Data Protection Agreement

Updated 17th February 2023

Introduction

This Data Protection Agreement (“DPA”) becomes effective upon the later of (i) the acceptance of the Terms of Service or (ii) 17th February 2023.

Customer shall make available to Nevis Systems and Customer authorizes Nevis Systems to process information including personal data for the provision of the Services under the Agreement. The parties have agreed to enter into this DPA to confirm the data protection provisions relating to their relationship and so as to meet the requirements of applicable Privacy Laws.

1. Definitions

1.1 For the purposes of this DPA:

  • “Data Protection Legislation” means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data by the Customer as Data Controller, including without limitation all binding (inter)national laws and other binding data protection or data security directives, laws, regulations and rulings valid at the given time including any guidance and codes of practices issued by the applicable supervisory authority;
  • “Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
  • “(Data) Processing” means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • “Special Categories of Personal Data” means information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, data concerning a natural person’s sex life or sexual orientation or any other special category of data as is indicated within the deviations in Appendix 2 Deviations based on applicable National legislation or in the Service Order or Service Specification;
  • “Technical and organisational measures” or TOMs means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access. This includes the agreed applicable security requirements and security instructions and their updates applicable at each time and described in Appendix 1 Technical and organisational measures to this DPA or in the Service Order or Service Specification;
  • The terms “data controller” and “data processor” shall have the meanings given to them under the GDPR.


1.2 Capitalised terms used and not defined in this DPA have the meanings given to such terms in the Agreement.


2. Role of the Parties

The Parties understand that for the provision of the Services a distinction is made between two types of processing of personal data: (i) the provision of the services (i.e. the database of call data records and the logs created and managed by Nevis Systems on behalf and under the supervision of Customer) for which Nevis Systems will act as a data processor and agrees to comply with the respective obligations set out in this DPA, and (ii) the transmission of messages (i.e. A2P SMS) by Nevis Systems and other Service Providers for which Nevis Systems will act as a data controller and agrees to comply with the respective obligations set out in clause 14.


3. Subject matter, nature and purpose of Nevis Systems’ processing of personal data


3.1 The subject matter, nature and purpose of the processing of personal data under this DPA is Nevis Systems’ performance of the Services pursuant to the Agreement and as further instructed by the Customer in its use of the Services (“Instructions”), unless Nevis Systems is required to process otherwise by Data Protection Legislation and/or Relevant Laws. In such case (and if, to the extent permitted by Data Protection Legislation and/or Relevant Laws.


3.2 Instructions of the Customer shall be in written form (including, but not limited to, email) or may be given through the settings and use of Nevis Systems’ portal(s) and/or software. In exceptional cases, Instructions may be given orally by the Customer. Such oral Instructions will be confirmed by an authorised person of the Customer in writing or by email (in text form).


4. Duration


4.1 Nevis Systems shall only collect or process personal data for the duration of the Agreement, to the extent and in such a manner as is necessary for the provision of the Services and in accordance with the Agreement and the Data Protection Legislation applicable to Nevis Systems in its role as data processor.


4.2 After the end of the Agreement, Nevis Systems will process personal data only where necessary to fulfil the obligations in this DPA or where required by mandatory law, unless otherwise agreed upon in writing.


5. Type of personal data processed

The following categories of personal data may be processed to deliver the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but are not limited to:

  • Contact information (company, email, phone, physical address)
  • First and last name
  • ID data
  • Title
  • Position
  • Employer
  • Connection data
  • Localisation data

Other data as defined within the Agreement and agreed upon between the parties.


6. Type of data subjects

The Customer may submit personal data to the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to personal data relating to the following categories of data subjects:

  • Customers, business partners and vendors of the Customer (who are natural persons)
  • Employees of contact persons of the Customer’s customers, business partners and vendors
  • Employees, agents, advisors, freelancers of the Customer (who are natural persons)
  • Customer’s Service users, including any user whom the Customer permits to use the Services


7. Sub-processors


7.1 The Customer agrees that Nevis Systems may engage Nevis Systems Affiliates or third parties to process personal data in order to assist Nevis Systems in delivering the Services on behalf of the Customer (“Sub-processors”). Nevis Systems has entered or will enter into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA, to the extent applicable to the nature of the Services provided by such Sub-processor.


7.2 When required by law, Nevis Systems shall conclude additional agreements (for example, but not limited to, Business Associate Agreements as required by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and/or the Health Information Technology for Economic and Clinical Health Act (“HITECH”)).


7.3 The current Sub-processors for the Services are set out at https://www.world-text.com/docs/sub-processors.php (“Sub-processor List”), and the Customer agrees and approves that Nevis Systems has engaged such Sub-processors to process personal data as set out in the list. At https://www.world-text.com/docs/sub-processors.php the Customer will find a mechanism to subscribe to notifications of new Sub-processors for each applicable Service, to which the Customer shall subscribe; if the Customer subscribes, Nevis Systems shall provide notification of any new Sub-processor(s) before authorising such Sub-processor(s) to process personal data in connection with the provision of the applicable Service.


7.4 Nevis Systems shall notify the Customer, in accordance with the mechanism set out in clause 7.2, thirty (30) days in advance of any intended changes concerning the addition or replacement of any Sub-processor, during which period the Customer may raise objections to the Sub-processor’s appointment. Any objections must be raised promptly (and in any event no later than fourteen (14) days following Nevis Systems’ notification of the intended changes). Should Nevis Systems choose to retain the objected-to Sub-processor, Nevis Systems will notify the Customer at least fourteen (14) days before authorising the Sub-processor to process personal data, and the Customer may then immediately discontinue using the relevant portion of the Services and may terminate the relevant portion of the Services. Nevis Systems will refund the Customer any prepaid fees covering the remainder of the term of such relevant portion of the Services following the effective date of termination, and there will be no penalty on either party.


7.5 Nevis Systems may replace a Sub-processor without advance notice where the reason for the change is outside of Nevis Systems’ reasonable control and prompt replacement is required for security or other urgent reasons, such as, but not limited to, (suspected) non-compliance of a Sub-processor with Data Protection Legislation or with the DPA between Nevis Systems and the Sub-processor. In this case, Nevis Systems will inform the Data Controller of the replacement Sub-processor as soon as possible following its appointment. Clause 7.4 applies accordingly.


7.6 For the avoidance of doubt, where any Sub-processor fails to fulfil its obligations under any sub-processing agreement or under applicable law, Nevis Systems will remain fully liable to the Customer for the fulfilment of its obligations under this DPA.


8. International Transfer


8.1 Whenever Nevis Systems (or its Sub-processors) processes personal data in countries other than the country in which Nevis Systems is established, Nevis Systems will ensure an adequate level of protection for personal data by means of organisational, technical and contractual measures as required by Data Protection Legislation and this DPA.


