DATA PROCESSING AGREEMENT
Last Updated: May 24th, 2018
This Data Processing Agreement (“DPA”) is made and entered into as of the date of last signature below (“Effective Date”) by and between you, our Customer (hereinafter referred to as “Client”, or “Controller”), and us Cloud4WI (referred to as “Processor”). This Data Processing Agreement is a supplement to and made a part of the Customer Terms of Service (“Agreement”).
If you are accepting these Data ProcessingAgreement on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to these Data ProcessingAgreement; (b) you have read and understand these Data ProcessingAgreement; and (c) you agree, on behalf of Customer, to this Data Processing Agreement. If you do not have the legal authority to bind Customer, please do not accept these Data Processing Terms.
All capitalized terms used in this DPA shall have the meanings given to them below:
1.1 Applicable Data Protection Law: means all applicable international, federal, national and state privacy and data protection laws that apply to the processing of Personal Data that is the subject matter of the DPA (including, where applicable, European Data Protection Law).
1.2 Controller: means the entity that determines the purposes and means of the processing of Personal Data, and for the purposes of this DPA means Client.
1.3 European Data Protection Law: means: (i) prior to 25 May 2018, the EU Data Protection Directive 95/46/EC, and any applicable national implementation of it; and (ii) on and after 25 May 2018, the EU General Data Protection Regulation 2016/679 ("GDPR") and any applicable national laws made under the GDPR.
1.4 Personal Data (“Data”): means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.5 Processor: means an entity that processes Personal Data on behalf of the Controller, and for the purposes of this DPA means Cloud4Wi.
1.6 Service (“Services”): means any product or service provided by the Processor to the Client pursuant to the DPA and the Agreement.
1.7 Data Protection Officer (”DPO”): Professional figure, provided for in the EU Regulation, acts as a reference with the Guarantor for the protection of personal data. The DPO must guarantee independence and autonomy from the organization in which it operates, during the performance of its functions, and the absence of conflict of interests. It oversees compliance with the EU Regulation and collaborates to conduct a preliminary assessment of the Processing of Data so that there are no negative impacts on fundamental rights and freedoms; it is also a support for keeping the personal data activity register.
The definitions not present have the same meaning as in the General Data Protection Regulation of 2016/679.
2. GENERAL DATA PROTECTION OBLIGATIONS
2.1 Relationship of the Parties: As between the Parties, Client is the Controller and appoints Cloud4WI as a Processor to process the Personal Data described in section 1.4.
2.2 Purpose limitation: Processor shall process the Data as a Processor only for the purposes described in Annex 1 and strictly in accordance with the documented instructions of the Client (the "Permitted Purpose") and processing outside the scope of these instructions (if any) shall require prior written agreement between Client and Cloud4Wi.
2.3 International transfers of Data: Processor shall, at all times provide, an adequate level of protection for the Data, wherever processed, in accordance with the requirements of Applicable Data Protection Law. Processor shall not process or transfer any Data originating from the European Economic Area (EEA) in or to a territory which has not been designated by the European Commission as providing an adequate level of data protection unless it has first obtained Client's prior written consent.
2.4 Confidentiality of processing: The Processor shall keep strictly confidential all Personal Data that it processes on behalf of Client. The Processor shall ensure that any person that it authorises to process the Data (including the Processor's staff, agents and subcontractors) (each an "Authorised Person") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the Data who is not under such a duty of confidentiality. Processor shall ensure that only Authorised Persons will have access to, and process, the Data, and that such access and processing shall be limited to the extent strictly necessary to achieve the Permitted Purpose. Processor accepts responsibility for any breach of this DPA caused by the act, error or omission of an Authorised Person.
2.5 Security: Processor shall implement appropriate technical and organisational measures to protect the Data from (i) accidental or unlawful destruction, and (ii) loss, unauthorized alteration, unauthorised disclosure of, or unauthorized access to the Data. At a minimum, such measures shall include the security measures identified in Annex 2 to this DPA.
Client acknowledges that the Service is not intended or designed for the Processing of Sensitive Information, and the Client agrees not to provide any Sensitive Information through the Service.
2.6 Subcontracting: Controller consents to Processor engaging third party sub-Processors, including Certified Partners of Processor, to process the Data provided that:
- Processor will provide to Client an up-to-date list of its then-current sub-Processors upon request;
- Processor provides at least thirty (30) days' prior written notice of the addition or removal of any sub-Processor (including the categories of Data processed, details of the processing it performs or will perform, and the location of such processing).
