Data Processing Addendum
Supplements the MSA and is incorporated by reference into the MSA when Data Protection Laws cover your use of the Services to Process Personal Data.
This Data Processing Addendum (the DPA) forms an agreement between the Egress Software Technologies Group entity (We, Us, Our) contracting with you (you, your) under the Master Subscription Agreement (the MSA). It supplements the MSA and is incorporated by reference into the MSA when Data Protection Laws cover your use of the Services to Process Personal Data.
Except where this DPA conflicts with the MSA, all other provisions of the MSA remain unchanged. If there is any conflict between: (a) this DPA and the MSA in respect of the parties’ respective privacy and security obligations in respect of Personal Data, the terms of this DPA shall control; (b) this DPA and the terms of the SCCs, the relevant SCCs shall control.
1. Definitions
- Capitalised terms used in this DPA have the meanings given below or, where not set out below, the meanings given in the MSA.
- Adequate Country: a country or territory that the appropriate regulatory body of a relevant territory from which Personal Data in Content and/or Smart Data is to be exported has, in accordance with the relevant DPL, decided provides adequate protection for Personal Data.
- Audit Reports: either: (a) reports produced by a third-party that has audited Our compliance with third-party certification standards; or (b), where We are not permitted to disclose the full report to you, confirmation of the audit by a valid certification of compliance.
- Content of Concern: information flagged as required by legislation relating to online safety and the protection of minors.
- Data Controller: the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the Processing of Personal Data.
- Data Protection Laws or DPL: all applicable laws and regulations relating to the Processing of Personal Data within Content and Smart Data, and privacy that may exist in jurisdictions relevant to the delivery of the Services to you under the MSA, including (where applicable): (a) Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (the GDPR), together with any local enacting laws in any Member State; (b) the UK Data Protection Laws; (c) the California Consumer Privacy Act (the CCPA)(as amended, including by the California Privacy Rights Act (CPRA)); (d) the Stop Hacks and Improve Electronic Data Security Act, together with New York State’s general business law (NY GBS §899-bb) (collectively, the SHIELD Act); (e) the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA); (f) the Privacy Act 1988 (Cth) of Australia, as amended (Australian Privacy Act); (g) New Zealand Privacy Act 2020, as amended (New Zealand Privacy Act); and (h) any other privacy laws or regulations applicable to the processing of Personal Data within Content and Smart Data under the MSA and your relevant Order Forms.
- Data Subject: an identified or identifiable natural person to whom Personal Data within Content or Smart Data Processed by Us in delivering the Services to you under the MSA relates.
- Personal Data Breach: a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by the Services within Content and/or Smart Data.
- Privacy Policy: Our then-current privacy policy available at egress.com/privacy-policy.
- Privacy Framework Principles: the principles of any Privacy Framework to which We or a relevant member of Our Group may certify or register (as may be required) during the Subscription Period.
- Process, Processed, Processing: any operation or set of operations which is performed on Personal Data within Content or Smart Data, whether or not by automated means, as may be further defined under applicable DPL.
- Processor: a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
- Regulatory Authority: any law enforcement body, court, tribunal, or other government or industry body with regulatory control over, or responsibility for, you or Us in any jurisdiction relevant to the delivery of the Services to you under an Order Form.
- Standard Contractual Clauses or SCCs: depending on the nature of the transfer, the addendum set out in Annex 4 or the EU clauses referenced therein (as applicable) (or such other updated, replacement, alternative or new text or clauses as may be approved by the European Commission or the Information Commissioner’s Office (as applicable), from time to time and which relate to and protect the transfer of Personal Data to any Third-Country.
- Third-Country: the meaning in Section 2.
- UK Data Protection Laws: the GDPR as transposed into UK national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (UK GDPR) and other data protection or privacy legislation in force from time to time in the UK. In this DPA, in circumstances where and solely to the extent that UK GDPR applies, references to the GDPR and its provisions shall be construed as references to the UK GDPR and its corresponding provisions, and references to ‘EU or member state laws’ shall be construed as references to UK Data Protection Laws.
- For the purposes of the CCPA: (a) Controller includes Business as defined in subdivision (d) of Cal. Civ. Code 1798.140; (b) Processor includes Service Provider as defined in subdivision (ag)(1) of Cal. Civ. Code §1798.140; (c) Data Subject includes Consumer as defined in subdivision (i) of Cal. Civ. Code §1798.140; and (d) Personal Data includes Personal Information as defined in subdivision (v) of Cal. Civ. Code §1798.140 in so far as such information relates to a Consumer within the scope of the CCPA.
