
Netenrich, Inc.

Data Processing Addendum

Last Modified: March 2, 2023

This Data Processing Addendum, including the annexes hereto (this “DPA”) forms a part of the Netenrich Master Subscription Agreement between Netenrich and Customer to which this addendum is attached (the “Agreement”) and sets out the parties’ agreement with respect to the Processing of Personal Data in relation to the Agreement.  Terms in this DPA that are capitalized, but undefined, have the meanings given to them in the Agreement.

  • 1. Definitions

    a.   “Affiliate” of a party means any entity controlling, under common control with, or controlled by the party, where “control” means ownership of more than 50% of the equity of such entity.

    b.   “Controller” means the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

    c.   “Data Protection Regulations” means the Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”), Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) (the “UK GDPR”), the Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance on the Federal Data Protection Act of 14 June 1993 (the “FADP”), and the California Consumer Privacy Act of 2018 (as amended from time to time, the “CCPA”).

    d.   “Instructions” mean any documented instructions given by Customer with respect to the lawful Processing of Personal Data. Instructions may include, without limitation, the correction, erasure and/or the blocking of Personal Data in the legal responsibility of the Controller and instructions delivered by Customer through user functionality in the Services.

    e.   “Personal Data” means information relating to an identified or identifiable natural person (a “Data Subject”) or that meets the definition of “personal information” under the CCPA and that, in either case, is Processed by Netenrich on behalf of Customer in connection with the Services.

    f.   “Processing” and/or “Process” mean any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

    g.   “Processor” means a natural or legal person, public authority, agency or other body that Processes Personal Data on behalf of the Controller.

    h.   “Service(s)” means the services Netenrich provides to Customer and/or, if applicable, Customer’s Affiliates, under the terms of the Agreement.

    i.   “Sub-Processor” means, as applicable, (i) Netenrich, when Netenrich Processes Personal Data on behalf of Customer where Customer itself is a Processor of such Personal Data, or (ii) third-party processors engaged by Netenrich pursuant to Section 6 below.

    j.   “SCCs” means the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

  • 2. Data Processing

    a.   The parties acknowledge and agree that with respect to Personal Data, (i) Customer is the Controller and Netenrich is the Processor of Personal Data, or (ii) Customer is the Processor and Netenrich is the Sub-Processor of Personal Data.

    b.   Netenrich shall not Process Personal Data for any purpose other than providing the Services, fulfilling its contractual obligations under the Agreement and this DPA, and complying with Data Protection Regulations. Netenrich shall Process Personal Data only on behalf of Customer and in accordance with the Agreement, this DPA, and Customer’s Instructions.

    c.   As between Customer and Netenrich, all Personal Data are the property of Customer and Netenrich shall promptly, at Customer’s option, delete or return Personal Data to Customer upon request. Where Customer has not expressed a request with respect to the Personal Data, Netenrich shall delete the Personal Data within 30 days of the expiry or termination of this DPA and the Agreement.

    d.   Netenrich retains backups in accordance with its internal policies and procedures for business operation and security purposes that may contain Personal Data. Upon the expiry or termination of this DPA and the Agreement, to the extent that Netenrich’s backups contain Personal Data, such Personal Data (i) shall not be further Processed by Netenrich, (ii) shall be protected by Netenrich in accordance with the terms of this DPA so long as Netenrich retains such Personal Data, and (iii) shall be destroyed in accordance with Netenrich’s data retention policies.

  • 3. Data Security

    a.   Netenrich has implemented, and shall maintain so long as Netenrich Processes Personal Data, the technical and organizational measures set out in Annex 2 to protect the confidentiality, integrity, and accuracy of Personal Data.

    b.   Netenrich shall ensure that its personnel who have access to Personal Data are subject to a duty of confidentiality with respect to the Personal Data.

    c.   Security Incidents.

      1. If Netenrich becomes aware of any actual or reasonably suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data (each a “Security Incident”), Netenrich shall, without undue delay and in any event, within 24 hours of becoming aware, notify Customer of the Security Incident, providing reasonably relevant known or suspected details of the incident.

