Common use of 2021 Standard Contractual Clauses Clause in Contracts

2021 Standard Contractual Clauses. If applicable, the parties agree that the 2021 SCCs will apply to Personal Data that is transferred via the Services from the EEA or Switzerland, either directly or via onward transfer, to any country or recipient outside the EEA or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for Personal Data. For data transfers from the EEA that are subject to the 2021 SCCs, the 2021 SCCs will be deemed entered into by both parties (and incorporated into this Addendum by this reference). Where the data exporter and the data importer (as such terms are defined in the SCCs, “Data Exporter” and “Data Importer” respectively) are directed to select a module, the parties acknowledge that: Module 2 (Controller to Processor) of the 2021 Standard Contractual Clauses will apply where Client acts as a Controller and Data Exporter of Personal Data and Service Provider acts as Processor and Data Importer of Personal Data. The parties agree that the following options will apply:

• in Clause 7 of the 2021 SCCs, the optional docking clause will not apply;
• in Clause 9(a) of the 2021 SCCs, Option 2 will apply;
• in Clause 11 of the 2021 SCCs, the optional language will not apply;
• in Clause 17 (Option 1), the 2021 SCCs will be governed by Irish law;
• in Clause 18(b) of the 2021 SCCs, disputes will be resolved before the courts of the Republic of Ireland.

This Schedule 2 forms part of the DPA, where Service Provider will apply the following technical and organizational measures:

1. Develop, implement, and maintain a comprehensive written information security program that includes appropriate administrative, technical, and physical safeguards and other security measures designed to ensure the security and integrity of Personal Data in accordance with industry standards and the Applicable Privacy Laws.
2. Strong encryption of Personal Data in transit and at rest, as applicable, that meets industry best practices, is robust against cryptanalysis, is not susceptible to interference or unauthorized access, and for which key access is limited to specific authorized individuals with a need to access Personal Data to engage in Processing.
3. Implement any data transfer mechanism as may be necessary for compliance with Applicable Privacy Laws for transfer of Personal Data to other jurisdictions for legitimate business purposes including (a) the performance of the Services as set forth in the Agreement; (b) to provide any technical and customer support, maintenance, and troubleshooting as requested by Client; and (c) to fulfil all other obligations under the Agreement with due observance of all applicable laws and regulations and preservation of the confidentiality of the information.
4. Access restrictions and procedures, including unique user identification, to limit Processing to authorized Service Provider workforce and devices authorized explicitly by Client through proper separation of duties, role-based access, on a need-to-know and least privilege basis.
5. Multi-factor authentication and use of a virtual private network for any remote access to Service Provider systems or Personal Data.
6. Physical security procedures, including the use of monitoring 24 hours/7 days a week, access controls and logs of access, and measures sufficient to prevent physical intrusions to any Service Provider facility where Personal Data is Processed.
7. Secure disposal of equipment and physical and electronic media that contain Personal Data.
8. Ongoing vulnerability identification, management and remediation of systems including applications, databases, and operating systems used by Service Provider to Process Personal Data.
9. Logging and monitoring to include security events, all critical assets that Process Personal Data, and system components that perform security functions for Service Provider’s network (e.g., firewalls, IDS/IPS, authentication servers, anti-virus and malware protection) intended to identify actual or attempted access by unauthorized individuals and anomalous behaviour by authenticated users.
10. Monitoring, detecting, and restricting the flows of Personal Data on a multi-layered basis, including but not limited to the use of network segmentation, secure configuration of firewalls, intrusion detection and/or prevention systems, web application firewalls, and denial of service protections.

Appears in 1 contract

Samples: Data Processing Addendum


2021 Standard Contractual Clauses. The parties agree that the 2021 Standard Contractual Clauses will apply to Personal Data that is transferred via the Services from the European Economic Area or Switzerland, either directly or via onward transfer, to any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for Personal Data. For data transfers from the European Economic Area that are subject to the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses will be deemed entered into by both parties (and incorporated into this DPA by this reference) and completed as follows:

(a) Module Two (Controller to Processor) of the 2021 Standard Contractual Clauses will apply where Customer is a controller of Personal Data and Bluecore is processing Personal Data.
(b) Module Three (Processor to Processor) of the 2021 Standard Contractual Clauses will apply where Customer is a processor of Personal Data and Bluecore is processing Personal Data.
(c) For each Module, where applicable:
(i) in Clause 7 of the 2021 Standard Contractual Clauses, the optional docking clause will not apply;
(ii) in Clause 9 of the 2021 Standard Contractual Clauses, Option 2 will apply and the time period for prior notice of subprocessor changes will be as set forth in Section 5 (Sub-Processors) of this DPA;
(iii) in Clause 11 of the 2021 Standard Contractual Clauses, the optional language will not apply;
(iv) in Clause 17 (Option 1), the 2021 Standard Contractual Clauses will be governed by Irish law;
(v) in Clause 18(b) of the 2021 Standard Contractual Clauses, disputes will be resolved before the courts of the Republic of Ireland;
(vi) in Annex I, Part A of the 2021 Standard Contractual Clauses:
▪ Data Exporter: Customer.

Appears in 1 contract

Samples: Data Processing Addendum

2021 Standard Contractual Clauses. The parties agree that the 2021 Standard Contractual Clauses will apply to Personal Data that is transferred via the Services from the European Economic Area or Switzerland, either directly or via onward transfer, to any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for Personal Data. For data transfers from the European Economic Area that are subject to the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses will be deemed entered into by both parties (and incorporated into this DPA by this reference) and completed as follows:

(a) Module Two (Controller to Processor) of the 2021 Standard Contractual Clauses will apply where Customer is a controller of Personal Data and Grafana Labs is processing Personal Data.
(b) Module Three (Processor to Processor) of the 2021 Standard Contractual Clauses will apply where Customer is a processor of Personal Data and Grafana Labs is processing Personal Data.
(c) For each Module, where applicable:
(i) in Clause 7 of the 2021 Standard Contractual Clauses, the optional docking clause will not apply;
(ii) in Clause 9 of the 2021 Standard Contractual Clauses, Option 2 will apply and the time period for prior notice of subprocessor changes will be as set forth in Section 6 (Subprocessors) of this DPA;
(iii) in Clause 11 of the 2021 Standard Contractual Clauses, the optional language will not apply;
(iv) in Clause 17 (Option 1), the 2021 Standard Contractual Clauses will be governed by Irish law;
(v) in Clause 18(b) of the 2021 Standard Contractual Clauses, disputes will be resolved before the courts of the Republic of Ireland;
(vi) in Annex I, Part A of the 2021 Standard Contractual Clauses:
▪ Data Exporter: Customer.

Appears in 1 contract

Samples: Data Processing Agreement