8.2 Where (i) Personal Data of an EEA, UK or Swiss based Data Controller is processed in a country outside the EEA, the UK, Switzerland and any country, organisation or territory acknowledged by the European Union as a safe country with an adequate level of data protection under Art. 45 GDPR, and no other lawful transfer mechanism such as Binding Corporate Rules (Art. 47 GDPR) or a Code of Conduct (Art. 40 GDPR) is available, or where (ii) Personal Data of another Data Controller is processed internationally, such international processing requires an adequacy means under the laws of the country of the Data Controller, and the required adequacy means can be met by entering into Standard Contractual Clauses, the transfer is made pursuant to the European Commission approved Standard Contractual Clauses for the transfer of Personal Data. The Customer grants a power of attorney to Nevis Systems to enter into any such European Commission approved Standard Contractual Clauses with a Sub-processor approved as set out in clause 7, in the name and on behalf of the Customer.


8.3 Where European Commission approved Standard Contractual Clauses are concluded between Nevis Systems and the Customer, the following applies until a competent Member State supervisory authority, or an EU or competent Member State court, approves a different lawful transfer mechanism applicable to the data transfers covered by the Standard Contractual Clauses (if such a mechanism applies only to some of the data transfers, the following clauses remain applicable to the transfers that cannot be covered by the new lawful transfer mechanism):


(i) Rights granted to data subjects under this DPA and the European Standard Contractual Clauses may be enforced by the data subject against Nevis Systems irrespective of any restriction in Clauses 3 or 6 of the Standard Contractual Clauses. These rights are personal and may not be assigned to others. The data subject may only bring a claim under this DPA and the European Standard Contractual Clauses on an individual basis, and not as part of a class, collective, group or representative action.


(ii) In addition to Clause 5(b) of the Standard Contractual Clauses, Nevis Systems agrees that, at the time of concluding this Agreement, it has no reason to believe that the legislation applicable to it or its Sub-processors, including in any country to which personal data is transferred either by itself or through a Sub-processor, prevents it from fulfilling the Instructions received from the Customer and its obligations under the Standard Contractual Clauses, and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Standard Contractual Clauses, it will notify the Customer of the change as soon as it is aware, in which case the Customer is entitled to suspend the transfer of data and/or terminate the contract.


(iii) In case Nevis Systems receives an order from any third party for compelled disclosure of any personal data that has been transferred under the Standard Contractual Clauses, Nevis Systems will:

  • where possible, redirect the third party to request the data directly from the Customer;
  • use all lawful efforts to challenge the order for disclosure on the basis of any legal deficiencies under the laws of the requesting party or any relevant conflicts with the law of the European Union or applicable Member State law.

For the purposes of this section, lawful efforts do not include actions that would result in a civil or criminal penalty, such as contempt of court, under the laws of the relevant jurisdiction.


9. Technical and organisational measures

Nevis Systems has implemented and maintains appropriate technical and organisational measures, in accordance with Data Protection Legislation (including, but not limited to, Article 28(3)(c) and Article 32 GDPR, in particular in relation to Article 5(1) and (2) GDPR). Such measures include, but are not limited to, physical and IT measures and organisational measures to protect the personal data processed against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. Such measures are described in Appendix 1 Technical and Organisational Measures.


10. Quality assurances and other duties of Nevis Systems


10.1 Nevis Systems shall comply with the following requirements (often referred to by reference to Articles 28 to 33 GDPR):

  • no processing of personal data except on instructions from the controller, unless required to do so by an authority;
  • implementation of a data processing register;
  • implementation of technical and organisational measures to ensure a level of data security appropriate to the level of risk presented by the processing of personal data;
  • cooperation with the data protection supervisory authority in the performance of its tasks;
  • notification of a personal data breach to the supervisory authority and the data subject;
  • carrying out a data protection impact assessment when necessary according to law, and consulting the supervisory authority prior to data processing where the data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;

and ensures in particular compliance with the following requirements:

  • a) Appoint a data protection officer, who performs his/her duties in compliance with Data Protection Legislation. The data protection officer’s contact details are available on the Nevis Systems web page. If Nevis Systems’ contracting party is not established in the European Union, Nevis Systems will appoint a responsible contact person in the European Union and/or a data protection officer in accordance with Data Protection Legislation.
  • b) Confidentiality in accordance with Data Protection Legislation. Nevis Systems entrusts the data processing outlined in this contract only to such employees as have been bound to confidentiality and have previously been familiarised with the data protection provisions relevant to their work. Nevis Systems and any person acting under its authority who has access to personal data shall not process that data except on instructions from the Customer, which include the powers granted in this Amendment, unless required to do so by Data Protection Legislation.
  • c) At the Customer’s cost and expense and taking into account the nature of the processing and the information available to Nevis Systems, provide such information and assistance as the Customer may reasonably require, within the timescales reasonably specified by the Customer, to assist the Customer in complying with its obligations under applicable Data Protection Legislation, which may include:
    • i) notifying the Customer of any request Nevis Systems receives from a data subject relating to personal data processed, and notifying the data subject to contact the Customer if it wants to exercise its rights;
    • ii) assisting the Customer to comply with its security obligations;
    • iii) assisting the Customer to discharge its obligations to respond to requests relating to the exercise of data subject rights, including the right of access, right to rectification, right to erasure (“right to be forgotten”) and right to restriction of processing (to the extent that personal data is not accessible to the Customer through the Services), and to carry out a Data Protection Impact Assessment, audit Data Protection Impact Assessment compliance and consult with the supervisory authority;
    • iv) following a Data Protection Impact Assessment.
  • d) Unless prohibited by applicable law or a legally binding request of law enforcement, Nevis Systems shall promptly notify the Customer of any request by any government official, data protection supervisory authority or law enforcement authority in respect of any personal data and, if prohibited from notifying the Customer, Nevis Systems will use all lawful efforts to obtain the right to waive the prohibition in order to communicate as much information to the Customer as soon as possible. For the purposes of this section, lawful efforts do not include actions that would result in a civil or criminal penalty, such as contempt of court, under the laws of the relevant jurisdiction.
  • e) Nevis Systems shall periodically monitor its internal processes and the TOMs to ensure that processing within Nevis Systems’ area of responsibility is in accordance with the requirements of Data Protection Legislation and the protection of the rights of the data subject.


11. Audits and inspections


11.1 In the event that the Customer, a Regulator or a data protection authority requires additional information or an audit related to the Services, Nevis Systems agrees to grant access to its data processing facilities, data files and documentation needed for the processing of personal data. Nevis Systems agrees to provide reasonable cooperation during such audits, including providing all relevant information and access to all equipment, software, data, files, information systems, etc., used for the performance of the Services, including the processing of personal data.


