Perception Point Data Protection Agreement
This Data Processing Addendum (“DPA”) is incorporated by reference into the agreement (“Agreement”) between the Customer (the “Controller”) and Perception Point Ltd (the “Processor”), as required by EU General Data Protection Regulation 2016/679 (“GDPR”), the California Consumer Privacy Act (Cal. Civ. Code §1798) (“CCPA”), and any other data protection or privacy laws, all as applicable. Capitalized terms not otherwise defined herein or in the Agreement, shall take the meaning ascribed to them by applicable data protection laws.
Processor shall comply with the following in respect of Personal Data:
- Controller’s Compliance. Controller’s instructions for processing of Personal Data shall comply with all applicable privacy and data protection laws. Controller shall have sole responsibility for the accuracy, quality and legality of Personal Data and the means by which Controller acquired Personal Data.
- Details of Processing. Processor will process Personal Data only pursuant to Controller’s documented instructions unless processing is required by applicable laws to which Processor is subject, in which case Processor shall inform Controller of that legal requirement before the relevant processing of that Personal Data, unless prohibited from doing so by law. The details of the processing activities to be carried out by Processor in respect of the Services are specified in Appendix 1. For the avoidance of doubt, the duration of the processing is for the term of the services unless terminated earlier in writing.
- Data Subjects Rights. Processor shall assist Controller, by using appropriate technical and organizational measures, in the fulfillment of Controller’s obligations to respond to requests by data subjects in exercising their rights under applicable laws.
- Confidentiality. Processor shall ensure that its personnel engaged in the processing of Personal Data are bound by a confidentiality undertaking.
- Data Breach. Processor will promptly notify Controller after becoming aware of any suspected or actual breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data (“Data Breach”).
- Records. Processor will maintain up-to-date written records of its processing activities, including, inter alia, Processor’s and Controller’s contact details, details of data protection officers (where applicable), the categories of processing, transfers of Personal Data across borders and the technical and organizational security measures implemented by the Processor. Upon request, Processor will provide an up-to-date copy of these records to Controller.
- Sub-Processors. Controller acknowledges and agrees that Processor may engage any of the third-party sub-processors in connection with the provision of the services, or to fulfil its contractual obligations under this DPA, or to provide certain services on its behalf, such as providing support services to Controller. A list of sub-processors used by Processor is available at https://perception-point.io/sub-processors-list/ (as may be updated by Processor from time to time in accordance with this DPA). Such sub-processors shall be bound by a written contract including terms which set data protection obligations no less protective than those in this DPA to the extent applicable to the nature of the Services provided by such sub-processor.
- Assistance. Processor will assist Controller in ensuring compliance with Controller’s obligations related to the security of the processing, notification and communication of Data Breaches, conduct of data protection impact assessments and any inquiry, investigation or other request by a supervisory authority.
- Possible Violation. Where Processor believes that an instruction would result in a violation of any applicable data protection laws, Processor shall notify the Controller thereof.
- Information. Processor will make available to Controller, upon request, information necessary, and reasonably available to Processor, to demonstrate compliance with the obligations set forth in this DPA, GDPR Article 28, and under other applicable data protection laws.
- Audits. Upon Controller’s request, Processor shall cooperate with audits and inspections of its compliance with the requirements and obligations herein and/or under applicable law. Such audits and inspections may be conducted by Controller or by any third party designated by Controller.
- Technical and Organizational Measures.
12.1 Processor shall implement and maintain all technical and organizational measures that are required for protection of the Personal Data and ensure a level of security that is appropriate for dealing with and protecting against any risks to the rights and freedoms of the data subjects, and as required in order to avoid accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to Personal Data and/or as otherwise required pursuant to applicable data protection laws, including, inter alia, the measures set forth in Appendix 2. When complying with Section 12 hereof, Processor shall take into consideration the state of technological development existing at the time and the nature, scope, context and purposes of processing as well as the aforementioned risks.
