DESCRIPTION OF TRANSFER Categories of data subjects whose personal data is transferred Data exporter may submit Personal Data to the Service, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects: ● Customers, business partners, and vendors of the data exporter (who are natural persons) ● Employees or contact persons of data exporter customers, business partners, and vendor ● Employees, agents, advisors, contractors, or any user authorized by the data exporter to use the Service (who are natural persons) Categories of personal data transferred Data exporter may submit Personal Data to the Service, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following categories of personal data: ● First and last name ● Business contact information (company, email, phone, physical business address) ● Personal contact information (email, cell phone) ● Title ● Position ● Employer ● ID data ● Professional life data ● Personal life data (in the form of security questions and answers) ● Connection data ● Localization data Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. Data exporter may submit special categories of data to the Service, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include Personal Data concerning health information. If applicable, data exporter agrees that it has reviewed and assessed the restrictions and safeguards applied to the special categories of Personal Data, including the measures described in the Trust & Compliance Documentation (as defined by this DPA) and Documentation (as defined in the Agreement), and has determined that such restrictions and safeguards are sufficient. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) Subject to Customer’s use of the Service, Personal Data will be transferred on a continuous basis during the term of the Agreement. Nature of the processing Identity and access management and related services pursuant to the Agreement. Purpose(s) of the data transfer and further processing The objective of Processing of Personal Data by the data importer is the performance of the Service pursuant to the Agreement and as instructed by data exporter in its use of the Service. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period Data exporter may retain Personal Data in the Service for the duration of the Agreement. Personal Data within the Service post-termination of the Agreement will be retained and deleted in accordance with the Documentation. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing Sub-processors may only Process Personal Data as necessary for the performance of the Service pursuant to the Agreement and for the duration of the Agreement. Sub-processor information are made available on Okta’s ‘Agreements’ webpage (accessible via xxx.xxxx.xxx/xxxxxxxxxx under the “Trust & Compliance Documentation” link).
