Data Processing Agreement
Effective starting: 27 May, 2022 (Previous version 15 November, 2021)
Creative Force, Award Force, Good Grants, “us”, “we”, or “our” refers to Creative Force Ltd, Award Force Pty Ltd and any of our corporate affiliates.
This Data Processing Agreement forms part of the Software as a Service Agreement (“Principal Agreement”) between the client entity that is a party to the Principal Agreement (“Client”, “you”, “Data Controller” or “Controller”) and Award Force (“Data Processor” or “Processor”), together as the “Parties”. The Data Controller and the Data Processor are individually referred to as a “Party” and collectively referred to as the “Parties”.
- The Data Processor provides Services to the Data Controller as part of their contractual relationship regulated by one or more separate agreements, written or verbal, (“Principal Agreement”) which currently governs their relationship including that related to the protection and management of data.
- In providing the Services, the Data Processor may collect or otherwise process Personal Data sourced from the Data Controller within the meaning of Data Protection Laws.
- The Parties are aware that Regulation (EU) 2016/679 of the European Parliament and of the Council of the 27th of April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation “GDPR”), is the new global bar for privacy rights, security and compliance, entering into force on May 25 2018.
- The Parties agree to enter into this Data Processing Agreement (“DPA”), which regulates the data protection obligations of the Parties when processing the Personal Data and governs the relationship between the Parties in respect of the processing of Personal Data, and this in order to ensure compliance with the GDPR and other applicable law.
- The conditions contained within this DPA supplement any Principal Agreement in respect of the aspects related to the processing of data and supersede any provisions of the Principal Agreement in the event of a conflict.
- Any terms not defined in this DPA shall have the meaning set forth in the Principal Agreement.
NOW THEREFORE BOTH PARTIES AGREE AS FOLLOWS:
- The following definitions and rules of interpretation apply within this agreement:
- “Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership of either Party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
- “Anonymous Data” means Personal Data that has been processed in such a manner that it can no longer be attributed to an identified or identifiable natural person.
- “Authorised Employees” means an Authorised Employee or contractor of either Party, regardless of where they are located worldwide, who has a need to know or otherwise access Personal Data to enable them to perform their obligations under this DPA or the Principal Agreement.
- “Data Protection Laws” consists in particular of the GDPR and the Data Protection Act, Chapter 586 of the Laws of Malta and any other relevant data protection and privacy legislation which is applicable during the term of this Agreement, in so far as the same relates to the provisions and obligations of this Agreement
- The terms “Data Controller”, “Data Subject”, “Personal Data Breach”, “Data Processor”, “Consent”, “Third Party” shall, from the 25th May 2018 onwards, have the same meaning given to these terms in the GDPR.
- “Data Protection Officer” means the person nominated from time to time to hold the responsibility within Data Processor related to the protection of data, where applicable.
- “EEA” means, for the purposes of this DPA, the European Economic Area and Switzerland.
- “Effective Date” means the effective date of this Data Processing Agreement shall be the date at which this Agreement has been accepted by both Parties, whichever is the earlier.
- “Instruction” means a direction or request for action, either in writing, in textual form (e.g. by email) or by using a software or online tool, issued by the Data Controller to the Data Processor and directing the Data Processor to perform an action with regard to Personal Data, including but not limited to the correction, blocking and deletion of Personal Data, which instruction may thereafter be amended, supplemented or replaced by the Data Controller by separate written or text form instruction.
- “Legitimate Business Interest” means a reason that enables the Processing of Personal Data which is necessary for the performance of a contract or provision of an agreed Service.
- “Personal Data“ means any information relating to a Data Subject which the Data Processor Processes on behalf of the Data Controller other than Anonymous Data, which is able to identify an individual and includes Special Categories of Personal Data.
- “Processing” means any operation or set of operations which is performed upon the Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction. The terms “process”, “processes” and “processed” shall be interpreted accordingly.
- “Services” means any product or service provided by the Data Processor to the Data Controller pursuant to the Principal Agreement.
- “Special Categories of Personal Data” mean Personal Data which reveals:
- Racial or ethnic origin;
- Political opinions;
- Philosophical beliefs
- Trade union membership;
- Genetic data;
- Biometric data;
- Data concerning Health;
- Data concerning Sex Life;
- Data concerning Sexual Orientation.
