Data Processing Addendum
This Data Processing Addendum (“DPA”), Annex 1, and Annex 2 form part of the Terms of Service found at https://victoury.be/dpa (“the Agreement”) between Victoury BVBA (“Victoury”) and the customer of Victoury (“Customer”).
All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. Victoury and Customer may be referred to herein as a “party” and together as the “parties”.
1. DEFINITIONS IN THE FIELD OF PERSONAL DATA PROTECTION
For the purpose of processing personal data under this Agreement, the following definitions shall prevail:
CONTROLLER means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
DATA SUBJECT means the natural person to whom the data refer, respectively the persons whose personal data are processed;
GDPR means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
PERSONAL DATA means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
PERSONAL DATA BREACH means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
PROCESSING means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
PROCESSOR means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller;
2. REPRESENTATION OF THE PARTIES
2.1 In respect to the parties’ rights and obligations under this DPA regarding the personal data, the parties hereby acknowledge and agree that the Customer is the data controller and Victoury is the data processor, and accordingly Victoury agrees that it shall process all Personal Data in accordance with its obligations pursuant to this DPA.
2.2 The Controller declares by this Agreement that is responsible for the processing of personal data (within the meaning of art. 4 point 7 of the GDPR), described in Annex no. 1 to this Agreement and Processor processes personal data on behalf of the Controller.
2.3 The Processor declares that has the capacity, experience, knowledge and qualified personnel to enable the proper implementation and execution of this Agreement at the highest professional level expected from the entities operating in the market in which operates. In particular, the Processor declares that is aware of the rules for the processing and security of personal data, as provided in the GDPR and any other applicable data protection regulations.
2.4 The Processor also guarantees that:
2.4.1 Persons authorized to process personal data (“Authorized Persons”), respectively the personnel of the Processor are subject to the obligation of unconditional confidentiality as to the scope, purposes and means of processing of personal data, both during this Agreement, as well as after its completion;
2.4.2 Authorized persons process personal data only in accordance with the instructions of the Processor and are sufficiently trained to be able to comply with the applicable data protection regulations;
3. OBJECT OF THE DPA
The Controller entrusts the Processor with the processing of personal data, for the purposes set out in Annex 1 to this DPA, while the Processor undertakes to process personal data in accordance with this DPA and the applicable protection regulations, including the provisions of the GDPR.
4.1 The duration of this DPA and the processing of personal data correspond to the duration of the Agreement concluded between the Parties, to which is added the duration of retention of information required by law.
4.2 This DPA may be terminated as a result of the intervention of one of the following cases:
– by the written agreement of the parties;
– by termination of the Agreement for any reason.
4.3 The parties expressly agree that the Processor’s breach of its obligations under this DPA constitutes material breach of Agreement which constitutes termination of the Agreement.
5. GENERAL OBLIGATIONS OF THE PROCESSOR
The Processor shall undertake, in particular:
5.1. to refrain from processing personal data for purposes other than those specified in Annex no. 1 to this DPA. Modification of the purpose of the processing of personal data is permitted only by modification of this DPA, which must be made in writing;
5.2 to process personal data only on the basis of documented instructions, transmitted (in writing) by the Controller.
5.3 immediately inform the Controller in electronic format if, in the opinion of the Processor, the instructions constitute a violation of the Agreement, the provisions of the GDPR or other applicable data protection regulations.
5.4 The Processor is obliged to immediately make available to the Controller the information regarding the records of the processing activities related to the services provided, according to this DPA, as the Controller to comply with the obligation to keep the records of processing.
5.5 The Processor undertakes to implement and maintain the appropriate technical and organizational measures necessary to ensure the appropriate level of security for the risk of personal data processing, in accordance with the provisions of Article 32 of the GDPR. The minimum technical and organizational measures are set out in Annex 2 to this DPA.