      2. Netenrich shall take all reasonable steps consistent with good industry practices to remediate the Security Incident and mitigate its impact and to identify and remediate its cause(s).

      3. Netenrich shall provide any assistance reasonably requested or required by Customer to comply with Customer’s obligations under Data Protection Regulations including to notify regulatory authorities and/or Data Subjects impacted by a Security Incident.

  • 4. Assistance and Cooperation

    a.   For the term of the Agreement and taking into account the nature of the Processing, Netenrich shall provide Customer with the ability to correct, delete, or block Processing of Personal Data, or, upon Customer’s Instructions, make such corrections, deletions, or blockages on Customer’s behalf.

    b.   Netenrich shall provide reasonable assistance to Customer with respect to (a) requests from Data Subjects exercising their rights to access, rectify, erase or object to processing of Personal Data pursuant to Data Protection Regulations; and (b) privacy (including transfer) impact assessments carried out by Customer. Netenrich reserves the right to charge a fee to Customer, consistent with Data Protection Regulations, for complying with a request for assistance requiring significant effort and/or resources.

    c.   Netenrich shall allow for and contribute to reasonable and customary remote documentary review audits (including reasonable interviews of relevant Netenrich management) by Customer, or a third party designated by Customer, in each case, as reasonably requested and required to demonstrate Netenrich’s compliance with this DPA, at Customer’s expense and with reasonable prior notice to Netenrich and, except where required by a data protection authority or in response to a Security Incident, no more than once per calendar year. All audits, and any findings or reports resulting from any audit, will be subject to the confidentiality obligations set forth in the Agreement.

    d.   Netenrich shall promptly notify Customer if, in Netenrich’s reasonable opinion, any Instructions violate Data Protection Regulations.

  • 5. Sub-processors

    a.   Netenrich may engage Netenrich Affiliates and other third parties as Sub-Processors to provide services subject to this DPA. A list of Netenrich’s Sub-processors as of the initial effective date of this DPA is provided in Annex 3.

    b.   Netenrich shall permit Sub-Processors to Process Personal Data only as necessary to perform the services Netenrich has engaged them to provide to Netenrich and shall prohibit Sub-Processors from Processing Personal Data for any other purpose.

    c.   Prior to making any Personal Data available to a Sub-Processor, Netenrich or a Netenrich Affiliate shall have entered into a written agreement with the Sub-Processor containing data protection obligations substantially as protective of Personal Data as those in this DPA.

    d.   Netenrich shall notify Customer of each intended additional or replacement Sub-Processor at least thirty (30) days prior to such addition or replacement (the “Sub-Processor Notice Period”) during which period Customer may object by notice to Netenrich to the use of the Sub-Processor in which case the parties shall promptly negotiate in good faith to reach a mutually acceptable resolution. If the parties are unable to reach a mutually acceptable resolution within a reasonable period following the objection (not to exceed 15 days, or as extended by mutual agreement), Customer may terminate the Services or specific feature of the Services that cannot reasonably be provided by Netenrich without the use of the objected-to Sub-Processor.

    e.   Netenrich shall remain at all times responsible to Customer for the Sub-Processors’ compliance with this DPA.

  • 6. Cross-border Data Transfer

    a.   To the extent any Personal Data subject to the GDPR, the UK GDPR, or the FADP is Processed by Netenrich outside the European Economic Area or a country deemed adequate by the European Commission, such Personal Data will be transferred and Processed in accordance with Sections 6.b–6.d below.

    b.   Where a transfer of Personal Data is subject to the GDPR or the FADP, the SCCs will apply. The SCCs are hereby incorporated by reference into this DPA and completed as follows:

