Data Processing Agreement - Lexit
This data processing agreement (this “DPA”) is entered into with effect from 1 July 2018 (the “Effective Date”) between:
(1) You, the customer as defined in the Main Agreement, and any users covered by the Main Agreement (the “Controller”); and
(2) Lexit Group Norway AS, as defined in the Main Agreement (the “Processor”).
The Controller and the Processor are jointly referred to as the “Parties”, and individually as a “Party”.
- 1. Background
- 2. Definitions and applicable laws
- 3. Processing of personal data
- 4. Sub-Processors
- 5. Limitations in the right to transfer personal data to a third country
- 6. Security measures
- 7. Audits
- 8. Disclosure of information
- 9. Confidentiality
- 10. Remuneration
- 11. Liability and indemnity
- 12. Term and termination, amendments
- 13. Governing law and disputes
- Appendix A
- Appendix B
- Appendix C
1. Background
The Parties have entered into an agreement regarding General IT Services (the “Main Agreement”). Within the scope of the Main Agreement, the Processor will carry out specific processing of personal data for which the Controller is a data controller under the Data Protection Laws (the “Processing”).
Pursuant to the Data Protection Laws, a written agreement must be entered into between a data controller and a data processor and the Parties have therefore entered into this DPA. The purpose of this DPA is to ensure that the Processing is carried out in accordance with the Data Protection Laws, the Controller’s instructions and what has otherwise been agreed between the Parties.
The provisions of this DPA shall take precedence over conflicting provisions in the Main Agreement with respect to the processing and handling of personal data.
This DPA supersedes any prior data processing agreement concluded between the Parties under the Main Agreement and any data protection provisions contained in the Main Agreement itself.
2. Definitions and applicable laws
The Processing shall be carried out in accordance with the Data Protection Laws.
The “Data Protection Laws” means all laws and regulations that apply to or govern the processing of personal data, including any national data protection laws and regulations (including but not limited to, laws and regulations implementing the EU Data Protection Directive 95/46/EC) and the EU General Data Protection Regulation ((EU) 2016/679), and any amendments to or replacements of such laws and regulations.
Terms used in this DPA shall have the same meaning as in the Data Protection Laws, unless otherwise stated in this DPA.
3. Processing of personal data
The Processor shall only process personal data in accordance with this DPA, the Main Agreement and its appendices, the Data Protection Laws, the relevant supervisory authority’s recommendations, and the Controller’s instructions. The Processing shall be carried out in accordance with the Controller's instructions, which are set forth in Appendix A.
The Processor may only process personal data for the purposes determined by the Controller, and not for its own or any other purposes.
The Processor may not transfer, or make available personal data to a third country, unless explicitly allowed to do so according to section 5.
The Processor shall rectify, restrict, erase, change and/or process personal data in accordance with the instructions of the Controller. If the Controller has specified that certain personal data shall be erased, erasure must be completed in accordance with the Controller’s instructions, and under no circumstances later than within 30 days.
At the Controller’s request, the Processor must promptly assist the Controller in fulfilling the Controller’s obligations in relation to the data subject’s rights, with respect to the right of access to personal data, rectification and erasure of personal data, restriction of or objection to the processing of personal data, data portability or any other rights provided for in the Data Protection Laws. The Processor must also, to the extent possible, take appropriate technical and organizational measures in order to assist the Controller in fulfilling these obligations.
The Processor must assist the Controller by providing information in order for the Controller to be able to fulfill its obligations regarding security, notification and information regarding personal data breaches, data protection impact assessments, prior consultations and other obligations set out in the Data Protection Laws.
The Controller must adhere to the Main Agreement with respect to the prioritization of requests and the payment of any costs incurred for work performed by the Processor as a result of requests made by the Controller or any of its related parties.
