Effective date: 1 June 2023
DATA PROCESSING ADDENDUM
This Data Processing Addenddum with appendices (the "Agreement") has been entered between:
The Controller: Customer (the "Controller"); and
The Processor: Zenauth Ltd (trading as “Cerbos”), registered company number 13249733 (the "Processor"), each a "Party" and collectively, the "Parties".
The Agreement forms part of Zenauth Ltd's terms and conditions (the "Existing Agreement") and sets out the additional terms, requirements and conditions on which the Processor will Process Personal Data (each as defined below) when fulfilling its obligations under the Terms. The Agreement contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors (the "UK GDPR").
The Agreement contains the following appendices:
- List of sub-processors
- Technical and organizational security measures
- Contact details
The terms used in this Agreement shall have the same meaning as ascribed to them in Article 4 of the UK GDPR.
"Applicable Law" refers to the legislation applicable to the Processing of Personal Data, including the UK GDPR, supplementary national legislation, as well as practices, guidelines and recommendations issued by the Supervisory Authority.
"Controller" means the company / organization that decides for what purposes and in what way Personal Data is to be processed and is responsible for the processing of Personal data in accordance with applicable data protection legislation.
"Data Subject" means the natural person whose Personal Data is processed.
"Personal Data" means any kind of information that can be derived from an identifiable natural person (in the Agreement, "Personal Data" is used synonymously with "personal data for which the Controller is responsible and that is processed by the Processor on behalf of the Controller").
"Processing" means any operation or set of operations which is performed on Personal Data, for example, storage, modification, reading, handover and similar.
"Processor" means the company / organization that processes Personal Data on behalf of the controller and can therefore only process the Personal Data according to the instructions of the controller and Applicable law.
"Supervisory Authority" means the Information Commissioner's Office or another supervisory authority which on the basis of law has the authority to conduct supervisory activities over the Controllers operation.
Unless otherwise defined herein, all capitalized terms (definitions) used in this Agreement shall have the same meaning as ascribed to them in the Existing Agreement.
3. DESCRIPTION OF PROCESSING
3.1 Categories of Data Subjects
The Controller directs the Processor to process data that identifies the Controllers':
- Business contacts
- Potential employees
- Board members
- Potential investors
3.2 Categories of Personal Data
The Processor will process the following personal data on behalf of the Controller:
- Any user information that is included within application access policies
- Any user information that is included within application access logs
The Processor will access the Personal Data from the following sources:
- User provided information via Cerbos interfaces
- Log data provided by the customer for analysis
- Resource policies provided by the customer
3.4 The purpose of the processing of Personal Data (the "Purpose")
The Processor will process the personal data for the following purposes:
- Build, compile, and test policy information
- Running analysis on the provided log data
3.5 Processing of Personal Data
The Processor will process Personal Data in the following ways:
- Aggregate metrics on log audit data to provide analysis of usage.
- Debug any issues that customers may need to get their systems running correctly.
- To understand the product usage metrics
4. SPECIFIC UNDERTAKING OF THE PROCESSOR
- The Processor undertakes to consider and observe the principles for processing Personal Data set out in Article 5 of the UK GDPR in connection with each and every Processing.
- By entering into this Agreement, the Processor guarantees that the Controller does not need to take any additional measure to ensure that the Processor meets the requirements for expertise, reliability and resources to carry out the technical and organizational measures required by Applicable law.
- The Processor undertakes to only process Personal Data in accordance with the Agreement, the purposes set out in the Existing Agreement, the Controller's documented instructions and Applicable Law.
- Upon the Controller's request, the Processor shall (i) (by using the appropriate technical and organizational measures) assist the Controller in its duty to respond to the request for the exercise of the rights of Data Subjects and (ii) with regards to the type of processing and available information, carry out Data Protection Impact Assessments (DPIA) and participate in consultations with Supervisory Authorities in accordance with Applicable Law.
- If the Processor violates Applicable Law by independently determining the purposes and means of the Processing (e.g. processing the Personal Data for purposes other than the Purpose), the Processor shall be regarded as the controller for the new Processing. To clarify, any new Processing shall not affect the Processing made in accordance with this Agreement.