      1. The text of module 2 (Controller to Processor) will apply where Customer is the Controller, and Netenrich is the Processor. The text of module 3 (Processor to Processor) will apply where Customer is the Processor, and Netenrich is the Sub-Processor;
      2. The optional docking clause of clause 7 will apply;
      3. In clause 9(a), option 2 will apply. The time period for providing advance notice of any intended changes to the list of Sub-Processors will be thirty (30) days;
      4. In clause 11(a), the optional language will not apply;
      5. In clause 17, option 1 will apply, and the SCCs will be governed by the laws of Ireland;
      6. In clause 18(b), any dispute arising from the SCCs will be resolved by the courts of Ireland; and
      7. The information required by Annex I and Annex II of the SCCs is as set out in Annex 1 and Annex 2 of this DPA, respectively.

    c.   Where a transfer of Personal Data is subject to the UK GDPR, the SCCs will apply, as amended by the UK Addendum to the SCCs issued by the Information Commissioner’s Office under s.119A(1) of the UK Data Protection Act 2018 and attached hereto as Annex 4.

    d.   Where a transfer of Personal Data is subject to the FADP, in addition to the provisions of Section 6.b above, the terms set forth on Annex 5 will apply.

    e.   To the extent any provision of this DPA contradicts or is inconsistent with the terms of the SCCs with respect to the transferred Personal Data or otherwise, the terms of the SCCs will prevail and the inconsistent provision of this DPA will be deemed amended accordingly.

    f.   If, at any time:

      1. the laws or regulatory procedures of any jurisdiction require any further steps to be taken in order to permit the transfer of Personal Data as contemplated under this DPA (including, without limitation, executing or re-executing the SCCs as a separate document setting out the proposed transfers of Personal Data, and entering into additional cross-border transfer clauses); and/or

      2. the transfer mechanisms in this Section 6 are amended, replaced or repealed under Data Protection Regulations;

      3. declared invalid by a court of competent jurisdiction; or

      4. otherwise terminated, annulled, replaced or repealed under Data Protection Regulations;
        then the parties shall work together to take all steps reasonably required and negotiate in good faith any other solution to enable a transfer in compliance with Data Protection Regulations.

  • 7. California Consumer Privacy Act

    To the extent the CCPA applies to the Processing of Personal Data, the parties acknowledge and agree that Customer has engaged Netenrich as a service provider and Netenrich shall comply with the obligations of a service provider under the CCPA with respect to Netenrich’s Processing of Personal Data and Netenrich shall notify Customer within the 5 days following the date on which Customer determines that Netenrich can no longer meet its obligations under the CCPA and/or this DPA. Netenrich shall provide the same level of privacy protection for Personal Data as is required of a “business” under the CCPA and shall cooperate with Customer in responding to and complying with consumer requests made pursuant to the CCPA.  Netenrich authorizes Customer to take reasonable and appropriate steps to stop and remediate Netenrich’s unauthorized use of Personal Data. Netenrich shall not, and shall ensure that any third party to which Netenrich provides access to Personal Data for Processing does not:

      1. Sell or share Personal Data as “sell” and “share” are defined in the CCPA; or

      2. Retain, use or disclose Personal Data:

        1. for any purpose other than for the purposes described under the “nature and purposes of processing” in Annex 1 (the “Business Purpose”) and in accordance with the Agreement and the Instructions;
        2. for (x) any commercial purpose other than the Business Purpose or (y) for the benefit of any third party outside the Agreement; or
        3. outside the direct business relationship between Customer and Netenrich.

    For purposes of this Section 7, the terms “business”, “consumer”, “service provider”, “commercial purposes”, “sell”, and “share” have the definitions ascribed to them in the CCPA.

  • 8. Third Party Request for Access

    Unless prohibited by applicable law, Netenrich shall promptly inform Customer of any request, correspondence, inquiry, or complaint received by Netenrich from a Data Subject, regulatory authority, or other third party in connection with Netenrich’s Processing of Personal Data. Netenrich shall not directly respond to such requests without Customer’s prior consent except where legally required.

  • 9. Limitation of Liability

    The liability of each party and its respective Affiliates arising out of or related to this DPA and the Agreement will not, when taken together in the aggregate, exceed the limitation of liability set forth in the Agreement.

