EFFECTIVE DATE OF AMENDMENT: May 25, 2018.
Fog Creek Software Inc. ("Processor") provides products and/or services involving the processing (e.g. accessing, storing, transmitting, etc.) of personal data subject to the GDPR (collectively, the "Agreements"). Accordingly, Fog Creek Software Inc. is acting as processor and/or subprocessor under the GDPR.
This Amendment shall apply to all processing of personal data in order to provide the Services under all Agreements. This amends the Agreement(s) to reflect the arrangements between Processor and its Customers for the General Data Protection Regulation 2016/679 ("GDPR") as follows:
1. Definitions.
All capitalized terms not specifically defined in this GDPR Letter Amendment shall have the same meaning as provided for in the Agreement(s). Terms used but not defined in this Section 1 (Definitions), such as "processing", "controller", "processor" and "data subject", will have the same meaning as set forth in Article 4 of the GDPR.
The following definitions are used within this GDPR Letter Amendment:
1.1 Data Protection Laws means the GDPR and all Member State data protection laws and regulations.
1.2 Customer Personal Data means the Personal Data which Processor is processing as Processor on behalf of Customer in order to provide the Services. Personal Data includes both Personal Data controlled by Customer and Personal Data Customer is Processing on behalf of Other Controllers as Processor.
1.3 Other Controller means any entity other than Customer that is Controller of the Customer Personal Data, such as Customer's affiliated companies or Customer's clients, their customers or affiliated companies.
1.4 Personal Data Breach means a suspected or actual breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
2. Roles and Scope.
2.1 This GDPR Letter Amendment applies if and to the extent Processor is Processing Customer Personal Data. Customer appoints Processor as Processor to process such Customer Personal Data.
2.2 Processor will Process Customer Personal Data for the sole purpose of providing the Services according to Customer's written instructions. The initial scope of Customer's instructions for the Processing of Customer Personal Data is defined by the Agreements including, in particular, this GDPR Letter Amendment. Customer may provide further instructions that the Processor has to comply with. In case Processor does not accommodate an instruction, Customer may terminate the affected part of the Service by providing Processor with a written notice. If Processor believes an instruction violates the Data Protection Laws, Processor will inform Customer without undue delay.
2.3 Processor will comply with all Data Protection Laws in respect of the services applicable to Processors and is responsible for the lawfulness of Processor's Processing of Customer Personal Data.
3. Relevant GDPR Obligations: Articles 28, 32, and 33.
3.1 Processing by Processor shall be governed by this GDPR Letter Amendment under European Union or Member State law, which is binding on Processor with regard to Customer. The subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, the categories of data subjects and the obligations and rights of Customer are set forth in the Agreements in place between the parties, including this GDPR Letter Amendment. In particular, Processor shall:
3.1.1 process the Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which Processor is subject; in such a case, Processor shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
3.1.2 ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3.1.3 take all measures required pursuant to Article 32 of the GDPR;
3.1.4 respect the conditions referred to in Section 3.1 and Section 4 for engaging another processor;
3.1.5 taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR;
3.1.6 assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Processor;
3.1.7 at the choice of Customer, delete or return all the Personal Data to Customer after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data;
3.1.8 make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and as described in this GDPR Letter Amendment and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.
Processor shall immediately inform Customer if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
4.1. The engagement of Subprocessors (including Processor Affiliates) by Processor requires Customer's explicit prior written approval. The fact that Customer has agreed to the involvement of a respective subcontractor regarding the provision of Services cannot be considered as an approval for such subcontractor to Process Customer Personal Data as Subprocessor. Processor will provide a list of its then-current Subprocessors for Customer's review upon execution of this GDPR Letter Amendment, and Processor will notify Customer in advance of any changes to Subprocessors and request Customer's explicit approval for such change.
4.2. Processor shall impose the same data protection obligations as set out in this DPA on any approved Subprocessor prior to the Subprocessor Processing any Customer Personal Data, and ensure that the relevant obligations (including but not limited to the information and audit rights) can be directly enforced by Customer or Other Controllers against the Processor's Subprocessors.
4.3. Processor remains responsible for its Subprocessors and liable for their acts and omissions as for its own acts and omissions and any references to Processor's obligations, acts and omissions in this DPA shall be construed as referring also to the Processor's Subprocessors.
