Order Processing Contract in accordance with Art. 28 GDPR


InLoox GmbH

Order Processing Contract in accordance with Art. 28 GDPR

Version: June 15, 2021

Agreement

between the

customer of InLoox GmbH
- Party responsible - hereinafter referred to as the Client -

and

InLoox GmbH, Walter-Gropius-Strasse 17, D-80807 München
- Order processor - hereinafter referred to as the Contractor -

1. Subject matter and duration of the order

(1) The subject matter of the order depends on the respective order of the customer and the general terms and conditions referenced therein, which are referred to altogether here (hereinafter referred to as “Service Agreement”).

(2) The duration of this order (term) is the same as the term of the Performance Agreement.

2. Specification of the order content

(1) The type and purpose of the processing of personal data by the Contractor for the Client are described specifically in the Service Agreement. The Contractor will provide the following services in particular for the Client within the framework of the Service Agreement:

  • installation of a project management software in computer systems operated by the Client;
  • provision of maintenance services in computer systems operated by the Client;
  • installation, operation and maintenance of a project management software on servers of the named subcontractor of the Contractor.

The provision of the contractually agreed data processing will be carried out by the Contractor itself exclusively in a member state of the European Union or in another contracting country of the Agreement on the European Economic Area. Any other relocation to a third country requires the prior permission of the Client and may only take place if the specific requirements in accordance with Art. 44 et seqq. GDPR are fulfilled. This consent can be granted for individual processing cases named in this Contract for one specific third country at a time, even with regards to subcontracting relationships. Where expressly indicated in Appendix 1 - Technical and Organisational Measures - individual processing operations take place outside a Member State of the European Union or in another Contracting State to the Agreement on the European Economic Area; in these cases, however, the appropriate level of protection is always guaranteed in the third country (see Appendix 2) and ensured by the measures specified in Appendix 1. Any other transfer to a third country requires the prior consent of the Client and may only take place if the special requirements of Art. 44 et seqq. GDPR are fulfilled. Such consent may be granted for individual processing operations referred to in this contract for a specific third country, including in respect of subcontracting relationships.

(2) The subject matter of the processing of personal data is the following data types/categories (list/description of the data categories):

  • Personal master data
  • Communication data (e.g. phone number, email address)
  • Address details
  • Contract master data (contractual relationship, product and contractual interests)
  • Customer history
  • Contract billing and payment data
  • Planning and management data, including resources
  • Other data, if entered by the customer (e.g. date of birth, proficiencies)

(3) The categories of the persons concerned by the processing include:

  • Employees
  • Suppliers and external service providers
  • Customers
  • Business partners
  • Interested parties
  • Other contact persons, if entered by the customer

3. Technical and organisational measures

(1) Before beginning the processing, the Contractor must document the implementation of the necessary technical and organisational measures specified before the placing of the order, in particular with regards to the specific order performance, and hand the documentation over to the Client for verification. Upon acceptance by the Client, the documented measures will form the basis of the order. If the verification/an audit by the Client results in a need for adjustment, this must be carried out mutually.

(2) The Contractor must establish the security in accordance with Art. 28(3)(c) and Art. 32 GDPR in particular in connection with Art. 5(1) and (2) GDPR. Altogether, the measures to be executed are measures for data protection and to guarantee a protection level appropriate to the risk in terms of the confidentiality, integrity, availability and capacity of the systems. The technical sophistication, the implementation costs, the type, extent and purpose of the processing, and the different likelihood of occurrence and severity of the risk for the rights and freedoms of natural persons within the meaning of Art. 32(1) GDPR must thereby be considered. The particular technical and organisational measures taken are listed in Appendix 1.

(3) The technical and organisational measures are subject to the technical progress and the further development. In this respect, the Contractor is permitted to implement alternative adequate measures. The security level of the set measures may thereby not fall below the minimum requirement. Significant changes must be documented.

4. Amendment, restriction and deletion of data

(1) The Contractor may not amend or delete data that is processed in the order, or restrict its processing, on its own authority, but may only do so after receiving documented instructions from the Client, if no statutory requirements oblige the Contractor to take action independently. Should a person concerned contact the Contractor directly in this respect, the Contractor will forward this solicitation immediately to the Client.

(2) If included in the scope of the service, the deletion plan, right to be forgotten, correction, data portability and information must be ensured directly by the Contractor after receiving documented instruction from the Client.

