This Data Processing Addendum ("DPA") sets forth the terms and conditions by which Personal Data will be transferred and Processed under the parties’ agreement (the "Agreement").
This DPA is supplemental to, and forms an integral part of, the Agreement, and is effective upon its incorporation into the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.
The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.
Data Storage Site Security
The sites where Your Data is stored, including data centers, offices, and off-site storage facilities, will have appropriate physical security controls.
The networks on which Your Data will be transmitted will be protected from unauthorized access or infiltration, either internally or externally.
The measures that will be taken to ensure this will include:
- Running periodic external and internal vulnerability scanning and informing the relevant data exporter of any issues arising.
- Maintaining perimeter defenses such as firewalls and data loss prevention solutions.
- Maintaining internal defenses such as security information event management to analyze log files to identify anomalous behavior and other threats.
The technology on which Your Data is stored, including servers, workstations and laptops, cloud service and other portable media will be protected from known threats by:
- Ensuring anti-virus or anti-malware systems are implemented and kept current for all operating systems.
- Ensuring operating systems have secure configuration.
- Ensuring vendor recommended security patches for both applications and operating systems are applied in a timely manner.
- Encrypting laptop hard drives and portable media.
- Ensuring risk assessments are performed on cloud providers using industry accepted methodologies such as Cloud Security Alliance or equivalent. SSAE16, ISO 27001 or other independent reports provide assurance on security controls and must be assessed when available.
- Ensuring mobile device management software is used to administer security controls on corporate supplied and bring your own devices.
The confidentiality of Your Data will be maintained by protecting such data wherever it is stored, and whenever it is transmitted. These processes and procedures may include:
- The secure disposal of paper, equipment, media and data.
- The security of data in transmission by means of encryption.
Your Data will be accessed only by Tekion authorized personnel through such means as:
- The use of unique usernames and passwords to access the IT systems that host Your Data, including the use of multi-factor authentication to access IT systems remotely.
- Implementing security policies to ensure that passwords are not shared and that systems' passwords are changed periodically in line with recommended best practice.
- Ensuring access to Your Data is authorized and approved.
- Ensuring there is a clear segregation of duties between users.
- Ensuring access is granted on a least privilege basis.
- Terminating access where appropriate.
We will ensure that appropriate aspects of good security practice are enforced when processing any of Your Data. These processes include:
- Maintaining and enforcing policies on the secure handling and care of Data, and taking steps to ensure that such policies are known to all Tekion employees through awareness training.
- Ensuring that developers are trained and kept up to date in security coding techniques.
Staff and 3rd Party Security Procedures
We will ensure and maintain the integrity of personnel accessing Your Data by:
- Assessing the reliability of Tekion employees who will have access to Personal Data.
- Maintaining and enforcing policies on the secure handling and care of Data, and taking steps to ensure that such policies are known to all Tekion employees.
- Having employees and contractors sign confidentiality agreements prior to accessing Your Data.
- Reviewing any sub-processors which We will use, to ensure appropriate security measures are in place.
- Ensuring any third party adheres to the minimum set of controls prescribed by Our information security policies.
Third party subcontractors will be bound to adhere to similar but not necessarily identical technical and organizational measures, which shall however not fall below the level of data security agreed herein. Any technical and organizational measures are subject to changes in technical standards and may be adapted accordingly. If so requested, We will provide You with a description of the then current measures.
Data Breach Procedures
We have established a set of data breach security procedures that include the following elements:
- Detection: Establishing the facts of the incident and creating a diagnostic, containment and communications plan with respect to those whose Data has been affected.
- Containment: Limiting the extent of the data compromise.
- Eradication: Removing all aspects of the hostile code/configuration, if applicable.
- Recovery: Restoring data and system to a known good state, without vulnerability.
- Review: Assessment of how to avoid similar incidents in future.
- Notification: Informing relevant interested parties of the data breach within legal and industry acceptable obligations and timeframes.