viLogics Data Protection Addendum
This Data Protection Addendum, including all appendices (“DPA”) forms a part of the viLogics Master Services Agreement (“Agreement”) between ViLogics and the Customer. The parties agree that this DPA sets forth their obligations with respect to the processing and security of Customer Data in connection with Customer’s use of the Solutions. Capitalized terms defined in this DPA shall apply to this DPA and any terms not defined in this DPA shall have their meaning as defined in the Agreement.
1.1 “Adequate Country” means:
1.1.1 or data processed subject to the EU GDPR: the EEA, or a country or territory that is the subject of an adequacy decision by the Commission under Article 45(1) of the GDPR;
1.1.2 for data processed subject to the UK GDPR: the UK or a country or territory that is the subject of the adequacy regulations under Article 45(1) of the UK GDPR and Section 17A of the Data Protection Act 2018; and/or
1.1.3 or data processed subject to the Swiss FDPA: Switzerland, or a country or territory that (i) is included in the list of the states whose legislation ensures an adequate level of protection as published by the Swiss Federal Protection and Information Commissioner, or (ii) is the subject of an adequacy decision by the Swiss Federal Council under the Swiss FDPA.
1.2 “Alternative Transfer Mechanism” means a mechanism, other than the SCCs, that enables the lawful transfer of personal data to a third country in accordance with European Data Protection Laws;
1.3 “Customer Personal Data” means the personal data contained within the Customer Data;
1.4 “Contracted Processor” means ViLogics or a ViLogics Subprocessor;
1.5 “European Data Protection Laws” means, as applicable: (i) the GDPR; (ii) the UK GDPR; and/or (iii) the Swiss FDPA;
1.6 “GDPR” means EU General Data Protection Regulation 2016/679;
1.7 “Non-European Data Protection Laws” means all laws and regulations that apply to ViLogics processing Customer Personal Data under the Agreement that are in force outside the European Economic Area, the UK, and Switzerland;
1.8 “Security Breach” means a breach of ViLogics’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed or otherwise controlled by ViLogics;
1.9 “SCCs” means the SCCs (EU Controller-to-Processor), SCCs (EU Processor-to-Processor), and SCCs (UK Controller-to-Processor);
1.10 “Subprocessor” means other processors used by ViLogics to process Customer Data, as described in Article 28 of the GDPR;
1.11 “Swiss FDPA” means the Federal Data Protection Act of 19 June 1992 (Switzerland); and
1.12 “UK GDPR” means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under the same.
1.13 The terms “personal data”, “data subject”, “processing”, “controller”, and “processor” as used in this DPA have the meanings given in the GDPR irrespective of whether European Data Protection Laws apply.
1.14 The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
2. PROCESSING OF CUSTOMER PERSONAL DATA.
2.1 If European Data Protection Laws apply to the processing of Customer Personal Data:
2.1.1 the subject matter and details of the processing are described in Appendix 1;
2.1.2 ViLogics is a processor of that Customer Personal Data under European Data Protection Laws;
2.1.3 Customer is a controller or processor of that Customer Personal Data under European Data Protection Laws; and
2.1.4 Each party will comply with the obligations applicable to it under the European Data Protection Laws with respect to the processing of that Customer Personal Data.
2.2 If Non-European Data Protection Laws apply to either party’s processing of Customer Personal Data, the relevant party will comply with any obligations applicable to it under that law with respect to the processing of that Customer Personal Data.
2.3 ViLogics shall:
2.3.1 not process Customer Personal Data other than to provide the Solutions in accordance with the Agreement (including as set forth in this DPA and as described in Appendix 1 to this DPA), unless processing is required by applicable law to which the relevant Contracted Processor is subject (the** “Permitted Purpose”**), in which case ViLogics shall to the extent permitted by applicable law inform the Customer of that legal requirement before the relevant processing of that Customer Personal Data; and
2.3.2 immediately notify Customer if, in ViLogics’s opinion, European Data Protection Laws prohibit ViLogics from complying with the Permitted Purpose or ViLogics is otherwise unable to comply with the Permitted Purpose. This Section does not reduce either party’s rights or obligations elsewhere in the Agreement.