5. Quality assurance and other duties of the Contractor

In addition to compliance with the regulations of this order, the Contractor also has statutory duties in accordance with Art. 28 to Art. 33 GDPR; in this respect, it guarantees adherence to the following standards in particular:

a) Written appointment of a data protection officer who carries out his or her activities in accordance with Art. 38 and Art. 39 GDPR. The contact details of the data protection officer must be shared with the Client upon contract conclusion. Changes of the data protection officer must be reported to the Client immediately.

b) The safeguarding of confidentiality in accordance with Art. 28(3)(2)(b), Art. 29 and Art. 32(4) GDPR. When carrying out its work, the Contractor will only use employees who are bound to confidentiality and have been familiarised beforehand with the data protection provisions relevant to them. The Contractor and any person subordinate to the Contractor who has access to personal data may only process this data in accordance with the instructions of the Client, including the authorisations granted in this Contract, unless they are legally obliged to process the data.

c) The implementation of and compliance with all technical and organisational measures necessary for this order in accordance with Art. 28(3)(2)(c) and Art. 32 GDPR. The details are listed in Appendix 1.

d) The Client and the Contractor will work together with the supervisory authority, upon request, in the performance of their tasks.

e) The immediate informing of the Client about control actions and measures by the supervisory authorities, if they relate to specific and fundamental assignments and if such information is not prohibited by law. This also applies if a competent authority is carrying out an investigation of the order processing by the Contractor in relation to the processing of personal data, within the framework of administrative offence or criminal proceedings.

f) If the Client is subject in turn to an examination by the supervisory authority, administrative offence or criminal proceedings, the liability claim of a person concerned or a third party, or another claim in connection with the order processing by the Contractor, the Contractor must support it to the best of its abilities, to the extent legally permitted.

g) The Contractor will regularly control the internal processes, as well as the technical and organisational measures, in order to guarantee that the processing within its area of responsibility takes place in accordance with the requirements of the applicable data protection law, and that the protection of the rights of the person concerned is guaranteed.

h) Verifiability of the technical and organisational measures for the Client within the framework of its control authorisation in accordance with Section 7 of this Contract.

6. Subcontracting relationships

(1) Subcontracting relationships within the meaning of this rule are such services that relate directly to the provision of the main service. These do not include secondary services that the Contractor uses, e.g. in the form of telecommunications services, post/transport services, maintenance and user services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and capacity of hardware and software of data processing systems. However, the Contractor is obliged to also use appropriate and lawful contractual agreements and control measures to guarantee the data protection and data privacy of the Client’s data in the case of outsourced secondary services.

(2) The Contractor may only assign subcontractors (other order processors) after receiving prior explicit written permission or documented permission from the Client.

a) The Client agrees to the tasking of the subcontractors named in Appendix 2 under the condition of a contractual arrangement in accordance with Art. 28(2-4) GDPR.

b) Changes of the existing subcontractor are permitted provided that:

  • the Contractor notifies the Client of such outsourcing to subcontractors 14 days in advance at the latest, in writing or in text form, and
  • the Client does not send the Contractor an objection, in writing or in text form, to the planned outsourcing by the time of the transfer of the data, and
  • a contractual agreement in accordance with Art. 28(2-4) GDPR is set as a basis.

(3) If the subcontractor provides the agreed service outside the EU/EEA, the Contractor will ensure legitimacy under data protection law by corresponding measures. The same applies if service providers within the meaning of Sect. 1(2) are used.

(4) Any further outsourcing by the subcontractor requires the explicit permission of the main client (text form at least). All contractual regulations in the contract chain must also be imposed on the other subcontractor. The technical and organisational measures of subcontractors must comply with the technical and organisational measures defined herein and may only fall below the level agreed herein in justified circumstances.

7. Control rights of the Client

(1) The Client has the right, in consultation with the Contractor, to carry out reviews or have reviews carried out by examiners named on a case-by-case basis. It has the right to convince itself of the adherence to this Agreement by the Contractor in its business operations by means of random sample controls that must generally be announced in a timely manner and 14 days beforehand at the latest.

(2) The Contractor will ensure that the Client can be convinced of the adherence to the obligations of the Contractor in accordance with Art. 28 GDPR. The Contractor is obliged to share with the Client, upon request, the required information and in particular demonstrate the implementation of the technical and organisational measures.

(3) The demonstration of such measures that do not just concern the specific order can take place by:

  • the adherence to approved rules of conduct in accordance with Art. 40 GDPR;
  • the certification in accordance with an approved certification process in accordance with Art. 42 GDPR;
  • current attestations, reports or report extracts of independent entities (e.g. auditors, audits, data protection officers, IT security departments, data protection auditors, quality auditors);
  • suitable certification by IT security or data protection audits (e.g. in accordance with BSI Grundschutz).