11.2 The audit right described in clause 11.1 becomes applicable for the Customer in case Nevis Systems has not provided sufficient evidence of its compliance with the Technical and Organisational Measures. Sufficient evidence includes providing either: (i) a certification of compliance with ISO 27001 or other standards implemented by Nevis Systems (scope as defined in the certificate); or (ii) an audit or attestation report of an independent third party. An audit as described in clause 11.1 shall be carried out at the Customer’s cost and expense. An audit may be performed by the Customer or by any third party reasonably acceptable to Nevis Systems (which shall not include any third-party auditor who is either a competitor of Nevis Systems or not suitably qualified or independent) to ascertain compliance with this DPA, subject to reasonable notice being given (30 days), compliance with Nevis Systems’ Technical and Organisational Measures, and the auditor entering into a non-disclosure agreement directly with Nevis Systems.


12. Notification of a data breach


12.1 In the event that Nevis Systems becomes aware of any breach of security that results in the accidental, unauthorised or unlawful destruction of, or unauthorised disclosure of or access to, personal data, Nevis Systems shall, among other things:

  • a) notify the Customer in writing immediately, and in any event not later than 72 hours after becoming aware of the personal data breach;
  • b) assist the Customer with regard to the Customer’s obligation to provide information to the data subject, and provide the Customer with relevant information in this regard;
  • c) support the Customer in consultations with the data protection authority.


12.2 To the extent legally possible, Nevis Systems may claim compensation for support services under this clause 12 which are not attributable to personal data breaches caused by Nevis Systems.


13. Deletion of personal data


13.1 Nevis Systems is obliged to erase personal data as stipulated in the Agreement and in accordance with the Data Protection Legislation and/or Relevant Laws.


13.2 The Customer has the right to request execution of the rights and obligations described in clause 13.1 throughout the entire duration of the DPA.


13.3 Statutory retention obligations or contractual obligations towards Service Providers of Nevis Systems (for example, but not limited to, operators) remain unaffected by the above provisions. Documentation serving as evidence of orderly data processing in accordance with the provisions of the DPA shall be retained by Nevis Systems after termination of the DPA in accordance with Data Protection Legislation and/or Relevant Laws.


14. Nevis Systems’ Obligations as Data Controller

In situations where Nevis Systems will act as a data controller, it undertakes to comply with its obligations under applicable Data Protection Legislation in respect of any personal data processed under the SA. It shall process such personal data in connection with the transmission of messages, and to fulfil its associated obligations under the Agreement or as may be required by law, court order or any government or regulatory authority and in accordance with its privacy policy which is available at https://www.world-text.com/docs/privacy-policy.php as amended from time to time, if necessary.


15. Customer’s Obligations

The Customer shall comply at all times with Data Protection Legislation in relation to the processing of personal data in connection with the Agreement and the Services. The Customer shall inform Nevis Systems in writing in case legislation other than that of the country where the Customer is established is applicable to the Processing of Personal Data.


16. Limitation of liability


16.1 Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the Limitation of Liability section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and this DPA.


16.2 Clause 16.1 shall not apply if the damage has been caused by the incorrect implementation of the commissioned service by the Customer or by an instruction given by the Customer. In such case, the Customer will be liable for such damage.


17. Miscellaneous


17.1 The DPA forms an integral part of the Agreement between the Customer and Nevis Systems. In case of conflict between the mandatory provisions of the European Standard Contractual Clauses and this DPA, the European Standard Contractual Clauses shall prevail. In case of other conflicts between documents (including in case of conflict between the Agreement and this DPA), the DPA shall prevail.


17.2 Should any provision of this DPA be or become invalid or contain a gap, the remaining provisions shall remain unaffected. The Customer and Nevis Systems undertake to replace the invalid provision with a legally valid provision which comes closest to the purpose of the invalid provision or, respectively, fills the gap.


APPENDIX 1 to the Data Protection Agreement – Technical and Organisational Measures

Nevis Systems shall implement the measures described in this appendix, provided that the measures directly or indirectly contribute or can contribute to the protection of personal data under the Agreement concluded between the Parties for the processing of data.

The Technical and Organisational Measures implemented by Nevis Systems are based on the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the likelihood and severity of the risk to the rights and freedoms of individuals. The Technical and Organisational Measures are subject to technical progress and development. In this respect Nevis Systems is permitted to implement alternative adequate measures. The level of security must align with industry security best practice and must not be less than the measures set forth herein.

The Technical and Organisational Measures included in this Appendix apply to the Service(s) provided by Nevis Systems. If necessary for the Service, Nevis Systems may include further Technical and Organisational Measures in the Service Order or Service Specification.


1. Risk management and Procedures for validation, review and evaluation

  • i) Nevis Systems shall identify and evaluate security risks related to confidentiality, integrity and availability and, based on such evaluation, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
  • ii) Nevis Systems shall have documented processes and routines for handling risks within its operations and when processing personal data on behalf of the Customer.
  • iii) Nevis Systems shall periodically assess the risks related to information systems and to the processing, storing and transmitting of information.
  • iv) Nevis Systems shall identify and evaluate security risks related to confidentiality, integrity and availability and, based on such evaluation, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the specific personal data types and purposes being processed by Nevis Systems, including, inter alia and as appropriate:
    • a) the pseudonymisation and encryption of personal data;
    • b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    • c) the ability to restore the availability of and access to the Customer’s Data in a timely manner in the event of a physical or technical incident.
  • v) Nevis Systems shall have a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
  • vi) Nevis Systems shall periodically assess the risks related to information systems and to the processing of personal data (e.g. when storing and transmitting personal data).
  • vii) Nevis Systems shall regularly monitor, review and audit Sub-processors’ compliance with the Technical and Organisational Measures and shall, at the request of the Customer, provide the Customer with evidence regarding Sub-processors’ compliance with the Technical and Organisational Measures.
  • viii) Nevis Systems will work in accordance with the principles of data protection by design and by default and shall provide sufficient documentation of the implementation of data protection by design and by default.


2. Organisational Measures

The internal organisation of the processor shall meet the specific requirements of data protection.

  • A) Policies and Policy Management
    • i) Nevis Systems shall have a defined and documented information security management system (ISMS), including an information security policy and procedures, in place, which shall be approved by Nevis Systems’ management. They shall be published within Nevis Systems’ organisation and communicated to relevant Nevis Systems personnel.
    • ii) Nevis Systems shall periodically review Nevis Systems’ policies and procedures concerning data protection and information security and update them if required to ensure their compliance with the Technical and Organisational Measures and the data protection agreement.
  • B) Organisation of Data Protection and Information Security
    • i) Nevis Systems shall appoint at least one data protection officer who has appropriate competence and who functions as the main contact person for data protection. If required by law, Nevis Systems shall appoint a data protection officer at company level.
    • ii) Nevis Systems shall have defined and documented security roles and responsibilities within its organisation.
  • C) Organisational Requirements
    • i) Nevis Systems shall ensure that Nevis Systems personnel handle information in accordance with the level of confidentiality required under the DPA and that it has the written commitment of its employees to maintain confidentiality.
    • ii) Nevis Systems shall ensure that relevant Nevis Systems personnel are aware of the approved use (including use restrictions, as the case may be) of information, facilities and systems under the DPA.
    • iii) Nevis Systems shall ensure that any Nevis Systems personnel performing assignments under the DPA are trustworthy, meet established security criteria and have been, and during the term of the assignment will continue to be, subject to appropriate screening and background verification (if allowed by applicable law).
    • iv) Nevis Systems shall ensure that Nevis Systems personnel with security responsibilities are adequately trained to carry out security related duties.
    • v) Nevis Systems shall provide or ensure periodic awareness training for relevant Nevis Systems personnel. Such training shall include, without limitation:
      • a) how to handle customer information securely (i.e. the protection of the confidentiality, integrity and availability of information);
      • b) why information security is needed to protect customers’ information and systems;
      • c) the common types of security threats (such as identity theft, malware, hacking, information leakage and insider threats);
      • d) the importance of complying with information security policies and applying associated standards/procedures;
      • e) personal responsibility for information security (such as protecting customers’ privacy-related information and reporting actual and suspected data breaches).


