Data Privacy and Security Agreement updated on November 29, 2016
DATA PRIVACY AND SECURITY AGREEMENT
This Data Privacy and Security Agreement (the “DPSA”) supplements (i) the Terms of Service (“TOS”) and (ii) any other valid, written agreements between you (“you”, “your” or “Client”) and Cloud Cruiser, Inc. (“Cloud Cruiser,” and any such agreements, “Cloud Cruiser Agreements”). Terms not defined herein shall have the meaning set forth in the TOS and the Cloud Cruiser Agreements, as applicable. In the event of a conflict between the DPSA, the TOS and/or the Cloud Cruiser Agreements, the order of precedence in descending order is: the TOS, followed by the DPSA, followed by the Cloud Cruiser Agreements.
1.1 In this DPSA, the following words shall have the following specific meanings:
“Data Breach” shall mean any accidental, unlawful, or unauthorized destruction, alteration, disclosure, misuse, loss, compromise, or access to Client Data or any act or omission that compromises or undermines the physical, technical, or organizational safeguards put in place by Cloud Cruiser Personnel in Processing Client Data or otherwise providing services under the Cloud Cruiser Agreements.
“Client Data” shall mean any and all Data provided by you, your customers, authorized agents and/or subcontractors to Cloud Cruiser, or otherwise Processed by Cloud Cruiser Personnel in connection with the provision of the Service under the Cloud Cruiser Agreements, including, without limitation, (i) all non-public information and data provided to or accessed by Cloud Cruiser Personnel through Client’s network or provided to or accessed by Cloud Cruiser Personnel for hosting or outsourcing services, (ii) Highly Restricted Data, (iii) Personal Data and/or (iv) On-Line Tracking Data. Client Data shall not include any Non-Identifiable Data as such term is defined in the TOS.
“Cloud Cruiser Personnel” means Cloud Cruiser and/or any employee, officer, agent, consultant, auditor, subcontractor, outsourcer or other third party acting on behalf of Cloud Cruiser or under the apparent authority of Cloud Cruiser in connection with providing the Service.
“Directive” means the EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data as amended or superseded from time to time.
“European Economic Area” and “EEA” mean the Member States of the European Union plus Norway, Iceland and Liechtenstein.
“Highly Restricted Data” shall mean Social Security or other government-issued identification numbers, medical or health information, account security information, individual financial account information, credit/debit/gift or other payment card information, account passwords, individual credit and income information, intellectual property, proprietary business models, pricing, customer infrastructure/system information or data flows and sensitive personal data as defined under applicable Privacy Laws (including the Directive).
“On-Line Tracking Data” shall mean any information or data collected in relation to on-line activities which can reasonably be associated with a particular individual, computer or other device and used to deliver behavioral advertising.
“Personal Data” shall mean any information or data that alone or together with any other information relates to an identified or identifiable natural person, or data considered to be personal data as defined under applicable Privacy Laws.
“Privacy Laws” means any law, statute, directive, or regulation (including any and all legislative and/or regulatory amendments or successors thereto) regarding privacy, data protection, information security obligations and/or the Processing of Personal Data (including the Directive).
“Processing”, “Processed” or “Process” (whether in upper or lower case) shall mean any operation or set of operations which is performed upon Client Data irrespective of the purposes and means applied, including access, collection, recording, organization, adaptation, alteration, retrieval, consultation, retention, storage, transfer, disclosure (including disclosure by transmission), dissemination or otherwise making available, alignment, combination, use, blocking, erasure and destruction.
1.2 Client instructs and authorizes Cloud Cruiser to Process the Client Data provided to, or otherwise obtained by, Cloud Cruiser under the Cloud Cruiser Agreements and/or this DPSA for the sole and exclusive purpose of performing Cloud Cruiser’s obligations under the Cloud Cruiser Agreements and/or this DPSA.
