The same definitions in other parts of the Agreement shall also apply to this DPA. Any terms not defined herein shall be given the meaning allocated to them in the Data Protection Laws from time to time. In addition, the following terms have the meanings set forth below:
a. “Agreement” means the applicable agreement between the Service Provider and the Customer, of which this DPA is an integral part.
b. “Data Controller” means the Customer.
c. “Data Processor” means the Service Provider.
d. “Data Protection Laws” means the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679 of the European Parliament and of the Council), other applicable EU or EU member state law, or any other applicable law that applies to the processing of the Personal Data under this DPA, including all as amended, superseded or replaced from time to time.
e. “Data Subject” shall have the same meaning as defined by the Data Protection Laws.
f. “Personal Data” shall have the same meaning as defined by the Data Protection Laws.
g. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
h. “Standard Contractual Clauses” means the contractual clauses issued by the European Commission by the decision (EU) 2021/914 for international transfers of Personal Data including as amended or replaced from time to time.
i. “Supervisory Authority” means any competent authority under the Data Protection Laws.
a. The Data Processor shall process the Personal Data on behalf of the Data Controller only for the purpose of and to the extent required for providing the Services under the Agreement. The Personal Data shall be processed as long as the Services are provided under the Agreement. The categories of Personal Data processed under this DPA are specified in Annex 1 of this DPA.
a. The Data Controller shall:
a. The Data Processor shall:
b. In case the Data Subject or Supervisory Authority makes a request concerning the Personal Data, including a request for restricting, erasing or correcting the Personal Data, delivering them any information or executing any other actions, the Data Processor shall, without undue delay, inform the Data Controller of all such requests prior to any response or other action concerning the Personal Data, or afterwards as soon as reasonably possible in case the Data Protection Laws prescribe an immediate response. The Data Processor may only restrict, erase or correct the Personal Data processed on behalf of the Data Controller when instructed to do so by the Data Controller or required by the Data Protection Laws.
c. In the event of a Personal Data Breach, the Data Processor shall without undue delay but no later than in forty-eight (48) hours after becoming aware of it, notify the Data Controller in writing to its designated contact details provided below. The Data Processor shall use all reasonable endeavours to protect the Personal Data after having become aware of the Personal Data Breach.
Contact for the Data Controller: The same as included in the Agreement unless provided separately in writing to the Data Processor.
Contact for the Data Processor: Cybernut Privacy Leo@Cybernut.Com
a. Unless a country outside the borders of the European Economic Area (“EEA”) offers an adequate level of data protection based on a decision by the European Commission, the Data Processor is entitled to transfer the Personal Data outside the borders of the EEA only with the Data Controller’s express written consent, and provided that the Data Processor ensures that the transfer is protected by appropriate safeguards and supplementary measures as mandated from time to time by the Data Protection Laws. Where the Data Protection Laws require appropriate safeguards, the applicable Standard Contractual Clauses are incorporated and deemed entered into in respect of the transfer. By entering into this DPA, the Data Controller gives consent to the Data Processor to transfer the Personal Data outside the borders of the EEA to the sub-processors listed at Annex 1 of this DPA. Where the Data Protection Laws require supplementary measures, the Data Processor shall pseudonymize the Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject.
a. By entering into this DPA, the Data Controller agrees that the Data Processor may engage the sub-processors listed at Annex 1 of this DPA. The Data Controller acknowledges that the Data Processor may update this list of sub-processors from time to time, and that the Data Processor shall notify the Data Controller of any such update with reasonable notice. The Data Controller may object to the appointment of a new sub-processor on reasonable grounds in writing within fourteen (14) or fewer calendar days from the date of notification. In such case the Data Processor shall use reasonable endeavors to secure, within a reasonable timeframe, an alternative sub-processor so as to avoid any degradation or interruption of the Services without imposing any substantial commercial burden on either Party. If the Data Processor is unable to secure an alternative sub-processor, the Data Controller may terminate the elements of the Services that cannot be delivered without the objected sub-processor. The Data Processor shall ensure that all sub-processors are bound by contractual obligations at least equivalent to this DPA with respect to the protection of the Personal Data, and the Data Processor shall remain fully liable to the Data Controller for the performance of the sub-processor data protection obligations under this DPA.
a. This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions of the State of Florida, unless required otherwise by the Data Protection Laws.
Categories of the Data Subjects whose Personal Data is processed
The categories of Data Subjects affected by the Personal Data processing within the framework of this Agreement are the users of the Services authorized and appointed by the Data Controller.
Categories of the Personal Data processed
The categories of Personal Data processed include the following mandatory and optional items, provided at the discretion of the Data Controller:
Subject-matter, nature, and purpose of the Personal Data processing
The execution of the Services by the Data Processor as defined in the Agreement.
Frequency and duration of the Personal Data processing
Continuously, and as long as the Services are provided under the Agreement to the Data Controller.
Approved sub-processors of the Data Processor
In the below table, the “Service Data” include (i) the user reported threat data which consists of non-simulated suspected malicious emails reported by the users that may contain Personal Data, and (ii) the “User Data” which consists of the Personal Data categories stated above.
North America

Entity | Service | Purpose | Personal Data Category Processed | Personal Data Processing Location | Security Certification |
---|---|---|---|---|---|
Amazon Web Services, Inc. | Cloud Service Provider | To provide the infrastructure; to send simulated content; to provide database service | Service Data; User Data; IP Address; User Agent | US | ISO/IEC 27001, ISO/IEC 27701, SOC 2 |
Intercom, Inc. | Customer Support | To allow users to contact CyberNut Support to resolve issues | User Data | US | ISO/IEC 27001, ISO/IEC 27701, SOC 2 |

EU

Entity | Service | Purpose | Personal Data Category Processed | Personal Data Processing Location | Security Certification |
---|---|---|---|---|---|
Amazon Web Services EMEA SARL | Cloud Service Provider | To provide the infrastructure; to send simulated content; to provide database service | Service Data; User Data; IP Address; User Agent | EEA | ISO/IEC 27001, ISO/IEC 27701, SOC 2 |