- For the purposes of PIPEDA, Personal Data includes Personal Information as defined in Part 1.2(1) of PIPEDA.
- For the purposes of the SHIELD Act, Personal Data includes Personal Information as defined in S. 5575- -B(a) of the SHIELD Act.
- For the purposes of the Australian Privacy Act, Personal Data includes Personal Information as defined in Part II, Division 1, 6(1).
- For the purposes of the New Zealand Privacy Act: (a) Personal Data includes Personal Information as defined in Section 7 of Subpart 2; and (b) the reference in Section 1 below to “without undue delay” shall be deemed to read “as soon as reasonably practicable” in accordance with Section 114 of the New Zealand Privacy Act.
- In this DPA: (a) the terms including, includes or any similar expression shall be construed as illustrative and will not limit the scope of words that follow them; (b) references to writing or written includes email (except that email cannot be used for serving notices connected to legal proceedings); and (c) an obligation not to do something includes an obligation not to allow that thing to be done.
2. Relationship of Parties
- Content. The parties agree that with regard to the Processing of Personal Data within Content, you may be a Controller or Processor and We will be a Processor or sub-Processor (as applicable).
- Smart Data. The parties agree that with regard to the Processing of Personal Data within Smart Data, you may be a Controller or Processor and We will be a Processor or sub-Processor (as applicable) of Personal Data within that data set which is provided, or otherwise gained, by your and your Users’ use of the Services.
- Ancillary services, Threat Data and System Data. The parties agree that with regard to this Processing We are the Controller. You may yourself be an independent Controller, not a joint Controller with Us, of certain information within these data sets but not of the data sets themselves.
- You acknowledge that We may Process Personal Data relating to the operation, support, or use of the Services for Our own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. We are the Controller for such Processing and will Process such data in accordance with Data Protection Laws.
- Each of us is individually and separately responsible for complying with its own obligations as a Controller or Processor (as applicable) under the DPL.
3. Data Processing Terms
- Details of Processing. A description of the Processing that may take place in accordance with this DPA and the MSA is set out in Annex 1B.
- Your Instructions. Details as to how We process Content and Smart Data for and on behalf of you, your Group and Users are set out in Section 5 of the MSA.
- Lawful Basis. You represent and warrant on an ongoing basis that you have, and will at all times have, a lawful basis under applicable DPL for: (a) using the Services to send, share, store and receive Content and Smart Data and for the associated Processing by Us and Our Group in accordance with Your Instructions; and (b) transferring third-party email addresses to Us and Our Group to enable your, and your Group’s and Users’, use of the Services.
- Warranty of instruction. You warrant and represent that you are, and will at all relevant times remain, authorized to give Your Instructions.
- No sale of Personal Data. We will not sell or otherwise make Personal Data in Content or Smart Data available to third-parties for Our own commercial purposes. You acknowledge that: (a) We provide access to the Services in return for the payment of the Fees and that access to, and use of, the Services is not provided in return for disclosure of Personal Data; and (b) disclosure of Personal Data by you, your Group and Users to Us and Our Group (and vice versa) in the course of delivery and use of the Services does not, and shall not, constitute a Sale (as defined in subdivisions (ad)(1) and (ah)(1) of Cal. Civ. Code §1798.140 respectively). Any sharing of Content or Smart Data is done so with Sub-Processors solely for the delivery of the Services, and limited to Our Privacy Policy and Retention policy.
- Retention and Deletion. Data is retained and deleted as described in Section 8.7 of the MSA.
4. Confidentiality
- We shall: (a) ensure that Personnel and Sub-Processors authorised by Us in relation to the Processing of Personal Data in Content and Smart Data are subject to a duty of confidentiality (or are subject to an appropriate statutory obligation of confidence); (b) restrict the involvement of such Personnel and Sub-Processors to those that need to know in order to fulfil Our obligations under this DPA, the MSA and Your Instructions; and (c) ensure that Our Personnel undergo regular training on data protection issues, obligations and responsibilities.
- In using the Services, Content may be shared by you, your Group and Users with Recipients.
