedule A.
ii. Table 2 of the UK SCCs: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties.
iii. Table 3 of the UK SCCs: Annex 1A, 1B, II, and III shall be set forth in Schedule A.
iv. Table 4 of the UK SCCs: Either Party may end this DPA as set out in Section 19 of the UK SCCs.
v. By entering into this DPA, the Parties are deemed to be signing the UK SCCs and its applicable Tables and Appendix Information.
e. Alternative Data Transfer Mechanism. If Power Accelerate adopts an alternative data transfer mechanism (including any new version of or successor to the Applicable SCCs adopted pursuant to Data Privacy Laws) for the transfer of Personal Data that is not described in this DPA (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism will apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Data Privacy Laws).
9. Additional Safeguards for Transfers
a. Additional Safeguards. To the extent that Power Accelerate Processes Personal Data of Data Subjects located in or subject to the applicable Data Privacy Laws of the EEA, Switzerland, or the United Kingdom, Power Accelerate agrees to the following safeguards in this Section 9 to protect such data to an equivalent level as applicable Data Privacy Laws.
b. Notification of Law Enforcement Requests. Power Accelerate will inform Customer of any request for disclosure of Personal Data by a law enforcement, civil, administrative, national or public security or other competent authority outside Europe, including but not limited to pursuant to the U.S. Foreign Intelligence Surveillance Act (FISA) §702, Executive Order (E.O.) 12333, the Stored Communications Act (18 U.S.C. § 2703), the CLOUD Act (18 U.S.C. § 2523) (each a “Law Enforcement Request”), unless Power Accelerate is otherwise prohibited under applicable law.
c. Challenging Demands. Power Accelerate will use all reasonably available legal mechanisms to challenge any Law Enforcement Requests it receives as well as any non-disclosure provisions attached thereto.
d. Notification of Inability to Comply. Power Accelerate will promptly notify Customer if Power Accelerate can no longer comply with the Applicable SCCs or the clauses in this Section. Power Accelerate shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Customer to terminate the Agreement (or, at Customer’s option, affected statements of work, Order Forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder. This is without prejudice to Customer’s other rights and remedies with respect to a breach of the Agreement.
10. Return and Deletion of Personal Data
a. Deletion Upon Termination. Upon termination of the Agreement and written verified request from Customer’s authorized representative (which for purposes of this section is either a billing owner or an administrator of Customer’s Account or a Customer personnel who has confirmed in writing that they are authorized to make decisions on behalf of the Customer), Power Accelerate will delete Personal Data as specified in the Agreement, unless prohibited by applicable law.
SCHEDULE A
Annex I
A. LIST OF PARTIES
Customer, a user of the Power Accelerate Service
As listed in the Agreement
Contact person’s name, position and contact details:
As listed in the Agreement
Activities relevant to the data transferred under these Clauses:
As described in Section B below
Controller and/or Processor
Power Accelerate BV (“Power Accelerate”)
Emiel Van Hammestraat 12, 2570 Duffel, Belgium
Contact person’s name, position and contact details:
Activities relevant to the data transferred under these Clauses:
Data importer will process the data in order to provide the Service pursuant to the Agreement.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
- The categories of data subjects whose personal data is transferred are determined solely by the data exporter. In the normal course of the data importer’s Service, the categories of data subject might include (but are not limited to): the data exporter’s personnel, customers, service providers, business partners, affiliates, and other end users.
Categories of personal data transferred
- The categories of personal data transferred are determined solely by the data exporter. In the normal course of the data importer’s Service, the categories of personal data transferred might include (but are not limited to): name, email address, telephone, title, and feature flag configuration entered by the data exporter or its end users.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- The data importer does not intentionally or knowingly process any special category data. However, the categories of personal data transferred are determined solely by the data exporter.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
- The Personal Data shall be transferred continuously for as long as Power Accelerate provides the Service pursuant to the Agreement.
Nature of the processing
- The nature of the processing consists of collecting, storing and transferring Personal Data to facilitate Power Accelerate’s provision of the Service to Customer as further described in the Agreement.
