Data Protection Addendum
(January 31, 2020 Version)
A. DEFINITIONS
“Data Protection Authorities (DPAs)” means independent public supervisory authorities established under GDPR and United States Data Protection Laws and Regulations.
“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the United States, European Union, the European Economic Area and their member states, and the United Kingdom, to which Egnyte is bound in relation to its processing of Personal Data under the Agreement.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means any Customer Content relating to an identified or identifiable natural person under applicable Data Protection Laws and Regulations.
“Security Breach” means the actual or suspected unauthorized acquisition, destruction, loss, misappropriation or access to, disclosure, use, or modification of the Customer Content while stored by Egnyte. A Security Breach does not include any of those events occurring due to Customer or User actions or inactions, such as a failure to adequately protect Account access information, or the transfer of Content by Customer or a User to a third party outside of Egnyte’s network, etc.
B. DATA PROCESSING
The parties acknowledge and agree that Customer is the “Controller” and Egnyte is the “Processor” with regard to the processing of Personal Data, and Egnyte agrees to:
- comply with its obligations under applicable Data Protection Laws and Regulations, as well as the confidentiality and data security provisions of this Agreement;
- only process the Personal Data for the limited purposes of performing its obligations as a data processor under this Agreement;
- process the Personal Data only in accordance with Customer's documented instructions (from time to time) and shall procure that any Egnyte personnel or other person acting under the authority of Egnyte does the same;
- assist Customer in fulfilling its obligations to respond to requests for exercising the User’s (“data subject’s”) rights under GDPR, including by implementing appropriate technical and organisational measures to enable such assistance. To the extent legally permitted, Customer shall be solely responsible for any costs arising from Egnyte’s provision of such assistance;
- promptly provide to Customer such assistance as the Customer may from time to time reasonably require to enable it to comply with its security, breach notification, impact assessment, prior consultation, record keeping and DPA cooperation responsibilities under GDPR, including assistance with Customer-initiated audits as strictly necessary to verify compliance pursuant to Article 28(3)(h), which shall not be conducted more than once annually and shall not compromise the confidentiality or security of Egnyte’s operations or systems, including the data of other Egnyte customers;
- allow for and contribute to audits and inspections conducted by DPAs having proper legal authority over Egnyte’s Services’ infrastructure;
- only store and process Content, including Personal Data, within the EEA for Customers who have notified Egnyte of this requirement in writing prior to implementation of the Services;
- maintain a record of all categories of processing activities carried out on behalf of a Customer, in accordance with GDPR;
- notify Customer of any communication, including complaints, received from Users pertaining to the privacy or security of their Personal Data; and
- purge all Content following termination of the Agreement as set forth in the termination provisions of the Agreement.
Customer shall, in its use of the Services, only submit (and ensure that Users submit) instructions to Egnyte that comply with applicable Data Protection Laws and Regulations. Customer and its Users shall have sole responsibility for the accuracy, quality, and legality of the Personal Data and the means by which they acquired Personal Data.
C. PERSONAL DATA TRANSFERS FROM EUROPE TO THE UNITED STATES
With respect to any Egnyte transfers of Personal Data from the EU, EEA, or UK to Egnyte’s facilities in the United States (per the requests of Customer or Users), Egnyte complies with the EU-U.S. Privacy Shield Framework self-certification and is committed to handling all such Personal Data in accordance with the requirements thereof. The parties agree that if the EU-Privacy Shield Framework is declared inadequate (by the relevant supervisory authorities) to secure the transfer of Personal Data from the EU, EEA, or UK to Egnyte’s facilities in the United States, the parties will cooperate in finding an alternative transfer mechanism for such processing.
D. SUBCONTRACTORS
Egnyte may subcontract portions of the Services, provided that Egnyte shall remain the primary provider of the Services and is responsible for all such subcontracted obligations under the Agreement. If Customer is located within the EEA or has Users based in the EEA, prior to Egnyte engaging a new subcontractor during the Subscription Term that will assist in the processing of Personal Data under the Agreement, Egnyte shall provide Customer with advance notice of the engagement of the subcontractor and an opportunity to object thereto. If Customer objects on reasonable grounds to the engagement of the new subcontractor, the parties will discuss in good faith the possible options for resolving the objection. Egnyte will ensure that any sub-processor agreement at least contain the same data protection obligations as set out in this Agreement.
E. INFORMATION SECURITY PROCEDURES
- General Description of Egnyte’s Information Security Program. Egnyte’s information security program is designed to:
- ensure the security, integrity and confidentiality of Customer Content (which includes Personal Data), including by implementing appropriate technical and organisational measures;
- protect against anticipated threats or hazards to the security or integrity of Customer Content;
- protect against unauthorized access to or use of the Customer Content that could result in substantial harm or inconvenience to the person that is the subject of the Customer Content; and
- ensure the proper disposal of Customer Content.
- General Procedures.
- Data Storage. Egnyte stores Customer Content on secure computers located in a physically secure and controlled data center environment. Egnyte employs technologies that are consistent with industry standards for firewalls and other security technologies to prevent Egnyte computers from being accessed by unauthorized persons. All data is encrypted at rest with AES-256 bit encryption keys.