3. Confidentiality

  • A) Access Control (Physical and environmental security)

    • i) Nevis Systems shall protect information processing facilities against external and environmental threats and hazards, including power/cabling failures and other disruptions caused by failures in supporting utilities. This includes physical perimeter and access protection.
    • ii) Nevis Systems shall protect goods from theft, manipulation, and destruction.
    • iii) Nevis Systems shall specify authorised individuals allowed within its processing facilities and have an access control process.
    • iv) Additional measures for Data Centres:
      • a) All Data Centres adhere to strict security procedures enforced by guards, surveillance cameras, motion detectors, access control mechanisms and other measures to prevent equipment and Data Centre facilities from being compromised.
      • b) Only authorised representatives have access to systems and infrastructure within the Data Centre facilities.
      • c) To ensure proper functionality, physical security equipment (e.g., motion sensors, cameras, etc.) undergoes maintenance on a regular basis.
      • d) Nevis Systems and all third-party Data Centre providers log the names and times of authorised personnel entering Nevis Systems’ private areas within the Data Centres.
  • B) Access control (Logical)
    • i) Nevis Systems shall have a defined and documented access control policy for facilities, sites, network, system, application, and information/data access (including physical, logical and remote access controls), an authorisation process for user access and privileges, procedures for revoking access rights and an acceptable use of access privileges for Nevis Systems personnel in place.
    • ii) Nevis Systems shall have a formal and documented user registration and de-registration process implemented to enable assignment of access rights.
    • iii) Nevis Systems shall have a joiner-mover-leaver process for its employees.
    • iv) Nevis Systems shall assign all access privileges based on the principle of need-to-know and principle of least privilege.
    • v) Nevis Systems shall use strong (multi-factor) authentication for remote access users and for users connecting from untrusted networks.
    • vi) Nevis Systems shall ensure that each member of Nevis Systems personnel has a personal and unique identifier (user ID) and uses an appropriate authentication technique which confirms and ensures the identity of the user.
  • C) Cryptography/Pseudonymisation/Anonymisation
    • i) Nevis Systems shall ensure proper and effective use of cryptography on information classified as confidential and secret (such as personal data).
    • ii) Nevis Systems shall protect cryptographic keys and store these in accordance with applicable legislation.
    • iii) Nevis Systems will implement adequate measures for pseudonymisation (substitution of personal identifiers with non-personal information) where appropriate.
    • iv) Nevis Systems will implement adequate measures for anonymisation (de-identification by replacing personal identifiers with non-personal information) where appropriate.
  • D) Guidelines concerning admission to the Customer’s premises and/or Nevis Systems’ premises. Admission to the premises and property (such as data centre buildings, office buildings and technical sites) is subject to the following:
    • i) Nevis Systems shall follow local regulations (such as regulations for “restricted areas”) for the Customer’s premises when performing the assignments under the Agreement.
    • ii) Nevis Systems personnel shall carry an ID card or, in the case of visitors, a visitor’s badge, visible at all times when working.
    • iii) Upon termination of employment, completion of the assignment, or transfer of Nevis Systems personnel to other tasks, such personnel shall without delay inform authorised personnel of the change and return any keys, key cards, certificates, visitor’s badges and similar items.
    • iv) Keys or key cards shall be personally signed for by Nevis Systems personnel and shall be handled according to the written rules given upon receipt.
    • v) Loss of the key or key card shall be reported without delay to the authorised personnel.
    • vi) Photographing in or at the premises without permission is prohibited.
    • vii) Goods shall not be removed from the premises without permission.
    • viii) Nevis Systems Personnel shall not allow unauthorised persons access to the premises.

4. Operations security

  • i) Nevis Systems shall have an established change management system in place for making changes to business processes, information processing facilities and systems. The change management system shall include tests and reviews before changes are implemented, procedures to handle urgent changes, roll-back procedures to recover from failed changes, and logs that show what has been changed, when and by whom.
  • ii) Nevis Systems shall implement malware protection to ensure that any software used for Nevis Systems’ provision of the Services to the Customer is protected from malware.
  • iii) The company network is protected from the public network by firewalls.
  • iv) Nevis Systems shall make backup copies of critical information and test back-up copies to ensure that the information can be restored as agreed with the Customer.
  • v) Nevis Systems shall log and monitor activities, such as creation, reading, copying, amendment and deletion of processed data, as well as exceptions, faults and information security events, and shall regularly review these. Furthermore, Nevis Systems shall protect and store log information (for at least 6 months or such period(s) as set by Data Protection Legislation) and, on request, deliver monitoring data to the Customer. Anomalies, incidents and indicators of compromise shall be reported according to the data breach management requirements set out below.
  • vi) Nevis Systems shall manage vulnerabilities of all relevant technologies, such as operating systems, databases and applications, proactively and in a timely manner.
  • vii) Nevis Systems shall establish security baselines (hardening) for all relevant technologies, such as operating systems, databases and applications.
  • viii) Nevis Systems shall ensure that development is segregated from the test and production environments.

5. Integrity

  • i) Nevis Systems shall implement network security controls such as service level, firewalling and segregation to protect information systems.
  • ii) Nevis Systems reserves the right to operate a phishing and SPAM detection system with the aim of protecting its customers and Nevis Systems (and the personal data of which these Parties are the Controller) against unwanted content and the spreading of SPAM/phishing, and of complying with operator requirements and applicable legislation. The system retrieves the URL(s) from the body of the mobile terminated request message and then validates each URL by issuing a GET request to it and expanding it to the full URL as it would appear in a browser address bar. If necessary, due to insufficient information or a suspicion of non-compliant content, the entire page may be loaded and analysed, including the content of that page. This is a machine learning algorithm (with human validation) that is designed to learn from confirmed phishing and SPAM detections, and that data will be used for this purpose within Nevis Systems. Nevis Systems will not provide or send personal data of which the Customer is the controller to any third parties outside Nevis Systems other than to the sub-processors necessary to provide this functionality.
  • iii) Personal data processed on behalf of the controller shall be processed solely in accordance with the Agreement and the instructions of the controller to the processor.
  • iv) Nevis Systems will work according to written instructions or agreements and documents belonging to that agreement.