- If there is a conflict between the Controller's instructions and Applicable law, the Processor has the right to refrain from complying with such instructions. The Processor shall inform the Controller immediately if it considers that the instructions provided by the Controller are incomplete, inadequate or incorrect.
5. SPECIFIC UNDERTAKINGS OF THE CONTROLLER
- The Controller determines the purpose and means for the Processing of the Personal Data. The Controller has full ownership and the formal control of the Personal Data Processed by the Processor.
- The Controller is responsible to the Data Subject for the Processing of the Personal Data.
- The Controller is responsible for ensuring that the Personal Data is accurate and up to date.
6. PERSONAL DATA BREACH
In the event of a situation leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed ("Personal Data Breach"), the Processor shall, without undue delay, and no later than hours after having become aware of the Personal Data Breach, notify the Controller by sending a written notice to the address provided in Appendix 3 (Contact details). The information shall, to the extent that it is available to the Processor, contain the following at least:
- A description of the circumstances surrounding the Personal Data Breach
- A description of the nature of the Personal Data Breach, and, if possible, the categories and approximate number of Data Subjects affected and the categories and approximate number of Personal Data concerned
- A description of the likely consequences of the Personal Data Breach
- A description of the measures taken or proposed to address the Personal Data Breach, and, where appropriate, measures to mitigate its potential adverse effects
- Contact information to the Data Protection Officer or other contact person who can provide more information to the Controller
If it is not possible for the Processor to provide all the information at once, the information may be provided in installments without undue delay.
7. AUDIT RIGHTS
Upon the Controller's request, the Processor shall give access to all information necessary to show that the Processor's obligations under Applicable Law and this Agreement have been fulfilled.
If the information provided in accordance with the previous paragraph cannot reasonably demonstrate that the Processor's obligations under Applicable law have been fulfilled, the Controller is entitled to carry out physical audits.
The Processor shall enable and contribute to audits and inspections carried out by the Controller or by an impartial third party appointed by the Controller. The Controller shall notify the Processor in writing of the planned audit at least business days in advance.
The audit shall be carried out:
- During normal business hours
- After the Controller has ensured that the person conducting the review is subject to a confidentiality agreement appropriate in relation to the Personal Data and information to be reviewed
- In accordance with the Processor's internal policies and security procedures
- When engaging a sub-processor, the Processor shall ensure that the sub-processor comply with the Processor's obligations in the Agreement by entering into a contract or other legal act (the "Sub-processor agreement"). The foregoing shall be particularly observed in respect of the Processor's obligation to provide sufficient guarantees regarding implementing appropriate technical and organizational measures as required to comply with Applicable Law.
- The Controller is always entitled to a copy of the Sub-processor agreement (strictly commercial information may be edited).
- The Processor must keep an updated record of the sub-processors. The record shall be made available to the Controller upon request.
- Processor shall be exclusively responsible towards the Controller if the sub-processor fails to, or omits from, fulfilling its obligations under the Sub-processor agreement.
9. RECORD OF PROCESSING AND DATA PROTECTION OFFICER
- The Processor undertakes to keep a written record of the processing of Personal Data according to Article 30 (2) of the UK GDPR. The record shall be available to the Controller upon request.
- If the Processing or the nature of the Controller's business requires the Controller to appoint a Data Protection Officer in accordance with Article 37 of the UK GDPR, the Data Protection Officer's contact details shall be included in the appendix Contact details.
10. CONTACT WITH SUPERVISORY AUTHORITY AND THE DATA SUBJECT
- The Processor shall promptly inform the Controller of all contact it may have with the Data Subject, a Supervisory Authority or any other third party concerning the Personal Data that the Processor is Processing.
- In the event a Data Subject makes a request to the Processor regarding his / her rights in respect of the Processing, the Processor shall refer the Data Subject to the Controller.
- The Processor shall allow any inspections that the Supervisory Authority may require to perform in accordance with Applicable law.
- The Processor is not entitled to represent the Controller or otherwise act on behalf of the Controller in respect of the Data Subject, a Supervisory Authority or any other third party.
11. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
- The Processor shall take the appropriate organizational and technical security measures to ensure that the Personal Data included in the scope of this Agreement is protected against any unauthorized or illegal access. This includes ensuring the adequate capacity, technical solutions, skills, financial and human resources, procedures and methods.
- The appropriateness of the technical and organizational security measures shall be assessed taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the Processing as well as the risks (of varying likelihood and severity) for rights and freedoms of natural persons posed by the Processing.
- If the Controller assesses that the Processing operation is of high risk to the rights and freedoms of the Data subject and conducts a DPIA, the Controller shall share the results of the DPIA with the Processor to ensure that this can be taken into account in when determining what constitutes appropriate security measures.
- The Processor must comply with any decisions and consultation opinions that the Supervisory Authority announces regarding measures for complying with the security requirements and all other requirements relating to the Processor under Applicable Law.
- The Processor shall ensure that employees (of the Processor or their sub-contractors) are only allowed access to Personal Data to that extent necessary and that those who have access to Personal Data have undertaken to respect the confidentiality of such information (e.g. by signing an individual non-disclosure agreement).
- Only persons employed/engaged as consultants by the Processor and who have been deemed to have the adequate level of knowledge of the nature and extent of the Processing of Personal Data may process the Personal Data.
- Computer equipment, storage media and other equipment used in the Processing of Personal Data carried out by the Processor must be kept where/or in such manner that no unauthorized persons can access them.
- The security at the Processor's facilities where Personal Data is Processed must be appropriate and secure in regards of locking equipment, functioning alarm equipment, protection against fire, water and burglary, protection against power outages and power disturbances. The equipment used to process Personal Data must have good protection against theft and events that may destroy the equipment and / or Personal Data.
12. CONTROL OVER THE PERSONAL DATA
- The Processor shall ensure that Personal Data processed is not accidentally or unlawfully destroyed, altered or corrupted. All Personal Data shall be protected against any unauthorized access during storage, transfer and other Processing.
- No Personal Data may be provided to the Controller before the identity of the recipient has been duly verified.
13. TRANSFER OF DATA OUTSIDE THE EU/EEA
In the event that the Processor transfers Personal data outside the EU/EEA, the Processor ensures that the level of protection is adequate and in accordance with Applicable Law by controlling that at least one of the following requirements are fulfilled:
- The level of protection is adequate in the third country where the data is processed.
- The Processor has signed up to the EU Commission's standard contract clauses (SCCs) and the International data transfer addendum.
- The Processor has taken other appropriate safeguards prior to the transfer and that such safeguards comply with Applicable Law.
- No Party is liable for any delay or failure to perform due to extraordinary circumstances beyond the control of the Party, which the Party could not reasonably expect and which consequences the Party could not reasonably have avoided or overcome.
- Each Party's liability, taken together and in aggregate is subject to the limitations of liability in the Existing Agreement and any reference to the liability of a Party in the Existing Agreement means the aggregate liability of that Party under the Existing Agreement and this Agreement together.
- The Processor agrees to indemnify, keep indemnified and defend at its own expense the Controller against all costs, claims, damages or expenses incurred by the Controller or for which the Controller may become liable due to any failure by the Provider or its employees, subcontractors or agents to comply with any of its obligations under this Agreement and/or the Data Protection Legislation.
- Any limitation of liability set forth in the Existing Agreement will not apply to this Agreement's indemnity or reimbursement obligations.
- The Processor may not use information or other material to which it is granted access in connection with entering into this Agreement or the Existing Agreement for any other purpose than fulfilling its obligations under this Agreement or the Existing Agreement.
- The Processor may not disclose information to third parties or any other unauthorized persons about the Processing of Personal Data or the content of Personal Data covered by this Agreement or other information to which the Processor has been granted access as a result of, or in connection with entering into, this Agreement. This undertaking does not apply to information that the Processor is required to disclose under mandatory law.
16. TERM AND TERMINATION
- The Agreement is valid and in force from the date that the Processor first processes Personal Data on behalf of the Controller to the date when it ceases such Processing or until this Agreement is replaced by another Data Processing Agreement.