4. Sub-Processors
The Processor may engage or replace subcontractors for the processing of personal data under this DPA (“Sub-Processors”), provided that the following requirements are met:
(i) the Processor has the right to engage subcontractors according to the Main Agreement;
(ii) the Controller has approved in writing the engagement of a service that requires a subcontractor; and
(iii) the Processor and the approved Sub-Processor have concluded a written agreement regarding the processing of personal data, whereby the Processor’s obligations under this DPA are imposed on the Sub-Processor.
When engaging a Sub-Processor for the purpose of carrying out the Processing, the Processor undertakes to inform the Controller in writing before the Sub-Processor is engaged, save for the Sub-Processors listed in Appendix B to this DPA. Notwithstanding the foregoing, the Processor must still conclude a written agreement with each such Sub-Processor, in accordance with requirement (iii) of section 4.1 above.
The Processor must ensure that the Controller is aware of which Sub-Processors that are processing personal data by providing, at the Controller’s request and without undue delay, the Controller with complete, accurate and updated information regarding all Sub-Processors, where the following information must be specified in relation to each Sub-Processor:
the identity of the Sub-Processor, including its contact information, legal form of business activity and geographic location;
the type of services that the Sub-Processor performs;
the guarantees given for how compliance with the Data Protection Laws will be maintained; and
the place where the Sub-Processor processes the personal data which falls within the scope of this DPA.
The Processor may not engage a Sub-Processor if such an engagement entails a transfer of personal data to a third country, unless the requirements in section 5 are met.
In relation to the Controller, the Processor is liable for the Sub-Processor’s processing of personal data. If the Sub-Processor does not fulfil its obligations regarding data protection, the Processor will be fully responsible to the Controller for performing the obligations of the Sub-Processor.
5. Limitations in the right to transfer personal data to a third country
The Processor does not have the right to transfer personal data to a third country (i.e. a country outside the EU/EEA) unless the Controller has approved such transfer in writing and at least one of the following requirements is met:
the receiving country ensures an adequate level of protection for personal data;
the data subject has given its consent to the transfer;
the Data Protection Laws provide a legal ground for the transfer;
agreements including certain standard contractual clauses issued by the European Commission (2010/87/EU) have been entered into, without any changes or amendments which contradict the clauses;
the Processor has adopted binding corporate rules which have been approved by the relevant supervisory authority and the recipient of the personal data in the third country is subject to these rules; or
for transfers to the U.S.A., the recipient has self-certified to the EU-U.S. Privacy Shield Principles under the EU-U.S. Privacy Shield Framework and registered on the Privacy Shield List managed by the U.S. Department of Commerce.
Before any transfer of personal data to a third country is carried out, the Processor must present documentation demonstrating compliance with the provisions of section 5.1.
Notwithstanding sections 5.1 and 5.2, any limitations in the Main Agreement and its appendices regarding transfers of personal data outside the EU/EEA shall take precedence over this DPA.
6. Security measures
The Processor shall implement appropriate technical and organizational measures in order to protect the personal data processed, in accordance with the Data Protection Laws. The Controller may, in its instructions, supplement the provisions of this section 6, based on the outcome of the Controller’s risk analysis and legal review under the Data Protection Laws.
The Processor shall protect the personal data against accidental or unauthorized erasure, illegitimate dissemination and unauthorized access. The personal data shall also be protected against every other type of illegitimate Processing. The measures shall ensure a level of security that is appropriate in relation to the risks of the Processing, and may include (i) pseudonymization and encryption of personal data, (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of IT systems and services, (iii) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident, and (iv) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the Processing.
The Processor shall take steps to ensure that all individuals working or acting under its authority comply with the provisions of this DPA and the Controller’s instructions, and that they are kept informed about the content of the Data Protection Laws. The Processor shall limit access to the personal data to individuals working under its authority who need the personal data in order to perform their tasks under the agreements concluded between the Parties. The Processor shall ensure that the individuals who have access to the personal data are bound by confidentiality in accordance with section 9 and that they are informed about how they are allowed to process the personal data. The Processor shall use an access control system that prevents unauthorized Processing of, or unauthorized access to, personal data. The Processor relies on the default logging provided by the various software used to deliver the services to enable tracking of the Processing performed. This logging might not be sufficient to record access to data in a manner that identifies the individual who accessed it.