6. Data breach management

  • i) Nevis Systems shall have established procedures for data breach management.
  • ii) Nevis Systems shall inform the Customer about any data breach (including but not limited to incidents in relation to the processing of personal data) as soon as possible but no later than within 72 hours after the data breach has been identified.
  • iii) All reporting of security related incidents shall be treated as confidential information and be encrypted, using industry standard encryption methods.
  • iv) The data breach report shall contain at least the following information:
    • a) The nature of the data breach,
    • b) The nature of the personal data affected,
    • c) The categories and number of data subjects concerned,
    • d) The number of personal data records concerned,
    • e) Measures taken to address the data breach,
    • f) The possible consequences and adverse effect of the data breach, and
    • g) Any other information the Customer is required to report to the relevant regulator or data subject.
  • v) To the extent legally possible, Nevis Systems may claim compensation for support services under this clause which are not attributable to failures on the part of Nevis Systems.

7. Business continuity management

  • i) Nevis Systems shall identify business continuity risks and take necessary actions to control and mitigate such risks.
  • ii) Nevis Systems shall have documented processes and routines for handling business continuity.
  • iii) Nevis Systems shall ensure that information security is embedded into the business continuity plans.
  • iv) Nevis Systems shall periodically assess the efficiency of its business continuity management, and compliance with availability requirements (if any).

8. System/software development and maintenance (when software development or system development is provided to the Customer by Nevis Systems)

  • i) Nevis Systems shall implement rules for development lifecycle of software and systems including change and review procedures.
  • ii) Nevis Systems shall test security functionality during development in a controlled environment.
  • iii) Security patch management is implemented to provide regular and periodic deployment of relevant security updates.
  • iv) Nevis Systems will work in accordance with the principles of data protection by design and by default and must provide sufficient documentation of the implementation of data protection by design and by default.

Appendix 2 to the Data Protection Agreement – Deviations based on applicable national legislation

1. Spain

In case the Controller/Processor is situated in Spain, the technical and organisational measures to be taken by the Processor are subject to the Spanish data protection laws. In this case, the preamble of Appendix 1 of this DPA shall be complemented as follows:

“The Processor shall make sure that the following technical and organisational measures are in compliance with the “high level security” measures according to Spanish Royal Decree 1720/2007 Title VIII, Art. 80 ff. Processor shall implement in particular the requirements of section three (Art. 89 ff.) of Spanish Royal Decree 1720/2007, in case the requirements in this Appendix 1 are not in compliance with these requirements. In such case, Processor shall inform Controller and submit any amendments or deviations from this Appendix 1 it deems necessary for a prior approval by the Controller.”

2. Canada

The definition “Special Categories of Personal Data” in Clause 1 of this DPA shall be amended as follows:

“Special Categories of Personal Data” shall mean information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life, or any other personal data that may be considered sensitive data under applicable legislation.”

In addition to what is agreed upon in this DPA, the following is applicable concerning the transfer of Data:

“Controller acknowledges that Processor may transfer Personal Data to, and store and process it in, territories outside of Canada, where it will be subject to the laws of the foreign jurisdictions in which it is held. Processor shall not, and shall make sure that any Affiliate or any third party with whom it contracts to Process Personal Data on its behalf in connection with the relevant Service(s) shall not:

  • transfer Personal Data to a territory outside of Canada except on terms substantially similar to terms herein, which are agreed to prior to such transfer; or
  • operate in relation to that Personal Data in any way which will put Controller in breach of its obligations under applicable privacy laws.”

In addition to what is agreed upon in this DPA:

“Controller acknowledges that it possesses all necessary consents and legal authority from data subjects that would allow Processor to process the data.”

In addition to what is agreed upon in Section 7 of this DPA:

“Parties will also cooperate with respect to any data breach notifications to Canadian regulatory authorities, individuals and other organisations that are required by law or otherwise advisable in the Controller’s sole discretion.”

Without limiting the terms and conditions of the DPA for Canada and the Agreement as far as it is applicable on Canada, the following apply:

“Processor will comply with all Canadian federal and provincial privacy and anti-spam legislation applicable to Controller and Processor in the course of processing any Data in connection with the Services, including all applicable notice, consent, content and unsubscribe requirements in connection with the sending of electronic messages and the installation of computer programs on another person’s device.

Processor will provide that access to the Data is limited only to those employees and authorised agents of Processor who need to have access to the Data solely for the purposes of Processor rendering the Services.”

3. Australia

Following the Australian data protection guidelines (Australian Privacy Principles; APP) in Schedule 1 of the “Privacy Amendment (Enhancing Privacy Protection) Act 2012”, which supplements the “Privacy Act 1988”, the following applies to the processing of personal data:

(i) “Controller” means a person who, alone or together with other persons, establishes the purposes and the manner of processing personal data; and “Processor” means any person (other than an employee of the Controller) who processes personal data on behalf of the Controller.

(ii) Where a Controller or its Authorised Users in Australia intend to collect Personal Data in the Cloud Service, the Controller undertakes to obtain the prior consent of each Data Subject to an International Transfer pursuant to this Schedule if and to the extent that this is required under the Privacy Act. The Controller hereby confirms that it has received the personal data and has informed the persons concerned about the disclosure of the personal data in accordance with the APP and the Privacy Act 1988. On this basis, the requirement of “Informed Consent” under APP 8.1 is deemed to have been met by way of the “Informed Consent” exception. Where the Informed Consent exception does not apply, this Schedule provides the framework for the protection of the personal data of the affected persons in Australia insofar as it provides at least essentially the same privacy protection as the APP, and Processor and its sub-processors commit themselves to a level of data protection equal to that set out in Sections 2, 3 and 6 of this Schedule (the “Substantially Similar Law” exception under APP 8.2(a)). The requirement of a “Substantially Similar Law” stated in APP 8.1 is thus deemed fulfilled for this purpose.

4. UK

Insofar as a Data Protection Act (including the new EU Data Protection Basic Regulation or its successor after Great Britain leaves the European Union) comes into force after the date of entry into force of this DPA and it is contrary to the terms of this DPA or otherwise requires an amendment to this DPA, a Party may notify the other party in order to start to negotiate the necessary amendments to this DPA in accordance with the principle of good faith.

5. Switzerland

In accordance with Art. 3 lit. b of the Swiss Federal Act of 19 June 1992 on Data Protection (FADP), the definitions in clause 1 of this DPA shall be amended as follows:

“Data Subject”: natural or legal persons whose data is processed.