- “Standard Contractual Clauses” means the standard contractual clauses set forth in (i) EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 as may be amended or superseded from time to time; or (ii) EU Commission Decision 2001/497/EC; and/or (iii) EU Commission Decision 2010/87/EU of the 5 February 2010, if applicable.
- “Sub-processor” means any person (including any third party but excluding an employee of the Data Processor) engaged by the Data Processor to assist in fulfilling its obligations with respect to its obligations pursuant to this DPA.
- “Supervisory Authority” shall mean the relevant supervisory authority with responsibility for privacy or data protection matters in the jurisdiction in which the Personal Data subject to this DPA agreement is held.
- “Technical and Organisational Measures” means those measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, such measures being appropriate to the risks involved.
- “Third Party” means an individual or corporate entity other than the Parties.
- This DPA covers all Affiliates of the respective Party.
- References to clauses and schedules are to the clauses and schedules of this DPA; references to paragraphs are to paragraphs of the relevant schedule to this DPA.
- The heads given to any Clause, schedule or paragraph shall not affect the interpretation of this DPA.
- A person includes an individual, corporate or unincorporated body (whether or not having separate legal personality) and that person’s legal and personal representatives, successors or permitted assigns.
- A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.
- Words in the singular shall include the plural and vice versa.
- A reference to one gender shall include a reference to the other genders.
- The word “include” shall be construed to mean include without limitation.
- A reference to a statute or statutory provision is a reference to it as it is in force for the time being, taking account of any amendment, extension, or re-enactment and includes any subordinate legislation for the time being in force made under it.
- A reference to writing or written shall be in the form of either a letter or email.
- The language of this Agreement shall be the English language and for the purposes of interpretation, the provisions as they are stated in English shall be those which are considered binding.
- This DPA shall commence on the Effective Date and shall continue throughout the entire duration of any applicable, valid agreement covering the provision of Services which is still in force between the Data Controller and the Data Processor.
- Except for the changes made by this DPA, the Principal Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
3. Type and purpose of use of data
- The Data Processor agrees to Process the Personal Data held by the Data Controller only on documented instructions of the Data Controller, unless required to do so by European Union or Malta law to which the Data Processor is subject. In this case, the Data Processor shall inform the Data Controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest.
- The Data Processor shall immediately inform the Data Controller if, in the Data Processor’s opinion, instructions given by the Data Controller infringe applicable European Union or Malta data protection provisions.
- The Data Processor may process the following type of Personal Data for the following purposes:
Category of Data Category of Data Subjects Purpose Contact data including but not limited to contact names, work addresses, phone numbers, email addresses, credit card details and billing details. Data Controller’s employees, advisors and contractors To administer Data Processor’s relationship with the Data Controller in the provision of the Services including administrative, financial, licensing, billing, consulting, communicating, marketing, prospecting, training and events including sign-up registration in pursuit of its contractual obligations in respect of its Legitimate Business Interests. Name, email address, mobile phone number and device identifying data. Data Controller’s program participants (“Users”) To facilitate registration, log in and identification of, and communication with, Users participating in the Data Controller’s program. Personal Data, including Sensitive Personal Data as per Instruction of the Data Controller. Data Controller’s program participants (“Users”) Through the Services the Data Controller has the facility in respect of its Legitimate Business Interests to process any type of data such as (but not limited to) Users’: identification documents; date of birth; social security number; imagery; etc.
- The Data Controller agrees that the Data Processor’s Authorised Employees shall be granted access by the Data Controller to such Personal Data in the course of the provision of the Services and, in so doing take on the role of persons acting under the authority of the Data Processor.
- Personal Data shall only be processed for the purposes listed in this DPA and shall not be further processed in a manner that is incompatible with those purposes.
4. Processing of Personal Data
- The Data Controller is solely responsible for the accuracy, quality and legality of:
- the Personal Data provided to the Data Processor by or on behalf of the Data Controller,
- the means by which the Data Controller has acquired any such Personal Data, and
- the Instructions it provides to the Data Processor regarding the Processing of such Personal Data.
- The Data Controller shall not provide or make available to Processor any Personal Data in violation of the DPA or otherwise inappropriate for the nature of the Services, and shall indemnify Processor from all claims and losses in connection therewith.