2. CLOUD CRUISER OBLIGATIONS
2.1 Cloud Cruiser undertakes and warrants that:
(a) Cloud Cruiser Personnel shall only Process Client Data in accordance with the TOS, U.S. Privacy Laws (where applicable) and the terms of this DPSA;
(b) Cloud Cruiser Personnel shall limit the disclosure and Processing of the Client Data to the extent necessary to provide the Service, or as otherwise permitted under this DPSA or by Client in writing, and shall only disclose Client Data on a need to know basis related to the provision of the Service;
(c) Cloud Cruiser shall take all reasonable steps to ensure the reliability of Cloud Cruiser Personnel that have access to the Client Data (including carrying out appropriate background checks) and shall ensure such Cloud Cruiser Personnel are appropriately trained in the care and handling of Client Data, including Personal Data, and in their obligations under applicable Privacy Laws;
(d) Upon written request from Client to delete the Client Data or any part thereof, Cloud Cruiser shall use commercially reasonable efforts to promptly delete the Client Data and all copies thereof. If applicable law does not permit Cloud Cruiser Personnel to destroy the Client Data, Cloud Cruiser Personnel shall not use such Client Data for any purpose other than the purpose required by such applicable law, the TOS, and this DPSA, and shall remain bound at all times by the provisions of the DPSA with respect to any Client Data that remains in its possession, custody or control until such Client Data has been destroyed;
(e) Cloud Cruiser shall ensure that Cloud Cruiser Personnel who are authorized to Process Client Data are subject to restrictions and conditions substantially equivalent to those that apply to Cloud Cruiser under this DPSA;
(f) Cloud Cruiser will assist Client with all reasonable requests (including requests for access to Client Data) and/or notifications which may be received from data subjects or any third parties (including regulatory authorities) and will perform all acts reasonable and necessary to enable Client to comply with such requests and/or notifications at Client’s expense. Cloud Cruiser shall promptly notify Client of any such request or notification and, unless required by law, shall not respond to such request or notification unless instructed to do so in writing by Client.
2.2 Where Cloud Cruiser Personnel engage in or facilitate the tracking of consumers’ online activities, the obligations and requirements set out in this DPSA in relation to Personal Data shall also extend to On-Line Tracking Data.
3. INTERNATIONAL TRANSFERS
3.1 For transfers to countries outside the EEA: Cloud Cruiser may transfer Personal Data to countries outside the EEA with the prior written consent of Client.
3.2 With respect to any transfer of Personal Data, Client and Cloud Cruiser may require that additional requirements shall be met prior to such transfer taking place in order to comply with applicable law. Client shall be responsible for the reasonable costs of Cloud Cruiser complying with any such requirements provided that such costs have been pre-approved in writing by Client.
4. CLOUD CRUISER’S DATA SECURITY OBLIGATIONS
4.1 Cloud Cruiser warrants and undertakes that Cloud Cruiser Personnel have in place and shall maintain appropriate industry standard physical, organizational and technical processes and procedures to protect against any Data Breach, in particular where the Processing involves the transmission of data over a network or storage of data at rest, and against all other unlawful forms of Processing of Client Data.
4.2 Cloud Cruiser shall, and shall ensure that all applicable Cloud Cruiser Personnel shall, implement and maintain:
(a) Risk Management policies, procedures and tools which periodically evaluate organizational, administrative, system and technical risks.
(b) Asset Management policies, procedures and tools which (i) identify equipment and media used in the storage or Processing of Client Data; (ii) assign responsibility for equipment and media to one or more custodians; and (iii) require regular reviews of the asset inventory for accuracy and to identify missing equipment and media.
(c) Access Control and Identity Management policies, procedures and tools in which (i) data and system access rights are assigned to individuals according to their documented responsibilities and the principle of least privilege; (ii) user and administrator accounts are assigned to individuals and required to have passwords, password rotation, failed authentication locks, and session timeouts; and (iii) issuance of privileged access accounts (e.g. administrator or root) requires management approval and such accounts are held to strict security standards.
(d) Awareness and Training policies, procedures, and tools which address (i) information security threats and best practices; (ii) information security policies, procedures, and controls in place to protect Client Data; and (iii) each Cloud Cruiser Personnel’s roles and responsibilities in the protection of Client Data.