In all cases, Processor shall impose the data protection terms on any sub-Processor it appoints that at a minimum meets the requirements provided for by this DPA and Processor shall remain fully liable for any breach of this DPA that is caused by an act, error or omission of its sub-Processor.
2.7 Cooperation and individuals' rights: To the extent permitted by Applicable Law, Processor shall provide reasonable and timely assistance to Client to enable Client to respond to: (i) any request from an individual to exercise any of its rights under Applicable Data Protection Law; and (ii) any other correspondence, enquiry or complaint received from an individual, regulator, court or other third party in connection with the processing of the Data. In the event that any such communication is made directly to Processor, Processor shall instruct such individual to contact Client directly.
2.8 Data Protection Impact Assessment: If Processor believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of individuals, it shall promptly inform Client of the same. Processor shall provide Client with all such reasonable and timely assistance as Client may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.
2.9 Security incidents: Upon becoming aware of a Security Incident, Processor shall inform Client without undue delay (and, in any event, within 32 hours) and shall provide such timely information and cooperation as Client may require in order for Client to fulfil its data breach reporting obligations under (and in accordance with the timeliness required by) Applicable Data Protection Law and relevant contractual obligations owed by Client to its subscribers. Processor shall cooperate with Client in taking all appropriate measures and actions as are necessary to remedy or mitigate the effects of the Security Incident, shall manage and modify its systems to remedy or mitigate such Security Incident and the likelihood of future similar Security Incidents, and shall keep Client informed of all developments in connection with the Security Incident. Processor shall not notify any third parties of a Security Incident affecting the Data unless and to the extent that: (a) Client has agreed to such notification, and/or (b) notification is required to be made by Processor under Applicable Data Protection Laws.
2.10 Deletion or return of Data: Upon termination or expiry of the DPA, Processor shall (at Client's request) destroy all Data (including all copies of the Data) in its possession or control (including any Data subcontracted to a third party for processing); provided, however, that customer data (including Data) may be retained on backup for a period of up to eighteen (18) months for legal and compliance purposes. Notwithstanding the foregoing, Processor shall not reduce the security measures at any time until such Data is permanently deleted.
2.11 Audit: Processor shall permit Client (or its appointed third-party auditors) to audit Processor's compliance with this DPA, and shall make available to Client all information, systems and staff necessary for Client (or its third-party auditors) to conduct such audit. Processor acknowledges that Client (or its third-party auditors) may enter its premises for the purposes of conducting this audit, provided that Client gives it reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to Processor's operations. Client will not exercise its audit rights more than once in any twelve (12) calendar month period, except (i) if and when required by instruction of a competent data protection authority; or (ii) Client believes a further audit is necessary due to a Security Incident suffered by Processor. Processor shall also respond to any written audit questions submitted to it by Client.
2.12 Indemnity: Processor (the "Indemnifying Party") shall defend and fully indemnify Client from and against all loss, harm, cost (including reasonable attorney's fees), fines, expense, and liability that Client may suffer or incur arising as a result of Processor's breach or non-compliance with this DPA. The foregoing shall be subject to the indemnification procedures set forth in the Agreement.
2.13 General cooperation to remediate: In the event that Applicable Data Protection Law, or a data protection authority or regulator, provides that the transfer or processing of Personal Data under this DPA is no longer lawful or otherwise permitted, then the Parties shall agree to remediate the processing (by amendment to this DPA or otherwise) to the extent practical in order to meet the necessary standards or requirements. If Processor is unable to remediate the processing, then Client will be entitled to terminate the DPA (and any other agreement between the Parties relating to the provision of services by Processor to Client) without penalty.
3.1 The obligations placed upon the Processor under this DPA shall survive so long as Processor and/or its sub-Processors Process Personal Data on behalf of Client.
DETAILS OF PROCESSING OF CONTROLLER PERSONAL DATA
This Annex 1 includes certain details of the Processing of Controller Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Controller Personal Data
The subject matter and duration of the Processing of the Controller Personal Data are set out in the Agreement and this DPA.
The nature and purpose of the Processing of Controller Personal Data
Cloud4Wi will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Service Documentation, and as further instructed by Client in its use of the Services.