5. Data retention
- Personal Data will be retained by the Data Processor in accordance with the Data Retention Policy of the Data Processor applicable at the time, currently available at https://www.creativeforce.team/privacy-policy/, however any changes to this policy are to be notified to the Controller at least 10 days prior to such change, and the Controller shall have the right to terminate the Services without penalty.
- The Data Processor shall hold the Controller’s Personal Data only as long as is necessary to provide the Services, including administration, accounting, marketing and reporting in the context of a Legitimate Business Interest, and subject to:
- the rights of a Data Subject in terms of the Data Protection Law, such as requests for data access or deletion;
- any legal requirement for data retention as specified in any other law of the Republic of Malta;
- a request by an authorised Governmental or regulatory authority for an additional retention period.
- The table below identifies the current Data Processor data retention policy as it relates to different data types:
Category of Data Retention Policy Personal Data of the Data Controller’s employees, advisors and contractors. Data is retained for the lifetime of the Data Processor’s relationship (where there is an ongoing Legitimate Business Interest) with the Data Controller. Personal Data of Users. Data is retained until:
- The User issues an Instruction to have their data permanently removed, or
- The Data Controller issues an Instruction to permanently remove data. Once data deletion is actioned per an Instruction, data is fully deleted including from all backup records, in 28 days.
Log files which may include device identifying data of Users. Retained for 12 months from time of log record creation.
6. Data Controller’s obligations & rights
- The Data Controller shall be responsible for assessing whether Personal Data can be processed lawfully and for safeguarding the rights of the Data Subjects. The Data Controller shall ensure in its area of responsibility that the necessary legal requirements are so that the Processor can provide the agreed services in a way that does not violate any legal regulations.
- In case the Data Controller intends to conduct (or mandate a third party to conduct) an audit at Processor’s working premises, the Data Controller shall give reasonable notice of at least two (2) working days to Processor. The time and duration of the audit shall be agreed to by both Parties. The results of the audit shall be recorded by both Parties in writing.
7. Data Processor’s obligations
- In fulfilling its obligations, the Data Processor shall:
- Ensure that persons authorised to Process the Personal Data (including but not limited to the Data Processor’s Authorised Employees) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that the said confidentiality obligations are effectively implemented and enforced;
- Not engage any Sub-Processors to perform any processing of Personal Data, except for the current Sub-Processors listed at https://www.creativeforce.team/sub-processors, without informing the Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Controller the opportunity to object and terminate their Service;
- Where the Data Processor engages a Sub-Processor for carrying out specific processing activities on behalf of the Controller, it shall do so by way of a contract which imposes on the Sub-Processor the same data protection obligations set out in this DPA;
- Where that Sub-processor fails to fulfil its data protection obligations, the Data Processor shall remain fully liable to the Data Controller for the performance of that Sub-processor’s obligations and for any breach of this DPA, and shall notify the Data Controller of any failure by the Sub-Processor to fulfil its contractual obligations;
- Assist the Data Controller, by way of appropriate Technical and Organisational Measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR, taking into account the nature of the processing;
- Inform the Data Controller of any Personal Data Breach (including any suspected Personal Data Breach) that the Data Processor becomes aware of, irrespective of whether or not the Personal Data Breach was caused directly or indirectly by the Data Processor;
- At the choice of the Data Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to processing in terms of the DPA, and delete existing copies unless EU or Maltese law requires storage of the Personal Data;
- Make available to the Data Controller all reasonable information necessary to demonstrate compliance with the obligations laid down in this DPA;
- Carry out regular tests and self-audits ensuring that the processing of the Data Controller’s Personal Data conforms with the provisions of this DPA;
- Allow for and contribute to reasonable audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller for the purpose of and to the extent required for verifying whether the Data Processor complies with Data Protection Laws and the contractually agreed measures in this DPA;
- Inform the Data Controller, as soon as possible, in text form (including by email) of any requests from any third parties (including the concerned Data Subjects or from a Supervisory Authority) in any way relating to the Data Controller‘s Personal Data. In case the Data Processor receives any Data Subject access requests and/or any other claims on the basis of any rights under Data Protection Law in connection with the Personal Data covered by this DPA, the Data Processor shall refer the concerned data subject directly to the Controller.