The Processor shall provide for and implement technical and practical solutions in order to investigate suspicions regarding unauthorized processing of or access to personal data. In the event of unauthorized processing, unauthorized access, or unauthorized disclosure, destruction or alteration of personal data, or such attempted conduct, the Processor shall immediately notify the Controller in writing.
If the Processor processes sensitive personal data or special categories of personal data, as defined in the Data Protection Laws, or otherwise processes privacy-invasive personal data (for example data subject to confidentiality), particularly high security requirements can be imposed at the Controller’s expense, including for example two-factor authentication and encryption.
The Controller may give further instructions regarding security measures, which the Processor must comply with at the Controller’s expense. The Controller has the right to take steps to verify that the technical and organizational security measures in question are in fact implemented during the term of the DPA.
If the Processor lacks any instructions from the Controller that the Processor deems necessary in order to perform the Processing, or if the Processor deems the Controller’s instructions to, wholly or partly, violate the Data Protection Laws, the Processor shall without delay notify the Controller, and await any further instructions that the Processor deems necessary.
7. Audits
The Controller has the right, by itself or through a third party designated by the Controller, to verify that the Processor meets the Controller’s requirements for the Processing within the scope of the services provided under the Main Agreement. The Processor cannot guarantee that the Controller has the same rights in relation to any engaged Sub-Processors, as these are third-party services delivered through or by the Processor. The Processor has the right to offer other procedures or methods of verification, e.g. audits performed by an independent third party. In such event, the Controller has the right, but no obligation, to rely on this other procedure in order to follow up on the Processing.
If the relevant supervisory authority or any other public authority initiates an audit of the Controller’s processing of personal data, or if an individual brings a lawsuit against the Controller due to such processing, and the processing is deemed to have been carried out by the Processor, the Processor shall to a reasonable extent assist the Controller in providing documentation and other information regarding the processing, for the Controller to accommodate the authorities in their audits and to handle any claims made.
8. Disclosure of information
If the data subject, the relevant supervisory authority, any other public authority or any other third party requests information from the Processor regarding the processing of personal data, the Processor shall refer the request to the Controller. The Processor may not disclose personal data or other information regarding the processing of personal data without the Controller’s prior written approval.
The Processor shall without undue delay notify the Controller in writing if approached by the data subject, the relevant supervisory authority or another public authority with any matters regarding, or which may be of relevance for, the Processing. The Processor is not entitled to represent the Controller or act on behalf of the Controller in relation to the data subject, the relevant supervisory authority or any other public authorities regarding issues relating to, or which may be of relevance for, the Processing. Section 9.3 shall apply, if the Processor by operation of law or injunction is obliged to disclose personal data.
9. Confidentiality
The Processor and the individuals working under its authority must maintain confidentiality in all respects when processing personal data. This means that personal data may not be unduly disclosed to a third party. The Processor undertakes to ensure that the individuals working under its authority and who will process personal data comply with the Processor’s confidentiality undertaking according to this section 9.
Personal data, information, instructions, technical solutions, descriptions or other documents that the Processor receives through the exchange of information under this DPA, or any other agreement between the Parties, may not, neither directly nor indirectly, be used or disclosed for any other purposes than those stipulated in this DPA or any other agreement between the Parties, without the Controller’s prior written approval.
The Processor may disclose personal data without being in breach of this DPA, if the Processor by operation of law or injunction is obliged to disclose such personal data. The Processor must, however, immediately notify the Controller in writing about this and request, at the time of disclosure, that the personal data in question is subject to confidentiality.
The confidentiality undertaking under this section 9 should remain in force following the termination of this DPA.