8. Reporting of violations by the Contractor

(1) The Contractor will support the Client in the compliance with the duties for the security of personal data, reporting obligations in the event of data breaches, data protection impact assessments and prior consultations, named in Articles 32 to 36 GDPR. This includes, inter alia:

a) Ensuring a suitable protection level by means of technical and organisational measures that consider the circumstances and purpose of the processing and the forecasted probability and severity of a possible rights violation by security flaws, and enable immediate detection of relevant incidents of violation;

b) the obligation to immediately report breaches of personal data to the Client;

c) the obligation to support the Client within the framework of its obligation to provide information to the party concerned, and provide it with all relevant information in this regard immediately;

d) immediately forwarding solicitation from people concerned, e.g. right to information, to the Client;

e) supporting the Client in its data protection impact assessment;

f) supporting the Client within the framework of prior consultation with the supervisory authority.

(2) For support services that are not included in the service description or cannot be traced back to misconduct of the Contractor, the Contractor may claim a compensation. The basis for the calculation of the remuneration is the Service Agreement or the general remuneration rates of the Contractor for comparable activities.

9. Authority of the Client to issue instructions

(1) The Client will confirm verbal instructions immediately (text form at least).

(2) The Contractor must inform the Client immediately if it is of the opinion that an instruction violates data protection regulations. The Contractor is entitled to discontinue the implementation of the corresponding instruction until it is confirmed or changed by the Client.

10. Deletion and return of personal data

(1) Copies or duplicates of data will not be produced without the knowledge of the Client. Exceptions are backup copies, if they are necessary to guarantee proper data processing, and data that is necessary in terms of adherence to statutory retention obligations.

(2) After the completion of the contractually agreed work or earlier upon request by the Client – upon the termination of the Service Agreement at the latest – the Contractor must hand over all documents, processing and use results produced, and databases, that it obtains possession of in connection with the contractual relationship, to the Client or destroy them in accordance with data protection law after obtaining prior permission. The same applies for test and scrap material. The determination of the termination of the service agreement requires notification by the Client. With the declaration that the contractual relationship is to be terminated, the deletion period with regard to documents subject to retention shall also commence.

(3) Documentation that proves proper data processing that is suitable for the order must be stored by the Contractor in accordance with the respective retention periods beyond the end of the Contract. It may transfer it to the Client for its relief at the end of the Contract.

11. Other

The point of contact on the part of the Client, and also for data protection, is generally the point of contact named as the billing contact; this can be changed or added to at any time by the Client. The point of contact on the part of the Contractor is its respective data protection officer, which can be reached at inloox@ws-datenschutz.de.