  • 10. Customer Responsibilities and Undertakings

    Customer warrants that the Personal Data have been collected, Processed, and transferred by Customer in accordance with the laws applicable to Customer, including Data Protection Regulations, as applicable and Customer is solely responsible for the accuracy, quality, and such legal compliance relating to the Personal Data as and when made available to Netenrich for Processing under this DPA. Customer acknowledges that Netenrich has no control over the nature, scope, or origin of, or the means by which Customer acquires the Personal Data. Without limiting Netenrich’s obligations under this DPA, Customer retains responsibility for responding to any Data Subject requests or inquiries regarding the Personal Data. Customer shall not use the Services to Process any sensitive or special categories of Personal Data where such Processing would impose on Netenrich any data security or data protection obligations that differ from or are in addition to those set out in the Agreement and this DPA.

  • 11. Miscellaneous

    a.   If any provision in this DPA is found to be ineffective or void, it will not affect the remaining provisions. The parties shall endeavor in good faith to replace the ineffective or void provision with a lawful provision that reflects the business purpose of the ineffective or void provision. The parties shall similarly add necessary and appropriate provisions where such provisions are missing.

    b.   The governing law of this DPA will be the same as the governing law identified in 6.b.vi of this DPA.

    c.   This DPA prevails over any additional, conflicting, or inconsistent terms and conditions appearing in the Agreement and/or any document submitted by either party regarding the Processing of Personal Data.

    d.   This DPA will become effective upon the parties’ execution of the Agreement (the “DPA Effective Date”) and will remain in effect for so long as Netenrich has in its possession or otherwise Processes Personal Data.

    e.   This DPA may not be modified except in a writing executed by the parties or otherwise in accordance with its terms.

  • ANNEX 1: Details of Data Processing

    A. LIST OF PARTIES
    Data exporter:

    Name: Customer’s entity name as identified in the Agreement

    • Address: Customer’s address as specified in the Agreement
    • Contact person’s name, position and contact details: Customer’s contact details as specified in the Agreement
    • Activities relevant to the data transferred under these Clauses: Receipt of the Services
    • Signature and date: The SCCs will be deemed executed and entered into by Customer as of the DPA Effective Date.
    • Role: The data exporter’s role will be Controller or Processor as specified in Section 2.a of the DPA.
    Data importer:

    Name: Netenrich’s entity name as identified in the Agreement

    • Address: Netenrich’s address as specified in the Agreement
    • Contact person’s name, position and contact details: Netenrich’s contact details as specified in the Agreement
    • Activities relevant to the data transferred under these Clauses: Provision of the Services
    • Signature and date: The SCCs will be deemed executed and entered into by Netenrich as of the DPA Effective Date.
    • Role: The data importer’s role will be Processor as specified in Section 2.a of the DPA.
     
    B. DESCRIPTION OF TRANSFER
    Categories of Data Subjects

    Employees, contractors, agents, advisors and users authorized by Data Exporter to use the Services.

    Employees, contractors, agents and advisors of Data Exporter’s customers, prospects, business partners and vendors.

    Categories of Personal Data
    Types of Personal Data Processed will include email addresses, IP addresses and other Personal Data within network data that is relevant to monitoring IT infrastructure and network security.

    Special Categories of Data
    The Personal Data does not include special categories of Personal Data.

    Duration and Frequency of the Processing
    Processing will take place on a continuous basis so long as Netenrich continues to provide the Services to Customer in accordance with the Agreement.

    Nature and Purpose of the Processing
    Personal Data is Processed for the purpose of providing the Services as set out in the Agreement.

    Personal Data Retention Period
    Personal Data will be retained by Netenrich for the duration of the Agreement.

    Sub-Processors
    A list of Netenrich’s current Sub-processors can be found in Annex 3.