5.6 The Processor undertakes to process personal data for the duration of this DPA. Upon completion of the processing of personal data under this DPA, depending on the decision of the Controller, the Processor undertakes to permanently and irreversibly delete personal data (including existing copies) or return them to the Controller, unless the applicable law requires otherwise and before deletion Processor ensures that Controller is able to download all necessary reports and data.
6.1. The Processor shall notify the Controller, without undue delay, of the following: a) any complaints or requests received directly from a data subject (right of access, deletion, etc.) without responding to the request if not previously authorized by the Controller or applicable law does not oblige the Processor to an answer; b) any mandatory legal requests for the disclosure of personal data by a law enforcement authority, unless otherwise prohibited, or any court order or requests made by competent authorities regarding the processing of personal data subject to this DPA (the Processor shall inform the Controller before answering Authorities’ requests).
6.2. In the event of a data breach leading to the destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed or any other case of suspected breach of data privacy, covering all or any part of the personal data subject to this DPA, the Processor will make, without undue delay the Notification to the Controller of data of the data breach by email.
6.3 The notification of data breach must contain at least the elements provided by art. 33, para. (3) GDPR.
6.4 If and to the extent that the above information cannot be provided at the same time, it must be provided gradually, without undue delay.
6.5 Without prejudice to the above, the Processor shall provide the Controller all additional information necessary to comply with the Controller’s obligations regarding data breach, in accordance with the GDPR.
6.6 The Processor must document all cases of data breach affecting all or any part of the personal data, including the circumstances of the breach, its effects and the remedial measures taken.
7. SUB-PROCESSING. DATA TRANSFER OUTSIDE THE EUROPEAN ECONOMIC AREA
7.1. Generally, the Processor processes personal data inside the European Economic Area.
7.2. Transfer of personal data to countries outside the EU and/or the European Economic Area (EEA) occures only with the authorization of Customer. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.
7.3. Customer agrees that Victoury may engage Sub-processors to process Customer Data on Customer’s behalf. The authorized Sub-processors based outside the EU and/or the European Economic Area currently engaged by Victoury and authorized by Customer are the following:
7.3.1. Mailchimp – https://mailchimp.com/legal/privacy/
7.3.2. Intercom – https://www.intercom.com/legal/privacy
7.3.3. Hetzner – https://www.hetzner.com/rechtliches/datenschutz
7.3.4. Google – https://policies.google.com/privacy?hl=en
7.4. Victoury shall notify Customer if it adds or removes Sub-processors based outside the EU and/or the European Economic Area at least 10 days prior to any such changes.
8. COOPERATION BETWEEN THE PARTIES
8.1 The Processor undertakes, as far as possible, to:
8.1.1 to assist the Controller with information on relevant technical and organizational measures to fulfill its obligations to respond to the requests of data subjects in order to exercise their rights mentioned in Chapter III of the GDPR;
8.1.2 assist the Controller in fulfilling its obligations to respond to requests from data protection authorities and other bodies, including law enforcement agencies;
8.1.3 to assist the Controller in complying with its obligations referred to in Articles 32-36 of the GDPR.
8.2 In addition to the obligations of the Controller described in this DPA, the Processor and the Controller undertake to inform each other of any proceedings carried out by a Data Protection Authority or other public body (including law enforcement agencies) and any exchange of correspondence with these entities (including the content of correspondence) in connection with the fulfillment of the Agreement.
9. LIABILITY OF THE PROCESSOR
The Processor will compensate the Controller for all damages caused in terms of non-compliance with GDPR standards resulting from the breach of its obligations as a data processor. This form of liability does not remove or prejudice actions relating to any other form of liability.
10 CONTACT DETAILS OF PROCESSOR REGARDING NOTIFICATIONS / BREACHES RELATED TO THE PROCESSING OF PERSONAL DATA
10.1 Contact details of the Processor:
E-mail: [email protected]
11. FINAL TERMS
11.1. Subsequent modification of the terms of this DPA is allowed only by agreement of the parties, by concluding additional written documents.