5. Security
- Technical measures. We have implemented and will maintain appropriate technical and organizational measures in relation to the Services taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the likelihood and severity of risk to the rights and freedoms of Data Subjects. This includes measures relating to: (a) the physical security of facilities used to deliver them, measures to control access rights to assets and relevant networks, and processes for testing these measures, certain details of which can be found in Annex 2 to this DPA; (b) employee training; and (c) Personal Data retention and disposal, details of which can be found in Our data retention policy available at egress.com/legal from time to time. You are responsible for reviewing any information made available by Us relating to data security and making an independent determination as to whether the Services meet your requirements.
6. Security Incidents
- Personal Data Breach. We will, to the extent permitted by applicable law, notify you without undue delay if We become aware of a Personal Data Breach affecting Content and/or your Smart Data. Taking into account the nature of the Services, We will provide, where known: (a) a description of the Personal Data Breach, Data Subjects, Content and Smart Data concerned; (b) the likely consequences of the Personal Data Breach; and (c) the reasonable steps taken or proposed to be taken by Us to address, and where appropriate mitigate, any adverse effects of the Personal Data Breach. Where sent by email, any notice shall be deemed to be served 1 hour after transmission or, if not sent on a Business Day, at 9am on the next Business Day provided that no failure or other DNS message is received by Us.
- Contacting you. To provide any notification under Section 6.1 above, We will use the contact details for you that We have on record and that you provide in respect of your DPO contact below. You must ensure these are kept up-to-date.
- Contacting regulators and Data Subjects. Except where any DPL requires Us to do so, We will not inform any third-party of your involvement in any Personal Data Breach without first obtaining your prior written consent. The foregoing will not prevent, restrict or inhibit Our, Our Group’s and Sub-Processors ability to notify other customers and users of any affected Service of the Personal Data Breach, or complying with Our obligations under other applicable laws, provided that in each case We do not disclose your involvement. We will assist you in relation to any breach notifications to Regulatory Authorities and Data Subjects as reasonably required as a result of a Personal Data Breach affecting your Content and/or your Smart Data.
- No admission. Any notification of a Personal Data Breach is not, and will not be construed as, acknowledgement by Us, a member of Our Group or any Sub-Processor of any fault or liability in respect of it.
- Our Data Protection Officer. Contact details and the name of Our Data Protection Officer can be found at egress.com/legal/your-rights.
- Unsuccessful Security Incidents. We will have no obligation to notify you under Section 1 or otherwise under this DPA, the MSA of any Unsuccessful Security Incident.
- Reporting Content of Concern. We will make available for reporting and notification of any content of concern brought to Our attention as soon as reasonably practicable.
7. Sub-processors
- Use of Sub-Processors. You agree that We may engage Our Group companies and the Sub-Processors to fulfil Our obligations under this DPA and/or, the MSA. Our up-to-date list of Sub-Processors is always set out at egress.com/subcontractors.
- Responsibility. We remain fully responsible for the acts, omissions, and defaults of the Sub-Processors as if they were Our own. We have in place contracts with each Sub-Processor that require them to protect Personal Data to the standard required by the DPLs.
- Changes to Sub-Processors. You can subscribe to notifications of changes to Sub-Processors on Our website. If you have done so, We shall endeavor to give email notice at least 30 days prior to any change to those Processing Personal Data within the Services. If you object to a change within 30 calendar days of the date of Our email for bona fide compliance or data security concerns, we will discuss commercially reasonably alternative solutions in good faith. If we cannot agree such alternatives within 30 calendar days of your written objection, you may as your sole and exclusive remedy in respect of changes to Sub-Processors, terminate the affected Service under the MSA through not less than 30 calendar days’ written notice and We will refund pro-rata any Fees paid in advance for the terminated Service for the remainder of its current Subscription Period after the effective date of termination. If you do not object within the notice period, you will be deemed to accept the change. We may use a new or replacement Sub-Processor whilst the procedure in this Section is in process. Any termination under this Section shall be without fault of either party.
- Emergency replacement. We may replace a Sub-Processor without prior notice if the need for change is urgent and the reason for the change is beyond Our reasonable control. In such circumstances, We will make a notify you as soon as reasonably possible and you shall retain your right to object as set out in Section 7.3 above.
