
Annex № 2
to the Master Service Agreement

Personal Data Processing Agreement — US

This ANNEX to the Agreement (hereinafter «Annex II», «PDPA») is made and entered into on the effective date set out in the Engagement Letter between the Parties. Annex II sets out the applicable data processing terms and conditions. Annex II constitutes an integral part of the Agreement and remains in full force and effect in accordance with the provisions of the Agreement.

For the provision of the Subscription to the Maestra Service, the Contractor processes Personal Data on behalf of the Customer. In this capacity the Contractor is the data processor (Processor) and the Customer is the data controller (Controller).

  1. Obligations. The Contractor processes Personal Data only to the extent necessary for the provision of the Subscription to the Maestra Service and the performance of the Agreement. The Processing of Personal Data by the Contractor is fair and lawful, compliant with applicable United States privacy legislation and in accordance with the Customer’s requests for services.

  2. Personal Data transfers. The Contractor engages an affiliated enterprise and service providers as subcontractors (Sub-processors) for data processing under data sub-processing agreements. The Contractor remains fully liable to the Customer for the performance of the Sub-processors’ obligations.

    The Customer generally authorises the engagement of Mindbox’s affiliated enterprise and Maestra’s service providers as Sub-processors. The list of Sub-processors is available in the privacy policy at: https://maestra.io/documents/privacy-policy/ and can also be provided to the Customer upon request.

  3. Security. The Contractor has implemented technical and organisational security measures to protect Personal Data against unauthorised or unlawful Processing, accidental or unlawful destruction or accidental loss, alteration, damage, unauthorised disclosure or unauthorised access by any person.

    The Contractor does not access non-public information, including Personal Data, placed on the Maestra Service by the Customer, unless this is necessary for the proper provision of the Subscription to the Maestra Service under this Agreement or such inspection is required by a legal obligation.

  4. Data Breach notification. The Contractor will immediately notify the Customer of any actual or suspected security breach involving Personal Data that could foreseeably compromise the confidentiality and/or integrity of Personal Data. Upon request, the Contractor will provide the Customer with all information necessary for notifying the Data Protection Authority or the Data Subjects affected by the Data Breach.

  5. Data Subject requests. The Customer always has access to the Contractor’s systems in which Personal Data of Data Subjects are processed on behalf of the Customer. Should the Customer for any reason have no independent access to the information necessary for complying with Data Subject requests for access, rectification, erasure and/or restriction of processing of their Personal Data, the Contractor will assist the Customer by providing all information necessary to respond to the request.

  6. Confidentiality. The Contractor treats Personal Data as confidential. The Contractor ensures that members of staff and third parties who have access to Personal Data maintain the confidentiality and security of Personal Data by signing a confidentiality agreement.

    This obligation does not apply if and insofar as disclosure is required by law and/or court order, in which case the information disclosed will be kept as limited as possible. When the Contractor receives a request from a public authority to disclose Personal Data belonging to the Customer, the Contractor shall immediately inform the Customer.

  7. Scope of this Personal Data Processing Agreement and re-negotiation. The Contractor’s obligations as set out in this Personal Data Processing Agreement survive termination of the Agreement for as long as the Contractor still has access to Personal Data. Upon termination or receipt of notice terminating the Agreement, the Customer is responsible for exporting Personal Data from the Maestra Service. The Contractor shall use commercially reasonable efforts to destroy the Customer’s Account in the Maestra Service, together with the Personal Data processed on behalf of the Customer, within 30 (thirty) days after termination of this Agreement. The Contractor may deviate from this period to the extent that a longer retention period is necessary to demonstrate fulfilment of contractual obligations or is required under applicable legislation, and is authorised to keep Personal Data backups for as long as necessary according to the Contractor’s policies.

  8. CCPA Processing. To the extent that the Contractor processes Personal Data protected by the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (the «CCPA»), the terms of this Section 8 apply in addition to the terms above. In the event of any conflict or ambiguity between the terms of this Section 8 and any other terms of this Annex II, the terms of this Section 8 take precedence, but only to the extent that they apply to the Personal Data in question.