2.4 Customer hereby:
2.4.1 instructs ViLogics to process Customer Personal Data for the Permitted Purpose; and
2.4.2 warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instruction set out herein on behalf of each relevant Customer Affiliate.
3.1 ViLogics will implement and maintain the technical and organizational measures set forth in Appendix 2 (the “Security Measures”). ViLogics may update the Security Measures from time to time provided that such updates do not result in a reduction of the security of the Solutions.
3.2 Without prejudice to ViLogics’s obligations under Section 3.1 above and elsewhere in the Agreement, Customer is responsible for its use of the Solutions and its storage of any copies of Customer Data outside ViLogics’s or ViLogics’s Subprocessors’ systems, including: (i) using the Solutions to ensure a level of security appropriate to the risk to the Customer Data; (ii) securing the authentication credentials, systems, and devices Customer uses to access the Solutions; and (iii) backing up its Customer Data as appropriate.
3.3 Customer agrees that the Solutions and Security Measures implemented and maintained by ViLogics provide a level of security appropriate to the risk to Customer Data.
4.1 Customer specifically authorizes ViLogics to engage as Subprocessors those entities listed as of the effective date of this DPA at the URL specified in Section 4.2. In addition, and without prejudice to Section 4.4, Customer generally authorizes the engagement as Subprocessors of any other third parties (“New Subprocessors”).
4.2 Information about Subprocessors, including their functions and locations, is available at: www.viLogics.com/legal/viLogics-sub-processors (as may be updated by ViLogics from time to time in accordance with this DPA).
4.3 When any New Subprocessor is engaged while this DPA is in effect, ViLogics shall provide Customer at least thirty days’ prior written notice of the engagement of any New Subprocessor, including details of the processing to be undertaken by the New Subprocessor. If, within thirty days of receipt of that notice, Customer notifies ViLogics in writing of any objections to the proposed appointment, and further provides commercially reasonable justifications to such objections based on that New Subprocessor’s inability to adequately safeguard Customer Data, then (i) ViLogics shall work with Customer in good faith to address Customer’s objections regarding the New Subprocessor; and (ii) where Customer’s concerns cannot be resolved within thirty days from ViLogics’s receipt of Customer’s notice, notwithstanding anything in the Agreement, Customer may, by providing ViLogics with a written notice with immediate effect, terminate the Agreement and ViLogics shall refund to Customer all prepaid fees for the Solutions attributable to the subscription term (as outlined in the applicable Purchase Order under the Agreement) following the termination of the Agreement.
4.4 With respect to each Subprocessor, ViLogics shall:
4.4.1 before the Subprocessor first processes Customer Data, carry out adequate due diligence to ensure that the Subprocessor is capable of performing the obligations subcontracted to it in accordance with the Agreement (including this DPA);
4.4.2 ensure that the processing of Customer Data by the Subprocessor is governed by a written contract including terms no less protective of Customer Data than those set out in this DPA and, if the processing of Customer Personal Data is subject to European Data Protection Laws, ensure that the data protection obligations in this DPA are imposed on the Subprocessor; and
4.4.3 remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.
5. INDIVIDUAL RIGHTS.
5.1 Taking into account the nature of the processing, ViLogics shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise Individual rights under the Data Protection Laws.
5.2 ViLogics shall:
5.2.1 promptly notify Customer if any Contracted Processor receives a request form an Individual under any Data Protection Law with respect to Customer Personal Data to the extent that ViLogics recognizes the request as relating to Customer; and
5.2.2 ensure that the Contracted Processor does not respond to that request except on the documented instructions of Customer or as required by applicable laws to which the Contracted Processor is subject, in which case ViLogics shall to the extent permitted by applicable laws inform Customer of that legal requirement before the Contracted Processor responds to the request.