8. Data Subject Rights
- Respect. We respect the rights of a Data Subject provided for in the DPL. Details on how Data Subjects can exercise these rights are set out at egress.com/legal/your-rights. If We receive a Data Subject request in respect of Personal Data in Content and/or Smart Data, We will notify you and in Our role as a Processor or sub-Processor confirm that their request relates to you and attempt to re-direct the Data Subject to exercise that right through you (and may provide your basic contact information to enable them to do this this).
- Assistance. Taking into account the nature of the Processing and Personal Data available to Us: (a) We will assist with any legally required data protection impact assessments and prior notifications that you are required to carry out under the DPLs by providing you with any publicly available documentation for the relevant Services; (b) where We hold Personal Data about a Data Subject that you are the Controller of, We will provide assistance in relation to Data Subject requests in so far as this is technically possible and where you do not have the ability to address the request without Our assistance (including access, erasure, objection and rectification requests). You are responsible for verifying that the requestor is the Data Subject whose information is being sought. We bear no responsibility for information provided in good faith to you in reliance on this Section. After a Data Subject’s Personal Data has been deleted from Our active systems, parts of it may continue to exist in back-ups and logs for a period of time until these are overwritten in the normal course of Our business and in accordance with Our documented data retention and destruction policies. You shall cover all reasonable costs incurred by Us in connection with Our provision of such assistance.
9. Audits
- Your right of audit. Following a written request and subject to the confidentiality obligations set out in the MSA, We will make the Audit Reports or a bridging letter available to you (provided that neither you nor your auditor are a competitor of Us or a company in Our Group). You may use the Audit Reports only for the purposes of meeting your audit obligations under DPL and/or confirming Our compliance with this DPA. Subject to Section 9.2 below, if you can, acting reasonably, provide evidence that this information is not sufficient in the circumstances to reasonably enable you to do so, you will be entitled to inspect and audit (or appoint representatives to inspect and audit) at your cost Our premises that relate directly to the Processing of Personal Data in Content and/or Smart Data (subject to all involved signing suitable confidentiality terms and complying with all applicable security, access and other site policies). The rights of audit granted under this paragraph do not extend to a right to audit any Sub-Processor or Sub-Processor premises. We will co-operate and provide assistance at your cost (including the provision of any reports provided to Us by Sub-Processors where available and where We are permitted to disclose those to you). Audits may be conducted no more than once every 12 months (unless required by Regulatory Authority) whilst this DPA remains in force, during Our normal working hours, and shall be subject to: (a) a written request submitted to Us at least 30 calendar days in advance of the proposed audit date; (b) a detailed written audit plan reviewed and approved by Our security team. Such audits will take place in the presence of a representative of Our security team or other person designated by Us. You will use reasonable endeavours to avoid causing (and to ensure that any of your representatives avoid causing) damage, injury or disruption to Our premises, Personnel and business whilst conducting an audit. Audits shall not be permitted to disrupt Our Processing activities or to compromise the security and confidentiality of Our Services and Processing pertaining to Our other customers and users. You will provide a copy of your audit report to Us which shall be treated as Our Confidential Information.
- If your requested audit scope is addressed in the Audit Reports that were completed within the 12 months prior to your audit request and We confirm that there are no known material changes in the controls audited, you agree to accept the Audit Reports in lieu of requesting an audit of the controls covered by the relevant Audit Report(s).
10. Transfers of Personal Data
- Your use of the Services. Content and/or Smart Data will be hosted in the region agreed with you. You acknowledge that the Services are provided as a software-as-service and that Content and Smart Data may be accessed and Processed by you, your Group, Users and Recipients outside of that region or the country you or they are located in.
- International Transfers – Privacy Framework. To the extent that We are self-certified or registered with a Privacy Framework that protects transfers of Personal Data under applicable DPL: (a) to the extent they would otherwise have been relied upon, the relevant SCCs shall not apply to any transfer of Personal Data in Content or Smart Data (including any, for example in support tickets) that is transferred between the relevant territories applicable under that Privacy Framework; (b) Our relevant Group company/ies certified or registered with that Privacy Framework agree(s): (i) to provide at least the same level of protection as is required by the relevant Privacy Framework Principles; (ii) to notify you if it/they make(s) a determination that it/they can no longer meet its/their obligation to provide the same level of protection as required by the relevant Privacy Framework Principles; and (iii) upon notice, to work with you to take reasonable and appropriate steps to stop and remediate any unauthorised Processing of Personal Data. In the event that a Privacy Framework is declared invalid or is not applicable to a relevant international transfer, any relevant SCCs shall apply to that transfer.