    For the purposes of this Section 8, the Customer is a «Business» (within the meaning of the CCPA) and appoints the Contractor as a «Service Provider» (within the meaning of the CCPA) to process Personal Data on behalf of the Customer. The Customer is responsible for compliance with the requirements of the CCPA applicable to Businesses.

    The Contractor will not: (i) «sell» (within the meaning of the CCPA) Personal Data; (ii) process Personal Data for any purpose other than the specific purposes set forth herein (for the avoidance of doubt, the Contractor will not process Personal Data outside of the direct business relationship between the Customer and the Contractor); or (iii) attempt to link, identify, or otherwise create a relationship between Personal Data and non-Personal Data or any other data without the express authorisation of the Customer.

    The parties acknowledge that Personal Data that has been de-identified is not «personal information» (within the meaning of the CCPA). The Contractor may de-identify Personal Data only if it: (i) has implemented technical safeguards that prohibit re-identification of the Data Subject to whom the information may pertain; (ii) has implemented business processes that specifically prohibit re-identification of the information; (iii) has implemented business processes to prevent inadvertent release of de-identified information; and (iv) makes no attempt to re-identify the information.

    The Contractor hereby certifies that it understands its restrictions and obligations set forth in this Section 8 and will comply with them.

  9. TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

    The following measures apply to the transfer of personal data from the Customer to the Contractor.

    • Access control policy is implemented
    • Employee training on data protection and information security
    • Monitoring the composition of hardware, software and information security tools
    • Rules for using email and spam protection
    • Information security risk analysis is conducted annually
    • Information security policy is implemented
    • Differentiation of access rights
    • A registry of information assets is maintained
    • Inventory of information assets is carried out annually
    • Risk management policy
    • Areas of responsibility for information security are defined and distributed
    • Information security provisions are included in contracts with counterparties
    • MDM tool combined with anti-virus software and enforced updates
    • NDAs with employees are signed
    • Employees have access to the training material on information security
    • NDAs with counterparties are signed
    • When an employee leaves, the information security offboarding steps set out in the checklist (Trello) must be completed
    • System of accounting of hardware in the infrastructure
    • Confidentiality policy
    • Decommissioned components from data centres are transported by the Company’s own employees
    • Network segmentation
    • Inventory and reporting of operating systems on workstations and servers
    • Security logs from macOS are collected in Graylog
    • Data in the product are masked
    • Protection against brute-force attack while entering password (blocking after 5 failed attempts)
    • Two-factor authentication
    • 1Password is used to ensure password security
    • CCTV at the entrance to company’s office
    • Equipment is sited as recommended by respective manufacturers and security regulations
    • Clean desk policy
    • Clean screen policy
    • Lock screen policy
    • Protection of computers with Microsoft Defender
    • Master Data Management tools are implemented
    • Daily data backup
    • Additional off-site backup storage shall be in place
    • Log of Information security incidents
    • Logging on user workstations is carried out by the built-in means of the OS
    • Users’ and administrators’ activities in the information system are logged by the built-in tools of the OS and of the information system
    • External web application scanning for vulnerabilities
    • The network equipment supports firewall features
    • Testing of new versions of information systems in an isolated environment
    • Network management and control is performed by D-Link DFL firewalls
    • An ACL is configured between VLANs
    • Rules are set up to filter incoming traffic; all ports are blocked by default
    • The recommended data transfer channels are given in the product instruction
    • Application sessions are protected with tokens
    • Sessions are additionally protected with unique links and signed keys sent by email, among other measures
    • License Agreements are signed with counterparties
    • Journal of familiarization with the rules of processing personal data for employees
    • Formalized list of positions allowed to process personal data
    • External information security audits
    • Logins to and logouts from the admin account are logged
    • Grants of access are logged
    • The administrator can differentiate access rules for personnel
    • The customer can view the actions of a support employee in the action log
    • Personal data are masked for Mindbox employees
    • Customer can set retention period for storing personal data
    • Backups of deleted data are stored for 6 months
    • Customer can set the password expiration date
    • Customer can choose to mask personal data in the accounts of its particular employees
    • Data encryption type is chosen by the customer in their account
