The following parties
1. Carv.com B.V., a Dutch limited liability company, having its statutory seat in Amsterdam, The Netherlands and its office at (1012 WP) Amsterdam at Singel 459. Carv is registered with the Chamber of Commerce under registration number 84849738, (hereinafter referred to as “Carv.com” and “Processor”);
2. The Client, (hereinafter referred to as “Client” and “Controller”).
Jointly hereinafter also referred to as “Parties”,
have agreed as follows
Article 1 Definitions
1.1 In this Data Processing Agreement, terms, indicated with a capital letter, shall have the following meaning, regardless of the usage in single or plural form:
Agreement: the agreement concluded between Carv.com and Client for the usage of the service Carv.com offers, including any additional concluded agreements.
Annex: addendum to the Data Processing Agreement, which forms an inseparable part of the Data Processing Agreement.
Data Processing Agreement: this agreement, which is an integral part of the Agreement.
Terms and Conditions: the Terms and Conditions of Carv.com, which form an integral part of the Agreement.
Personal Data: all data directly or indirectly identifiable to a natural person as referred to in Article 4 introductory phrase and under 1 GDPR.
Personal Data Breach: personal data breach as referred to in Article 4 introductory phrase and under 12 GDPR.
Processing: the processing of Personal Data as referred to in Article 4 introductory phrase and under 2 GDPR.
Service: the service Carv.com offers to Client, as defined in the Agreement.
Sub-processor: the subcontractor engaged by Carv.com, which processes Personal Data pursuant to this Processor Agreement on behalf of Client as referred to in article 28 paragraph 4 GDPR.
1.2 The provisions of the Agreement shall apply in their entirety to the Data Processing Agreement. In case the Agreement contains any provisions regarding Personal Data, the provisions in this Data Processing Agreement will prevail.
Article 2 Controller and Processor of the data
2.1 Carv.com, acting as Processor, commits under this Data Processing Agreement to Process Personal Data at the instructions of the Client, acting as Controller. An overview of the categories of Personal Data, data subjects and Processing purpose of the Personal Data is attached in Annex 1. Controller warrants that the in Annex 1 mentioned Personal Data, data subjects and Processing purpose of the Personal Data are complete and correct, and indemnifies Processor against any defects and claims resulting from an incorrect representation by Processor.
2.2 The Processor is solely responsible for the Processing of Personal Data under this Data Processing Agreement, in accordance with the legitimate instructions of Controller and under the explicit (final) responsibility of Controller. For all other Processing of Personal Data, including but not limited to the collection of the Personal Data by Processor, Processing for purposes not notified to Processor by Controller, Processing by third parties and/or for other purposes, Processor is not responsible. Responsibility for this Processing rests solely with Controller.
2.3 The Controller is solely liable for the Processing of Personal Data within the scope of the Agreement and warrants that the content, use and ordered Processing of such Personal Data complies with all applicable laws and regulations and does not infringe any rights of third parties. The Controller shall indemnify Processor against all claims of third parties, in particular the supervisory authority, arising in any way from non-compliance with this guarantee. In this regard the Controller is for example aware that regarding the processing of personal data of attendees of meetings in which the Service is used by (employees of) the Controller, it needs to have a legal basis for lawful processing of personal data of these attendees and that attendees need to be informed following the transparency obligations of the Controller.
2.4 Processor commits to only Process Personal Data for the purposes of the activities specified in this Data Processing Agreement and/or the Agreement, with the exception of the processing as described in Article 2.5. The Processor warrants that, without the explicit and written consent of the Controller, it will not use the Personal Data processed under this Processor Agreement, unless a legal provision applicable to Processor obliging it to do such processing. In that case, Processor shall notify the Controller, prior to the Processing, of that statutory provision, unless that legislation prohibits such notification for substantial reasons of public interest.
2.5 Processor shall process limited, pseudonymised, and/or aggregate data about use of the Service, for statistical and analytical purposes to improve the Service, such as for example how many people are using Carv.com tools at a certain moment, as described in the Privacy Statement of Carv.
Article 3 Technical and Organisational Measures
3.1 Taking into account the nature of the processing and to the extent reasonably possible, the Processor shall assist the Controller in complying with its duty under the GDPR to implement appropriate technical and organisational measures to ensure a risk-appropriate level of security.
3.2 Taking into account the state of the art and the costs of implementation, these measures will ensure an appropriate level of security, given the risks posed by the Processing and the nature of the data to be protected. In any event, the Processor shall take measures to secure Personal Data against destruction, whether accidental or unlawful, against accidental and intentional loss, falsification, unauthorised disclosure or access, or against any other form of unlawful Processing.
3.3 The technical and organisational measures taken by the Processor will be described in Annex 2. Controller acknowledges to have taken full knowledge of the relevant measures and by signing this Data Processing Agreement, the Controller consents to the measures taken by the Processor.
Article 4 Confidentiality
4.1 The Processor shall have all employees who are involved in the execution of the Agreement sign a confidentiality agreement - whether or not resulting from or included in the employment contract with those employees - which states that these employees must observe confidentiality with regard to the Processing of the Personal Data. The Processor shall take all necessary measures, such as screening of employees and security of data carriers, to ensure that confidentiality is maintained.
Article 5 Sub-processors
5.1 The Processor is, regarding to this Data Processing Agreement and the Agreement, entitled to engage with other third parties, acting as Sub-processors. These Sub-processors are detailed in Annex 3. If Processor wishes to engage with a different Sub-processor, the Processor shall inform the Controller about the intended change.
5.2 In case the Processor wishes to engage a different Sub-processor as mentioned in Article 6.1, the Controller may object to this intended change within five (5) working days.
5.3 The Processor will contractually bind each Sub-processor to comply with the confidentiality obligations, notification obligations and security measures in relation to the Processing of Personal Data, which obligations and measures must at least comply with the provisions of this Data Processing Agreement. These obligations will subsequently be laid down in a binding Data Sub-processors Agreement.
Article 6 Data processing outside the European Economic Area (EEA)
6.1 Data can only be Processed outside of the EEA in accordance with the applicable legal provision as set in the GDPR regarding such Processing. In this regard, the Processor can transfer Personal Data to the Sub-Processors listed in Annex 3.
Article 7 Liability
7.1 In respect of the Processor's liability under the Data Processing Agreement as well as in respect of the Processor's indemnification obligations contained in the Data Processing Agreement, the limitation of liability rules contained in the Agreement shall apply in full.
7.2 Notwithstanding Article 7.1 of this Data Processing Agreement, the Processor shall only be liable for the damage caused by Processing when this Processing failed to comply with the obligations of the GDPR specifically aimed towards the Processor or acted in breach of the lawful instructions of the Controller.
Article 8 Personal Data Breaches
8.1 In case the Processor becomes aware of a Personal Data Breach, the Processor shall notify the Controller without undue delay and will take all reasonable measures to prevent and/or limit (further) violation of the GDPR.
8.2 The Processor shall, to a reasonable extent, provide its assistance to the Controller and support the Controller in carrying out its legal obligations in respect of the identified incident.
8.3 Processor shall, to the extent reasonable, support the Controller in its obligation to notify the Personal Data Breach to the data protection authority and/or the data subject, as referred to in Article 33(3) and 34(1) GDPR.
8.4 Processor is in no case liable for the Controller's duty to report (adequately or timely) the Personal Data Breach as referred to in Article 33 and 34 GDPR.
Article 9 Cooperation
9.1 Taking into account the nature of the Processing the Processor will, and insofar as reasonably possible, provide all reasonable cooperation to the Controller in fulfilling its obligation pursuant to the GDPR to respond to requests for exercising rights of data subjects, in particular the right of access (Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction (Article 18 GDPR), data portability (Article 20 GDPR) and the right to object (Article 21 and 22 GDPR).
9.2 Processor shall forward as soon as possible to the Controller, the complaint or request of a data subject regarding the Processing of Personal Data.
9.3 Processor shall provide the Controller, to a reasonable extent, assistance with the Controller's duty to perform a Data Protection Impact Assessment (Article 35 and 36 GDPR). Parties shall make further (written) arrangements in that case.
9.4 Processor shall make available to the Controller all information reasonably necessary to demonstrate the Processor's compliance with its obligations under the GDPR.
9.5 Processor shall enable the Controller to review compliance with the Processor Agreement and, in particular, the security measures taken by the Processor, at most once per calendar year, upon reasonable notice and with the consent of the Processor. Any such audit shall, at all times, be conducted in a manner that causes the least possible interference with the normal business operations of the Processor and shall be at the expense of the Controller. If the Processor believes that an instruction in relation to the provisions of this paragraph constitutes a breach of the GDPR or other privacy laws applicable to it, the Processor shall immediately notify the Controller.
9.6 The audit in article 9.5 shall only take place after the Controller has reviewed similar audit reports made available by the Processor and presents reasonable arguments justifying an audit initiated by the Controller. Such an audit shall be justified when the similar audit reports present with Processor provide no or insufficient conclusive evidence of compliance with this Data Processing Agreement.
9.7 The Controller shall, to a reasonable extent, reimburse all costs arising from the assistance by the Processor as detailed in this Article.
Article 10 Deletion or return of Personal Data
10.1 The provisions of the Agreement regarding cancellation and/or termination of this Data Processing Agreement, will apply in full to this Data Processing Agreement.
10.2 If this Data Processing Agreement and/or the Agreement end in any manner whatsoever, the Processor will, unless mandatory law provides otherwise:
a) cease all use or other Processing of the Personal Data, unless the Controller requests Processor to continue the Processing; and
b) ensure, within a period agreed by Parties, that all documents and/or other information carriers which contain and/or relate to Personal Data (including all copies in any form whatsoever) are:
i. Returned to the Controller in a format specified by the Processor; and/or
ii. Deleted at the Controller’s request.
Article 11 Miscellaneous
11.1 The Controller and the Processor will amend this Data Processing Agreement by written agreement if this is required under applicable laws and regulations (including any laws and regulations applicable in the future) or because of an adjustment to the provision of services.
11.2 The provisions of the Agreement regarding choice of law and competent court, will apply in full to this Data Processing Agreement.
ANNEX 1 DESCRIPTION OF PROCESSING ACTIVITIES
TYPE OF PERSONAL DATA:
CATEGORIES OF DATA SUBJECTS:
ANNEX 2. SPECIFICATION OF THE SECURITY MEASURES
1. Security Organization and Program.
Carv.com maintains a risk-based assessment security program. The framework for Carv.com’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data. Carv.com’s security program is intended to be appropriate to the nature of the Services and the size and complexity of Carv.com’s business operations. Carv.com’s security framework is based on the ISO 27001 Information Security Management System and includes programs covering: Policies and Procedures, Asset Management, Access Management, Cryptography, Physical Security, Operations Security, Communications Security, Business Continuity Disaster Recovery Security, People Security, Product Security, Cloud and Network Infrastructure Security, Security Compliance, Third-Party Security, Vulnerability Management, and Security Monitoring and Incident Response. Security is managed at the highest levels of the company. Information security policies and standards are reviewed and approved by management at least annually and are made available to all Carv.com employees for their reference.
Carv.com has controls in place to maintain the confidentiality of Customer Data in accordance with the Agreement. All Carv.com employees and contract personnel are bound by Carv.com’s internal policies regarding maintaining the confidentiality of Customer Data and are contractually obligated to comply with these obligations.
3.1 Employee Background Checks.
Carv.com performs background checks on relevant new employees at the time of hire in accordance with applicable local laws. Carv.com currently verifies a new employee’s education and previous employment and performs reference checks. Where permitted by applicable law, Carv.com may also conduct criminal, credit, immigration, and security checks depending on the nature and scope of a new employee’s role.
3.2 Employee Training.
At least once (1) per year, Carv.com employees must complete a security and privacy training which covers Carv.com’s security policies, security best practices, and privacy principles. Employees on a leave of absence may have additional time to complete this annual training. Carv.com’s dedicated security team also performs phishing awareness campaigns and communicates emerging threats to employees. Carv.com has also established an anonymous hotline for employees to report any unethical behavior where anonymous reporting is legally permitted.
4. Third Party Vendor Management
4.1 Vendor Assessment.
Carv.com may use third party vendors to provide the Services. Carv.com carries out a security risk-based assessment of prospective vendors before working with them to validate they meet Carv.com’s security requirements. Carv.com periodically reviews each vendor in light of Carv.com’s security and business continuity standards, including the type of access and classification of data being accessed (if any), controls necessary to protect data, and legal or regulatory requirements. Carv.com ensures that Customer Data is returned and/or deleted at the end of a vendor relationship. For the avoidance of doubt, telecommunication providers are not considered subcontractors or third-party vendors of Carv.com.
4.2 Vendor Agreements.
Carv.com enters into written agreements with all of its vendors which include confidentiality, privacy, and security obligations that provide an appropriate level of protection for Customer Data that these vendors may process.
5. Hosting Architecture and Data Segregation
5.1 Google Cloud Platform.
The Carv.com Services are hosted on Google Cloud Platform (“GCP") in the EEA. The production environment within GCP where the Customer Data is hosted is logically isolated in a Virtual Private Cloud (VPC). Customer Data stored within GCP is encrypted at all times. GCP does not have access to unencrypted Customer Data. More information about GCP security is available at https://cloud.google.com/architecture#security.
For the Services, all network access between production hosts is restricted, using access control lists to allow only authorized services to interact in the production network. Access control lists are in use to manage network segregation between different security zones in the production and corporate environments. Access control lists are reviewed regularly. Carv.com separates Customer Data using logical identifiers. Customer Data is tagged with a unique customer identifier that is assigned to segregate Customer Data ownership. The Carv.com APIs are designed and built to identify and allow authorized access only to and from Customer Data identified with customer specific tags. These controls prevent other customers from having access to Customer Data.
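The tenant-tagging model described above (every record carries a customer identifier, and the API only serves records whose tag matches the caller's) can be illustrated with a small in-memory data store. This is an added example written for this page, not Carv.com's own code; the class and method names are assumptions, and the records are constructed sample data. The key design choice is that the customer identifier is taken from the authenticated session, never from the request body or URL, so a caller cannot simply name another tenant's identifier.

```python
"""Tenant-scoped data access: an added illustration, not Carv.com's code."""
from dataclasses import dataclass
import secrets


class AccessDenied(Exception):
    """Raised when a record is missing or belongs to a different tenant."""


@dataclass(frozen=True)
class Session:
    """Authenticated principal; customer_id is bound at login, not supplied per request."""
    user_id: str
    customer_id: str


@dataclass
class Record:
    record_id: str
    customer_id: str   # the tenant tag that segregates ownership
    payload: str


class CustomerDataStore:
    """Every read and write is filtered by the session's tenant tag (hypothetical store)."""

    def __init__(self) -> None:
        self._records: dict[str, Record] = {}

    def put(self, session: Session, payload: str) -> str:
        # The tag is copied from the session so a client cannot choose it.
        record_id = secrets.token_hex(8)
        self._records[record_id] = Record(record_id, session.customer_id, payload)
        return record_id

    def get(self, session: Session, record_id: str) -> Record:
        record = self._records.get(record_id)
        # Same error for "not found" and "wrong tenant": existence of another
        # customer's record is not revealed to the caller.
        if record is None or not secrets.compare_digest(
            record.customer_id, session.customer_id
        ):
            raise AccessDenied(f"record {record_id} not accessible")
        return record

    def list_for(self, session: Session) -> list[Record]:
        # Listing is scoped to the caller's tag, never a global scan.
        return [r for r in self._records.values() if r.customer_id == session.customer_id]


def demo() -> dict:
    """Constructed scenario: two tenants, one record each, cross-tenant read refused."""
    store = CustomerDataStore()
    alice = Session(user_id="alice", customer_id="cust-A")
    bob = Session(user_id="bob", customer_id="cust-B")
    rid_a = store.put(alice, "meeting notes for A")
    store.put(bob, "meeting notes for B")
    own_ok = store.get(alice, rid_a).payload == "meeting notes for A"
    try:
        store.get(bob, rid_a)   # bob names alice's record id directly
        cross_tenant_blocked = False
    except AccessDenied:
        cross_tenant_blocked = True
    return {
        "own_read_ok": own_ok,
        "cross_tenant_blocked": cross_tenant_blocked,
        "alice_visible": len(store.list_for(alice)),
        "bob_visible": len(store.list_for(bob)),
    }


if __name__ == "__main__":
    print(demo())
```

Using secrets.compare_digest for the tag comparison is a habit rather than a necessity here; the important properties are that the tag originates server-side and that a mismatched tenant produces the same response as a missing record.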
6. Physical Security.
GCP is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication (2FA) a minimum of two (2) times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions. Each data center has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week. Uninterruptible power supplies and on-site generators are available to provide back-up power in the event of an electrical failure. In addition, Carv.com headquarters and office spaces have a physical security program that manages visitors, building entrances, closed circuit televisions, and overall office security. All employees, contractors, and visitors are required to wear identification badges.
7. Security by Design.
Carv.com follows security by design principles when it designs the Services. Carv.com also applies the Carv.com Secure Software Development Lifecycle (Secure SDLC) standard to perform numerous security-related activities for the Services across different phases of the product creation lifecycle from requirements gathering and product design all the way through product deployment. These activities include, but are not limited to, the performance of (a) internal security reviews before deploying new Services or code; (b) penetration tests of new Services by independent third parties; and (c) threat models for new Services to detect potential security threats and vulnerabilities.
8.1 Provisioning Access.
To minimize the risk of data exposure, Carv.com follows the principles of least privilege through a team-based-access-control model when provisioning system access. Carv.com personnel are authorized to access Customer Data based on their job function, role, and responsibilities, and such access requires approval. Access rights to production environments that are not time-based are reviewed at least semi-annually. An employee’s access to Customer Data is promptly removed upon termination of their employment. In order to access the production environment, an authorized user must have a unique username and password and multi-factor authentication enabled. Before an engineer is granted access to the production environment, access must be approved by management and the engineer is required to complete internal training for such access including training on the relevant team’s systems. Carv.com logs high risk actions and changes in the production environment. Carv.com leverages automation to identify any deviation from internal technical standards that could indicate anomalous/unauthorized activity to raise an alert within minutes of a configuration change.
8.2 Password Controls.
Carv.com’s current policy for employee password management follows the NIST 800-63B guidance, and as such, our policy is to use longer passwords, with multi-factor authentication, but not require special characters or frequent changes. When a customer logs into its account, Carv.com hashes the credentials of the user before they are stored. A customer may also require its users to add another layer of security to their account by using two-factor authentication (2FA).
9. Change Management.
Carv.com has a formal change management process it follows to administer changes to the production environment for the Services, including any changes to its underlying software, applications, and systems. Each change is carefully reviewed and evaluated in a test environment before being deployed into the production environment for the Services. All changes, including the evaluation of the changes in a test environment, are documented using a formal, auditable system of record. A rigorous assessment is carried out for all high-risk changes to evaluate their impact on the overall security of the Services. Deployment approval for high-risk changes is required from the correct organizational stakeholders. Plans and procedures are also implemented in the event a deployed change needs to be rolled back to preserve the security of the Services.
10. Vulnerability Management.
Carv.com maintains controls and policies to mitigate the risk of security vulnerabilities in a measurable timeframe that balances risk and the business/operational requirements. Carv.com uses a third-party tool to conduct vulnerability scans regularly to assess vulnerabilities in Carv.com’s cloud infrastructure and corporate systems. Critical software patches are evaluated, tested, and applied proactively. Operating system patches are applied through the regeneration of a base virtual-machine image and deployed to all nodes in the Carv.com cluster over a predefined schedule. For high-risk patches, Carv.com will deploy directly to existing nodes through internally developed orchestration tools.
11. Penetration Testing.
Carv.com performs penetration tests and engages independent third-party entities to conduct application-level penetration tests. Security threats and vulnerabilities that are detected are prioritized, triaged, and remediated promptly.
12. Security Incident Management.
Carv.com maintains security incident management policies and procedures and assesses all relevant security threats and vulnerabilities and establishes appropriate remediation and mitigation actions.
13. Discovery, Investigation, and Notification of a Security Incident.
Carv.com will promptly investigate a Security Incident upon discovery. To the extent permitted by applicable law, Carv.com will notify Customer of a Security Incident in accordance with the Data Protection Addendum. Security Incident notifications will be provided to Customer via email to the email address designated by Customer in its account.
14. Customer Data Backups.
Carv.com performs regular backups of Customer Data, which is hosted on GCP’s data center infrastructure. Customer Data that is backed up is retained redundantly across multiple availability zones and encrypted in transit and at rest using the Advanced Encryption Standard.
ANNEX 3. OVERVIEW SUB-PROCESSORS