- International Transfers – SCCs. Subject to Section 10.2 above, the SCCs in Annex 4 or 5 will apply to any Personal Data in Content or Smart Data that is transferred through use of the Services and Support outside of the EEA and/or the UK, either directly or via onward transfer, to any country not recognized by the European Commission and/or the UK as providing an adequate level of protection for Personal Data (a Third Country). The following terms shall apply to the SCCs: (a) you may exercise your right of audit under clause 8.9 of the SCCs as set out in and subject to Section 9 of this DPA; and (b) We may appoint Sub-Processors as set out in, and subject to, Sections 7 and 10 of this DPA. Without prejudice to Section 10 of the MSA, if We as the data importer receive a legally binding request for access to Personal Data in Content and/or Smart Data by a public authority in the destination country, We will promptly notify you of such request by email to your DPO contact listed in Annex 1 to enable you as data exporter to seek relief from such disclosure (unless We are prohibited from providing such notice). If We are prohibited: (i) We will use Our commercially reasonable efforts to obtain the right to waive this prohibition in order to communicate with you; and (ii) if, having used Our commercially reasonable efforts, We remain prohibited from notifying you, We will where permitted by law make available to you and/or your competent supervisory authority on an annual basis general information on the requests We have received relating to your Personal Data in the previous 12-months; (b) not make any disclosures that are disproportionate, indiscriminate or in a manner that would go beyond what is necessary in a democratic society.
- Adequacy. In the event that a territory to which Personal Data in Content and/or Smart Data may be transferred in delivering the Services is deemed adequate in accordance with relevant DPL by the territory from which it is being exported, or another mechanism is provided that protects transfers of Personal Data, then Sections 10.2 and 10.3 above shall not apply.
- Replacement SCCs. We reserve the right to amend the terms of this DPA by adding to, changing or replacing, SCCs to ensure continued compliance with applicable DPLs. We may do this by providing a link to you, directly or through Our website, which enables you to sign such additional, replacement or alternative SCCs.
- Sharing. To operate Our Group effectively We use shared systems, resources and Sub-Processors. CRM Information, Threat Data and System Data may be transferred, shared and Processed between and by these parties which may involve it being transferred, stored or Processed outside the country where you or a User is located. We will ensure that any such transfer is subject to appropriate legal and technical safeguards.
11. General
- We reserve the right to transfer Our obligations, rights and permissions under this DPA and/or the MSA to any organisation to which We may transfer Our business or assets (including if We, or a relevant part of Us or Our assets, are proposed to be purchased or acquired by a third-party).
- This DPA shall remain in force until the earlier of: (i) the termination or expiry of the MSA; (ii) Us ceasing to Process Personal Data as a Processor on your behalf.
- Nothing in this DPA or elsewhere in the MSA shall limit, exclude, restrict or prohibit the ability of a Data Subject or Regulatory Authority to bring a claim, or take regulatory action, against either of us.
- If any part of this DPA is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the other terms shall remain in force. Any invalid, unenforceable or illegal term will be interpreted to give effect to the parties’ commercial intention. If that is not possible, it will be severed but the rest shall remain in full force.
- Except where provided in the DPL and/or SCCs there are no third-party beneficiaries under this DPA.
- Our liability under or in connection with this DPA (including under the SCCs and Annexes to it) is subject to the limitations on liability contained in the MSA. Notwithstanding anything to the contrary in this DPA and/or the MSA, neither party shall be responsible for any DPL fines issued or levied against the other party by a regulatory authority or governmental body in connection with the other party’s violation of the DPL.
- This DPA and the MSA shall be interpreted as broadly as necessary to implement and comply with the mandatory provisions of the DPL. Both parties agree that this DPA shall be interpreted in favour of their intent to comply with the DPL and therefore any ambiguity shall be resolved in favour of a meaning that complies and is consistent with the DPL.
- This DPA together with the MSA and any documents referred to in each of them is the final, complete and exclusive agreement of the parties with respect to the subject matter of it and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA.
- Amendments to this DPA may not be made orally. This DPA may be amended by Us from time to time where necessary to comply with changes to applicable law or to reflect how Our Services operate (provided that We may not detract or diminish the protections afforded under the preceding version). Changes will be effective once posted on Our website. This Section shall not apply to any document or information referred to at a URL within the terms of this DPA which may be updated from time to time by Us.
