Annex № 2
to the Master Service Agreement
Personal Data Processing Agreement — US
This ANNEX to the Agreement (hereinafter — «Annex II», «PDPA») is made and entered into ___ day of _____, _____ between the Parties. The Annex II shall determine applicable data processing terms and conditions. The Annex II shall constitute an integral part of the Agreement and shall continue to be in full force and effect in accordance with the provisions of the Agreement.
For the provision of the Subscription to Mindbox Service the Contractor processes Personal Data on behalf of the Customer. In this capacity the Contractor is considered as the data processor (Processor) and the Customer is considered as the data controller (Controller).
Obligations. The Contractor processes Personal Data only to the extent necessary for the provision of the Subscription to Mindbox Service and the execution of the Agreement. The Processing of Personal Data by the Contractor is fair and lawful, compliant with United States applicable Privacy legislation and in accordance with Customers’ request for services.
Personal Data transfers. The Contractor contracts an affiliated enterprise and services providers as subcontractors (Sub-processors) for the data processing according to the data sub-processor agreements. The Contractor remains fully liable to the Customer for the performance of Sub-processors’ obligations.
Security. The Contractor has implemented technical and organisational security measures to protect Personal Data against unauthorised or unlawful Processing, accidental or unlawful destruction or accidental loss, alteration, damage, unauthorised disclosure or unauthorised access by any person.
The Contractor does not take knowledge of non-public information, including Personal Data, which is placed on the Mindbox Service by the Customer, unless this is necessary for the proper provision of the Subscription to Mindbox Service under this Agreement or this inspection is based on a legal obligation.
Data Breach notification. The Contractor will immediately notify the Customer of any actual or suspected security breach involving Personal Data which can foreseeably compromise the confidentiality and/or integrity of Personal Data. The Contractor will provide the Customer upon request with all information necessary for notifying the Data Protection Authority or the Data Subjects involved in the Data Breach.
Data Subject requests. The Customer always has access to the Contractor’s systems where Personal Data of Data Subjects are processed on behalf of the Customer. Should the Customer for any reason has no independent access to the information necessary for complying to Data Subject requests for access, rectification, erasure and/ or restriction of processing of their Personal Data, the Contractor will assist the Customer by providing all necessary information to respond to the request.
Confidentiality. The Contractor treats Personal Data confidential. The Contractor ensures that those members of staff and third parties that have access to Personal Data maintain the confidentiality and the security of Personal Data by signing a confidentiality agreement.
This obligation does not apply if and insofar as disclosure is required by law and / or court order, in which case the information to be disclosed will be kept as limited as possible. When the Contractor receives a request from a public authority to disclose Personal Data belonging to the Customer, the Contractor shall immediately inform the Customer.
Scope of this Personal Data Processing Agreement and re-negotiation. Contractor’s obligations as set out in this Personal Data Processing Agreement will perpetuate after termination of the Agreement for as long as the Contractor still has access to Personal Data. Upon termination or receipt of notice terminating the Agreement, the Customer is responsible for the export of Personal Data from the Mindbox Service. The Contractor shall utilize commercially reasonable efforts to destroy the Customer’s Account in the Mindbox Service with Personal Data processed on behalf of the Customer within 30 (thirty) days after termination of this Agreement. The Contractor may deviate to the extent where a longer data retention period is necessary to demonstrate fulfilment of contractual obligations, if necessary under applicable legislation as well as authorized to keep the Personal Data backup as long as necessary according to the Contractor’s policies.
CCPA Processing. To the extent that the Contractor processes Personal Data that is protected by the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (the «CCPA»), the terms of this Section 8 shall apply in addition to the terms above. In the event of any conflict or ambiguity between the terms in this Section 8 and any other terms in this Annex II, the terms of this Section 8 shall take precedence but only to the extent that they apply to the Personal Data in questions.