10. Remuneration
For the avoidance of doubt, the remuneration for the Processor’s undertakings under this DPA is not included in the remuneration paid by the Controller under the Main Agreement. The Controller will be charged for any and all work incurred due to requests or tasks necessary to comply with this DPA.
11. Liability and indemnity
The Processor shall fully indemnify and hold harmless the Controller should the Controller be liable to pay damages to a data subject, provided that the processing of that data subject’s personal data has been carried out by the Processor in breach of this DPA.
The Processor will only hold the Controller harmless against the Controller’s liability to pay damages due to the Processor’s processing of personal data in breach of this DPA if the breach is not caused by the Controller or by any entities or devices under the Controller’s control or ownership.
A Party shall not be liable for loss of profit or any other indirect or consequential damage under this DPA. For the avoidance of doubt, damages referred to in section 11.1 shall be considered direct damages for the Controller.
12. Term and termination, amendments
This DPA shall enter into force upon the Effective Date and shall remain in force for as long as the Processing under the Main Agreement continues. Upon termination of the DPA, the Processor shall upon request of Controller (i) ensure that all personal data is delivered to the Controller by means designated by the Controller or (ii) erase all personal data in compliance with section 12.2.
The Processor undertakes to erase all personal data that has been processed under this DPA in accordance with the Controller’s instructions, and under no circumstances later than 60 days from the termination of this DPA or the Main Agreement.
If the Main Agreement is terminated or expires and a new agreement covering any processing of personal data is concluded between the Parties, without a new data processing agreement being concluded, this DPA will remain in force in relation to the services provided under the new agreement.
This DPA may only be amended, changed or modified by an instrument in writing duly executed by the Parties. This section 12.4 does not prevent the Controller from amending current instructions or issuing additional instructions in accordance with this DPA.
13. Governing law and disputes
This DPA shall be governed by and construed in accordance with the governing law of the jurisdiction in which the Controller is located.
Any dispute, controversy or claim arising out of or in connection with this DPA shall be settled in accordance with the dispute resolution clause of the Main Agreement.
_______________________
SIGNATURE PAGE TO FOLLOW
This Agreement has been duly executed in electronic form of which the Parties will each receive a copy to the e-mail address registered in the Main Agreement.
[APPLICABLE CONTROLLER ENTITY] | [SUPPLIER/PROCESSOR]
---|---
Place: | Place:
Date: | Date:
Name: | Name:
Appendix A
Instructions regarding the Processing
The Processor shall, in addition to complying with the provisions of this DPA, carry out the Processing in accordance with the instructions below.
Instruction | Content
---|---
Purpose | The Processor’s Processing may only be performed in order to provide the services according to the Main Agreement, i.e. for the purpose of providing general IT services. The personal data may not be processed or used for the Processor’s own or any other purposes.
Types of processing | The Processor may use the types of Processing that are necessary in order to provide the services according to the Main Agreement, including registration, organization, storage and erasure of personal data.
Types of personal data | The Processor may only process the following types of personally identifiable information: all information and types of data related to the services delivered, where necessary to provide these services according to the Main Agreement.
Categories of data subjects | The Processing shall primarily concern the customers and employees whose data the Controller provides, but may also concern other data provided by the Controller.
Duration of processing | The personal data shall be erased by the Processor as set out in this DPA. Furthermore, personal data shall be erased from time to time in accordance with the instructions of the Controller. If no instructions are provided to the Processor, the data will be kept as per the Main Agreement, to the extent this is compatible with the GDPR.
Place of processing | The Processing is primarily performed within the EU/EEA, using equipment and/or infrastructure that the Processor controls directly or indirectly (through approved subcontractors). Some services, however, process data outside the EU/EEA; these are covered by a Sub-Processor DPA.
Contact information for the Controller’s representative [and data protection officer] | If the DPO is not the same person who signed the Main Agreement, please provide the DPO’s contact details here (full name, phone number, e-mail address).