11.2. If one or more clauses of this DPA become inapplicable, the remaining contractual clauses shall remain valid, the execution of the DPA not being affected by this situation. In such a case, the Parties may replace, if necessary, the null or void clause with a new clause corresponding to the object and spirit of this DPA.
ANNEX No. 1 – The types of personal data processed, the categories of data subjects and the purpose of processing personal data
1.1 The categories of data subjects whose personal data may be the subject of this Agreement include:
The legal representatives and employees of the Controller and the Processor;
Final beneficiaries of services (Customers of the Travel agencies)
1.2 Personal data (information about an identified or identifiable natural person) that is the subject of this agreement may include categories of personal data, not limited to:
Employees/Legal representatives of the Controller and the Processor: Family Name, Middle Name, Personal Name, Position, Phone number, E-mail address, Signature, Username, Full Name, Email, Role, Password, Brand
Customers of the Travel Agencies: Title, Family name, Middle Name, Personal Name, Gender, Birthdate, Birth Place, Preffered Language, Nationality, Email Address, Address, Skill level (for specific cases, eg. scuba diving), Phone Number, Brand, VIP or Blacklister, Passport data, travel data ( reserved destination, period etc), other profile data (eg. disability, culinary preferences or other relevant data given to Travel Agency)
1.3 Processor undertakes to process personal data by:
(I) erasure or destruction
1.4 The Processor shall only process Personal Data for the permitted purposes, which shall include:
processing as necessary to provide the service in accordance with the Agreement;
processing initiated by Customer in its use of the service;
processing to comply with any other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement.
ANNEX No. 2 – MINIMUM SECURITY MEASURES REQUIRED
Taking into account the nature, scope, context and purposes of the processing, the costs of implementation as well as the risks with varying degrees of probability and seriousness for the rights and freedoms of individuals, the Processor implements appropriate technical and organizational measures to guarantee and to be able to demonstrate that the processing is performed in accordance with specific legislation (GDPR). Also, the technical and organizational measures adopted by the Processor are necessary to protect personal data against accidental or illegal destruction, loss, modification, disclosure or unauthorized access. Those measures shall be reviewed and updated as necessary.
Technical and Organizational Measures implemented by the Processor are listed below:
Victoury SaaS Technical and Organizatorical Measures
1 Servers are located at Hetzner Germany. Hetzner is a professional web hosting provider and experienced data center operator. Since 1997 this company has been providing private and business clients with high-performance hosting products as well as the necessary infrastructure for the efficient operation of websites. It is a combination of stable technology and flexible support and services. The company owns several data centers in Germany and Finland.
2 As a performance Hetzner Online uses well-known hardware and software manufacturers to be at the highest level of quality. Customers can reach our qualified data center technicians 24/7. Data center parks are in Nuremberg, Germany; Falkenstein/Vogtland, Germany and Helsinki, Finland which provide us multi-redundant network connections to important Internet exchanges. More details about Hetzner datacenter at https://www.hetzner.com/unternehmen/rechenzentrum/
3 Victoury SaaS systems has been using Hetzner services since 2015. We are using both dedicated servers infrastructure and cloud servers.
4 The Customer will access the Victoury application using a web browser and the URL provided to them. Once securely logged in, the Customer can perform administrative tasks such as adding and deleting users, booking, managing invoices etc.
5 Victoury offers the following core SaaS support and operational services
6 – Functional on Software-as-a-Service
7 – Service Support
8 The Customer may contact Victoury through a variety of methods such as online support tickets, chat or telephone. The Victoury Team will either provide support to the Customer directly or coordinate delivery of this support. Online chat support is available inside of the application.
9 Victoury for the moment does not offer 24x7x365 Service Operations Center, but we are available in GMT+3 timezone during working hours (09:00 to 17:00). All tickets will be answered in 24 hours during Monday to Friday.