Appendix 1 – Technical and Organisational Measures

A. Contractor:

1. Confidentiality (Art. 32(1)(b) GDPR)

  • Access control
    There is a difference between access control for the InLoox sites, access control for the secure areas within the InLoox sites and access control for the external data centres.
    • Access control, InLoox sites:
      • Locking systems (physical keys, chip cards or tokens)
      • Authorisation assignment (key management and general access authorisation)
      • Visitor control
      • Clean desk regulations
      • Access by third-party personnel (e.g. cleaning staff) to individual buildings or rooms is documented
    • Access control for secure areas within the InLoox sites:
      • Second, independent locking system (physical keys, fingerprint readers, chip cards or tokens)
      • Authorisation assignment (key management and general access authorisation)
      • Limited group of users
      • General visitor prohibition
    • Access control, data centres:
      There is a difference between data centres that InLoox operates within the framework of InLoox now! and for managed services, data centres that InLoox operates for internal use, e.g. administration, development, marketing and data centres for customer support.
      • Data centres for the operation of InLoox now! and for managed services:
        • InLoox does not operate its own data centres within the framework of InLoox now! or for managed services, but has hired Microsoft Data Centres in Germany. These data centres have various certifications, including ISO 27001.
        • The data centres are in Frankfurt am Main and Berlin. All databases are protected in accordance with German and European law.
        • The access authorisation for the data centres is personalised and restricted to a documented group of people.
        • The details about access control for the data centres are in Appendix 2 in the “Subcontractor Microsoft Data Centres in Germany” section.
        • The system notifies users that are stored in the project platform by e-mail about actions of other users. These e-mails are sent via SendGrid. SendGrid is located in the United States of America, with the same level of protection for these data centers being recognised by Standard Contract Clauses. For details see Appendix 2 in the "Subcontractor SendGrid Inc." section.
      • Data centres for internal use at InLoox:
        • InLoox has hired data centres in Microsoft Azure. These data centres have various certifications, including ISO 27001.
        • The data centres are in the European Union and in the United States of America. If personal data about citizens of the EU is placed in data centres outside the European Union, acknowledgement of the same protection level by Standard Contract Clauses exists for this data centre.
        • The access authorisation for the data centres is personalised and limited to a documented group of personnel.
        • Details about access control for the data centres are in Appendix 2, in the “Subcontractor Microsoft Azure” section.
      • Data centres for customer support:
        • InLoox uses Freshdesk, a software operated by Freshworks Inc., for support requests from customers submitted by e-mail or via a web form.
        • The use of a data centre in Frankfurt am Main, Germany, and a data processing agreement that conforms to data protection regulations are contractually regulated.
        • Details about access control for the data centres are in Appendix 2, in the “Subcontractor Freshworks Inc.” section.
  • Access control
    There is a difference between access control for the data centres, access control for the data centres for customer support, access control for the InLoox sites, access control via the internet, and general access control.
    • General access control:
      • Access authorisation is set up as necessary (principle of operational necessity)
      • Differentiation according to specialist area, and between normal, privileged and external accounts (group and role concept)
      • Authorisation approval and withdrawal process (documented processes when issuing/withdrawing authorisation)
      • There is a guideline for the blocking of computers.
      • Timeouts are configured in accordance with the technical possibilities.
      • The data carriers of stationary computers, laptops/notebooks and mobile data carriers are encrypted.
      • All access is secured with user names and passwords.
      • There are password complexity requirements.
      • Electronic and paper-bound information is deleted in accordance with data protection standards.
    • Access control via the internet:
      • Access to the data protection systems is generally protected with hardware firewalls.
      • Access to the data protection systems is protected by means of user names and passwords.
      • Access to data processing systems takes place by means of VPN technology and personal access data.
      • Remote access to the data processing systems is only permitted for a limited group of users.
      • Remote access to data protection relevant systems requires two-factor authentication.
      • Data protection relevant core systems are only available via the company network.
    • Access control at the InLoox sites:
      • Access to the in-house data processing systems is also protected via boot passwords specific to the specialist area.
      • There are clean desk regulations.
    • Access control in the data centres:
      • Remote maintenance access to the systems in the data centres is limited to certain IP address areas and InLoox sites (reduced access points).
      • Remote maintenance access to the systems in the data centres is reserved for special roles (minimised user group).
      • The security level for the data centres is within the scope of responsibility of Microsoft. As well as the physical security, this also includes the security of the environment and access control guidelines. Details about the access control of data centres are in Appendix 2, in the “Subcontractor Microsoft Data Centres in Germany” and “Subcontractor Microsoft Azure” sections.
    • Access control in the data centres for customer support:
      • Remote maintenance access to the systems in the data centres is limited to certain IP address areas and InLoox sites (reduced access points).
      • Remote maintenance access to the systems in the data centres is reserved for special roles (minimised user group).
      • The security level for the data centres is within the scope of responsibility of Freshworks. As well as the physical security, this also includes the security of the environment and access control guidelines. Details about the access control of data centres are in Appendix 2, in the “Subcontractor Freshworks Inc.” section.
  • Access and entry control
    In practice, access authorisation is often coupled with entry authorisation, so the measures for entry also have indirect effects on access.
    • Access authorisation is configured depending on necessity (principle of operational necessity).
    • Differentiation according to specialist area, and between normal, privileged and external accounts (group and role concept).
    • Authorisation approval and withdrawal process (documented processes when issuing/withdrawing authorisation).
    • There are password complexity requirements.
    • Electronic and paper-bound information is deleted in accordance with data protection standards.
  • Separation control
    • Separation of test and production systems (sandboxing)
    • Separate storage in different systems:
      • CRM / general customer data
      • ERP / accounting-relevant data
      • Service and support data
      • Production data of customers of InLoox now!
      • Production data of customers of managed services
    • Additional features for production data of customers of InLoox now!:
      • Each user account is thus implemented in its own isolated database schema (SQL schema separation).
      • Logical client separation
      • Definition of database rights
      • Multi-level authorisation concept: Different users have different rights to enter, change and delete data in the user interface.

2. Integrity (Art. 32(1)(b) GDPR)

  • Transfer control
    • All employees are contractually bound to confidentiality and secrecy.
    • All employees are contractually bound to § 88 TKG [Telecommunications Act].
    • The data carriers of stationary computers, laptops/notebooks and mobile data carriers are encrypted.
    • Web interfaces use secured connections (TLS/SSL) with key lengths that correspond to the current state of technology.
    • InLoox sites and remote connections to InLoox sites are secured via virtual private network (VPN) tunnels.
    • Access to the data entry systems is generally secured with hardware firewalls.
    • The deletion periods of the transferred data meet the statutory requirements and are established in the internal deletion concept.
    • For communication with external business partners, customers and service providers, state-of-the-art encryptions are used, if the communication partner wishes. The signatures used in the encryption are validated against the certification body.
  • Entry control
    There is a difference between the entry control of data that InLoox uses internally, e.g. for the management, development, support and marketing, and the entry control of production data of customers of InLoox now! and general entry controls.
    • General entry control:
      • Access takes place by means of individual user names and passwords.
      • A multi-level authorisation plan ensures that different users have different rights to enter, change and delete data in the user interface.
    • InLoox internal entry control:
      • Versioning of internal documents (document management).
      • Versioning of source codes (source code management).
      • Logging of support tickets (customer service management).
    • Entry control of production data of customers of InLoox now!:
      • Datasets include an issue, change and deletion label.