6. SECURITY BREACHES.
6.1 ViLogics shall notify Customer promptly and without undue delay upon becoming aware of a Security Breach for which notification to a supervisory authority or data subject is required under applicable European or Non-European Data Protection Laws, and promptly take reasonable steps to minimize harm and secure Customer Data.
6.2 ViLogics’s notification of a Security Breach will describe: the nature of the Security Breach including the Customer resources impacted; the measures ViLogics has taken, or plans to take, to address the Security Breach and mitigate its potential risk; the measures, if any, ViLogics recommends that Customer take to address the Security Breach; and details of a contact point where more information can be obtained. If it is not possible to provide all such information at the same time, ViLogics’s initial notification will contain the information then available and further information will be provided without undue delay as it becomes available.
6.3 As it pertains to any Security Breach, ViLogics has no obligation to assess Customer Data in order to identify information subject to any specific legal requirements pertaining to notification or otherwise.
6.4 ViLogics’s notification of or response to a Security Breach under this Section will not be construed as an acknowledgement by ViLogics of any fault or liability with respect to the Security Breach.
7. IMPACT ASSESSMENTS AND PRIOR CONSULTATION. To the extent ViLogics is required by Data Protection Laws, ViLogics shall (taking into account the nature of the processing and the information available to ViLogics) provide reasonable assistance to Customer with any impact assessments or prior consultations with data protection regulators by providing information in accordance with Section 9.
8. DATA DELETION.
8.1 ViLogics shall promptly and in any event within sixty days of the date of cessation of providing any Solutions involving the processing of Customer Data (the “Cessation Date”), delete all copies of Customer Data, unless applicable law requires storage.
8.2 ViLogics shall provide written certification to Customer that it has complied with this Section within ten days of receiving Customer’s written request to receive such certification.
9. AUDITS AND RECORDS.
9.1 ViLogics shall allow for, and contribute to, audits, including inspections, conducted by the Customer (or an independent auditor appointed by Customer) in accordance with the following procedures:
9.1.1 Upon Customer’s request, ViLogics will provide Customer or its appointed auditor with the most recent certifications and/or summary audit report(s), which ViLogics has procured to regularly test, assess, and evaluate the effectiveness of the Security Measures.
9.1.2 ViLogics will reasonably cooperate with Customer by providing available additional information concerning the Security Measures to help Customer better understand such Security Measures.
9.1.3 If further information is needed by Customer to comply with its own or other controller’s audit obligations or a competent supervisory authority’s request, Customer will inform ViLogics to enable ViLogics to provide such information or to grant access to it.
9.2 ViLogics may object in writing to an auditor appointed by Customer if the auditor is, in ViLogics’s reasonable opinion, not suitably qualified or independent, a competitor of ViLogics, or otherwise manifestly unsuitable, and any such objection will require Customer to appoint another auditor or conduct the audit or inspection itself.
9.3 All requests under this Section 9 shall be made in writing to ViLogics at support@viLogics.com
10. RESTRICTED TRANSFERS.
10.1 The parties acknowledge that European Data Protection Laws do not require SCCs or an Alternative Transfer Mechanism in order for Customer Personal Data to be processed in or transferred to an Adequate Country (“Permitted Transfers”).
10.2 If the processing of Customer Personal Data involves any transfers that are not Permitted Transfers, and European Data Protection Laws apply to those transfers (“Restricted Transfers”), then:
10.2.1 if ViLogics announces its adoption of an Alternative Transfer Solution for any Restricted Transfers, ViLogics will ensure that such Restricted Transfers are made in accordance with that Alternative Transfer Solution; or
10.2.2 if ViLogics has not adopted an Alternative Transfer Solution for any Restricted Transfers, then:
10.2.2.1 the SCCs (EU Controller-to-Processor) and/or (EU Processor-to-Processor) will apply (according to whether Customer is a controller and/or processor) with respect to Restricted Transfers between ViLogics and Customer that are subject to the EU GDPR and/or the Swiss FDPA; and
10.2.2.2 the SCCs (UK Controller-to-Processor) will apply with respect to Restricted Transfers between ViLogics and Customer that are subject to the UK GDPR.
