
Data Processing Agreement

1. Scope, Order of Precedence, and Term

1.1 This Data Processing Agreement ("DPA") serves as an addendum to the Customer Terms of Service ("Agreement") between North Commerce and Distribution SRO ("ofsecman.io") and the Customer. Both ofsecman.io and the Customer are referred to individually as a "party" and collectively as the "parties."

1.2 This DPA applies when, and only to the extent that, ofsecman.io processes Personal Data on behalf of the Customer in providing Services, and where such Personal Data is subject to applicable Data Protection Laws, including those of the State of California, the European Union, the European Economic Area, Switzerland, and the United Kingdom. The parties commit to complying with the terms outlined in this DPA in relation to such Personal Data.

1.3 The duration of the Processing covered by this DPA will match the duration of the Agreement.



2. Definitions

2.1 The terms defined below have the meanings assigned to them. Any capitalized terms not defined in this DPA will be understood as defined in the Agreement.

2.2 Terms like "Business," "Sell," "Service Provider," and "Third Party" hold the same meanings as in the CCPA.

2.3 "Controller" refers to the entity that decides the purposes and means of Processing Personal Data. It includes analogous terms in other Data Protection Laws, such as "Business" or "Third Party" under the CCPA, as applicable.

2.4 "Data Protection Law" includes all relevant privacy and data protection laws applicable to the Processing of Personal Data under the Agreement, such as the General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act ("CCPA").

2.5 "Data Subject" refers to any identified or identifiable natural person.

2.6 "De-identified Data" means a dataset that no longer contains Personal Data. To "De-identify" data means converting Personal Data into De-identified Data.

2.7 "EEA" means the European Economic Area.

2.8 "Standard Contractual Clauses" are the European Union standard clauses for international data transfers, as outlined in Commission Implementing Decision (EU) 2021/914, dated June 4, 2021.

2.9 "Personal Data" refers to any information that can be linked, directly or indirectly, to a specific Data Subject, including identifiers such as names, identification numbers, and other personal attributes. "Personal Data" may include similar terms from other Data Protection Laws, such as "Personal Information" under the CCPA.

2.10 "Personal Data Breach" involves any security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data.

2.11 "Process" or "Processing" includes any action taken with respect to Personal Data, whether automated or manual, such as collection, storage, retrieval, or deletion.

2.12 "Processor" refers to an entity that processes Personal Data on behalf of another. This term may also encompass equivalent terms in other Data Protection Laws, like "Service Provider" under the CCPA.

2.13 "Sensitive Data" includes categories of data such as racial or ethnic origin, political views, religious beliefs, genetic or biometric data, health data, and more as defined by laws like HIPAA or the Gramm-Leach-Bliley Act.

2.14 "Subprocessor" means any Processor engaged by a party that is acting as a Processor.



3. Description of the Parties' Personal Data Processing Activities and Statuses of Parties

3.1 Schedules 1-3 attached to this DPA describe the purposes of Processing, the types and categories of Personal Data involved, and the categories of affected Data Subjects.

3.2 Schedules 1-3 also define the statuses of the parties under applicable Data Protection Laws.



4. International Data Transfer

4.1 For Personal Data of Data Subjects in the EEA, Switzerland, or the UK that is transferred to or accessed by ofsecman.io, the parties agree to execute the Standard Contractual Clauses by reference to this DPA. The relevant elements of the Standard Contractual Clauses are outlined in Schedules 1-3.



5. Data Protection Generally

5.1 Compliance: Both parties will fulfill their respective obligations under Data Protection Laws and their privacy policies.

5.2 Customer Processing of Personal Data: The Customer warrants that it has the necessary legal basis, such as consent, to collect Personal Data in relation to the Services.

5.3 Cooperation:
5.3.1 Both parties agree to provide reasonable assistance to ensure compliance with Data Subject requests related to their rights under Data Protection Laws.
5.3.2 The Customer will notify ofsecman.io promptly if it receives complaints or regulatory inquiries related to ofsecman.io's compliance with Data Protection Law.
5.3.3 The parties will cooperate to meet requirements, such as conducting data protection impact assessments or consultations with authorities when necessary.

5.4 Confidentiality: The parties will ensure their personnel maintain confidentiality over Personal Data and undergo appropriate training in data privacy and security.