3. Availability and capacity (Art. 32(1)(b) GDPR)

  • Availability control
    There is a difference between the availability control of data that InLoox uses internally, e.g. for administration, development and marketing, the availability control of customer support data, the availability control of production data of customers of InLoox now! and the availability control of production data of customers of managed services.
    • Availability control of InLoox internal data:
      There is a difference between data processing systems that InLoox operates itself within the sites and data processing systems in external data centres that InLoox has hired.
      • Data processing systems within the InLoox sites:
        • Fire safety equipment (fire extinguishers, smoke and fire detectors), smoking ban
        • Uninterrupted power supply (UPS)
        • Air conditioning system
        • Use of RAID systems in the servers
        • Use of anti-virus
        • Data backup by replication of data at different InLoox sites and in external data centres.
      • Data processing systems in external data centres:
        • InLoox has hired data centres in Microsoft Azure. These data centres have various certifications, including ISO 27001.
        • Details about the availability control of the data centres are in Attachment 2 in the “Subcontractor Microsoft Azure” section.
    • Availability control of customer support data:
      • Details about the availability control of the data centres are in Attachment 2 in the “Subcontractor Freshworks Inc.” section.
    • Availability control of production data of customers of InLoox now! and for managed services:
      • InLoox does not operate its own data centres within the framework of InLoox now! and for managed services, but has hired Microsoft Data Centres in Germany. These data centres have various certifications, including ISO 27001.
      • The data centres are in Frankfurt am Main and Berlin. All databases are protected in accordance with German and European law.
      • Simultaneous provision in systems that are independent of one another (“hot spare” principle).
      • Details about the availability control of the data centres are in Attachment 2 in the “Subcontractor Microsoft Data Centres in Germany” section.
    • Additional characteristics regarding production data of InLoox now! customers:
      • Daily, fully-automated backups of the project databases. The retention time is 7 days (InLoox now! Professional) or 30 days (InLoox now! Enterprise). 
      • Backup option for the customer (self-service backup)
      • Quick recoverability by support staff
      • Geo-redundant document storage

4. Procedure for regular review, assessment and evaluation (Art. 32(1)(d) GDPR; Art. 25(1) GDPR)

  • Data protection management:
    • Audit planning and implementation of internal and external audits
    • Implementation of awareness-raising measures/regular staff training
    • Reporting
    • Risk management and analysis
    • Implementation of penetration tests
    • Data protection impact assessment and measure planning for new and changed sequences as a standard process
  • Process for handling data protection incidents:
    • Reporting obligation/reporting process
    • Regular staff training
  • Data protection friendly default settings:
    • Guidelines for private end devices used for business purposes (BYOD)
    • Guidelines for company end devices
    • Group and network security guidelines (domain policy)
  • Order control:
    No order data processing within the meaning of Art. 28 GDPR without corresponding instruction of the Client by
    • clear contract arrangement
    • formalised order management
    • strict selection and monitoring of the respective service provider/subcontractor

B. Subcontractors:

See also the references to the current state of the measures for each respective subcontractor in Appendix 2.

1. Microsoft Corporation, as of January 2020

Microsoft has implemented and will maintain for Customer Data in the Core Online Services the following security measures, which in conjunction with the security commitments in this DPA (including the GDPR Terms), are Microsoft’s only responsibility with respect to the security of that data.

Domain Practices
Organization of Information Security

Security Ownership. Microsoft has appointed one or more security officers responsible for coordinating and monitoring the security rules and procedures.

Security Roles and Responsibilities. Microsoft personnel with access to Customer Data are subject to confidentiality obligations.

Risk Management Program. Microsoft performed a risk assessment before processing the Customer Data or launching the Online Services service.

Microsoft retains its security documents pursuant to its retention requirements after they are no longer in effect.

Asset Management

Asset Inventory. Microsoft maintains an inventory of all media on which Customer Data is stored. Access to the inventories of such media is restricted to Microsoft personnel authorized in writing to have such access.

Asset Handling

  • Microsoft classifies Customer Data to help identify it and to allow for access to it to be appropriately restricted.
  • Microsoft imposes restrictions on printing Customer Data and has procedures for disposing of printed materials that contain Customer Data.
  • Microsoft personnel must obtain Microsoft authorization prior to storing Customer Data on portable devices, remotely accessing Customer Data, or processing Customer Data outside Microsoft’s facilities.