6. Italy

Article 29 of the Italian Personal Data Protection Code states that it is necessary to appoint the data processor in conformity with Italian law and to describe the specific tasks that the processor has in accordance with the Italian Data Protection Code. By signing this DPA the Controller appoints the Processor as a Data Processor. The Data Processor shall process data in accordance with the regulations and safety measures provided by Legislative Decree no. 196/2003 and identified in Appendix B thereto, “Technical specifications regarding minimum security measures”, and the regulations and safety measures that will be provided as updates to those contained therein. The measures to be taken are described within this DPA and its Appendices.

Specifically, the Data Processor agrees to perform its duties strictly in accordance with the Instructions given to it by the Data Controller, and shall, pursuant to art. 29, paragraph 5 of Legislative Decree no. 196/2003, supervise timely compliance with the tasks given to the Data Processor.

The Data Processor undertakes to:

  • provide the Data Processing services described in the DPA, particularly undertakes to complete any processing operation or set of operations, with or without the aid of electronic means, with respect to the collection, recording, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blockage, communication, dissemination, cancellation and destruction of data, even if not registered in a database;
  • perform the Services in accordance with the data protection requirements and only for the intended purposes as described in the DPA. The Data Processor is obliged to safeguard data secrecy according to Data Protection Legislation, particularly the Data Processor undertakes to complete the data processing operations referred to herein in a lawful and proper manner, that provides for maximum confidentiality and which will also provide for timely and full compliance with the applicable laws and regulations;
  • apply measures ensuring that all personnel charged with handling data do so in compliance with current law and regulations, as well as any Instructions provided thereon;
  • monitor that its processing of personal data complies with the requirements established by Legislative Decree no. 196/2003;
  • store personal data collected in compliance with the security measures provided for in art. 31 et seq. of Legislative Decree 196/2003, ensuring the observance of minimum security measures.

Both Controller and Processor acknowledge that the Technical and Organisational Measures of Appendix 1 of the DPA are currently sufficient to comply with the measures of art. 31 et seq. of Legislative Decree 196/2003.

If necessary, a system administrator will be appointed by way of a separate appointment letter for system administrators.

7. USA

The following definitions in clause 1 of this DPA shall be amended as follows:

“Personal data (in the USA the term Personally Identifiable Information is used): any individual element of information concerning the personal or material circumstances of an identified or identifiable individual;

Sensitive data (also known as “Special Categories of Personal Data”): information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life, social security number, driver’s license number or state- or federally-issued identification card number, account number or credit or debit card number, or an account number in combination with any required security code, access code, or password that would permit access to an individual’s financial account, or any other information the unauthorised disclosure of which may require Controller to notify affected individuals.”

8. Singapore

In the case the Controller is situated in Singapore, the following text will be added to clause 4 of this DPA:

“The Processor will comply in a timely manner with the directions or decisions of any competent data protection and privacy authority in relation to the Data. The Processor will give the Controller such co-operation, assistance and information as the Controller reasonably requests to comply with its obligations under Data Protection Legislation.”

9. Malaysia

In the case the Controller is situated in Malaysia, the definition of Special Categories of data (“Special Categories of Personal Data” shall mean information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life) in clause 1 of this DPA (Definitions) will be replaced with the following: “Special Categories of Personal Data” shall mean information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, the commission or alleged commission of any offence, physical or mental health or sex life.

In the case the Controller is situated in Malaysia, clause 8 of this DPA will be supplemented with the following text: “The Processor will implement the technical and organisational measures as specified in Data Protection Legislation and in Appendix 1 to protect the Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure, use or access and against all other unlawful forms of processing.”

In the case the Controller is situated in Malaysia, the following text will be added to clause 9.1(b) of this DPA:

“Both Parties agree to observe secrecy regarding any information acquired within the framework of the Agreement and this DPA, especially regarding the Data, taking into account the Controller’s secret. This obligation continues to apply after termination of the DPA.”

In the case the Controller is situated in Malaysia, the following text will be added to clause 11 of this DPA: “The report will cover the objectives of the technical and organisational measures set out in Appendix 1 and Data Protection Legislation.”

10. India

The following definitions in clause 1 of this DPA shall be amended as follows:

“Personal Data” means any individual element of information concerning the personal or material circumstances of an identified or identifiable individual. Personal information is any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

“Special Categories of Personal Data” shall mean sensitive personal data or information of a person; this means such personal information which consists of information relating to: (i) password; (ii) financial information such as bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; (vii) any detail relating to the above clauses as provided to a body corporate for providing a service; and (viii) any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise; provided that any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

The following text will be added to clause 8 of this DPA:

“The Processor shall comply with the reasonable security practices and procedures prescribed by the Controller and/or the privacy policy of the Controller shall constitute reasonable security practices and procedures under section 43A of the (Indian) Information Technology Act 2000 and the rules issued by the Indian Government under such provision shall accordingly not be applicable.”

11. China

The following text will be added to clause 16 of this DPA:

“Legal liability according to the laws of the People’s Republic of China may apply depending on the agreements of the Controller with its customer.”

Appendix 3 to the Data Protection Agreement: European Standard Contractual Clauses [1]

Clause 1

Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of data to a third country.

(b) The Parties:

(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and

(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)

have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii) Clause 8.1(b), 8.9(a), (c), (d) and (e);

(iii) Clause 9(a), (c), (d) and (e);

(iv) Clause 12(a), (d) and (f);

(v) Clause 13;

(vi) Clause 15.1(c), (d) and (e);

(vii) Clause 16(e);

(viii) Clause 18(a) and (b).

(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 – Optional

Docking clause

(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1   Instructions

(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.

(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2   Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3   Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4   Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5   Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6   Security of processing

(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7   Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8   Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;

(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose

8.9   Documentation and compliance

(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.

(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.

(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.

(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

(a) The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.

(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10

Data subject rights

(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.

(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11

Redress

(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii) refer the dispute to the competent courts within the meaning of Clause 18.

(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.

(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

(a)

1. Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

2. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

3. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

(b)

The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

 

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii) the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;

(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1   Notification

(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2   Review of legality and data minimisation

(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.

(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

(ii) the data importer is in substantial or persistent breach of these Clauses; or

(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of England, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of England.

Clause 18

Choice of forum and jurisdiction

(a) Any dispute arising from these Clauses shall be resolved by the courts of England.

(b) The Parties agree that those shall be the courts of England.

(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d) The Parties agree to submit themselves to the jurisdiction of such courts.

 

ANNEX I

A.   LIST OF PARTIES

Data exporter(s): 

Name: Customer, who is concluding this agreement to cover any data transfer necessary for provisioning the services described within the SA. The contact information is listed on the cover page of the SA and within the DPA concluded between the parties.

Activities relevant to the data transferred under these Clauses: Customer uses the services of Nevis Systems as described within the SA as part of their services to end-customers, partners or employees.

Controller, or Processor (when concluding the agreement on behalf of other legal entities that are the Controller in accordance with the GDPR).