- Data Transfers. Egnyte uses HTTPS standards to protect data integrity during transfers. In addition, subject to Section 2.a above, Egnyte will maintain at least the following security measures:
- HTTP with SSL 256-bit encryption (HTTPS); and
- encrypted passwords for the Services.
- Security and Data Protection Impact Assessments. If requested by Customer, Egnyte will cooperate with Customer in an initial security assessment, including the completion of a risk assessment questionnaire. In addition, Egnyte will provide Customer with available and relevant SSAE18-related reports from the third party data center providers utilized in the provision of the Services, as well as with the results of the penetration testing which Egnyte has periodically performed by qualified third party security consultants.
Upon Customer’s written request and provided that (i) Customer does not have access to the necessary information and (ii) such information is within Egnyte’s possession (that is, without Egnyte having to expend more than nominal efforts to generate the information), Egnyte shall provide Customer with the information it possesses that is needed to fulfill Customer’s obligation under GDPR to carry out a data protection impact assessment related to Customer’s use of the Services. To the extent required under GDPR, Egnyte will provide additional, reasonable cooperation to Customer in its prior consultation with a Data Protection Authority regarding the data protection impact assessment.
All such information provided by Egnyte hereunder shall be considered the Confidential Information of Egnyte and held in confidence in accordance with the terms of the Agreement.
- Network and Physical Security Requirements.
- Basic Security Requirements. In addition to Section 2.a above, Egnyte will:
- maintain a working, tuned network firewall to protect Customer Content;
- regularly install security patches on the Services network;
- ensure authentication to the Services’ network web front-end is encrypted;
- where applicable, use and regularly update malware prevention tools;
- maintain a credential management process, which includes assigning a unique ID to each person with computer access and requiring periodic password changes;
- track access to systems, and generate and store audit trail and logs to help identify malicious activity;
- regularly test efficiency and health of security controls, systems and processes;
- maintain a policy that addresses information security for employees and representatives;
- restrict physical access to systems containing Customer Content;
- restrict remote access to the network / devices and employ secure remote access controls to verify the identity of users connecting to the Services; and
- protect backups from unauthorized access during transit and storage.
- Encryption. Egnyte will use cryptographic algorithms that have been published and evaluated by the general cryptographic community with sufficient strength to equate to 256-bit or better.
- Security Breach.
- Notification of Security Breach. Egnyte will notify Customer in accordance with applicable law of any actual or suspected Security Breach of any Customer Content immediately following discovery of a Security Breach, and provide Customer with a detailed description of the breach. Furthermore, Egnyte, without undue delay, shall notify Customer of any breach of data security that results in a breach of confidentiality of Personal Data known by Egnyte to be within its control, and the parties shall cooperate in determining the appropriate measures to be taken to address such a breach. Additionally, Egnyte shall ensure that its representatives handling Customer’s Personal Data shall be bound by confidentiality provisions no less strict than those of this Agreement. To the extent that User notification of an actual or suspected Security Breach is legally required or is desired by Customer, Egnyte will notify Customer’s administrator and Customer shall notify all other Users of the breach.
- Investigation of Security Breach. Egnyte will:
- promptly investigate each Security Breach;
- take all reasonable steps necessary to limit, stop or otherwise remedy the Security Breach;
- promptly implement appropriate internal technical and procedural controls to reduce the likelihood of a recurrence of a Security Breach; and
- provide Customer with documentation detailing the controls implemented.
In addition, in the event of a Security Breach, Customer will have the right to conduct on-premises investigations at the third party data centers utilized by Egnyte in the provision of the Services, subject to the internal rules and processes of such data centers and only as reasonably necessary to investigate the breach.
- Backup and Business Continuity. Egnyte maintains a business continuity program, including a recovery plan, sufficient to ensure Egnyte can continue to function through an operational interruption and continue to provide Services to Customer. The program provides a framework and methodology, including a business impact analysis and risk assessment process, necessary to identify and prioritize critical business functions. In the event Egnyte experiences an event requiring recovery of systems, information or services, the recovery plan will be executed promptly. Egnyte continuously enhances the Services’ security and availability of its multi-tenant enterprise class cloud infrastructure. Egnyte maintains multiple copies of Customer’s Content across two data centers at all times to ensure availability and redundancy.
- Egnyte Encryption Key Management. Egnyte uses the Egnyte Object Store to encrypt all Customer Content “at rest” in the Services, as follows:
- The Egnyte Object Store uses an AES-256 bit symmetric key algorithm to generate the Customer encryption key. The key is (i) generated per Egnyte domain, (ii) generated at the time the Customer Egnyte domain is created, (iii) unique to each Customer Egnyte domain, and (iv) stored in a secure key vault. This secure key vault is protected by the access control policy set in Egnyte’s information security documentation regarding ISO27001 (or comparable) compliance.
- Customer may choose to use its own encryption key management by integrating with an Egnyte supported Hardware Security Module (HSM) solution.