Commission Decision C(2010)593
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Name of the data exporting organisation is the End User, as defined in the End User License Agreement (the “EULA”) made by and between End User and Code42 Software, Inc. End User shall be referred to herein as the data exporter. Code42 Software, Inc. shall be referred to herein as the data importer or Code42. Data importer and data exporter may each be referred to herein as a “party” or collectively, as the “parties”. These Contractual Clauses (these “Clauses”) shall be incorporated into and become a part of the EULA by reference therein.
The parties HAVE AGREED on the following Clauses in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Definitions
For the purposes of the Clauses:
(a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) 'the data exporter' means the controller who transfers the personal data;
(c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
Liability
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
Governing law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Subprocessing
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.
Obligation after the termination of personal data processing services
1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is (please specify briefly your activities relevant to the transfer):
Data exporter is an individual or small business located within the European Union who has selected data importer as its end point storage provider.
The data importer is (please specify briefly activities relevant to the transfer):
The data importer is a Delaware corporation headquartered in Minnesota. The data importer is a global enterprise SaaS provider of endpoint data protection and security.
The personal data transferred concern the following categories of data subjects (please specify):
data exporter account information and encrypted endpoint data selected by data exporter to be transmitted and stored in an encrypted state within data importer’s SaaS solution
Categories of data
The personal data transferred concern the following categories of data (please specify):
first name, last name, email address, and any encrypted personal or business information identified by data exporter for storage in data importer’s solution
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
first name, last name, email address, and any encrypted personal or business information identified by data exporter for storage in data importer’s solution
The personal data transferred will be subject to the following basic processing activities (please specify):
cloud based endpoint secondary storage, retrieval, support and authentication of encrypted data designated by data exporter
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
The description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
Any capitalized term not otherwise defined herein shall have the meaning given in the EULA.
This Addendum, in addition to the information security standards set forth in the EULA, describes the minimum information security standards that Code42 shall have and maintain in order to protect Confidential Information and User Data from unauthorized use, access, disclosure, theft, manipulation, reproduction, Security Incident or otherwise during the term of services outlined in the EULA and for any period thereafter during which Code42 has possession of or access to any Confidential Information and/or User Data. Code42’s ongoing adherence to a security program based on an Industry Recognized Framework, as defined below, is a condition to End User doing business with Code42. The requirements set forth in this Security Exhibit are in addition to any set forth in the EULA. To the extent of any conflicts, this Addendum shall govern.
- Business Continuity Plan: A collection of procedures and information that is developed, compiled and maintained in readiness for use in the event of an emergency or disaster.
- Change Management: A formal process used to ensure that changes to Code42 hardware, software, and other systems are introduced in a controlled and coordinated manner. This reduces the possibility that unnecessary changes will be introduced, that faults or vulnerabilities are introduced, or that unauthorized changes made by other users are introduced.
- Confidential Information: Information which may be considered confidential and/or trade secret information which includes information: (i) regarding the Code42 Software and Code42 Subscription Services; (ii) that is clearly and conspicuously marked as “confidential” or with a similar designation at time of disclosure; (iii) that is identified as confidential and/or proprietary before, during, or promptly after presentation or communication; and (iv) that should be reasonably understood to be confidential or proprietary to a disclosing party, given the nature of the information and the context in which disclosed. The term “Confidential Information” does not include User Data.
- Data Breach: Any use, disclosure, loss, acquisition of, or access to, User Data that is not in accordance with the terms of the EULA.
- Industry Recognized Framework: A global industry recognized information security management system (“ISMS”), such as but not limited to ISMS standard ISO/IEC 27001– Information technology – Security techniques – Information security management systems – Requirements, as published by the International Organization for Standardization and the International Electrotechnical Commission (“ISO 27001”).
- Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
- SOC2: A third-party AICPA report on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy. These reports are intended to meet the needs of a broad range of users that need to understand internal control at a service organization. These reports are performed using the AICPA Guide: Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy and are intended for use by stakeholders (e.g., customers, regulators, business partners, suppliers, directors) of the service organization that have a thorough understanding of the service organization and its internal controls. These reports can form an important part of stakeholders’:
  - Oversight of the organization;
  - Vendor management program;
  - Internal corporate governance and risk management processes; and
  - Regulatory oversight.
- System: An assembly of components that supports an operational role or accomplishes a specific objective. This may include a discrete set of information resources (network, server, computer, software, application, operating system or storage devices) organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
- Vendor: Collectively and individually, any third party to whom Code42 intends to grant access to Confidential Information and User Data in accordance with the EULA and this Addendum, including any contractor, offshore service provider, outsourcer, cloud service providers or any platform service provider that may have access to Confidential Information and User Data.
- Disclosure of Confidential Information and User Data.
Code42 shall not use, access, or disclose Confidential Information and User Data in any manner that would constitute a violation of Applicable Law or EULA terms (including, without limitation, by means of outsourcing, sharing, retransfer, access, or use) to any person or entity, except to: (1) Employees who actually and legitimately need to access or use Confidential Information and User Data in the performance of Code42’s duties under the EULA; or (2) Vendors or contractors after such Third Party has been vetted through an appropriate vendor due diligence process.
- Use of, Storage of, or Access to, Confidential Information and User Data.
Code42 shall only use, store, or access Confidential Information and User Data: (1) In accordance with and only to the extent permissible under the EULA (including this Addendum); and (2) In full compliance with any and all Applicable Laws.
- Safeguarding Code42 Data.
Code42 agrees that the use, storage, and access to Confidential Information and User Data shall be performed with the degree of skill, care, and judgment customarily accepted as sound, quality, and professional practices. Code42 shall implement and maintain safeguards necessary to ensure the confidentiality, integrity, and availability of Confidential Information and User Data.
Such safeguards shall include as appropriate, and without limitation, the following:
- Access Control. Code42 must ensure controls restrict unauthorized user access to Confidential Information and User Data. Code42 must use authentication and authorization services to access Confidential Information and User Data. Code42 must provide and ensure IT administrators use separate and unique accounts for administration and non-administration responsibilities.
- User Access Management. End User authorizes access to Confidential Information and User Data on a need-to-know basis. When the data resides physically or logically within End User-managed environments, Code42 access will be subject to End User’s access management policies and procedures. End User must authorize all decisions for access to Confidential Information and User Data residing within End User-managed environments. Code42 may not extend access to Confidential Information and User Data residing within End User-managed environments to third parties without prior written consent. All user accounts used to access Confidential Information and User Data must be unique and clearly associated with an individual user. Code42 must ensure unique assignment of User IDs, tokens, or physical access badges provided to employee or contingent staff. Code42 must ensure all user, System, service, and administrator accounts and passwords are never shared. Code42 is responsible for reviewing authorization privileges assigned to its employees and contingent staff on a quarterly basis to ensure that access is appropriate for the user’s functioning role. Access authorization should follow “principles of least privilege.” Code42 must ensure procedures exist for prompt modification or termination of access rights in response to organizational changes. Code42 must identify and disable inactive user accounts within 10 business days. Code42 must immediately notify End User in writing if a Code42 employee or Code42 contractor with access to End User-managed Systems terminates, no longer requires access to the End User account, or requires changes to the user account. Notification must include name and User ID of the accounts or Systems the person has access to.
- Password management & authentication controls. Code42 must ensure Systems that access Confidential Information and User Data have a secure authentication method. Code42 must ensure that access to Confidential Information and User Data meets the following additional requirements at all times: Code42 must encrypt authentication credentials during storage and transmission, Code42 must prohibit its users from sharing passwords, and Code42 must change passwords immediately for accounts suspected of compromise.
- Remote Access Control. If, in providing agreed upon Support, Code42 requires remote access to End User’s Systems, Code42 must always use an End User approved method when connecting. Connecting equipment must implement controls to ensure that Systems maintain current patch levels, have anti-virus software installed with current signatures and scanning engines, and have an operable personal firewall. Remote access equipment must have the capability of meeting End User’s security requirements for remote management, encryption, certificate authentication, and credential storage before connecting to End User’s network.