 

Data importer(s):

Name: The Nevis Systems legal entity that is concluding this agreement to cover any data transfer necessary for provisioning the services described within the SA. The contact information is listed on the cover page of the SA and within the DPA concluded between the parties.

Activities relevant to the data transferred under these Clauses: Customer uses the services of Nevis Systems as described within the SA as part of their services to end-customers, partners or employees.

Processor (or Sub-processor, when the Customer is processing personal data on behalf of other legal entities that are considered the Controller in accordance with the GDPR).

B.   DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

As described within clause 6 of the DPA, or separately within the order form belonging to the service.

Categories of personal data transferred

As described within clause 5 of the DPA, or separately within the order form belonging to the service.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

To be determined between the Customer and Nevis Systems. As a first step, the Customer is responsible for informing Nevis Systems that sensitive data will be transferred. Any additional security measures are then agreed between the parties, if necessary, and, once determined, are described within clause 5 of the DPA or separately within the order form belonging to the service.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

The transfer may occur on a continuous or one-off basis depending on the services provided by Nevis Systems on request of the Customer.

Nature of the processing

Customer uses the services of Nevis Systems as described within the SA as part of their services to end-customers, partners or employees.

Purpose(s) of the data transfer and further processing

The transfer supports the services provided by the Customer, as described within the SA, the order form and the service description.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The data will be processed for as long as necessary for the purposes determined between the Parties, until it is deleted by the Customer or until Nevis Systems deletes it on request of the Customer. The duration of the processing will be no longer than the provision of the Services, unless a longer period is required by applicable law and/or a legitimate interest of Nevis Systems. In that case, where allowed by law, Nevis Systems will inform the Customer in accordance with the DPA and its appendices.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

As described within the SA, the DPA and their respective appendices.

C.   COMPETENT SUPERVISORY AUTHORITY

For Nevis Systems: The Information Commissioner's Office in the United Kingdom.

For Customer: as is determined in accordance with Clause 13.

 

ANNEX II

 

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

 

The Technical and Organisational Measures included within this Annex apply to the Service(s) provided by Nevis Systems. If necessary for the Service, Nevis Systems may include further Technical and Organisational Measures in the Service Order or Service

 

1. Risk management and Procedures for validation, review and evaluation

i) Nevis Systems shall identify and evaluate security risks related to confidentiality, integrity and availability and based on such evaluation implement appropriate technical and organisational measures to ensure a level of security which is appropriate to the risk.

ii) Nevis Systems shall have documented processes and routines for handling risks within its operations and when processing personal data on behalf of the Customer.

iii) Nevis Systems shall periodically assess the risks related to its information systems and to the processing, storage and transmission of information.

iv) Nevis Systems shall identify and evaluate security risks related to confidentiality, integrity and availability and based on such evaluation implement appropriate technical and organisational measures to ensure a level of security which is appropriate to the risk of the specific personal data types and purposes being processed by Nevis Systems, including inter alia as appropriate:

a) The pseudonymisation and encryption of personal data;

b) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) The ability to restore the availability and access to the Customer’s Data in a timely manner in the event of a physical or technical incident;

v) Nevis Systems shall have a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.

vi) Nevis Systems shall periodically assess the risks related to information systems and processing personal data (e.g. when storing and transmitting personal data).

vii) Nevis Systems shall regularly monitor, review and audit Sub-processors' compliance with the Technical and Organisational Measures and shall, at the request of the Customer, provide the Customer with evidence of Sub-processors' compliance with the Technical and Organisational Measures.

viii) Nevis Systems shall work in accordance with the principles of data protection by design and by default and shall provide sufficient documentation of its implementation of data protection by design and by default.

 

2. Organisational Measures

The internal organisation of the processor shall meet the specific requirements of data protection.

A) Policies and Policy Management

i) Nevis Systems shall have a defined and documented information security management system (ISMS) including an information security policy and procedures in place, which shall be approved by Nevis Systems’ management. They shall be published within Nevis Systems’ organisation and communicated to relevant Nevis Systems Personnel.

ii) Nevis Systems shall periodically review Nevis Systems’ policies and procedures concerning data protection and information security and update them if required to ensure their compliance with the Technical and Organisational Measures and the data protection agreement.

B) Organisation of Data Protection and Information security

i) Nevis Systems shall appoint at least one data protection officer who has appropriate competence and who functions as the main contact person for data protection. If required by law, Nevis Systems shall appoint a data protection officer on a company level.

ii) Nevis Systems shall have defined and documented security roles and responsibilities within its organisation.

C) Organisational Requirements

i) Nevis Systems shall ensure that Nevis Systems personnel handles information in accordance with the level of confidentiality required under the DPA and that it has the written commitment of the employees to maintain confidentiality.

ii) Nevis Systems shall ensure that relevant Nevis Systems personnel is aware of the approved use (including use restrictions as the case may be) of information, facilities, and systems under the DPA.

iii) Nevis Systems shall ensure that any Nevis Systems personnel performing assignments under the DPA is trustworthy, meets established security criteria and has been, and during the term of the assignment will continue to be, subject to appropriate screening and background verification (if allowed by applicable law).

iv) Nevis Systems shall ensure that Nevis Systems personnel with security responsibilities is adequately trained to carry out security related duties.

v) Nevis Systems shall provide or ensure periodical awareness training to relevant Nevis Systems personnel. Such Nevis Systems training shall include, without limitation:

a) How to handle customer information security (i.e. the protection of the confidentiality, integrity and availability of information);

b) Why information security is needed to protect customers’ information and systems;

c) The common types of security threats (such as identity theft, malware, hacking, information leakage and insider threat);

d) The importance of complying with information security policies and applying associated standards/procedures;

e) Personal responsibility for information security (such as protecting customer’s privacy-related information and reporting actual and suspected data breaches).

3. Confidentiality

A) Access Control (Physical and environmental security)

i) Nevis Systems shall protect information processing facilities against external and environmental threats and hazards, including power/cabling failures and other disruptions caused by failures in supporting utilities. This includes physical perimeter and access protection.

ii) Nevis Systems shall protect goods from theft, manipulation, and destruction.

iii) Nevis Systems shall specify authorised individuals allowed within its processing facilities and have an access control process.

iv) Additional measures for Data Centres:

a) All Data Centres adhere to strict security procedures enforced by guards, surveillance cameras, motion detectors, access control mechanisms and other measures to prevent equipment and Data Centre facilities from being compromised.

b) Only authorised representatives have access to systems and infrastructure within the Data Centre facilities.

c) To ensure proper functionality, physical security equipment (e.g. motion sensors, cameras) undergoes maintenance on a regular basis.

d) Nevis Systems and all third-party Data Centre providers log the names and times of authorised personnel entering Nevis Systems’ private areas within the Data Centres.