5.5 De-identified, Anonymized, or Aggregated Data: Both parties may convert Personal Data into De-identified Data and process this data for any purpose.



6. Data Security

6.1 Security Controls: Each party will maintain a security policy that outlines controls based on an assessment of risk to Personal Data and their respective systems. Specific security measures are detailed in Schedules 2.3 and 3.4.



7. ofsecman.io Obligations as a Processor, Subprocessor, or Service Provider

7.1 ofsecman.io will abide by the obligations in this Section 7 when acting as the Customer’s Processor or Service Provider. These obligations do not apply when ofsecman.io acts as a Controller, Business, or Third Party.

7.2 Scope of Processing:
7.2.1 ofsecman.io will process Personal Data to deliver services under the Agreement and comply with applicable laws. It will notify the Customer of any legal changes that impact its ability to comply with the Agreement.

7.3 Data Subjects’ Requests:
7.3.1 ofsecman.io will inform the Customer if it receives any requests from Data Subjects regarding their Personal Data. The Customer will handle the response to these requests, with ofsecman.io offering reasonable assistance if requested.

7.4 Subprocessors:
7.4.1 Existing Subprocessors: The Customer consents to the use of the Subprocessors listed in Schedule 3.
7.4.2 New Subprocessors: The Customer grants ofsecman.io general authorization to engage new Subprocessors, provided they meet the data protection obligations in this DPA.
7.4.3 Objections to Subprocessors: The Customer may object to new Subprocessors within 30 days of notice. If no resolution is found within 15 days, the Customer may terminate the Agreement.
7.4.4 Liability: ofsecman.io remains liable for the actions of its Subprocessors as if it performed their tasks directly.

7.5 Personal Data Breach: ofsecman.io will notify the Customer without undue delay if there is a breach involving Personal Data. It will provide necessary information to enable the Customer to meet legal obligations for reporting the breach.

7.6 Deletion and Return of Data: Upon termination of the Services, ofsecman.io will delete or return all Personal Data, except where legal obligations require retention.

7.7 Audits:
7.7.1 ofsecman.io will maintain records of its security standards and provide relevant documentation upon request.
7.7.2 If the Standard Contractual Clauses apply and additional audits are necessary, the Customer may request an audit, subject to specific conditions like covering costs and minimizing disruption.


Schedule 1: Description of the Processing and Subprocessors

Each entry below lists the Processing Activity, the Status of the Parties, the Categories of Personal Data Processed, the Categories of Sensitive Data Processed, the Frequency of Transfer, and the Applicable SCCs Module.

Processing Activity: The Customer discloses Personal Data to ofsecman.io to provide, operate, and maintain ofsecman.io Services.
Status of the Parties: The Customer is a Controller. ofsecman.io is a Controller.
Categories of Personal Data Processed: Account registration, payment information, user content, communications, cookies and other tracking technologies, usage of Services, and third-party accounts.
Categories of Sensitive Data Processed: None
Frequency of Transfer: Continuous
Applicable SCCs Module: Module 1

Processing Activity: The Customer discloses Personal Data to improve, analyze, and personalize ofsecman.io Services.
Status of the Parties: The Customer is a Controller. ofsecman.io is a Controller.
Categories of Personal Data Processed: Account registration, payment information, user content, communications, cookies and other tracking technologies, usage of Services, and third-party accounts.
Categories of Sensitive Data Processed: None
Frequency of Transfer: Continuous
Applicable SCCs Module: Module 1

Processing Activity: The Customer contacts ofsecman.io for support.
Status of the Parties: The Customer is a Controller. ofsecman.io is a Controller.
Categories of Personal Data Processed: Account registration, payment information, user content, communications, usage of Services, and third-party accounts.
Categories of Sensitive Data Processed: None
Frequency of Transfer: Continuous
Applicable SCCs Module: Module 1

Processing Activity: The Customer stores end-user data on ofsecman.io Services.
Status of the Parties: ofsecman.io is a Processor. The Customer is a Controller, or a Processor to another Controller.
Categories of Personal Data Processed: As determined by the Customer.
Categories of Sensitive Data Processed: As determined by the Customer.
Frequency of Transfer: As determined by the Customer.
Applicable SCCs Module: Module 2, or Module 3 if the Customer is a Processor to another Controller.