     

    C. COMPETENT SUPERVISORY AUTHORITY

    The competent supervisory authority will be as determined by the GDPR except insofar as the data transfer is subject to the FADP, in which case the competent supervisory authority will be the Federal Data Protection and Information Commissioner of Switzerland.

  • ANNEX 2: Summary of Technical and Organizational Measures

    PRODUCT SECURITY
    Data Classification and Handling

    All customer device data provided to Resolution Intelligence Cloud is classified according to sensitivity. Data classified as customer-sensitive includes essential device identification information such as hostname/IP address, Operational Telemetry, Security Telemetry, as well as the health and performance metric data associated with each resource. Customer-confidential data includes resource metadata (such as operating system versions, SNMP community strings, API passwords, etc.), ActOns™ data, network flow data, and any personally identifiable information about customer’s accountholders.

    Network Transport Protections

    Access to the Resolution Intelligence Cloud platform, whether via a web browser, Resolution Intelligence Cloud APIs, or a Resolution Intelligence Cloud Collector, is conducted over HTTPS using Transport Layer Security (TLS) encryption. TLS is a cryptographic protocol that is designed to protect against eavesdropping, tampering, and message forgery. The Resolution Intelligence Cloud platform supports the most up-to-date versions of the protocol (TLS 1.2 and TLS 1.3), long encryption keys (2048-bit or above), and complex ciphers.

    End-User Authentication

    User accounts are authenticated to the Resolution Intelligence Cloud platform either using Netenrich’s in-built authentication system (Auth0) along with MFA or via Federated authentication that supports various Identity Providers (ADFS, Okta, etc.). The Netenrich authentication system does not store passwords in cleartext. Passwords are encrypted, hashed and salted using bcrypt.

    Resolution Intelligence Cloud platform uses two-factor authentication, bot detection, suspicious IP throttling, brute force protection, and breached password detection.

    Role-Based Authorization

    Once authenticated, end-user access is controlled by a role-based access control (RBAC) system. Alternately, roles can be deployed to limit individuals’ access to modify monitoring alert rules or configurations. Roles may be applied such that they control access to an individual account and its associated API tokens.

    Secure Alert Transmission

    Resolution Intelligence Cloud supports ingestion of alerts into the platform using webhooks. The ingestion endpoints are exposed over an HTTPS channel and are protected with customer-specific JWT tokens. The platform also has polling-based integrations for alert ingestion, which likewise support only secure channels.

    Testing

    Netenrich maintains a security defect testing regimen that includes automated static code analysis and manual source code analysis. Any security defects discovered are escalated to Netenrich’s development team for highest priority remediation.

    Netenrich conducts annual penetration testing to validate the defensive security measures taken within Netenrich’s software development lifecycle.

    Shared Security Responsibilities

    The Resolution Intelligence Cloud platform provides security controls designed to be managed by customer account administrators to enable them to help ensure the security and integrity of their account. These include certain end-user authentication measures configurable by the customer account administrators, such as use of either standard authentication or SAML, provisioning unique accounts for each end-user, use of two-factor authentication, assignment of end-user roles based on the principle of least privilege, and restriction of administrator access to as few individuals as possible.

     

    OPERATIONAL SECURITY
    Platform Architecture

    Resolution Intelligence Cloud uses multi-tenancy architecture, by which each customer account is created as an independent entity. Each customer account is logically separated from every other account.

    Vulnerability Management

    Each application server runs intrusion detection software, which scans for system vulnerabilities from within the production network. Vulnerability scans are conducted on an ongoing basis with commercial tools using both “internal” and “external” perspectives. Any detected vulnerabilities are evaluated for risk and prioritized for remediation accordingly.

    Incident Management

    Netenrich has a formal incident management process for security events that may affect the confidentiality, integrity, or availability of its systems or data. This process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. Following remediation, incidents undergo post-mortem investigations as necessary to determine the root cause for single events, trends spanning multiple events over time, and to develop new strategies to help prevent recurrence of similar incidents.