5. Technical and Organizational Measures. Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to:
5.1. the pseudonymisation and encryption of Personal Data;
5.2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
5.3. the ability to restore the availability and access to Personal Data immediately in the event of a physical or technical incident; and
5.4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
5.5. Additional technical and security measures are as set forth in Exhibit 1 of this GDPR Letter Amendment.
5.6. If changes to the technical and organizational measures are required by Customer, such changes shall be implemented by the Processor following Customer's instructions.
6. In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
7. Processor shall take steps to ensure that any natural person acting under the authority of Processor who has access to Personal Data does not process them except on instructions from Customer, unless he or she is required to do so by Union or Member State law.
8. Breach Notification.
Processor shall notify Customer without undue delay (and in no event later than 24 hours) after becoming aware of a Personal Data Breach. Such notice will, at a minimum:
8.1. describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
8.2. communicate the name and contact details of the data protection officer or other contact where more information can be obtained;
8.3. describe the likely consequences of the personal data breach; and
8.4. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
9. Assisting Customer Response to Requests from Data Subjects.
9.1. To the extent permitted by law, Processor will inform Customer without undue delay of requests from Data Subjects exercising their Data Subject rights (e.g. rectification, deletion and blocking of data) addressed directly to Processor regarding Customer Personal Data. If Customer is obliged to provide information regarding Customer Personal Data to Other Controllers or third parties (e.g. Data Subjects or the Supervisory Authority), Processor shall assist Customer in doing so by providing all required information. If Customer or Other Controllers are obliged to provide information about the processing of Customer Personal Data to a Data Subject, Processor shall assist Customer in making the required information available.
9.2. If a Data Subject brings a claim directly against Customer for damages suffered in relation to Processor's breach of this GDPR Letter Amendment or Data Protection Laws with regard to the processing of Customer Personal Data, Processor will indemnify Customer for any reasonable cost, charge, damages, expenses or loss arising from such a claim, provided that Customer has notified Processor about the claim and gives Processor the opportunity to cooperate with Customer in the defense and settlement of the claim.
10. Transborder Data Processing.
10.1. In case Processor is established in a country that is neither a Member State nor considered by the European Commission to have adequate protection, by agreeing to this GDPR Letter Amendment, Processor is entering into EU Standard Contractual Clauses with Customer as set out here.
10.2. At Customer's choice, Other Controller(s) may agree to the EU Standard Contractual Clauses as additional Data Exporter(s) and Processor declares in advance to accept such accession. Customer shall inform the Processor about the accession of such additional Data Exporters.
11. Records of Processing Activities.
Processor shall maintain all records required by Article 30(2) of the GDPR and, to the extent applicable to the processing of Personal Data on behalf of Customer, make them available to Customer upon request.
Processor agrees that it shall be responsible for all costs associated with its compliance of such obligations. Processor is responsible and liable for its acts and omissions under this DPA. All damages arising under this GDPR Letter Amendment shall be deemed direct damages.
Except as amended herein, all other terms and conditions of the subject Agreement(s) shall remain in full force and effect.
Customer acknowledges that they have read this GDPR Letter Amendment, understand it, and agree to be bound by its terms and conditions. Further, they agree that this GDPR Letter Amendment and the subject Agreement are the complete and exclusive statement of the agreement between the parties, superseding all proposals or other prior agreements, oral or written, and all other communications between the parties relating to this subject.
Exhibit 1: Technical and Organizational Measures
Processor has implemented and will maintain the appropriate technical and organizational security measures in accordance with either option a) Independent Attestation of Security, or b) GDPR Data Security Principles, for the purpose of protecting Customer or Personal Data (collectively, "Customer Personal Data") against accidental loss, destruction, alteration, unauthorized disclosure or access, or unlawful destruction. Processor agrees that, based on Customer or Customer Client requirements or the nature of the engagement, Customer may require Processor to agree to additional technical and organizational measures. Those terms may require a separate executed agreement.