10 Victoury monitors the application and connected services on Software-as-a-Service solution components 24×7 availability. Victoury uses a centralized notification system to deliver proactive communications about application changes, outages and scheduled maintenance. Alerts and notifications are available in the application and via email.
Capacity and Performance Management
11 The architecture provided and selected by Victoury allows to expand capacity to applications, databases and storage.
Operational Change Management
12 Victoury follows a set of standardized methodologies and procedures for efficient and prompt handling of changes to SaaS infrastructure and application, which enables beneficial changes to be made with minimal disruption to the service.
Solution Data Backup and Retention
13 The data backup and retention described in this section are part of Victoury’s overall business continuity management practices designed to attempt to recover availability to Customer on Software-as-a-Service and access to the Software-as-a-Service Customer data, following an outage or similar loss of service.
14 The following types of Customer-specific data are included in the Victoury Software-as-aService database that resides in the Victoury SaaS environment:
15 – Customer inserted data. The Data Backup Frequency is one (1) day and Victoury performs that daily backup of the Software-as-a-Service files and Software-as-a-Service database (including configuration data). The Backup Retention Time is seven (5) days, meaning Victoury retains each daily backup for the most recent seven (7) days (“Data Retention Time”).
16 Victoury’s standard storage and backup measures are Victoury’s only responsibility regarding the retention of this data, despite any assistance or efforts provided by Victoury to recover or restore Customer’s data. Customers may request via a service request for Victoury to attempt to restore such data from Victoury’s most recent backup. Victoury will be unable to restore any data not included in the database (not properly entered by the user, or lost or corrupted etc.) at the time of backup or if Customer´s request comes after the Data Retention Time of such backup.
1. Business Continuity Plan
17 Victoury SaaS continuously evaluates different risks that might affect the integrity and availability of Victoury SaaS. As part of this continuous evaluation, Victoury SaaS develops policies, standards and processes that are implemented to reduce the probability of a continuous service disruption. Victoury documents its processes in a business continuity plan (“BCP”) which includes a disaster recovery plan (“DRP”). Victoury utilizes the BCP to provide core Victoury SaaS and infrastructure services with minimum disruption. The DRP includes a set of processes that Victoury SaaS implements and tests Victoury SaaS recovery capabilities to reduce the probability of a continuous service interruption in the event of a service disruption.
18 Victoury SaaS performs both on-site and off-site backups with a 24 hours recovery point objective (RPO). Backup cycle occurs daily where a local copy of production data is replicated on-site between two physically separated storage instances. The backup includes a snapshot of production data along with an export file of the production database. The production data is then backed up at a remote site. Victoury uses storage and database replication for its remote site backup process. The integrity of backups are validated by (1) real time monitoring of the storage snapshot process for system errors.
19 Process to assure the same number of bits exists on both source and destination storage systems, and (3) and annual restoration of production data from an alternate site to validate both data and restore flow integrity.
20 Victoury maintains an information and physical security program designed to protect the confidentiality, availability and integrity of Customer Personal Data and confidential information (the “Victoury Security Program”).
Technical and Organizational Measures
21 This section describes Victoury´s standard technical and organizational measures, controls and procedures, which are intended to help protect the Customer-provided SaaS Data.
22 Victoury regularly tests and monitors the effectiveness of its controls and procedures. No security measures are or can be completely effective against all security threats, present and future, known and unknown. The measures set forth in this section may be modified by Victoury, but represent a minimum standard.