Schedule 2: Controller-to-Controller Information for International Data Transfers


1. Retention Periods

ofsecman.io retains Personal Data it collects as a Controller for as long as ofsecman.io has a business purpose for it or for the longest time allowable by applicable law.


2. Information for International Transfers

For the purposes of the Standard Contractual Clauses:

Clause 11(a), Module 1: The parties do not select the independent dispute resolution option.

Clause 17, Module 1: The parties select Option 1. The Member State is the Netherlands.

Clause 18(b), Module 1: The Parties agree that those shall be the courts of the Netherlands.

Annex I(A): The data exporter is the Customer. The data importer is ofsecman.io. Contact details for the Customer are the email address(es) designated by the Customer in the Customer's ofsecman.io account. Contact details for ofsecman.io are available at https://www.ofsecman.io/privacy-policy

Annex I(B): The parties agree that Schedule 1 describes the transfer.

Annex I(C): The competent supervisory authority is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Annex II: The parties agree that Schedule 2.3 describes the technical and organizational measures applicable to the transfer.

For definitions of these terms, please review our Privacy Policy (Section 1).


3. Technical and Organizational Measures

Each entry below lists the Technical and Organizational Security Measure followed by the Evidence of Technical and Organizational Security Measure.

Measure: Measures of pseudonymization and encryption of personal data
Evidence: ofsecman.io databases that store Customer Personal Data are encrypted using the Advanced Encryption Standard (AES). Customer data is encrypted in transit between the Customer's software application and ofsecman.io using TLS v1.2.

Measures: Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services; measures for ensuring the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
Evidence: ofsecman.io uses a variety of tools and mechanisms to achieve high availability and resiliency. ofsecman.io infrastructure spans multiple fault-independent availability zones in geographic regions physically separated from one another. ofsecman.io infrastructure is able to detect and route around issues experienced by hosts or even whole data centers in real time, and employs orchestration tooling that can regenerate hosts, building them from the latest backup. ofsecman.io also leverages specialized tools that monitor server performance, data, and traffic load capacity within each availability zone and colocation data center. If suboptimal server performance or overloaded capacity is detected on a server within an availability zone or colocation data center, these tools increase the capacity or shift traffic to relieve the condition. ofsecman.io is also immediately notified of any suboptimal server performance or overloaded capacity.

Measure: Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
Evidence: ofsecman.io has developed and implemented a security control environment designed to protect the confidentiality, integrity, and availability of customers' systems. The Customer Data Use Policy governs the requirements for the use of customer data in accordance with several industry standards. ofsecman.io conducts a variety of regular internal and external audits that are inclusive of security operations.

Measure: Measures for user identification and authorization
Evidence: Access control policies require that access to ofsecman.io assets be granted based on business justification, with the asset owner's authorization, and limited according to "need to know" and "least privilege" principles. The policy also addresses requirements for the access management lifecycle, including access provisioning, authentication, access authorization, removal of access rights, and periodic access reviews. Documentation of these requirements is recorded and provided to external auditors for security certification testing.

Measures: Measures for the protection of data during transmission; measures for the protection of data during storage
Evidence: ofsecman.io databases that store Customer Personal Data are encrypted using the Advanced Encryption Standard (AES). Customer data stored by ofsecman.io is encrypted in transit between the Customer's software application and ofsecman.io using TLS v1.2.

Measure: Measures for ensuring the physical security of locations at which personal data are processed
Evidence: ofsecman.io data centers are located in nondescript buildings that are physically constructed, managed, and monitored 24 hours a day to protect data and services from unauthorized access as well as environmental threats. All data centers are surrounded by a fence with restricted access through badge-controlled gates. CCTV is used to monitor physical access to data centers and information systems. Cameras are positioned to monitor perimeter doors, facility entrances and exits, interior aisles, caged areas, high-security areas, shipping and receiving, facility external areas such as parking lots, and other areas of the facilities.

Measure: Measures for ensuring event logging
Evidence: Logging of service, user, and security events (web server logs, FTP server logs, etc.) is enabled and retained centrally. ofsecman.io restricts access to audit logs to authorized personnel based on job responsibilities. Audit logging procedures are reviewed as part of external audits for security standards.

Measures: Measures for internal IT and IT security governance and management; measures for certification/assurance of processes and products
Evidence: ofsecman.io has developed and implemented a security control environment designed to protect the confidentiality, integrity, and availability of customers' systems. ofsecman.io performs an annual internal review of all security management policies and procedures. External auditors perform an annual review of these policies and procedures. ofsecman.io conducts a variety of regular internal and external audits that are inclusive of security operations.