Contact information for the Processor’s representative [and data protection officer] | Lexit Group Norway DPO contact information: Vebjørn Spikkerud (also for general inquiries).
Appendix B
Sub-Processors approved by the Controller
The Controller accepts and recognizes that the Processor engages the following Sub-Processors in accordance with section 4.2 of the DPA:
Any companies which, at any given time, belong to the Processor’s group of companies, provided that such a group company is established within the EU/EEA.
Any companies which, at any given time, perform services for the Processor that are necessary for the Processor to deliver the services under the Main Agreement with the Controller.
In addition to the above, the following Sub-Processors may apply to this Agreement depending on the services chosen and accepted in the Main Agreement.
Due to the extensive list of Sub-Processors, certain information must be located by visiting the homepage of the producer of the software. If you are unable to locate the information, contact the Processor for assistance using the general inquiries contact information provided above.
Due to the extensive information per Sub-Processor service, please see Appendix C for information on what type of data is processed, and why, by looking up the related service.
Sub-Processor | Used in services (see Appendix C for more information) | Country where data is processed
---|---|---
SentinelOne | Lex:epp SentinelOne | EU/EEA
Microsoft | Lex:mail, Office 365 | EU/EEA
Cisco | Lex:epp Cisco Umbrella | EU/EEA
GSG Handyman | Lex:handyman | Norway
Zirius | Lex:zirius | Norway
Wazuh | Lex:epp, Lex:SIEM, Lex:desktop, Lex:mail, Lex:hosting | EU/EEA
Appendix C
Services delivered, the information processed and why
The following is a list of all the services provided by Lexit Group Norway in which personal data is processed.
Where no Sub-Processor is listed, the data is processed by Lexit Group Norway itself as the Processor.
This list will be updated when a service is added, changed or removed. If an update alters or adds a service or Sub-Processor related to any service the Controller has selected in the Main Agreement, a new signing and acceptance by that Controller will be required.
Service | Sub-Processor | What personally identifiable information (“PII”) is processed, and why this service processes PII
---|---|---
User authentication (“UA”) | | Required to access the majority of services provided by the Processor. E.g. an Active Directory account usually identifies a user by name, number and e-mail address.
Lex:epp SentinelOne, Lex:monitoring, Lex:epp Antivirus Predictive NextGen | SentinelOne | SentinelOne is a behaviour-based protection system that continuously monitors all processes and actions on a system so that it can react to suspicious behaviour and stop zero-day threats. As of July 1st, 2018, it is the only software in the world capable of stopping the newest threats; contact the Processor for more information. The SentinelOne Endpoint Protection Platform (EPP) protects Windows, OS X and Linux-based endpoint devices against advanced malware, exploits and live/insider attacks. It monitors all activity on the endpoint via an autonomous lightweight agent, uses dynamic behaviour-based threat detection, offers fully integrated, automated mitigation and remediation capabilities, and generates real-time forensics. A function named “Deep Visibility”, enabled by default, monitors and maps file, DNS, internet, IP and website activity to build a picture of the machine’s behaviour and to warn of suspect data flows, data leaks, theft of files etc. Most of the information that SentinelOne collects is not personal information and relates to the computing processes and the devices guarded against malware infection. Such information includes device or network usage, endpoint login data, types and versions of operating systems and browsers, computer name, file execution information, and information about installed software applications. The data is processed on the Sub-Processor’s systems and is considered a cloud security service with local offsite capability. The Sub-Processor can only see anonymized data. The Processor can see all data.
Lex:epp Cisco Umbrella | Cisco Umbrella | Cisco Umbrella monitors and maps the websites and IP addresses the client machine connects to, whether through a website or through an application. Cisco Umbrella’s purpose is to block malicious destinations before a connection is ever established, and it is designed to protect enterprise customers from malware, botnets, phishing and targeted online attacks. The data is processed on the Sub-Processor’s systems and is considered a cloud security service. The Sub-Processor can only see anonymized data. The Processor can see all data.