23 Customers remain responsible for determining the sufficiency of these measures.
Physical Access Controls
24 Victoury maintains physical security standards designed to prohibit unauthorized physical access to the Victoury equipment and facilities used to provide SaaS and include Victoury data centers and data centers operated by third parties. This is accomplished through the following practices provided by Hetzner Online:
25 · presence of on-site security personnel on a 24×7 basis;
26 · use of intrusion detection systems;
27 · use of video cameras on access points and along perimeter;
28 · monitoring access to facilities, including restricted areas and equipment within the data center
29 Victoury maintains the following standards for access controls and administration designed to make Customer-provided SaaS Data accessible only by authorized Victoury personnel who have a legitimate business need for such access:
30 · secure user identification and authentication protocols
31 · Customer provided SaaS data is accessible only by authorized Victoury personnel who have a legitimate business need for such access, with user authentication, sign-on and access Controls
32 · employment termination or role change is conducted in a controlled and secured manner;
33 · administrator accounts should only be used for the purpose of performing administrative activities;
34 · each account with administrative privileges must be traceable to a uniquely-identifiable Individual;
35 · all access to computers and servers must be authenticated and within the scope of an employee’s job function;
36 · collection of information that can link users to actions in the Victoury SaaS environment;
37 · collection and maintenance of log audits for the application, OS, DB, network and security devices according to the baseline requirements identified;
38 · restriction of access to log information based on user roles and the “need-to-know;” and
39 · prohibition of shared accounts.
40 Victoury SaaS environments are segregated logically by Victoury SaaS access control mechanisms. Internet-facing devices are configured with a set of access control lists (ACLs), which are designed to prevent unauthorized access to internal networks. Victoury uses security solutions on the perimeter level such as: firewalls, IPS/IDS, proxies and content based inspection in order to detect hostile activity in addition to monitoring the environment’s health and availability.
41 Victoury SaaS uses industry standard techniques to encrypt Customer-provided SaaS Data in transit. All inbound and outbound traffic to the external network is encrypted via secure layers.
Victoury Employees and Subcontractors
42 Victoury requests that all employees involved in the processing of Customer-provided SaaS Data are authorized personnel with a need to access the Customer-provided SaaS Data, are bound by appropriate confidentiality obligations and have undergone appropriate training in the protection of customer data. Victoury requests that any affiliate or third party subcontractor involved in processing Customer-provided SaaS Data enters into a written agreement with Victoury, which includes confidentiality obligations substantially similar to those contained herein and appropriate to the nature of the processing involved.
Data Subject Requests
43 Victoury will, within three (3) business days of receipt, refer to Customer any queries from data subjects in connection with Customer-provided SaaS Data.
44 To enable Customers to plan for scheduled maintenance by Victoury, Victoury reserves predefined time frames to be used on an as-needed basis. Victoury reserves a weekly two (2) hours window (Sunday 00:00 to 02:00 Pacific Standard Time) and one (1) monthly four (4) hour window (Sunday in the 00:00 to 08:00 Pacific Standard Time block). These windows will be used on an as-needed basis.
45 Planned windows will be scheduled at least two (2) weeks in advance when Customer action is required, or at least four (4) days in advance otherwise.
Scheduled Version Updates
46 “SaaS Upgrades” are defined as both major version updates, minor version updates and binary patches applied by Victoury to Customer’s Victoury Functional on Software-as-a-Service solution in production. These may or may not include new features or enhancements. Victoury determines whether and when to develop, release and apply any SaaS Upgrade. Customer is entitled to SaaS Upgrades as part of Victoury Functional on Software-as-a-Service service unless the SaaS Upgrade introduces new functionality that Victoury offers on an optional basis for an additional fee.
47 Victoury will use the Scheduled Maintenance windows defined above to apply the most recent service packs and hotfixes and to perform upgrades to minor versions of Victoury Functional on Software-as-a-Service solution. To enable Customers to plan for scheduled major version updates by Victoury, Victoury will be scheduling major version updates at least two (2) weeks in advance.
48 Customers may cancel Victoury SaaS by providing Victoury with thirty (30) days written notice prior to the expiration of the SaaS Order Term (“Cancellation”) or cancel the credit card payment of the monthly subscription. Such Cancellation shall be effective upon the last day of the then current SaaS Order Term. Upon Cancellation, expiration, or termination of the SaaS Order Term, Victoury may disable all Customer access to Victoury Functional on Software-as-a-Service solution, and Customer shall promptly return to Victoury (or at Victoury’s request destroy) any Victoury Materials.