- Network, Operating System, and Application Control. All Code42 Systems or networks connecting to End User networks and/or accessing Confidential Information and User Data must employ safeguard controls capable of monitoring and blocking unauthorized network traffic. Code42 must enable logging on network activity for audit, incident response, and forensic purposes. Where such controls are not available, Systems or networks used to access Confidential Information and User Data must be physically or logically separate from other Code42 networks.
- Logging of System Use. Code42 must configure all Code42 systems used to access, process, or store Confidential Information and User Data to enable basic forensic accountability. In the case of a Security Incident involving Code42-supplied laptops, desktops, or removable or portable data storage media used to access, process, or store Confidential Information and User Data, Code42 must provide access to the equipment or media to End User or End User’s representatives upon request, along with all relevant encryption/decryption keys necessary to enable forensic analysis, except when the Security Incident involves the actual loss or destruction of the equipment or media. Code42 servers used to access, process, or store Confidential Information and User Data must maintain sufficient audit logging to enable forensic analysis, including logging of Security Incidents, connectivity to services and sessions, and modification to user and configuration settings. Audit logs must be maintained for a minimum of three months. In the case of a Security Incident involving Code42 Systems used to access, process, or store Confidential Information and User Data, Code42 must provide access to the relevant audit logs to End User or End User’s representatives upon request to enable forensic analysis.
- System Security. A System that is owned or supported by Code42 and contains Confidential Information and User Data will be secured as follows:
  - Code42 must establish and maintain configuration standards, which address currently known security vulnerabilities and industry best practices, for all network devices and hosts. These standards must address configuration with all applicable security parameters to prevent misuse. Code42 must remove or disable any non-essential functionality such as scripts, drivers, features, subsystems, or file systems (e.g. unnecessary web servers, default or sample files, etc.). Code42 must ensure that software used in operational systems maintains a current level of patching support from its supplier.
  - Code42 must validate and test Software and related application source code against vulnerabilities and weaknesses before deploying code to production. All software development done on behalf of End User must follow a documented software development process or life cycle (SDLC) with appropriate security checkpoints.
  - Code42 warrants that its System is free of any System settings or defects that would create a potential Data Breach.
  - Code42 shall provide to End User in writing the specifications and configuration settings of the System, including: hardware, operating system, applications, communication ports and protocols.
  - The System shall use secure protocols (e.g. SSH, SSL, SFTPS, TLS, IPSec) to safeguard Confidential Information and User Data in transit.
  - If the System may be placed on a public network, the System must be sufficiently protected from compromises and attacks.
  - The System shall not be deployed with default passwords and shall allow the changing of System and user passwords.
- System Maintenance and Support
- Code42 will timely review, test, and install patches essential for safeguarding the confidentiality, integrity, or availability of the System or Confidential Information and User Data.
- Proper Change Management procedures, as defined in the EULA or as otherwise agreed upon by the Parties in writing, shall be followed.
- Code42 shall ensure that the System is supported. Code42 shall provide advanced notice of End of Life and Support as set forth in Code42’s Product End of Life Policy accessible via https://support.code42.com/Terms_And_Conditions/Product_Lifecycle_Policy before the System or any components become unsupported.
- If necessary, Code42 shall provide remote support via a mutually agreed upon secure connection method. Remote access shall be limited to an as-needed or as-requested basis.
- On occasion, End User may be required to exchange with Code42 databases or other files containing personally identifiable information, encryption keys, and/or other sensitive information. End User agrees that this exchange will be done in a secure fashion determined by Code42, limited in its use to only support, and promptly disposed of once the issue precipitating the exchange is resolved. End User, or its administrator or agent, submitting such information: (i) shall be knowledgeable of the information being transmitted, including any sensitivities related thereto, (ii) shall be authorized by End User to submit any such information, and (iii) will consult with End User’s internal advisors so as to comply with all Applicable Laws related to the exchange of any such information.