11. GENERAL TERMS.
11.1 Without prejudice to clause 18 of the Standard Contractual Clauses, (i) the parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of it nullity; and (ii) this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
11.2 Nothing in this DPA reduces ViLogics’s obligations under the Agreement in relation to the protection of Customer Data or permits ViLogics to process (or permit the processing of) Customer Data in a manner which is prohibited by the Agreement. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
11.3 Subject to Section 11.2, with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.
11.4 Any liability associated with failure to comply with this DPA will be subject to the limitations of liability provisions stated in the Agreement.
11.5 Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
Subject matter and duration of processing
ViLogics will process Customer Personal Data as necessary to provide the Solutions pursuant to the Agreement. The duration of the processing will be until 60 days after the Cessation Date.
Nature and purpose of processing
ViLogics will process Customer Personal Data only to the extent reasonably necessary to provide Customer the Solutions and associated Support.
Categories of Data
ViLogics processes the Customer Personal Data described below in relation to the Solution(s) a Customer contracts for:
ViLogics may process the following categories of Customer Personal Data in connection with the TSO Platform:
user and endpoint data: agent ID, endpoint name, customer active directory user ID, user name, installed applications – installation time, size, publisher and version, SMTP user name, configuration data related to active directory integration;
full file path: will include personal data only if file name as named by Customer includes data;
in cases of suspected threats, the ViLogics agent collects for each process (file metadata, hash, file type, certificate, command line arguments, network access metadata (IP address, protocol), registry (created keys, deleted keys, modified key names);
network data (internal network IP address, public IP address (if running cloud-based Management Console);
threat information (file path, agent IDs, SMS messages content (which may include user names, IP addresses, file names);
live network monitoring (URLs, URL headers, time stamps); and
where Customer utilizes ViLogics’s File Fetching feature: any Data contained in files fetched by Customer’s administrators.
Dataset and XDR Ingest. ViLogics may process the following categories of Customer Personal Data in connection with Dataset and/or XDR Ingest:
data relating to individuals provided to ViLogics by (or at the direction of) Customer in any data ingested by Customer to Dataset and/or XDR Ingest.
Special Categories of Data
Customer Personal Data does not include special categories of personal data or data relating to criminal convictions or offenses, except where such data is uploaded by Customer in connection with the Dataset or XDR Ingest Services or accessed by Customer using the File Fetching feature of the ViLogics Solutions.
Data subjects include the individuals about whom data is provided to ViLogics via the Solutions by (or at the direction of) Customer.
ViLogics maintains an information security program that is designed to protect the confidentiality, integrity, and availability of Customer Data (the “ViLogics Information Security Program”). The ViLogics Information Security Program will be implemented on an organization-wide basis and will be designed to ensure ViLogics’s compliance with data protection laws and regulations applicable to ViLogics’s performance under the Agreement. The ViLogics Information Security Program shall include the safeguards set forth below which substantially conform to the SSAE 18 Type II framework.
Organization of Information Security
Security Ownership. ViLogics has appointed a senior security officer responsible for coordinating and monitoring the ViLogics Information Security Program.
Security Roles and Responsibilities. ViLogics personnel with access to Customer Data are subject to confidentiality obligations.
Risk Management Program. ViLogics has implemented a security risk management program which is based on the requirements of SOC2. The Program defines a systematic and consistent process to ensure that security risks to Customer Data are identified, analyzed, evaluated, and treated. Risk treatment and the risk remaining after treatment (i.e., residual risk) is communicated to risk owners, who decide on acceptable levels of risk, authorize exceptions to this threshold, and drive corrective action when unacceptable risks are discovered.
Human Resource Security
Background Checks. ViLogics takes reasonable steps to ensure the reliability of any employee, agent, or contractor who may have access to Customer Data, including by conducting background checks on all new employees to the extent permitted by applicable law in the jurisdiction where the employee is located.