Lex:SIEM | Wazuh | The SIEM’s purpose is to monitor all activity on all devices from all users. The Processor has access to view all data, but the Controller will only receive data that is sufficiently anonymized and relevant to its inquiry.
Office 365 | Microsoft | The Processor only manages the service for the Controller. The Controller must itself have a separate DPA with the service provider.
Lex:utm, Lex:vpn, Lex:wifi, Lex:switch | | UTM (Unified Threat Management) is a system whose purpose is to protect all services in the Processor’s datacenter and/or at the Controller’s physical locations. The VPN’s purpose is to connect physical locations for communication. The WiFi and switch services provide network connectivity to devices. These systems give the Processor the ability to monitor all network traffic between devices. Logging is usually enabled on all devices to provide tracking in case of security breaches; WiFi and switches are usually exempt from this unless the Controller requests such features to be enabled.
Lex:desktop, Lex:hosting, Lex:server, Lex:OMS | | Lex:desktop and Lex:hosting create a personal profile disk tied to the UA, to provide a personal remote desktop and storage of application data. The service uses a UA to authenticate. The service uses Lex:epp SentinelOne, Lex:epp Cisco Umbrella and Lex:utm.
Lex:mail | Microsoft | Lex:mail stores all e-mail sent and received by the user’s personal account. When an item or account is deleted it is retained for 30 days to allow recovery of deleted items. All e-mail is transferred through the Sub-Processor’s systems for security measures: antispam, antivirus and authentication. The service uses a UA to authenticate.
Lex:storage | | Lex:storage is private access to a folder on a server for storing data. The service uses a UA to authenticate. The service uses Lex:epp SentinelOne.
Lex:filecloud, Lex:cloud | | Lex:filecloud provides access to Lex:storage to synchronize files between multiple devices. The service logs all actions performed on files and folders (Open, Save, Delete, Share, Upload, Download, Change) to provide tracking of actions performed by the user and others. The service uses a UA to authenticate. The service uses Lex:storage, Lex:epp SentinelOne, Lex:utm and Lex:SQL.
Lex:SQL | | Lex:SQL provides database functionality for various services. All data the Controller stores about customers and employees in various applications usually ends up in a database hosted using this service. The Processor has full access to all data; the Controller has access to the data relevant to it.
Lex:app, Lex:server (e.g. access to an application on Lex:desktop) | | Lex:app provides access to applications hosted on servers in the Processor’s datacenters. If the Controller requests it, the Processor will provide the vendor of the application with access; the Controller must sign its own DPA with the application vendor. The service uses a UA to authenticate. The service uses Lex:storage, Lex:desktop, Lex:epp SentinelOne, Lex:epp Cisco Umbrella, Lex:utm and Lex:mail, and usually Lex:SQL.
Lex:handyman | GSG Handyman | Handyman stores the data the Controller saves about customers and employees. The Sub-Processor has full access to all data related to the application and any data produced by it, in order to provide seamless and quick support. The service uses a UA to authenticate. The service uses Lex:storage, Lex:desktop, Lex:epp SentinelOne, Lex:epp Cisco Umbrella, Lex:utm, Lex:mail and Lex:SQL.
Lex:zirius | Zirius | Zirius stores the data the Controller saves about customers and employees. The Sub-Processor has full access to all data related to the application and any data produced by it, in order to provide seamless and quick support. The service uses a UA to authenticate. The service uses Lex:storage, Lex:desktop, Lex:epp SentinelOne, Lex:epp Cisco Umbrella, Lex:utm, Lex:mail and Lex:SQL.
Lex:mdm | | Mobile Device Management stores data about all devices, who uses them and their activity, with the purpose of securing the use of the devices and delivering a tailored and secure user experience. The service uses a UA to authenticate. The service uses Lex:utm, Lex:SQL and Lex:epp SentinelOne.
For further information, see lexit.no