GDPR Data Security Principles
1. Data Protection
a. Security measures for each Processor deliverable or service are designed to protect Customer Personal Data and to maintain the availability of such Customer Personal Data pursuant to the Agreement, including applicable Attachments, Statements of Work or other transaction documents, (collectively "Agreement Documents"). Customer is the sole controller for any personal data, and appoints Processor as a processor to process such personal data (as those terms are defined in EU General Data Protection Regulation). Processor will treat all Customer Personal Data as confidential by not disclosing Customer Personal Data except to Processor employees, contractors, and subprocessors, and only to the extent necessary to deliver the Service, unless otherwise specified in Agreement Documents.
b. Processor will securely sanitize physical media intended for reuse prior to such reuse, and will destroy physical media not intended for reuse, consistent with the National Institute of Standards and Technology (NIST, United States Department of Commerce) guidelines for media sanitization.
2. Security Policies
a. Processor will maintain and follow IT security policies and practices that are integral to Processor's business and mandatory for all Processor employees, including supplemental personnel.
b. Processor will review its IT security policies at least annually and amend such policies as Processor deems reasonable to maintain protection of Services and Customer Personal Data processed therein.
c. Processor will maintain and follow its standard mandatory employment verification requirements for all new hires, including supplemental employees, and extend such requirements to wholly owned Processor subsidiaries. In accordance with Processor internal process and procedures, these requirements will be periodically reviewed and include, but may not be limited to, criminal background checks, proof of identity validation, and additional checks as deemed necessary by Processor. Each Processor company is responsible for implementing these requirements in its hiring process as applicable and permitted under local law.
d. Processor employees will complete security and privacy education annually and certify each year that they will comply with Processor's ethical business conduct, confidentiality, and security policies, as set out in Processor's employee code of conduct. Additional policy and process training will be provided to persons granted administrative access to Service components that is specific to their role within Processor's operation and support of the Service, and as required to maintain compliance and certifications stated in the relevant Agreement Documents.
3. Security Incidents
a. Processor will maintain and follow documented incident response policies consistent with NIST guidelines for computer security incident handling, and will comply with data breach notification terms of the Agreement.
b. Processor will investigate unauthorized access and unauthorized use of Customer Personal Data of which Processor becomes aware (security incident), and, within the Service scope, Processor will define and execute an appropriate response plan. Customer may notify Processor of a suspected vulnerability or incident by submitting a technical support case for Processor evaluation.
c. Processor will promptly (and in no event later than 24 hours) notify Customer of a security incident or Personal Data Breach that is known or reasonably suspected by Processor to affect Customer. Processor will provide Customer with reasonably requested information about such security incident and status of any Processor remediation and restoration activities.
4. Physical Security and Entry Control
a. Processor will maintain appropriate physical entry controls, such as barriers, card controlled entry points, surveillance cameras, and manned reception desks, to protect against unauthorized entry into Processor facilities used to host the Service (data centers). Auxiliary entry points into data centers, such as delivery areas and loading docks, will be controlled and isolated from computing resources.
b. Access to data centers and controlled areas within data centers will be limited by job role and subject to authorized approval. Use of an access badge to enter a data center and controlled areas will be logged, and such logs will be retained for not less than one year. Processor will revoke access to controlled data center areas upon a) separation of an authorized employee or b) the authorized employee no longer having a valid business need for access. Processor will follow formal documented separation procedures that include, but are not limited to, prompt removal from access control lists and surrender of physical access badges.
c. Any person duly granted temporary permission to enter a data center facility or a controlled area within a data center will be registered upon entering the premises, must provide proof of identity upon registration, and will be escorted by authorized personnel. Any temporary authorization to enter, including deliveries, will be scheduled in advance and require approval by authorized personnel.
d. Processor will take precautions to protect the Service's physical infrastructure against environmental threats, both naturally occurring and man-made, such as excessive ambient temperature, fire, flood, humidity, theft, and vandalism.
5. Access, Intervention, Transfer and Separation Control
a. Processor will maintain documented security architecture of networks managed by Processor in its operation of the Service. Processor will separately review such network architecture, including measures designed to prevent unauthorized network connections to systems, applications and network devices, for compliance with its secure segmentation, isolation, and defense in depth standards prior to implementation. Processor may use wireless networking technology in its maintenance and support of the Service and associated components. Such wireless networks, if any, will be encrypted and require secure authentication and will not provide direct access to Service networks. Service networks do not use wireless networking technology.
b. Processor will maintain measures for a Service that are designed to logically separate and prevent Customer Personal Data from being exposed to or accessed by unauthorized persons.