Purpose(s) of the data transfer and further processing
- The purpose of the data transfer is so that Power Accelerate can provide the Service to Customer as further described in the Agreement. There is no processing other than as set forth above.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
- The Personal Data shall be retained as directed by Customer as needed to provide the Services pursuant to the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
- Same as above
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13: Irish Data Protection Commission for Personal Data from the EEA; United Kingdom Information Commissioner’s Office for Personal Data from the United Kingdom
Annex II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Power Accelerate emphasizes the following principles in the design and implementation of its security program and practices: (a) physical and environmental security to protect the Service against unauthorized access, use, or modification; (b) maintaining availability for operation and use of the Service; (c) confidentiality to protect customer data; and (d) integrity to maintain the accuracy and consistency of data over its life cycle.
Pseudonymization and encryption of personal data
Customer Data is encrypted in transit and encrypted at rest. The connection to https://make.poweraccelerate.com is encrypted with at least 128-bit encryption and supports TLS 1.2 and above. Logins and sensitive data transfer are performed over encrypted protocols such as TLS.
Confidentiality, integrity, availability and resilience of processing systems and services
Power Accelerate maintains an information security program, which includes: (a) having a formal risk management program; (b) conducting risk assessments of all systems and networks that process Customer Data; (c) maintaining a tiered remediation plan to ensure timely fixes to any discovered vulnerabilities, a written information security policy, and an incident response plan that explicitly addresses and provides guidance to its personnel in furtherance of the security, confidentiality, integrity, and availability of Customer Data; (d) monitoring for security incidents; and (e) having resources responsible for information security efforts.
Restoration and availability of personal data
Customer Data is in multiple Azure availability zones and regions for resiliency.
Testing, assessing, and evaluating security measures
To the extent Power Accelerate determines, in its sole discretion, that any remediation is required based on the results of such testing, it will perform such remediation within a reasonable period of time taking into account the nature and severity of the identified issue.
User identification and authorization
Access to manage Power Accelerate’s Microsoft Azure environment requires multi-factor authentication, management access to the Service is logged, and access to Customer Data is restricted to a limited set of approved Power Accelerate employees. Azure networking features such as security groups are leveraged to restrict access to Azure instances and resources and are configured to restrict access using the principle of least privilege. Employees are trained on documented information security and privacy procedures. Every Power Accelerate employee signs a data access policy that binds them to the terms of Power Accelerate’s data confidentiality policies and access to Power Accelerate systems is promptly revoked upon termination of employment.
Protection of data during transmission
Customer Data is encrypted in transit and encrypted at rest (and remains encrypted at rest). The connection to https://make.poweraccelerate.com is encrypted with 128-bit encryption and supports TLS 1.2 and above. Logins and sensitive data transfer are performed over encrypted protocols such as TLS.
Protection of data during storage
Customer Data is stored cross-regionally with Microsoft Azure. Data backups are encrypted. Customer Data is encrypted at rest with AES 256-bit secret keys.
Power Accelerate uses Microsoft Azure to provide management and hosting of production servers and databases in Europe. Microsoft employs a robust physical security program with multiple certifications, including SSAE 16 and ISO 27001 certification.
Access to Power Accelerate critical systems is restricted, monitored, and logged. At a minimum, log entries include date, timestamp, action performed, and the user ID or device ID of the action performed. The level of additional detail to be recorded by each audit log will be proportional to the amount and sensitivity of the information stored and/or processed on that system. All logs are protected from change.
To prevent and minimize the potential for threats to Power Accelerate’s systems, baseline configurations are required prior to deployment of any user, network, or production equipment. Systems are centrally managed and configured to detect and alert on suspicious activity.
IT Security Governance and Management
IT Security Governance and Management structures and processes are designed to ensure compliance with data protection principles and their effective implementation. Power Accelerate maintains a formal information security program. The Power Accelerate Team is responsible for implementing security controls and monitoring Power Accelerate for suspicious activity. Policies and Procedures, including the Power Accelerate Information Security Policy, are updated on an annual basis and reviewed and approved by Management. Senior management meets with the board of directors to review business objectives, projects, resource needs, and risk mitigation activities, including results from internal and external assessments.
Power Accelerate maintains web server and application log details that include any changes to sensitive configuration settings and files. At minimum, log entries include date, timestamp, action performed, and the user ID or the device ID of the action performed. Logs are protected from change. Users who would like to exercise their rights under applicable law to update information which is out of date or incorrect may do so at any time by emailing firstname.lastname@example.org.
ANNEX III – SUBPROCESSORS
Customer has authorized the use of Subprocessors as set forth in Section 4 of the DPA.