12.2 Processor shall regularly monitor its compliance with this DPA and will provide Controller, upon request, with evidence that will enable verification of such monitoring activities. Processor shall promptly implement all changes to Appendix 2, as requested by Controller. Processor shall ensure that all persons acting under its authority or on its behalf and having access to the Personal Data do not process the Personal Data except as instructed by Controller and permitted herein.
- Transfer of Personal Data to Third Countries. Processor will not transfer Personal Data to a recipient located in a country that is not a Member State of the European Union or European Economic Area, unless that country is considered by the European Commission to have an adequate level of protection or the transfer is made pursuant to the EU standard contractual clauses (“SCCs”) for the transfer of personal data to processors established in third countries (Commission Decision (EU) 2021/914), concluded before such transfer. For the purposes of the SCCs (https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN), module two (controller to processor) shall apply. In Clause 9, Option 2 (general authorization) applies. The time period is 14 days. In Clause 11 the optional language will not apply. In Clause 17 the governing law will be Irish law; in Clause 18 disputes shall be resolved by the courts of Ireland. In Annex I Controller is the ‘Data exporter’ and Processor is the ‘Data importer’; the ‘Data subjects’, ‘Categories of data’, ‘Frequency of the transfer’, ‘Nature of processing’, ‘Purpose’, ‘Retention period’ and ‘subject matter, nature and duration of the processing’ are as described in the Agreement and in Appendix 1. The ‘competent supervisory authority’ is the Irish DPC. In Annex II, the technical and organizational measures are as described in Appendix 2.
- Return and Deletion of Personal Data. On the Controller’s request, Processor shall return or destroy Personal Data to the extent allowed by applicable law.
Appendix 1 - Processing Details
- Nature, purpose and subject matter of the Processing. The nature, purpose and subject matter of the Processing is the provision of the Services set forth in the Agreement.
- Categories of Data Subjects. Email users, data subjects coincidentally identified in email content or in shared files (as applicable); contact persons at Controller.
- Types of Personal Data. Customer data scanned to find malicious content, including Personal Data found in emails and shared files (as applicable), email/file metadata, email addresses and IP addresses.
Appendix 2 - Technical and Security Measures
- The encryption of Personal Data. All data is encrypted at rest and in transit using AES-256 and TLS 1.2.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- Privacy of Personal Data is ensured through the service monitoring levels defined in the SLA signed by the customer, which set the level of Personal Data exposure allowed to security personnel in order to handle malicious incidents.
- Clean emails/files are kept only for a very short period of up to 48 hours to allow review in case of reporting by end users. Malicious content and all metadata are retained for a longer time, as needed for professional or legal purposes.
- Access to Personal Data is restricted to approved personnel only, who need it to monitor the service, and this list is constantly reviewed. Personnel may access the content of emails only in the case of review of suspicious emails.
- Logging and monitoring. Systems are logged and monitored in order to detect unusual activity. Customer may access logs covering any action taken in regard to Customer data.
- Business continuity. A formal Business Continuity plan is maintained. The plan is reviewed and a tabletop scenario exercise is conducted at least annually.
- Regular vulnerability scans and annual third-party penetration tests on relevant infrastructure are used to identify vulnerabilities. Results are evaluated by appropriate personnel and remediation actions are performed, where deemed appropriate.
- Changes are tested by appropriate personnel for functionality and, where applicable, security prior to being implemented in production.
- Physical security. Amazon Web Services is used as a subservice organization which is responsible for implementing and maintaining proper controls over its underlying system infrastructure (e.g., servers, storage devices, network devices, operating systems). This includes relevant controls over physical access.
- Security awareness training is provided to all new employees upon hire, and to all company personnel at least once per calendar year and remedial training as deemed necessary, to help employees understand their obligations and responsibilities to comply with the company’s policies and procedures, including the identification and reporting of incidents.