- Data Protections
- Code42 shall only use, store, disclose, or access Confidential Information and User Data: i) in accordance with, and only to the extent permissible under the EULA; and ii) in full compliance with any and all Applicable Laws.
- Code42 shall have documented policies and procedures to prevent unauthorized use, disclosure, loss, or acquisition of, or access to, Confidential Information and User Data. This includes, but is not limited to, personnel security measures, such as background checks.
- All transmission of Confidential Information and User Data between parties shall be performed using a mutually agreed upon secure file transfer method that includes a detailed audit log of events (e.g., who, what, where, when).
- If any physical media is used by Code42 or its Vendors to store Confidential Information and User Data, Code42 shall protect the Confidential Information and User Data stored on any damaged or physically replaced media by: (i) physically destroying said media device through crushing, shredding, incineration and/or melting, prior to transferring the media device from its location, or (ii) using a digital sanitization tool to sanitize said media device, prior to transferring the media device from its location.
- Physical and Environmental Security.
Code42 must require that its Vendors implement controls that restrict unauthorized physical access to the data centers that contain equipment used to access Confidential Information and User Data. Code42 must (or require its Vendors to) monitor all areas containing equipment used to access Confidential Information and User Data for attempts at unauthorized access. All secure areas must be enclosed by a perimeter that will deter unauthorized personnel from gaining access, causing damage to or interference with the business processes that take place within that area. Personnel working in secure areas must be easily identified as authorized to work in that area. Code42 must implement and maintain processes to verify that only authorized personnel with an approved business need may be permitted to work in secure areas. Code42 must not allow visitors access to secure areas unescorted. Code42 must ensure proper disposal of all sensitive information using appropriately secured containers for shredding or other approved means. Locked “shred-it” bins must be available in all areas where sensitive information is used in physical form.
- Incident Response.
- Discovery, Investigation and Notification of Incident. Upon discovery or notice of any Security Incident, Code42 will:
- immediately investigate such Security Incident; and
- notify End User of such Security Incident within a commercially reasonable time following the commencement of its investigation or receipt of notice of such Security Incident.
- Action Following a Security Incident. Promptly following discovery or notice of any Security Incident, Code42 will take:
- corrective action to mitigate any risks or damages involved with such Security Incident and to protect the Systems and Confidential Information and User Data from any further compromise; and
- any other actions that may be required by Applicable Law as a result of such Security Incident.
- No Surreptitious Code.
Code42 warrants that it will not knowingly introduce, via any means, spyware, adware, ransomware, rootkit, keylogger, virus, trojan, worm, or other code or mechanism designed to permit unauthorized access to Confidential Information and User Data, or which may restrict End User’s access to or use of Confidential Information and User Data.
- Personnel & Human Resources Security Background & Screening Checks.
To the extent allowed by law and prior to employment only, Code42 will conduct employee background screening. Background checks must be completed and the results deemed satisfactory prior to the employee being assigned to perform Professional Services under the EULA for End User where those Professional Services will involve having access to End User’s facilities, Confidential Information or User Data. Upon End User’s written request and to the extent allowed by local law, Code42 will attest in writing to its compliance with this paragraph. Code42 should not expose End User to a level of risk which is commercially unreasonable or which is higher than that to which Code42 would be comfortable exposing itself. Individuals whose background checks reveal convictions for violations including computer crimes, fraud, theft, identity theft, or excessive financial defaults will not be permitted access to Confidential Information and User Data.
- Termination Procedures.
Upon expiration or earlier termination of the EULA, Code42 shall endeavour to ensure that no Security Incident occurs and shall promptly follow the data destruction requirements for Confidential Information and User Data set forth in the EULA. For the avoidance of doubt, the method of destruction shall be accomplished by “purging” or “physical destruction”, in accordance with National Institute of Standards and Technology (NIST) Special Publication 800-88. Upon written request, Code42 will promptly certify in writing to End User that such return or destruction has been completed.