The categories of Data Subject to whom the Controller Personal Data relates
The Client may collect Personal Data with the Service, the extent of which is determined and controlled by Client, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Any individual accessing and/or using or managing the Services through the Client's Service Account ("Users")
- Any individual: (i) whose personal data is included in the Client’s Service Account; (ii) whose personal data is stored on or collected via the Services, or (iii) to whom Users send communication or otherwise engage or communicate with via the Services, (ii) whose device identifier is collected via the Services using Tracking Technologies (collectively, "Subscribers")
The types of Personal Data to be Processed
The Client may collect and submit Personal Data of Users and Subscribers to the Cloud4Wi services, the extent of which is determined and controlled by Client, and which may include, but is not limited to the following categories of Personal Data:
- User's Contacts and Profile data
- First name
- Last name
- Phone number
- Company name and address
- Subscriber's Contacts and Profile data
- Subscriber identifier
- First name
- Last name
- Phone number
- ZIP code
- Identification data (ex. passport number)
- Subscribers's Device details
- Subscriber identifier
- Device identifier (WiFi MAC Address)
- Device model
- Device operative system
- Subscriber's WiFi Authentication and Connections data
- Subscriber identifier
- Device identifier (WiFi MAC Address)
- IP Address
- Subscriber's credentials (Username and Password)
- Connection location data (Access Point and Venue of the connection)
- Timestamps of the beginning and end of connection
- Duration of the connection
- Subscriber's Location data
- Identifier of a Data Subject
- Device identifier (such as WiFi or BLE MAC address)
- Timestamps of the location record
- Location data (venue identifier and address, coordinates on the floor plan map, zone or floor of a building, proximity to a point of interest - when applicable)
- Subscriber's Activity data
- Subscriber identifier
- Type of activity (for example redeem offer, response to a survey, click on a call to action, etc...)
- Content and details of the activity (for example survey responses)
- Timestamp of the activity
- Venue where the activity is performed (where applicable)
Client may also upload content to Client’s Service Account which may include Personal Data and special categories of data, the extent of which is determined and controlled by the Client in its sole discretion.
DESCRIPTION OF THE TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
This Annex 2 includes the description of the technical and organizational security measures implemented by the Data Processor.
Cloud4Wi currently observes the security practices described in this Annex 2. Notwithstanding any provision to the contrary otherwise agreed to by data exporter, Cloud4Wi may modify or update these practices at its discretion provided that such modification and update does not result in a material degradation in the protection offered by these practices. All capitalized terms not otherwise defined herein shall have the meanings as set forth in this DPA.
a) Access Control
i) Preventing Unauthorized Product Access
Outsourced processing: Cloud4Wi hosts its Service with outsourced cloud infrastructure providers. Additionally, Cloud4Wi maintains contractual relationships with vendors in order to provide the Service in accordance with this DPA. Cloud4Wi relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: Cloud4Wi hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
Authentication: Cloud4Wi implemented a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of Cloud4Wi’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
Application Programming Interface (API) access: Public product APIs may be accessed using an API key
ii) Preventing Unauthorized Product Use
Cloud4wi implements industry standard access controls and detection capabilities for the internal networks that support its products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Intrusion detection and prevention: Cloud4Wi implemented a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
Static code analysis: Security reviews of code stored in Cloud4Wi’s source code repositories is performed, checking for coding best practices and identifiable software flaws.
Penetration testing: Cloud4wi maintains relationships with industry recognized penetration testing service providers for four annual penetration tests. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.
iii) Limitations of Privilege & Authorization Requirements
Product access: A subset of Cloud4Wi’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are performed periodically. Employee roles are reviewed at least once every six months.
Background checks: All Cloud4Wi employees undergo a background check prior to being extended an employment offer, in accordance with the applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
b) Transmission Control
In-transit: Cloud4Wi makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for every Splash Page hosted on the Cloud4Wi products. Cloud4Wi HTTPS implementation uses industry standard algorithms and certificates.
At-rest: Cloud4Wi stores user passwords following policies that follow industry standard practices for security. With effect 25 May 2018, Cloud4Wi has implemented technologies to ensure that stored data is encrypted at rest.
c) Input Control
Detection: Cloud4Wi designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregated log data and alert appropriate employees of malicious, unintended, or anomalous activities.Cloud4Wi personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: Cloud4Wi maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Cloud4Wi will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.
Communication: If Cloud4Wi becomes aware of unlawful access to Customer data stored within its products, Cloud4Wi will: 1) notify the affected Customers of the incident; 2) provide a description of the steps Cloud4Wi is taking to resolve the incident; and 3) provide status updates to the Customer contact, as Cloud4Wi deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form Cloud4Wi selects, which may include via email or telephone.
d) Availability Control
Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power and network.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
Cloud4Wi’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists Cloud4Wi operations in maintaining and updating the product applications and backend while limiting downtime.