(e) Accountability policies, procedures, and tools which ensure that (i) account actions can be traced to the individual using the account; (ii) the time, date, and type of action is recorded for privileged account actions and account actions affecting Client Data; (iii) recorded account actions are actively monitored and can be easily retrieved for analysis; and (iv) consequences for policy violations are established, communicated, and acted upon.
(f) Contingency Planning policies, procedures, and tools which define roles and responsibilities and provide clear guidance and training on the proper handling of contingency events including: (i) natural threat events such as floods, tornadoes, earthquakes, hurricanes, and ice storms; (ii) accidental threat events such as chemical spills, and mechanical or electrical failures; and (iii) intentional acts such as privacy and security breaches, bomb threats, assaults, and theft.
(g) System Maintenance policies, procedures, and tools, including controls related to: (i) structured vulnerability management, including regular scanning, penetration testing, risk analysis, and timely patching; (ii) change management, including documentation of the purpose, security impact analysis, testing plan and results, and authorization for changes; (iii) configuration management, including secure baseline configurations; and (iv) monitoring to detect and generate alerts for unauthorized changes.
(h) System and Communications Protection policies, procedures, and tools to preserve the confidentiality, integrity, and availability of Client Data, including: (i) physical controls that restrict and monitor access to systems that Process Client Data; (ii) technical and administrative controls that protect against malicious software (e.g. viruses, spyware); (iii) technical and administrative controls that protect against malicious actors (e.g. social engineering, phishing); (iv) encryption of data in transit across untrusted and public networks and, in the case of Highly Restricted Data, at rest in all locations where it is stored; (v) periodic encryption key rotation and management; (vi) prohibition of Highly Restricted Data and Personal Data being Processed in non-production environments; (vii) regular security control reviews and effectiveness testing; and (viii) technical and administrative controls regarding remote access and mobile devices.
(i) Media Protection policies and procedures that implement controls to ensure that media containing Client Data is securely handled, including (i) encryption of Client Data on all mobile devices and removable storage; (ii) requirement for secure sanitization and destruction methods for media that at any time held Client Data; and (iii) requirement that all media, including paper, containing unencrypted Client Data be stored in a secure location.
(j) Reporting policies, procedures, and tools which provide Client with access to relevant documentation and reporting on the implementation, effectiveness, and remediation, if necessary, of the safeguards described in this Section 4.2.
4.3 Cloud Cruiser Personnel shall regularly, but in no event less than annually, evaluate, test and monitor the effectiveness of the safeguards set forth in Section 4.2 and shall promptly adjust and/or update such safeguards as reasonably warranted.
4.4 In addition, at any point during the term of the Service, Cloud Cruiser shall, upon request, provide Client with a copy of Cloud Cruiser Personnel’s applicable security policies and procedures.
4.5 Payment Card Information: Prior to Processing any payment card information for the Service, Cloud Cruiser Personnel must comply, and remain in compliance at all times during the term of the Cloud Cruiser Agreements, at its own expense, with the Payment Card Industry Data Security Standards (“PCI DSS”). Before Processing any payment card information and annually thereafter, Cloud Cruiser Personnel may submit an attestation to Client stating that they are current in their applicable PCI Report on Compliance/Self-Assessment Questionnaire and PCI Quarterly Network Scan filings and that they remain PCI compliant, as well as any documentation supporting such attestation as reasonably requested by Client from time to time. If at any point Cloud Cruiser Personnel are not in compliance with the PCI DSS or are unable or unwilling to produce adequate evidence of compliance, Client may immediately terminate the Service without liability to Client other than the payment of fees due at the time of termination.
5. INFRASTRUCTURE SECURITY & CONNECTIVITY
5.1 The connection and mechanism used to transmit Client Data between Cloud Cruiser Personnel and Client shall be a secure solution approved by Client I/T. The duration of access shall be restricted to only those periods when access is required. Cloud Cruiser Personnel shall use commercially reasonable safeguards to protect against any compromise, unauthorized access or other damage to Client’s network and to secure the Cloud Cruiser Personnel’s networks and IT environments associated with the Service being provided to Client.