- The obligations of the Processor under the Agreement shall continue to apply, regardless of whether the Agreement has been replaced, as long as the Processor processes Personal Data on behalf of the Controller.
17. ERASURE AND RETURNING OF PERSONAL DATA
- Upon the termination of the Agreement, the Processor and any sub-processor shall, at the request of the Controller, either erase or return the Personal Data processed within the scope of this Agreement.
- If the Controller has not requested the return or deletion of the Personal Data within 60 days of the Agreement being terminated, the Processor may delete the Personal Data.
18. GOVERNING LAW AND JURISDICTION
- This Agreement, and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims), shall be governed by, and construed in accordance with the law of England and Wales.
- Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this agreement or its subject matter or formation (including non-contractual disputes or claims).
EXISTING AND APPROVED SUB-PROCESSORS
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
The Processor has taken technical and organizational measures to ensure that Personal Data is processed securely and protected from loss, misuse and unauthorized access.
Where applicable, this Appendix 2 will serve as Annex II to the Standard Contractual Clauses. The following provides more information regarding Cerbos' technical and organizational security measures set forth below.
Technical and Organizational Security Measures:
MODULE TWO: Transfer controller to processor
Cerbos as data importer will implement the following types of security measures:
Encryption: All data traffic to and from Cerbos is transmitted over Secure HTTP (HTTPS) using TLS v1.2 or better. All volumes underlying Cerbos data stores are encrypted using the industry standard AES-256 encryption algorithm to encrypt Customer data. GCP is used for key management and cryptographic operations.
Multi-tenancy: We have adopted a multi-tenancy model to ensure that one customer’s data is never available to another customer. Customer data separation is logical. Each customer is assigned a unique Workspace ID and customer data is separated by this ID.
Logical separation between control and data plane: The control plane manages the configuration of our customer’s sources and destinations, while the data is owned by customer and only processed in transit by Cerbos.
Control plane access control and authentication: The platform supports role-based access control which allows access to data based on access privileges associated with the user's user ID. Cerbos Cloud version supports 2-Factor Authentication via email or phone verification using a one-time password (OTP).
Monitoring: A monitoring utility is configured to track and monitor changes to resources and services used within AWS. Alerts sent by the monitoring utility are investigated and timely addressed.Security groups are assigned to EC2 instances using the AWS Management Console to implicitly deny and explicitly allow incoming traffic. AWS WAF and AWS GuardDuty provide continuous monitoring of the company's and enable early detection of potential security breaches, which are handled in accordance with defined incident response procedures.
Backup and recovery: We maintain backups of the production version of the Cerbos Cloud platform. Backups of the databases supporting the Cerbos Cloud platform are performed using GCP automatic snapshots, which has been configured to perform backups according to an established schedule of daily incremental backups and weekly full backups and retain 7 days of rolling backups. Backups are encrypted at rest.
Personnel security: All personnel go through background screening, and are bound by privacy and confidentiality obligations as part of their contract and non-disclosure agreement with Cerbos. All personnel are also required to undertake relevant security and privacy training.
Audits: We are in the process of attaining Service Organization Controls (SOC) 2 Type 2 assessment through a third-party auditor. The SOC 2 Type 2 report will validate that Cerbos meets the requirements of customers in highly controlled industries who need expert evaluation about how vendors handle the principles of security.
Contractual measures: Our contractual measures are set out in the DPA we sign with our customers. We are obligated under the SCCs (incorporated within the DPA) to notify our customers in the event we are made subject to a request for government access to customer personal data from a government authority.
Cerbos' hosted solution is running on GCP with the cluster spanning multiple availability zones within the European Union. As our subprocessor, any data sent to GCP is subject to equal enforcement of the terms of the DPA we sign with our customers. Our agreement with GCP is supplemented with GCP's DPA, incorporating the new SCCs. GCP has also set out the key technical, contractual and organizational supplementary measures that GCP takes and makes available to protect customer data and support the effectiveness of the SCCs.
We will promptly inform Customer if we are unable to comply with the terms of SCCs, in which case Customer is entitled to suspend the transfer of Customer Personal Data.
Zenauth Ltd, 103 Albert Bridge Road, London, SW11 4PF, United Kingdom