- This DPA shall be governed by the governing law and jurisdiction as set out in the MSA EXCEPT in respect of any claim relating to an obligation or right under the SCCs where the terms of the relevant SCCs in respect of governing law shall control.
Annex 1A: Parties
The parties to this DPA are:
Exporter |
Importer |
||
Entity Name: |
Your entity entering into the Order Form for Subscriptions to Services for which this DPA is relevant |
Egress Software Technologies Limited Egress Software Technologies Limited – Dutch Branch Egress Software Technologies, Inc. (United States) Egress Software Technologies Inc. (Canada) Egress Software Technologies Pty Ltd (Australia) |
|
Date: |
Date of signature of the Order Form for Subscriptions to Services for which this DPA is relevant |
Date: |
Date of signature of the Order Form for Subscriptions to Services for which this DPA is relevant |
Privacy Information |
|||
Please submit details of your privacy contact (name, email and phone number) via this form.
|
DPO Name |
||
Contact Information |
Annex 1B: Description of Processing and Transfer
Identity of Controller of categories of Personal Data |
You are the Controller, and We are the Processor of Personal Data in the Content and Smart Data in each case as described in Sections 2.1 and 2.2 of this DPA. For ancillary services and Threat Data, We are the Controller. |
Subject matter of Processing |
Processing of Content, Smart Data, and Threat Data as part of the Services subscribed to by you. |
Duration of Processing |
The duration of Processing of Content and Smart Data will be for the duration of this DPA and the MSA. |
Hosting Location |
Customer chosen region hosting options: United Kingdom United States European Union Australia Hosting will otherwise default to the customer country location above, or the United Kingdom if not listed. |
Nature of Processing |
Personal Data in Content and Smart Data is Processed by Us, Our Group and Sub-Processors in Our role as a Processor to provide the Services (including computing, storage, support and such other services) as determined by you, your Group and Users under, and described in, this DPA and the MSA. |
Purpose of Processing |
The provision of the Services in accordance with this DPA and the MSA, and the other purposes set out in the Privacy Policy. |
Type of Personal Data |
Personal, Special Category and confidential Personal Data. |
Categories of Data Subjects |
|
Protect and Prevent |
Email Correspondence of all possible categories that may include: Smart Data. your Users authorised by you to access and use the Services, and other third parties who exchange or receive Content from the foregoing (including Recipients). Content. As determined by you, your Group and Users, and by other end users of the Services who exchange or receive Content from the foregoing (including Recipients). This may include within email data and meta data Personal Data, in each case relating to Data Subjects, the extent of which is determined and controlled by the Data Exporter and its Group and Users in their sole discretion. |
Workspace and Webforms |
User submitted Content of all possible categories |
Defend and Human Risk |
Email analysis Threat Data |
Categories of data
|
All categories of data that may include the below table based on the product(s) in use. Any other data is Processed by way of encryption and the Importer cannot state what categories of Personal Data may exist in email encryption Processing as a result. |
Protect |
|
Prevent |
|
Defend |
|
Webforms |
User chosen content uploaded to collaboration platforms |
Workspace |
User chosen content uploaded to collaboration platforms |
Human Risk (Threat Data) |
|
Annex 1C: Data Protection Authorities
United Kingdom
Egress entity |
Address |
DPA registered number |
DPO Details |
Egress Software Technologies Limited |
12th Floor, The White Collar Factory, 1 Old Street Yard, London, EC1Y 8AF |
ZA021578 |
Data Protection Authority |
Address |
Contact information |
The Information Commissioner’s Office |
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF |
Australia
Data Protection Authority |
Address |
Contact information |
Office of the Australian Information Commissioner |
GPO Box 5288 Sydney NSW 2001 |
European Union and European Economic Area
Egress representative |
Address |
Registered number |
DPO Details |
Egress Software Technologies Limited – Dutch branch |
Herengracht 420, 1017 BZ, Amsterdam, The Netherlands |
74110462 |
Data Protection Authority |
Address |
Contact information |
Autoriteit Persoonsgegevens |
P.O. Box 93375, 2509 AJ, The Hague |
Annex 2: Technical and Organisational Measures
Physical access controls
- The Egress Software Technologies Group (the Group) leverages industry-leading data centre and cloud infrastructure providers. Access to all third-party data centres is strictly controlled by the Sub-Processor. All third-party data centres are equipped by the Sub-Processor with 24x7x365 surveillance and biometric access control systems. Additionally, all relevant third-party data centre Sub-Processors are SOC 2 Type II audited and/or ISO 27001 certified.