B) Access control (Logical)

i) Nevis Systems shall have a defined and documented access control policy for facilities, sites, network, system, application, and information/data access (including physical, logical and remote access controls), an authorisation process for user access and privileges, procedures for revoking access rights and an acceptable use of access privileges for Nevis Systems personnel in place.

ii) Nevis Systems shall have a formal and documented user registration and de-registration process implemented to enable assignment of access rights.

iii) Nevis Systems shall have a joiner-mover-leaver process for its employees.

iv) Nevis Systems shall assign all access privileges based on the principle of need-to-know and principle of least privilege.

v) Nevis Systems shall use strong authentication (multi-factor) for remote access users and users connecting from untrusted networks.

vi) Nevis Systems shall ensure that each member of Nevis Systems Personnel has a personal and unique identifier (user ID) and uses an appropriate authentication technique which confirms and ensures the identity of the user.

C) Cryptography/Pseudonymisation/Anonymisation

i) Nevis Systems shall ensure proper and effective use of cryptography on information classified as confidential and secret (such as personal data).

ii) Nevis Systems shall protect cryptographic keys and store these in accordance with applicable legislation.

iii) Nevis Systems will implement adequate measures for pseudonymisation (substitution of personal identifiers with non-personal information) where appropriate.

iv) Nevis Systems will implement adequate measures for anonymisation (de-identification by replacing personal identifiers with non-personal information) where appropriate.

D) Guidelines concerning the admission to the Customer’s premises and/or Nevis Systems premises

Admission to the premises and property (such as datacentre buildings, office buildings, technical sites) is subject to the following:

i) Nevis Systems shall follow local regulations (such as regulations for “restricted areas”) for the Customer’s premises when performing the assignments under the Agreement.

ii) Nevis Systems Personnel shall carry an ID card or, in the case of visitors, a visitor’s badge, visible at all times when working.

iii) After the end of employment or completion of the assignment, or when Nevis Systems personnel are transferred to other tasks, personnel shall without delay inform authorised personnel of the change and return any keys, key cards, certificates, visitor’s badges and similar items.

iv) Keys or key cards shall be personally signed for by Nevis Systems personnel and shall be handled according to the written rules given upon receipt.

v) Loss of the key or key card shall be reported without delay to the authorised personnel.

vi) Photographing in or at the premises without permission is prohibited.

vii) Goods shall not be removed from the premises without permission.

viii) Nevis Systems Personnel shall not allow unauthorised persons access to the premises.

4. Operations security

i) Nevis Systems shall have an established change management system in place for making changes to business processes, information processing facilities and systems. The change management system shall include tests and reviews before changes are implemented, procedures to handle urgent changes, roll-back procedures to recover from failed changes, and logs that show what has been changed, when and by whom.

ii) Nevis Systems shall implement malware protection to ensure that any software used for Nevis Systems’ provision of the Services to the Customer is protected from malware.

iii) The company network is protected from the public network by firewalls.

iv) Nevis Systems shall make backup copies of critical information and test back-up copies to ensure that the information can be restored as agreed with the Customer.

v) Nevis Systems shall log and monitor activities such as the creation, reading, copying, amendment and deletion of processed data, as well as exceptions, faults and information security events, and shall regularly review these logs. Furthermore, Nevis Systems shall protect and store log information (for at least 6 months or such period(s) as set by Data Protection Legislation) and, on request, deliver monitoring data to the Customer. Anomalies, incidents and indicators of compromise shall be reported according to the data breach management requirements set out below.

vi) Nevis Systems shall manage vulnerabilities of all relevant technologies such as operating systems, databases, applications proactively and in a timely manner.

vii) Nevis Systems shall establish security baselines (hardening) for all relevant technologies such as operating systems, databases, applications.

viii) Nevis Systems shall ensure development is segregated from test and production environment.

5. Integrity

i) Nevis Systems shall implement network security controls such as service level, firewalling and segregation to protect information systems.

ii) Nevis Systems operates a phishing and SPAM detection system with the aim of protecting its customers and Nevis Systems (and the personal data of which these Parties are the Controller) against unwanted content and the spreading of SPAM/phishing, and of complying with operator requirements and applicable legislation. The system retrieves the URL(s) from the body of the mobile-terminated request message and then validates each URL by issuing a GET request to it and expanding it to the full URL as it would appear in a browser address bar. If necessary, due to insufficient information or a suspicion of non-compliant content, the entire page may be loaded and analysed, including its content. This is a machine learning algorithm (with human validation) designed to learn from confirmed phishing and SPAM detections, and that data will be used for this purpose within Nevis Systems. Nevis Systems will not provide or send personal data of which the Customer is the controller to any third parties outside Nevis Systems other than to the sub-processors necessary to provide this functionality.

iii) Personal data processed on behalf of the Customer shall be processed solely in accordance with the Agreement and the instructions of the controller to the processor.

iv) Nevis Systems will work according to written instructions or agreements and documents belonging to that agreement.

6. Data breach management

i) Nevis Systems shall have established procedures for data breach management.

ii) Nevis Systems shall inform the Customer about any data breach (including but not limited to incidents in relation to the processing of personal data) as soon as possible but no later than within 72 hours after the data breach has been identified.

iii) All reporting of security related incidents shall be treated as confidential information and be encrypted, using industry standard encryption methods.

iv) The data breach report shall contain at least the following information:

a) The nature of the data breach,

b) The nature of the personal data affected,

c) The categories and number of data subjects concerned,

d) The number of personal data records concerned,

e) Measures taken to address the data breach,

f) The possible consequences and adverse effect of the data breach, and

g) Any other information the Customer is required to report to the relevant regulator or data subject.

v) To the extent legally possible, Nevis Systems may claim compensation for support services under this clause which are not attributable to failures on the part of Nevis Systems.

7. Business continuity management

i) Nevis Systems shall identify business continuity risks and take necessary actions to control and mitigate such risks.

ii) Nevis Systems shall have documented processes and routines for handling business continuity.

iii) Nevis Systems shall ensure that information security is embedded into the business continuity plans.

iv) Nevis Systems shall periodically assess the efficiency of its business continuity management, and compliance with availability requirements (if any).

8. System/software development and maintenance (when software development or system development is provided to the Customer by Nevis Systems)

i) Nevis Systems shall implement rules for development lifecycle of software and systems including change and review procedures.

ii) Nevis Systems shall test security functionality during development in a controlled environment.

iii) Security patch management is implemented to provide regular and periodic deployment of relevant security updates.

iv) Nevis Systems will work in accordance with the principles of data protection by design and by default and must provide sufficient documentation of the implementation of data protection by design and by default.

Additional to the above:

The Technical and Organisational Measures implemented by Nevis Systems are based on the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the likelihood and severity of the risk to the rights and freedoms of individuals. The Technical and Organisational Measures are subject to technical progress and development. In this respect Nevis Systems is permitted to implement alternative adequate measures. The level of security must align with industry security best practice and be no less than the measures set forth herein. All major changes are to be agreed with the Customer and documented.