- The Data Controller acknowledges, agrees and is hereby providing a general written authorisation allowing the Processor to engage Sub-Processors to access and Process Personal Data in connection with the Services and solely on the instructions of the Data Processor in line with Article 28 GDPR.
- A list of the Data Processor’s current Sub-Processors is listed at https://www.creativeforce.team/sub-processors.
- In line with the same Article 28, GDPR, at least ten (10) days before instructing any Third Party, other than the current Sub-Processors, to access or participate in the Processing of Personal Data as Sub-Processors, the Data Processor will notify the Data Controller of such a change and:
- Should the Data Controller object, Data Processor warrants to allow the Controller to terminate its use of the Services without loss as long as this is done within ten (10) days of receipt by Controller of the aforementioned notice;
- Termination shall not relieve Data Controller of any fees previously owed to Data Processor under the Principal Agreement or any other Agreement signed between the Parties.
- If the Data Controller does not object to the engagement of a Sub-Processor in accordance with this Section of the DPA within ten (10) days of notice by the Data Processor, such Third Party will be deemed a Sub-Processor for the purposes of this DPA.
- In any case, the objection by the Data Controller to the engagement of a potential Sub-Processor shall be based on reasonable grounds relating to data protection.
- The Data Processor shall, through implementation of a contract with the Sub-Processor, ensure that every Sub-Processor is subject to obligations regarding the Processing of Personal Data that are equal to, and no less onerous than, those to which the Data Processor is subject under this DPA.
- At the Data Controller’s request, the Data Processor shall provide a copy of the agreement in place with the Sub-Processor and any subsequent amendments to the Data Controller. To the extent necessary to protect business secrets or other confidential information, including personal data, the Data Processor may redact the text of the agreement prior to sharing the copy of the same.
- The Data Processor shall agree a third party beneficiary clause within the agreement with the Sub-Processor whereby – in the event that the Data Processor has factually disappeared, ceased to exist in law or has become insolvent – the Data Controller shall have the right to terminate the Sub-Processor contract and to instruct the Sub-Processor to erase or return the Personal Data.
9. Rights of Data Subjects
- The Parties recognise and acknowledge the rights of Data Subjects to their Personal Data as defined within Data Protection Law including rights of access, rectification, restriction of Processing, erasure, data portability, restriction or cessation of Processing, withdrawal of consent to Processing, and/or objection (such requests individually and collectively “Data Subject Request(s)”).
- The Data Processor shall, to the extent permitted by law, promptly notify the Controller upon receipt of a request by a Data Subject to exercise any of these Data Subject’s rights.
- The Data Processor shall, at the request of the Controller, and taking into account the nature of the Processing applicable to any Data Subject request, subject to a charge based on its then current charge rates, apply appropriate Technical and Organisational Measures to assist the Controller in complying with the Controller’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that:
- The Controller is itself unable to respond without the Data Processor’s assistance and
- The Data Processor is able to do so in accordance with all applicable laws, rules, and regulations.
10. Transferring data outside the EEA
- The Data Processor is located within the European Economic Area (EEA), and shall endeavour to process the Data Controller’s Personal Data within the EEA. The Data Controller however authorises the storage of Personal Data to locations outside of the EEA, as set out within Schedule A to this DPA.
- Where the Personal Data is processed by the Data Processor and/or Sub-Processors in a manner which constitutes a transfer in accordance with the terms of the GDPR, the Data Processor shall ensure that such transfer of data to a third country or an international organisation shall be done only on the basis of documented instructions from the Data Controller or in order to fulfil a specific requirement under EU or Malta law to which the Data Processor is subject.
- The Data Controller agrees that where the Data Processor engages a Sub-Processor in accordance with Clause 8, for carrying out specific processing activities on behalf of the Data Controller, and those processing activities involve a transfer of Personal Data outside of the EEA, the Data Processor and Sub-Processor shall ensure compliance with the provisions of the GDPR by using Standard Contractual Clauses, provided the conditions for the use of those Standard Contractual Clauses are met.
- Where the Data Processor effects a data transfer outside the EEA in accordance with Clause 10.2, the Data Processor binds itself that this Personal Data will be stored and processed in conformity with Data Protection Laws and that all appropriate Technical and Organisational Measures are taken by the Data Processor and its Sub-Processors.