5.2 Upon request during the term of the Service, Cloud Cruiser Personnel shall provide Client with a network diagram that outlines Cloud Cruiser’s I/T network supporting the Service.
5.3 Upon request during the term of the Service, Cloud Cruiser shall provide a controls review report and a description of any remediation effort, as applicable to the Service. The report shall include an assessment of Cloud Cruiser’s applicable general controls and security processes and procedures to ensure compliance with applicable Privacy Laws and industry standards, including, if applicable, the PCI DSS. The assessment should be performed at Cloud Cruiser’s expense as part of Cloud Cruiser’s ongoing information security program to evaluate Cloud Cruiser’s general security controls.
5.4 In addition to Cloud Cruiser’s internal control programs, Cloud Cruiser may have independent penetration tests and security vulnerability scans performed on its environment, as relevant to this DPSA, on a regular basis. Cloud Cruiser commits to remediate all vulnerabilities identified in a timeframe commensurate with the risk.
6. DATA BREACH
In the event of an actual or reasonably suspected Data Breach, Cloud Cruiser shall notify Client promptly, and in no event later than 24 hours, after becoming aware of the Data Breach. Such notification shall be provided, at a minimum, by email to Cloud Cruiser’s primary business contact at Client. In facilitating investigation and remediation of a Data Breach, Cloud Cruiser Personnel shall reasonably cooperate with Client. Cloud Cruiser Personnel shall not inform any third party of any Data Breach without first obtaining Client’s prior written consent (which consent shall not be unreasonably withheld), except as may be strictly required by applicable Privacy Laws. Details of any complaint received by Cloud Cruiser Personnel related to the Processing of Highly Restricted Data, Personal Data or On-Line Tracking Data shall be promptly sent to Cloud Cruiser’s primary business contact at Client. Cloud Cruiser shall take all necessary and commercially reasonable corrective actions, including as may be instructed by Client and required by applicable Privacy Laws, to remedy or mitigate any Data Breach.
7. PERSONAL DATA REVIEWS
On reasonable notice and during normal business hours, Cloud Cruiser shall: (a) promptly and properly respond to all reasonable inquiries from Client with respect to Cloud Cruiser’s handling of Personal Data in connection with the Service or Cloud Cruiser’s compliance with the DPSA; and (b) permit Client or its designee to inspect any Personal Data in the custody or possession of Cloud Cruiser in connection with the Service and to review Cloud Cruiser’s compliance with its obligations described in the DPSA, including the security measures used to protect Personal Data.
8. CLOUD CRUISER PERSONNEL
8.1 Processing of Client Data by any subcontractor, outsourcer or third party acting on behalf of Cloud Cruiser shall meet the following requirements:
(a) All such Cloud Cruiser Personnel meet the requirements of Paragraph 2.1(e);
(b) Cloud Cruiser takes reasonable steps to ensure that such Cloud Cruiser Personnel comply with their obligations in respect of the Processing of the Client Data and shall review such Cloud Cruiser Personnel on a regular basis in respect of such Processing, which shall be at least annually and more frequently in the event of a Data Breach or other incident involving Client Data; and
(c) If the review conducted under clause 8.1(b) above reveals any deficiencies, breaches and/or failures on the part of such Cloud Cruiser Personnel to comply, or which may affect their ability to comply, with the requirements of this clause 8.1, Cloud Cruiser shall use all commercially reasonable efforts to work with such Cloud Cruiser Personnel to remedy such deficiencies, breaches and/or failures promptly, and if a satisfactory remedy cannot be implemented within a reasonable period of time (as determined by Cloud Cruiser), Cloud Cruiser shall no longer be permitted to use such Cloud Cruiser Personnel to provide the Service, in which case such Cloud Cruiser Personnel shall be required to promptly delete any Client Data in their possession or control.
8.2 Cloud Cruiser shall comply with the provisions of the International Transfers section set out above as if Cloud Cruiser were Client and the Cloud Cruiser Personnel were Cloud Cruiser.
9. THIRD PARTY RIGHTS
9.1 Nothing in this DPSA shall confer any benefits or rights on any person or entity other than Cloud Cruiser and Client.