Human Resources Security

Security Training. Microsoft informs its personnel about relevant security procedures and their respective roles. Microsoft also informs its personnel of possible consequences of breaching the security rules and procedures. Microsoft will only use anonymous data in training.

Physical and Environmental Security

Physical Access to Facilities. Microsoft limits access to facilities where information systems that process Customer Data are located to identified authorized individuals.

Physical Access to Components. Microsoft maintains records of the incoming and outgoing media containing Customer Data, including the kind of media, the authorized sender/recipients, date and time, the number of media and the types of Customer Data they contain.

Protection from Disruptions. Microsoft uses a variety of industry standard systems to protect against loss of data due to power supply failure or line interference.

Component Disposal. Microsoft uses industry standard processes to delete Customer Data when it is no longer needed.

Communications and Operations Management

Operational Policy. Microsoft maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Customer Data.

Data Recovery Procedures

On an ongoing basis, but in no case less frequently than once a week (unless no Customer Data has been updated during that period), Microsoft maintains multiple copies of Customer Data from which Customer Data can be recovered.

  • Microsoft stores copies of Customer Data and data recovery procedures in a different place from where the primary computer equipment processing the Customer Data is located.
  • Microsoft has specific procedures in place governing access to copies of Customer Data.
  • Microsoft reviews data recovery procedures at least every six months, except for data recovery procedures for Azure Government Services, which are reviewed every twelve months.
  • Microsoft logs data restoration efforts, including the person responsible, the description of the restored data and where applicable, the person responsible and which data (if any) had to be input manually in the data recovery process.

Malicious Software. Microsoft has anti-malware controls to help avoid malicious software gaining unauthorized access to Customer Data, including malicious software originating from public networks.

Data Beyond Boundaries

  • Microsoft encrypts, or enables Customer to encrypt, Customer Data that is transmitted over public networks.
  • Microsoft restricts access to Customer Data in media leaving its facilities.

Event Logging. Microsoft logs, or enables Customer to log, access and use of information systems containing Customer Data, registering the access ID, time, authorization granted or denied, and relevant activity.

Access Control

Access Policy. Microsoft maintains a record of security privileges of individuals having access to Customer Data.

Access Authorization

  • Microsoft maintains and updates a record of personnel authorized to access Microsoft systems that contain Customer Data.
  • Microsoft deactivates authentication credentials that have not been used for a period of time not to exceed six months.
  • Microsoft identifies those personnel who may grant, alter or cancel authorized access to data and resources.
  • Microsoft ensures that where more than one individual has access to systems containing Customer Data, the individuals have separate identifiers/log-ins.

Least Privilege

  • Technical support personnel are only permitted to have access to Customer Data when needed.
  • Microsoft restricts access to Customer Data to only those individuals who require such access to perform their job function.

Integrity and Confidentiality

  • Microsoft instructs Microsoft personnel to disable administrative sessions when leaving premises Microsoft controls or when computers are otherwise left unattended.
  • Microsoft stores passwords in a way that makes them unintelligible while they are in force.

Authentication

  • Microsoft uses industry standard practices to identify and authenticate users who attempt to access information systems.
  • Where authentication mechanisms are based on passwords, Microsoft requires that the passwords are renewed regularly.
  • Where authentication mechanisms are based on passwords, Microsoft requires the password to be at least eight characters long.
  • Microsoft ensures that de-activated or expired identifiers are not granted to other individuals.
  • Microsoft monitors, or enables Customer to monitor, repeated attempts to gain access to the information system using an invalid password.
  • Microsoft maintains industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed.
  • Microsoft uses industry standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage.

Network Design. Microsoft has controls to avoid individuals assuming access rights they have not been assigned to gain access to Customer Data they are not authorized to access.

Information Security Incident Management

Incident Response Process

  • Microsoft maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and the procedure for recovering data.
  • For each security breach that is a Security Incident, notification by Microsoft (as described in the “Security Incident Notification” section above) will be made without undue delay and, in any event, within 72 hours.
  • Microsoft tracks, or enables Customer to track, disclosures of Customer Data, including what data has been disclosed, to whom, and at what time.

Service Monitoring. Microsoft security personnel verify logs at least every six months to propose remediation efforts if necessary.

Business Continuity Management

Microsoft maintains emergency and contingency plans for the facilities in which Microsoft information systems that process Customer Data are located.

Microsoft’s redundant storage and its procedures for recovering data are designed to attempt to reconstruct Customer Data in its original or last-replicated state from before the time it was lost or destroyed.