49 Victoury will make available to Customer such data in the format generally provided by Victoury. The target time frame is set forth below in the Termination Data Retrieval Period SLO section. After such time, Victoury shall have no obligation to maintain or provide any such data, which will be deleted in the ordinary course.
Service Level Objectives
50 Victoury provides clear, detailed, and specific Service Level Objectives (SLOs) for the services that SaaS provides to its customers. These SLOs are targets used by Victoury to deliver the service and are provided as guidelines. They in no way create a legal requirement or obligation for Victoury to always meet these objectives.
51 Victoury will provide self-service access to Customer to the Service Level Objectives Provisioning Time SLO Solution Provisioning is defined as the Victoury Functional on Software-as-a-Service solution being available for access over the internet. Victoury targets to make Victoury Functional on Software-as-a-Service available within one (1) business days of the customer’s purchase order (PO) being booked within the Victoury order management system.
52 Customer is responsible for installing and configuring any additional onsite components for his applications. Any onsite components of the solution are not in scope of the Solution Provisioning Time SLO.
Solution Availability SLO
53 Solution Availability is defined as the Victoury Functional on Software-as-a-Service production application being available for access and use by Customer and its Authorized Users over the Internet. Victoury will provide Customer access to the Victoury Functional on Software-as-a-Service production application on a twenty-four hour, seven days a week (24×7) basis at a rate of 99 % (“Solution Uptime”).
54 Solution Uptime shall be measured by Victoury using Victoury monitoring software running from a minimum of four global locations with staggered timing.
55 On a quarterly basis, Solution Support Uptime will be measured using the measurable hours in the quarter (total time minus planned downtime, including maintenance, upgrades, etc.) as the denominator. The numerator is the denominator value minus the time of any outages in the quarter (duration of all outages combined) to give the percentage of available uptime (2,178 actual hours available / 2,200 possible available hours = 99% availability).
56 An “outage” is defined as two consecutive monitor failures within a five-minute period, lasting until the condition has cleared.
Boundaries and Exclusions
57 Solution Uptime shall not apply to any of the following exceptions:
58 Overall Internet congestion, slowdown, or unavailability
59 Unavailability of generic Internet services (e.g. DNS servers) due to virus or hacker attacks
60 Force majeure events as described in the terms of the SaaS agreement
61 Actions or omissions of Customer (unless undertaken at the express direction of Victoury) or
62 third parties beyond the control of Victoury Unavailability due to Customer equipment or third-party computer hardware, software, or network infrastructure not within the sole control of Victoury.
Initial SaaS Response Time SLO
63 The Initial SaaS Response Time refers to the Service Support. It is defined as the acknowledgment of the receipt of a customer request and the assignment of a case number for tracking purposes. Initial SaaS Response will come as an email to the requester and include the case number and links to track it using Victoury online customer portal. The Initial SaaS Response Time covers both service requests and support requests. Victoury targets to provide the Initial SaaS Response no more than one hour after the successful submission of a customer request
SaaS Support SLOs
64 There are two types of SaaS Support SLOs: Service Request and Support Request SLOs.
65 • The Service Request SLO applies to the majority of routine system requests. This includes functional system requests (product add/move/change), informational, and administrative requests.
66 • The Support Request SLO applies to issues that are not part of the standard operation of the service and which causes, or may cause, an interruption to or a reduction in the quality of the service.
67 The Response and Resolution Targets are provided as guidelines and represent typical request processing by Victoury SaaS support teams. They in no way create a legal requirement or obligation for Victoury to always respond in the stated time.
Termination Data Retrieval Period SLO
68 The Termination Data Retrieval Period is defined as the length of time in which the customer can retrieve a copy of their customer Victoury Functional on Software-as-a-Service data from Victoury. Victoury targets to make available such data for download in the format generally provided by Victoury for 30 days following the termination of the SaaS Order Term.