Measures: Measures for ensuring data minimization; measures for ensuring data quality; measures for ensuring limited data retention; measures for ensuring accountability; measures for allowing data portability and ensuring erasure
Evidence: More information about how ofsecman.io processes personal data is set forth in the Privacy Policy available at: https://www.ofsecman.io/privacy-policy

Measure: Technical and organizational measures to be taken by the [sub]-processor to provide assistance to the controller and, for transfers from a processor to a [sub]-processor, to the Customer.
Evidence: When ofsecman.io engages a Subprocessor, ofsecman.io and the Subprocessor enter into an agreement with data protection obligations substantially similar to those contained in this Schedule. Each Subprocessor agreement must ensure that ofsecman.io is able to meet its obligations to the Customer. In addition to implementing technical and organizational measures to protect personal data, Subprocessors must (a) notify ofsecman.io in the event of a Security Incident so that ofsecman.io may notify the Customer; (b) delete personal data when instructed by ofsecman.io in accordance with the Customer's instructions to ofsecman.io; (c) not engage additional Subprocessors without ofsecman.io's authorization; (d) not change the location where personal data is processed; and (e) not process personal data in a manner that conflicts with the Customer's instructions to ofsecman.io.

Schedule 3: Controller-to-Processor and/or Processor-to-Processor Information for International Data Transfers


1. Subprocessors

ofsecman.io uses Subprocessors when it acts as a Processor. The Customer authorizes Digital Ocean to use these Subprocessors consistent with Section 7.4.


2. Retention Periods

ofsecman.io retains Personal Data it collects or receives from Customer as a Processor for the duration of the Agreement and consistent with its obligations in this DPA.


3. Information for International Transfers

For the purposes of the Standard Contractual Clauses:

Clause 9, Module 2(a): The parties select Option 2. The time period is five days.

Clause 11(a): The parties do not select the independent dispute resolution option.

Clause 17, Module 2: The parties select Option 2. The Member State of the data exporter is the EU Member State in which the Customer is located.

Clause 18(b), Module 2: The Parties agree that those shall be the courts of the EU Member State in which the Customer is located.

Annex I(A): The data exporter is the Customer. The data importer is ofsecman.io. Contact details for the Customer are the email address(es) designated by the Customer in the Customer's ofsecman.io account.

Annex I(B): The parties agree that Schedule 1 describes the transfer.

Annex I(C): The competent supervisory authority is the supervisory authority of the Customer, who acts as a data exporter.

Annex II: The parties agree that Schedule 3.4 describes the technical and organizational measures applicable to the transfer.


4. Technical and Organizational Measures

Each entry below lists the Technical and Organizational Security Measure followed by the Evidence of Technical and Organizational Security Measure.

Measures: Measures of pseudonymization and encryption of personal data; measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services
Evidence: Customer responsibility.

Measure: Measures for ensuring the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
Evidence: Customer responsibility. It is the Customer's responsibility to back up their content data and to utilize redundancy mechanisms to protect it.

Measures: Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing; measures for user identification and authorization; measures for the protection of data during transmission; measures for the protection of data during storage
Evidence: Customer responsibility.

Measure: Measures for ensuring the physical security of locations at which personal data are processed
Evidence: ofsecman.io data centers are located in nondescript buildings that are physically constructed, managed, and monitored 24 hours a day to protect data and services from unauthorized access as well as environmental threats. All data centers are surrounded by a fence with restricted access through badge-controlled gates. CCTV is used to monitor physical access to data centers and information systems. Cameras are positioned to monitor perimeter doors, facility entrances and exits, interior aisles, caged areas, high-security areas, shipping and receiving, facility external areas such as parking lots, and other areas of the facilities.

Measures: Measures for ensuring event logging; measures for internal IT and IT security governance and management; measures for certification/assurance of processes and products; measures for ensuring data minimization; measures for ensuring data quality; measures for ensuring limited data retention; measures for ensuring accountability
Evidence: Customer responsibility.

Measure: Technical and organizational measures to be taken by the [sub]-processor to provide assistance to the controller and, for transfers from a processor to a [sub]-processor, to the Customer.