- Through this DPA, the Data Controller is consenting to the storage of Personal Data in all the locations as defined in Schedule A to this DPA.
11. Third party requests for disclosure of Personal Data
- Unless prohibited by applicable law, the Data Processor shall promptly notify the Data Controller of:
- Any request for the transfer of Personal Data covered by the DPA, by any governmental, regulatory, Supervisory Authority;
- Any request for access received directly from a Third Party;
- Any requirement by law, court order, warrant, subpoena, or other legal judicial process to disclose any Personal Data to any person or entity other than the Controller.
- The Data Processor shall provide all reasonable assistance to the Data Controller, subject to a charge based on its then current charge rates, to enable the Data Controller to respond, object or challenge any such demands, inquiries, communications, requests or complaints and to meet applicable statutory or regulatory deadlines.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall implement appropriate Technical and Organisational Measures to protect any Personal Data that may be processed on behalf of the Data Controller against accidental destruction or loss or unlawful forms of processing, which Measures are listed in Schedule B of this DPA.
- The Data Controller is responsible for reviewing the information made available by the Data Processor relating to data security and making and independent determination as to whether the Measures meet the Data Controller’s requirements and legal obligations under Data Protection Laws. The Data Controller acknowledges that the Technical and Organisational Measures are subject to technical progress and development and that the Data Processor may update or modify the Technical and Organisational Measures it has in place provided that such updates and modifications do not result in the degradation of the overall security of the Services.
- The Data Processor shall keep the Data Controller’s Personal Data logically separate to Personal Data Processed on behalf of any other Third Party or its own behalf.
13. Reliability of personnel
- The Parties shall take all reasonable steps to ensure the reliability of any Authorised Employees and staff of Sub-Processors who may have access to the Data Controller’s Personal Data, ensuring in each case that access is limited to those individuals who need to know and to access the relevant Personal Data, as necessary for the purposes of the Principal Agreement.
- The Data Processor shall ensure that all Authorised Employees and Sub-Processors are made aware of the confidential nature of the Personal Data and have executed confidentiality agreements that prevent them from disclosing or otherwise Processing, both during and after their engagement with the Data Processor, any Personal Data except in accordance with their obligations in connection with the Services and as may be enforced by relevant laws.
14. Personal Data breach and notification
- In the event of a Personal Data Breach, the Data Processor shall cooperate with and assist the Data Controller for the Data Controller to comply with its obligations as arising under the GDPR.
- In the event of a Personal Data Breach concerning Personal Data processed by the Data Controller, the Data Controller shall agree to inform the Data Processor in writing upon it becoming aware of any Personal Data Breach within 72 hours, and the Data Processor shall assist the Data Controller in notifying the Personal Data Breach to the relevant Supervisory Authority.
- In the event of a Personal Data Breach concerning Personal Data processed by the Data Processor, the Data Processor shall without undue delay inform the Controller in writing upon it or any Sub-Processor becoming aware of any Personal Data Breach.
- The notification as considered in Clause 14.3 shall include:
- a detailed description of the Personal Data Breach;
- the type of data that was the subject of the Personal Data Breach;
- the identity of each affected person (or, where not possible, the approximate number of Data Subjects and of Personal Data records concerned);
- the name and contact details of the Data Processor’s Data Protection Officer, where applicable, or other point of contact where more information can be obtained;
- a description of the likely consequences of the Personal Data Breach;
- a description of the measures taken or proposed to be taken by the Data Processor to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;
- The Data Processor agrees to provide the Controller with any and all information reasonably necessary for the compliance with the Controller’s own obligations pursuant to the GDPR.
- The Data Processor agrees to cooperate with the Controller or their representatives and take such reasonable commercial steps to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
- The Parties shall not release or publish any filing, communication, notice, press release, or report concerning any Personal Data Breach without the other Party’s written approval.
15. Modifications & notices
- Notices sent in pursuit of this DPA are to be effected in writing, sent to the official place of business of the Party concerned or to its then current registered office address, or via email addressed to the principle contact of record for the Controller.
- The Parties undertake to keep each other informed of any change in the contact details of the person to whom notices are to be sent.