- Third-party data centres are equipped with at least N+1 redundancy for power, networking, and cooling infrastructure.
- Within a region, data processing occurs across at least 2 availability zones offered by the relevant third-party Sub-Processor. Services are designed to withstand the failure of an availability zone without disruption.
System access controls
- Administrative access to the Group systems and Services follows the principle of least privilege. Administrative accounts are unique accounts, separate from standard user accounts. Access is regularly reviewed.
- Access to systems is based on job role and responsibilities. The Group uses unique usernames or identifiers which are not permitted to be shared or re-assigned to others. Access is regularly reviewed.
- Access to wired office corporate networks is restricted to managed devices. Guest Wi-Fi is available but has no access to the internal network.
- VPN and multi-factor authentication is used for access to all internal infrastructure.
- Network access control lists (ACLs) and security groups are used to limit traffic to and from internal and product infrastructure.
- Intrusion detection systems (IDS) are used to detect potential unauthorized access.
- Network protection has been deployed to mitigate the impact of distributed denial of service (DDoS) attacks.
- Employee onboarding and offboarding processes are documented and enforced consistently to ensure access is properly managed.
Data access controls
- The Group utilises a password management system that enforces minimum password length, complexity, history, and restricts re-use of passwords.
- Workstations and servers automatically lock after a period of inactivity. Systems log users out after a period of inactivity.
- Logs are centrally stored and indexed.
- Patch management process ensures systems are patched regularly.
- Regular monitoring, alerting, and vulnerability scanning is carried out.
- Antivirus software is utilized across endpoints and servers to ensure assets are protected against known viruses. This software is updated regularly.
- Firewall and logical network segregation are in place to prevent unwanted traffic.
- All resources are protected by NSGs and direct administrative access over the internet is prevented.
Data transmission controls
- Data is stored encrypted-at-rest through AES-256 encryption.
- Backups are encrypted in transit and at rest.
- Use of TLS 1.2 or higher is used to encrypt network traffic.
- The Group regularly utilises third-party penetration tests and vulnerability scanning to remediate discovered vulnerabilities.
- All non-public facing resources use private IP addresses where possible (note this is not possible on all Azure SaaS services).
Data input controls
- Systems are monitored for security events to ensure quick resolution.
- Logs can be tracked to individual logins and are kept in line with our retention policies.
Availability controls
- Systems infrastructure are monitored for security events to ensure quick resolution.
- Logs can be tracked to individual logins and are kept in line with our retention policies.
Law enforcement requests
We publish an external law enforcement request policy which reflects Our detailed internal policy documents. Given Our role as a Processor/sub-Processor in the delivery of the Services, and the context of those Services providing you with the ability to apply classification and encryption controls to your Content, Our law enforcement policy combined with those additional security measures provides any transferred Personal Data with a high degree of protection from access by destination country’s law enforcement and public authorities in a manner contrary to the protections afforded under relevant DPLs.
Data Residency
We provide customers with the ability to host Content and/or Smart Data in specific territories. More details are available from Us on request. You are reminded that no matter where your Content is stored, We do not control or limit the locations from which you, your Group and Users and recipients may access it and it is your responsibility to ensure that neither you, nor your Group or Users accesses or uses the Software, Services or Support in any country with data localization laws that would require your environment or Content and/or Smart Data to be hosted in that country.
Data minimisation, necessity and proportionality
We have no control over the Content transmitted to or from the Services by you, your Group and Users (including the volume, type and necessity of that Content). You are responsible for ensuring that your use of the Services complies with these principles and for identifying and ensuring that you have a lawful basis for: (a) using the Services to send, share, store and receive Content and for the associated Processing by Us and Our Group in accordance with Your Instructions; and (b) transferring third-party email addresses to Us and Our Group to enable your, and your Group’s and Users’, use of the Services.
Classification, encryption and advice
You acknowledge that due to the nature of the Services, you and your Users are responsible for determining the level of protection afforded to Content transmitted by them through the Services through your Users use of the tools, advice and functionality provided by the Services (e.g. classification of Content, application of encryption, granting access and rights to Users and Recipients and response to prompts, alerts and guidance).