Security Training. ViLogics informs its personnel about the ViLogics Information Security Program and applicable data privacy laws upon hire and annually thereafter. ViLogics also informs its personnel of possible consequences – up to and including termination – of breaching the ViLogics Information Security Program.
Inventory Maintenance. Assets utilized to process Customer Data are identified and an inventory of these assets is listed and maintained. Assets maintained in the inventory are assigned an owner. Company-provided assets are governed by ViLogics’s acceptable use policy.
Return. All employees and external party users are required to return organizational assets in their possession upon termination of their employment, contract, or agreement.
Internal Data Access. ViLogics’s internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process Customer Data. ViLogics employs a centralized access management system to control personnel access to production servers, and only provides access to a limited number of authorized personnel. ViLogics requires the use of unique user IDs, strong passwords, two factor authentication, and monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on the authorized personnel’s job responsibilities, job duty requirements necessary to perform authorized tasks, and a need to know basis. The granting or modification of access rights must also be in accordance with ViLogics’s internal data access policies and training. Access to systems is logged to create an audit trail for accountability.
VPN and Zero Trust. Employees must be in a ViLogics office or connected via VPN or zero trust network (authenticated with user id + password + pin/token), then login to an internal portal via SSO, before connecting to any system storing Customer Data.
Encryption Practices. Customer Data is encrypted in transit and at rest using a minimum of AES-256 bit ciphers.
Datacenter Security. The standard physical security controls at each geographically-distributed data center utilized to host Customer Data are comprised of reliable, well-tested technologies that follow generally accepted industry best practices: custom-designed electronic card access control systems, alarm systems, biometric identification systems, interior and exterior cameras, and a 24x7x365 presence of security guards.
Office Access. Access to ViLogics offices is protected via card access control systems including individually-assigned keycards, access logging, and interior and exterior surveillance and alarm systems.
Operational Policy. ViLogics maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Customer Data.
Network Security. Customer management console servers are isolated to help ensure that no access is possible among servers of different customers. The ViLogics network is protected by redundant firewalls, commercial-class router technology, and a host intrusion detection system on the firewall that monitors malicious traffic and network attacks.
Vulnerability Assessment and Penetration Testing. ViLogics conducts annual, comprehensive penetration testing by a third party service. This includes testing of the management console and agents (black and grey box), corporate infrastructure penetration testing and social targeted attack, and public website automatic testing for open vulnerabilities. Quarterly network vulnerability assessments are conducted on all servers in the corporate network as well as the production environment.
Event Logging. ViLogics logs access and use of information systems containing Customer Data, registering the access ID, time, authorization granted or denied, and relevant activity.
Approval Process. Before onboarding any supplier to process Customer Data, ViLogics conducts an audit of the security and privacy practices of the supplier to ensure the supplier provides a level of security and privacy appropriate to their proposed access to Customer Data and the scope of the services they are engaged to provide. Once ViLogics has assessed the risks presented by the supplier, the supplier is required to enter into appropriate security, confidentiality, and privacy terms prior to processing any Customer Data in accordance with the DPA.
Information Security Incident Management
Incident Response Process. ViLogics has put in place a security incident management process for managing security incidents that may affect the confidentiality, integrity, or availability of its systems or data, including Customer Data. The process specifies courses of action, procedures for notification, escalation, mitigation, post-mortem investigations after each incident, response actions, periodic testing, and documentation.
Security Operations Center. ViLogics has a dedicated SOC function which manages and monitors for Security Information Events.
Business Continuity Management
Customer Data Backups. ViLogics conducts a daily backup of all Customer Data in the data center location chosen by the Customer to host Customer Data. Where available, backups are physically located in a different availability zone from where Customer Data is hosted (but within the same region). A monitoring process is in place to ensure successful ongoing backups, with an RTO of 4 hours and a RPO of 24 hours.