16. Non-compliance & termination
- In the event that the Data Processor is in breach of its obligations under this DPA, the Data Controller may instruct the Data Processor to suspend the processing of the Personal Data until the latter complies with the Clauses of this DPA or the DPA is terminated. The Data Processor shall promptly inform the Data Controller in case it is unable to comply with the Clauses of this DPA, for whatever reason.
- The Data Controller shall be entitled to terminate the DPA insofar as it concerns the processing of personal data in accordance with these Clauses if:
- The processing of Personal Data by the Data Processor has been suspended by the Data Controller pursuant to Clause 16.1. and if compliance with these Clauses is not restored within a reasonable time and in any event within one month following suspension;
- The Data Processor is in substantial or persistent breach of these Clauses or its obligations under the GDPR;
- The Data Processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to these Clauses or the GDPR.
- The Data Processor shall be entitled to terminate the DPA insofar as it concerns processing of personal data under these Clauses where, after having informed the Data Controller that its instructions infringe applicable legal requirements in accordance with Clause 3.2, the Data Controller insists on compliance with the instructions.
- On termination of the Services or termination of the DPA in accordance with Clause 16, the Data Processor shall:
- Upon the Data Controller’s request, furnish the Data Controller with all of the Data Controller’s Personal Data under its control in a format priorly agreed by the Parties which is appropriate to facilitate its use by the Data Controller and taking into consideration the format agreed and the amount of Personal Data, subject to a charge based on the Data Processor’s then current charge rate for such a service.
- Subject to the then applicable data retention policy, securely delete any of the Data Controller’s Personal Data in its possession.
17. Force majeure
- The Parties shall have no liability to each other under this DPA if they are prevented from or delayed in performing their obligations under this Agreement, or from carrying on their business, by acts, events, omissions or accidents beyond their reasonable control, including, without limitation, strikes, lock-outs or other industrial disputes, failure of a utility service or transport or telecommunications network, act of God, war, riot, civil commotion, malicious damage, compliance with any law or governmental order, rule, regulation or direction, accident, breakdown of plant or machinery, fire, flood, storm or default of suppliers or subcontractors, provided that the other Party is notified of such an event and its expected duration.
- If any provision (or part of a provision) of this DPA is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions shall remain in force.
- If any invalid, unenforceable or illegal provision would be valid, enforceable or legal if some part of it were deleted, the provision shall apply with whatever modification is necessary to give effect to the commercial intention of the Parties.
20. Governing law, jurisdiction and dispute resolution
- This DPA and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) are governed by, and construed in accordance with, the laws of the Republic of Malta.
- Both Parties agree that any dispute, controversy or claim arising out of or relating to this DPA, or the breach, termination or invalidity thereof, shall be settled by arbitration in accordance with the rules of the Malta Arbitration Centre in force at the time of the dispute. It is also agreed that:
- the appointing authority and administrator shall be the Malta Arbitration Centre;
- the number of arbitrators shall be one;
- the place of arbitration shall be Malta;
- the applicable substantive law shall be the laws of Malta.
Type of processing
The table below defines a list of types of processing related to Personal Data, and the storage location for that processing.
|Type of processing||Location of storage and processing|
|Application hosting and data storage||
Per Data Controller’s Instruction upon account creation, may be located in:
|Email sending||Germany (Frankfurt)|
United States (rendering)
Various edge nodes (caching)
|Capture screenshots from URLs||United States|
|Push notifications||United States|
|Application monitoring||United States|
|Support infrastructure||Australia, Germany and United States|
Technical & organisational measures
Following are technical and organisational measures the Data Processor has implemented and will maintain for the processing of Personal Data.
- Intrusion prevention
- Network firewall to protect Data accessible via the internet.
- Systems and software are kept up-to-date with the latest available upgrades, updates, bug fixes, new versions and other modifications necessary to ensure security of Data.
- Anti-malware software, kept up-to-date.
- Physical access control
- Services and data are hosted in Amazon Web Services (“AWS”) facilities in Australia, Canada, Europe and the USA, and protected by AWS in accordance with their security protocols.
- Logical access controls
- A unique ID is assigned to each of the Data Processor’s Authorised Employees, and Identity Providers are used to manage their access to systems processing Data.