Annex 3: Sub-Processors
You authorise Us to engage Sub-Processors to fulfil Our obligations under the MSA and this DPA. We set out the latest list of the Sub-Processors We engage at www.egress.com/legal/subcontractors (as amended from time to time). We provide a mechanism for you to subscribe to notifications of changes to Sub-Processors at this URL and you are responsible for completing the relevant webform. If you have subscribed to such notifications, We will provide details of any change in Sub-Processors in accordance with Section 7 of this DPA.
Annex 4: UK to Third Country Transfers
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
Addendum |
This International Data Transfer Addendum is made up of this Addendum and incorporates the Addendum EU SCCs by reference. |
Addendum EU SCCs |
The version of the approved EU SCCs is set out in the ANNEX to Commission Implementing Decision (EU) 2021/914. |
Appendix Information |
See Annexes 1A, 1B, 1C, 2 and 3 to this DPA. |
Appropriate Safeguards |
The standard of protection of Personal Data and data subjects’ rights as required by UK Data Protection Laws when a Restricted Transfer is made in reliance on the SCCs in accordance with Article 46(2)(d) of UK GDPR, including the use of those measures set out in the Security Requirements. |
Approved Addendum |
The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 as revised under Section 18. |
Approved EU SCCs |
The version of the approved EU SCCs is set out in the ANNEX to Commission Implementing Decision (EU) 2021/914. |
ICO |
The Information Commissioner. |
Restricted Transfer |
A transfer which is covered by Chapter V of the UK GDPR. |
Security Requirements |
The technical and organisational measures in place to protect Transferred Personal Data under this Addendum are as described in Annex 2. |
Sub-Processors |
As described in Annex 3. |
Transferred Personal Data |
For a description of the type of Personal Data that may be transferred under this Addendum, see Annex 1B. |
UK |
The United Kingdom of Great Britain and Northern Ireland. |
UK Data Protection Laws |
All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
UK GDPR |
As defined in section 3 of the Data Protection Act 2018. |
Ending this Addendum when the Approved Addendum Changes |
We may: (a) end this Addendum when the Approved Addendum Changes; or (b) otherwise amend the terms of this Annex 4 in accordance with the terms of Section 10.5 of this DPA. |
In this Addendum, both you and Us are each a Party, and we are collectively the Parties.
Purpose and scope
- Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
- Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties for the purposes of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
- Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the terms shown above in Table 1 shall have the meanings described in Table 1.
- This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
- If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
- If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
- If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
- Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
- Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Clause 10 of this Addendum will prevail.
- Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
- Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
- This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that: (a) together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers; (Clauses 9 to 10 of this Addendum override Clause 5 (Hierarchy) of the Addendum EU SCCs); and, (c) this Addendum (including the Addendum EU SCCs incorporated into it) is (i) governed by the laws of England and Wales; and, (ii) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
- Unless the Parties have agreed alternative amendments which meet the requirements of Clause 12 of this Addendum, the provisions of Clause 15 of this Addendum will apply.
- No amendments to the Approved EU SCCs other than to meet the requirements of Clause 12 may be made.
- The following amendments to the Addendum EU SCCs (for the purpose of Clause 12) are made:
- references to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
- in Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
- Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
- Clause 8.8(i) of Module 1 is replaced with: “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
- Clause 8.8(i) of Modules 2 and 3 is replaced with: “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
- references to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
- references to Regulation (EU) 2018/1725 are removed;
- references to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
- Clause 13(a) and Part C of Annex I are not used;
- the “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
- in Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
- Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”;
- Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”
Amendments to this Addendum
- The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
- If the Parties wish to change the format of the information included in the Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
- From time to time, the ICO may issue a revised Approved Addendum which: (a) makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or, (b) reflects changes to UK Data Protection Laws. The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
- If the ICO issues a revised Approved Addendum under Clause 17, if any Party selected in Table 1 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in: (a) its direct costs of performing its obligations under the Addendum; and/or, (b) its risk under the Addendum, and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
- The Parties do not need the consent of any third-party to make changes to this Addendum, but any changes must be made in accordance with its terms.
Annex 5 – EU Commission Standard Contractual Clauses
Commission Implementing Decision (EU) 2021/914
The version of the approved EU SCCs is set out in the ANNEX to Commission Implementing Decision (EU) 2021/914 and are incorporated into this DPA by reference.