2. SendGrid Inc., as of April 2018

1. Network-Level Controls

a) SendGrid will use host-based firewall(s) to protect hosts/infrastructure handling Personal Data. The firewall(s) must be able to effectively perform the following functions: stateful inspection, logging, support for strong encryption and hashing, ICMP and SNMP based monitoring and antispoofing.

b) SendGrid will have network-based security monitoring for the segment(s) on which hosts handling Personal Data are logically located.

c) SendGrid will assess network-level vulnerabilities and address critical vulnerabilities within 30 days.

d) SendGrid will employ change management standards for network/infrastructure components handling Personal Data.

2. Hosting Level Controls

a) SendGrid will implement operating system hardening for hosts/infrastructure handling Personal Data. Operating system hardening includes, but is not limited to, the following configurations: strong password authentication/use of keys, inactivity time-out, disabling or removal of unused or expired accounts and services, turning off unused ports, and log management. In addition, SendGrid will implement access control processes and restrict access to operating system configurations based on the least privilege principle.

b) SendGrid will perform patch management on systems that host or handle Personal Data. SendGrid will implement critical patches within vendor recommended timeframes on systems that host or handle Personal Data, not to exceed 30 days after the patch is identified.

c) SendGrid will implement specific controls to log activities of users with elevated access to systems that host or handle Personal Data.

d) SendGrid will, at a minimum, assess system-level vulnerabilities on a monthly basis and address critical vulnerabilities within 30 days.

e) SendGrid will employ a comprehensive antivirus or endpoint security solution for endpoints which handle Personal Data.

f) Physical servers will be protected with appropriate physical security mechanisms, including but not limited to badged access, locked cages, secure perimeter, cameras, alarms, and enforced user provisioning controls.

3. Application-Level Controls

a) SendGrid will maintain documentation on overall application architecture, process flows, and security features for applications handling Personal Data.

b) SendGrid will employ secure programming guidelines and protocols in the development of applications processing or handling Personal Data.

c) SendGrid will regularly perform patch management on applications that host or handle Personal Data. SendGrid will implement critical patches within vendor recommended timeframes on all applications that host or handle Personal Data, not to exceed 30 days.

d) SendGrid will, at a minimum, assess application-level vulnerabilities on a monthly basis and address critical vulnerabilities within 30 days.

e) SendGrid will perform code review and maintain documentation of code reviews performed for applications that host or handle Personal Data.

f) SendGrid will employ change management standards for applications hosting or handling Personal Data.

4. Data-Level Controls

SendGrid will use strong encryption (TLS) for transmission of Personal Data that is considered Confidential Information. Data backups of Personal Data will be encrypted at rest and while in transit; however due to the dynamic nature of data in SendGrid’s production environment, Personal Data in SendGrid’s production databases will not be encrypted at rest.

5. End User Computing Level Controls

a. SendGrid will employ an end point security or antivirus solution for end user computing devices that handle Personal Data.

b. SendGrid will ensure that end user computing devices that handle Personal Data are encrypted.

6. Compliance Controls

a. SendGrid will make a good faith effort to operate within the parameters of SendGrid’s then-current Information Security Policy. This Policy will be provided to Customer in soft copy format upon request.

b. Notwithstanding any of the foregoing, SendGrid will adopt appropriate physical, technical and organizational security measures in accordance with industry standards, including but not limited to, building access control, employee education and personnel security measures.

3. Freshworks Inc., as of April 2019

Information Security Program 

  • Freshdesk, hereinafter referred to as “Processor”, has appointed one or more security officers responsible for coordinating and monitoring security policies and procedures.
  • Processor personnel with access to personal data are subject to confidentiality obligations.
  • Processor performs a risk assessment before processing personal data.
  • Processor provides security training ensuring its personnel are informed of security policies, procedures, and their respective roles.
  • Processor informs personnel of the possible consequences resulting from not following security policies and procedures.

Physical Access Control

  • Processor limits access to facilities where information systems that process personal data are located with badge-controlled access for authorized personnel.
  • Processor premises are monitored 24x7 by a security force utilizing CCTV or similar methods at all entry points.
  • Visitors to Processor’s premises must be accompanied by authorized personnel at all times and visits are logged in a visitor register.
  • Processor uses industry best practice security measures to protect against loss of data due to environmental disruptions such as loss of power or other interferences.

System Access Control

  • Processor maintains and updates a list of all authorized users that have access to personal data.
  • Processor has implemented measures to prevent unauthorized personnel from accessing data processing systems.
  • Processor may only grant access to personal data to any third party (except personnel and approved sub-contractors) with prior approval from Controller.
  • Processor ensures that access control is supported by an authentication system.