- Multi Factor Authentication (MFA) is used to protect all systems processing Data.
- Access to Data is restricted to only those people with a “need-to-know” for a permitted purpose and following least privileges principles.
- Reviews at least annually of the list of people and systems with access to Data, and removal of accounts upon termination of employment or a change in job status that results in employees no longer requiring access to Data.
- System-enforced “strong passwords” in accordance with the best practices described below, on all systems hosting, storing, processing, or that have or control access to Data.
- All employee passwords and access credentials are required to be kept confidential and not shared.
- User passwords must contain at least 12 characters.
- Account lockout when a User exceeds five consecutive incorrect password log in attempts.
- Virtual Private Network (“VPN”), strong passwords and MFA, are requirements for access to Data Processor resources, by Authorised Employees only.
- Monitoring of production systems, with security controls and procedures designed to prevent, detect and respond to identified threats and risks.
- Strict privacy controls exist in the application code that are designed to ensure Data privacy and to prevent one Client from accessing another Client’s data (i.e. logical separation).
- Storage and transmission security
- All Data in transit is encrypted using TLS 1.3.
- All Data at rest is encrypted using AES 256-bit encryption.
- All datastores used to process Data are configured and patched using commercially reasonable methods according to industry-recognised system-hardening standards.
- Disaster recovery and backup controls
- Data is permanently stored in either Australia, Canada, Europe or the USA and is backed up for disaster recovery.
- Leveraging AWS, a reputable Infrastructure-As-A-Service provider, and their portfolio of globally redundant services to ensure Services run reliably. Our implementation of AWS services allows us to dynamically scale up, or completely re-provision infrastructure resources on an as-needed basis, across multiple geographical areas, using the same vendor, tools, and APIs. Our infrastructure scales up and down on demand as part of day to day operations and does so in response to any changes in our Clients’ needs. This includes compute resources, storage and database resources, networking, security, and DNS. Every component in our infrastructure is designed and built for high availability.
- Implementation of AWS services is designed to ensure high availability, built-in redundancy and protection of Data from accidental loss or destruction. Our Disaster Recovery Plan incorporates geographic failover between regional data centers. Service restoration is within commercially reasonable efforts and is performed in conjunction with AWS’s ability to provide adequate infrastructure at the prevailing failover location. Recovery and resilience mechanisms are tested regularly and processes are updated as required.
- Incident management process for 24×7 on-call response to mitigate critical issues impacting Clients.
- No reliance on specific office locations to sustain operations. All operational access to production resources can be exercised at any location with internet access. Our employees are all remote worker and leverage our toolkit of best-of-breed technologies and cloud tools.
- Disaster recovery from ground zero to full operation of all platforms, applications and architecture is tested to be achievable within a 4 hour period.
- All Data deleted by Instruction is fully expunged from AWS datastores and our Data backups within 28 days.
- Business continuity and security incident response plan
- Formal procedure for handling security events. When security events are detected, relevant parties are notified and assembled online to rapidly address the event. After a security event is contained and mitigated, relevant teams document an analysis of the event, which is reviewed and distributed across the company and includes action items to prevent repeat or similar events in the future.
- Audits and risk assessments
- Information Security Management Systems (“ISMS”) audited internally and externally by a 3rd party certifier, annually, to ensure compliance with ISO 27001.
- Penetration testing carried out by independent 3rd party security experts every 3-6 months.
- Application vulnerability scans carried out internally every month. Vulnerability remediation is prioritised based on risk.
- Prior to engaging new 3rd party service providers or vendors who will have access to Data, Data Processor conducts a risk assessment of vendors’ data security practices.
- Change and configuration management
- Continuous automation for application and operating systems deployment for new releases. Integration testing and unit testing are done upon every build with safeguards in place to ensure availability and reliability.
- Process for critical fixes to be deployed within minutes.
- Personnel security
- Criminal background checks are carried out on all Data Processor employees.
- Security and privacy training for all Data Processor’s employees with access to Data.
- Contracts with employees that ensure:
- adherence to Data Processor policies, including security and data protection policies;
- non-disclosure of information.
- Secure disposal
- Permanent and secure deletion of all online and network accessible instances of Data within 28 days of Client’s Instruction.