For the purposes of this Section 8, the Customer is a «Business» (within the meaning of the CCPA) and appoints the Contractor as a «Service Provider» (within the meaning of the CCPA) to process Personal Data on behalf of the Customer. The Customer is responsible for compliance with the requirements of the CCPA applicable to Businesses.
The Contractor will not: (i) «sell» (within the meaning of the CCPA) Personal Data; (ii) process Personal Data for any purpose other than for the specific purposes set forth herein. For the avoidance of doubt, the Contractor will not process Personal Data outside of the direct business relationship between the Customer and the Contractor; or (iii) attempt to link, identify, or otherwise create a relationship between Personal Data and non-Personal Data or any other data without the express authorization of the Customer.
The parties acknowledge that Personal Data that has been de-identified is not «personal information» (within the meaning of the CCPA). The Contractor may de-identify Personal Data only if it: (i) has implemented technical safeguards that prohibit re-identification of the Data Subject to whom the information may pertain; (ii) has implemented business processes that specifically prohibit re-identification of the information; (iii) has implemented business processes to prevent inadvertent release of deidentified information; and (iv) makes no attempt to re-identify the information.
The Contractor hereby certifies that it understands its restrictions and obligations set forth in this Section 8 and will comply with them.
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The following measures apply to transfer of personal data from the Customer to the Contractor.
Access control policy is implemented
Employee training on data protection and information security
Monitoring the composition of hardware software and information security tools
Rules for using email and spam protection
Information security risk analysis is conducted annually
Information security policy is implemented
Differentiation of access rights
A registry of information assets is maintained
Inventory of information assets is carried out annually
Risk management policy
Areas of responsibility for information security are defined and distributed
Information security provisions are included in contracts with counterparties
MDM tool combined with anti-virus software and enforced updates
NDAs with employees are signed
Employees have access to the training material on information security
NDAs with counterparties are signed
When an employee quits, they need to complete the steps concerning infosecurity set out in the checklist (Trello)
System of accounting of hardware in the infrastructure
Used components from data centers are transported by the employees of the Company
Accounting and reporting of OS on workstations and servers
Security logs from MacOS are collected in Graylog
Data in a product are masked
Protection against brute-force attack while entering password (blocking after 5 failed attempts)
1Password is used to ensure password security
CCTV at the entrance to company’s office
Equipment is sited as recommended by respective manufacturers and security regulations
Clean desk policy
Clean screen policy
Lock screen policy
Protection of computers with Microsoft Defender
Master Data Management tools are implemented
Daily data backup
Additional off-site backup storage shall be in place
Log of Information security incidents
Logging of user workstations is carried out by the built-in means of the OS
Users’ and administrators’ activities in the information system are logging by the built-in tools of the OS and the information system
External web application scanning for vulnerabilities
The network equipment supports the firewall features
Testing of new versions of information systems in an isolated environment
Network management and control is performed by Dlink DFL firewalls
An ACL is configured between VLANs
Rules are set up to filter incoming traffic; all ports are blocked
The recommended data transfer channels are given in the product instruction
App sessions are protected with tokens
Sessions are protected with unique links signed keys sent by email and more
License Agreements are signed with counterparties
Journal of familiarization with the rules of processing personal data for employees
Formalized list of positions allowed to process personal data
External information security audits
Logins and exits to the admin account are logged
Granting accesses are logged
The administrator can differentiate access rules for personnel
The customer can view the actions of a support employee in the action log
Personal data are masked for Mindbox employees
Customer can set retention period for storing personal data
Backups of deleted data are stored for 6 months
Customer can set the password expiration date
Customer can choose to mask personal data in the accounts of its particular employees
Data encryption type is chosen by the customer in their account
DETAILS AND SIGNATURES OF THE PARTIES
|MindBox USA, LLC a Delaware limited liability company Registered address: One Broadway, 14th floor, Cambridge, MA 02142
|Registration number: EIN 30-1286779
|Contractor’s email domains:
|@mindbox-app.cloud as well as other domains that are listed on the website www.mindbox.cloud
|Name: Ivan Borovikov,