c. To the extent described in the relevant Agreement Documents, Processor will encrypt Customer Personal Data not intended for public or unauthenticated viewing when transferring Customer Personal Data over public networks and enable use of a cryptographic protocol, such as HTTPS, SFTP, and FTPS, for secure transfer of Customer Personal Data to and from the Service over public networks.
d. Processor will encrypt Customer Personal Data at rest when specified in Agreement Documents. If the Service includes management of cryptographic keys, Processor will maintain documented procedures for secure key generation, issuance, distribution, storage, rotation, revocation, recovery, backup, destruction, access, and use.
e. If Processor requires access to Customer Personal Data, Processor will restrict and limit such access to the least level required to provide and support the Service. Such access, including administrative access to any underlying components (privileged access), will be individual, role based, and subject to approval and regular validation by authorized Processor personnel following the principles of segregation of duties. Processor will maintain measures to identify and remove redundant and dormant accounts with privileged access and will promptly revoke such access upon the account owner's separation or request of authorized Processor personnel, such as the account owner's manager.
f. Consistent with industry standard practices, and to the extent natively supported by each component managed by Processor within the Service, Processor will maintain technical measures enforcing timeout of inactive sessions, lockout of accounts after multiple sequential failed login attempts, strong password or passphrase authentication, and measures requiring secure transfer and storage of such passwords and passphrases.
g. Processor will monitor use of privileged access and maintain security information and event management measures designed to a) identify unauthorized access and activity, b) facilitate a timely and appropriate response, and c) enable internal and independent third party audits of compliance with documented Processor policy.
h. Logs in which privileged access and activity are recorded will be retained in compliance with Processor's records retention policy. Processor will maintain measures designed to protect against unauthorized access, modification and accidental or deliberate destruction of such logs.
i. To the extent supported by native device or operating system functionality, Processor will maintain computing protections for systems containing Customer Personal Data and all end-user systems that include, but may not be limited to, endpoint firewalls, full disk encryption, signature-based antivirus and malware detection and removal that shall a) be regularly updated by central infrastructure and b) log to a central location, time-based screen locks, and endpoint management solutions that enforce security configuration and patching requirements.
6. Service Integrity and Availability Control
a. Processor a) performs penetration testing and vulnerability assessments, including automated system and application security scanning and manual ethical hacking, before production release and annually thereafter, b) enlists a qualified independent third-party to perform penetration testing at least annually, c) performs automated management and routine verification of underlying components' compliance with security configuration requirements, and d) remediates identified vulnerabilities or noncompliance with its security configuration requirements based on associated risk, exploitability, and impact. Processor will take reasonable steps to avoid Service disruption when performing its tests, assessments, scans, and execution of remediation activities.
b. Processor will maintain policies and procedures designed to manage risks associated with the application of changes to its Services. Prior to implementation, changes to a Service, including its systems, networks and underlying components, will be documented in a registered change request that includes a description and reason for the change, implementation details and schedule, a risk statement addressing impact to the Service and its clients, expected outcome, rollback plan, and documented approval by authorized personnel.
c. Processor will maintain an inventory of all information technology assets used in its operation of the Service. Processor will continuously monitor the health and availability of the Service and underlying components.
d. Each Service will be separately assessed for business continuity and disaster recovery requirements pursuant to documented risk management guidelines. Each Processor Service will have, to the extent warranted by such risk assessment, separately defined, documented, maintained and annually validated business continuity and disaster recovery plans consistent with industry standard practices. Recovery point and time objectives for the Service, if provided, will be established with consideration given to the Service's architecture and intended use, and will be described in the relevant Agreement Documents.
e. Processor will a) back up systems containing Customer Personal Data daily, b) ensure at least one backup destination is at a remote location, separate from production systems, c) encrypt backup data stored on portable backup media, and d) validate backup process integrity by regularly performing data restoration testing.
f. Processor will maintain measures designed to assess, test, and apply security advisory patches to the Service and its associated systems, networks, applications, and underlying components within the Service scope. Upon determining that a security advisory patch is applicable and appropriate, Processor will implement the patch pursuant to documented severity and risk assessment guidelines. Implementation of security advisory patches will be subject to Processor change management policy.
The parties hereby agree:
Entity: Fog Creek Software, Inc.
Name: Jordan Harris
Date: May 25, 2018
Title: Chief Operating Officer