Data Access Control

  • The access rights of personnel to personal data are restricted to the necessary minimum required for their job functions.
  • Processor has measures in place to prevent use/installation of unauthorized hardware and/or software.
  • Processor has established rules for the safe and permanent destruction of data that are no longer required.

Transmission Control

  • Personal data is encrypted when transmitted over Processor’s internal network.
  • Personal data is encrypted when transmitted over public networks.

Input Control

  • Processor has established logging mechanisms that record data entry and deletion.
  • Processor is logging all activities in the area of data input, for example:
    • Unsuccessful access attempts;
    • Authority exceptions;
    • Privilege changes;
    • Data object owner changes;
    • Out of working hours access.
  • Processor is ensuring that logs are regularly inspected for security incidents.

Availability Control

  • Processor has business continuity plans and is regularly testing the business continuity concepts.
  • Processor implements backup processes and other measures that ensure rapid restoration of business critical systems as and when necessary.
  • Processor is using uninterrupted power supplies (for example: UPS, batteries, generators, etc.) to ensure power availability to the data centers.
  • Processor has sufficient capacity for data storage.
  • Processor has a disaster recovery plan in place and is regularly testing it.

Data Separation Control

  • Processor uses technical capabilities (multi-tenancy) to achieve data separation between the Personal Data of one customer and that of any other customer.
  • Due to the multi-tenant/shared SaaS model, there are no dedicated instances for each Customer.
  • Processor’s customers (including their affiliates) have access only to their respective own customer data and transactions.

Workstation Security

  • Freshworks contains the storage and processing of customer data to AWS Data Center.
  • A password protected keyboard/screen lock that is automatically activated by a period of inactivity is set. The inactivity time interval is no more than 30 minutes.
  • The password associated with a computer access user ID is the primary means of verifying Identity and subsequently allowing access to the computer and to the information. Identity verification password is kept secret and not shared with anyone else.
  • Identity verification passwords must not be trivial or predictable and must:
    • Be at least 8 positions in length
    • Contain a mix of alphabetic and non-alphabetic characters (numbers, punctuation or special characters) or a mix of at least two types of non-alphabetic characters.
    • Not contain the user ID as part of the password
  • The password must be changed at least once every three months (90 days). Digital-key-based dual authentication is used for authentication.

Information Security Incident Management

Processor maintains a record of security incidents with a description of the incident, the time period, the consequences, the name of the reporter or service, to whom the incident was reported, and the remediation.

Evaluation and certifications

Processor has obtained ISO 27001 certification regarding its data security and/or data protection systems and organization.

Appendix 2 – Approved subcontracting contracts

The order processors below are considered approved upon signing the Agreement:

Name of the order processor:

Microsoft Corporation

Subject of performance:

Microsoft Azure data centres that InLoox hires for internal use, e.g. for administration, development, support and marketing

Company head office and country:

One Microsoft Way, Redmond, Washington 98052, USA

Appropriate protection level (Art. 44 et seqq. GDPR):

Standard Contract Clauses * (Art. 46 (2)(c) and (d) GDPR)

Technical and organisational measures:

See Appendix 1, Section “B. Subcontractors”, “1. Microsoft Corporation”

Name of the order processor:

Microsoft Ireland Operations Limited

Subject of performance:

Microsoft Data Centres in Germany that InLoox hires within the framework of InLoox now! and managed services.

Company head office and country:

One Microsoft Place, South County Business Park, Leopardstown, Dublin, D18 P521, Ireland

Data processing location:

Germany

Technical and organisational measures:

See Appendix 1, Section “B. Subcontractors”, “1. Microsoft Corporation”

Name of the order processor:

SendGrid Inc.

Subject of performance:

E-mail notifications from InLoox now! to users stored in the project platform about actions of other users, as well as e-mail notifications for managed services, from InLoox support and other administrative systems, such as the InLoox Online Store.

Company head office and country:

1801 California St., Suite 500, Denver, Colorado 80202, USA

Appropriate protection level (Art. 44 et seqq. GDPR):

Standard Contract Clauses * (Art. 46 (2)(c) and (d) GDPR)

Technical and organisational measures:

See Appendix 1, Section “B. Subcontractors”, “2. SendGrid Inc.”

Name of the order processor:

Freshworks Inc.

Subject of performance:

Customer support requests

Company head office and country:

1250 Bayhill Drive, Suite 315, San Bruno, CA 94066, USA

Appropriate protection level (Art. 44 et seqq. GDPR):

Standard Contract Clauses * (Art. 46 (2)(c) and (d) GDPR)

Technical and organisational measures:

See Appendix 1, Section “B. Subcontractors”, “3. Freshworks Inc.”

* According to Commission Decision of February 5, 2010 on Standard Contract Clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, 2010/87