     

    ORGANIZATIONAL SECURITY
    Personnel Security

    Netenrich employees are required to conduct themselves in a manner consistent with the company’s policies regarding confidentiality, business ethics, and professional standards. Netenrich conducts pre-hire reference and background checks, to the extent permitted by local labor laws and regulations. Upon acceptance of employment at Netenrich, all employees are required to execute a confidentiality agreement and must acknowledge receipt of and compliance with policies in Netenrich’s Employee Handbook, including those relating to security. As part of new-hire orientation, employees receive baseline security training, with additional training provided based on an individual’s role.

    Authentication Controls

    Netenrich requires the use of a unique User ID for each of its employees, which is used to identify each person’s activity on Netenrich’s corporate network. All Netenrich business systems are configured such that they are accessible only by this unique account.

    Access to any systems that contain customer data requires authentication via a centrally managed Single Sign-On (SSO) service. Netenrich’s SSO system enforces the use of strong password policies, including password expiration, restrictions on password reuse, and minimum password strength. Two-factor authentication is enforced to further protect against unauthorized access.

    Upon hire, each employee is assigned an account by Netenrich’s People Operations unit and is granted the minimum privileges required by their role as described below. At the end of an individual’s employment with Netenrich, a policy-based workflow ensures that account access is disabled.

    Access and Authorization Controls

    Access rights and levels are based on an employee’s job function and role, using the concepts of least privilege and need-to-know to match access privileges to defined responsibilities. Netenrich employees are granted only a limited set of default permissions to access common corporate resources. Requests for additional access follow a formal process that involves a request and approval from a data or system owner, manager, or other executives. Approvals are managed by workflow tools that maintain auditable records of all changes.

    Accounting

    Netenrich’s policy is to log each authentication transaction and sign-on request to each business system. These logs are maintained off-site and are reviewable on an as-needed basis.

     

    THIRD-PARTY AUDIT AND COMPLIANCE

    The operation of the platform has been certified to meet the ISO/IEC 27001:2013 standard for security programs.

    Netenrich maintains an audit program using the AICPA’s Service Organization Controls (SOC) Trust Services Principles. Netenrich’s processes relating to service infrastructure, software, people, procedures, and data handling meet SSAE 18 criteria.

    We maintain a SOC 2 Type 2 report as certification in which the following areas are assessed on a regular basis:

    1. Security Management Process
    2. Security Official
    3. Workforce Security
    4. Information Access Management
    5. Security Awareness and Training
    6. Security Incident Procedures
    7. Contingency Plan
    8. Evaluation
    9. Business Associate Contracts and Other Arrangements
    10. Facility Access Controls
    11. Workstation Use
    12. Workstation Security
    13. Device and Media Controls
    14. Access Controls
    15. Report Controls
    16. Integrity
    17. Person or Entity Authentication
    18. Transmission Security
    19. Business Associate Monitoring Process
    20. Policies and Procedures
  • ANNEX 3: List of Sub-processors

    A list of Netenrich’s current Sub-processors can be found here.  As of the effective date of this DPA, the Sub-processors are, depending on the specific Services, some or all of the following:

    | Sub-processor name | Description of Processing Activities | Countries in which Personal Data are Processed |
    | --- | --- | --- |
    | Infrastructure Platforms | | |
    | Google Cloud | Cloud platform hosting certain portions of Resolution Intelligence Cloud software. | USA |
    | Google Chronicle | Chronicle product for security analysis. | USA/EU |
    | Amazon Web Services | Cloud platform hosting certain portions of Resolution Intelligence Cloud software. | USA |
    | Microsoft, Inc. | Microsoft Office 365, including Microsoft Outlook, Microsoft Teams, and Microsoft Azure. | USA |
    | Product Specific Tools | | |
    | Okta, Inc. | Auth0 product for identity management. | USA |
    | Zendesk | Zendesk product for documentation and customer support. | USA |
    | Proofpoint, Inc. | Email security services | USA |
    | Abnormal Security Corp. | Email security services | USA |
    | Sophos Ltd. | Email security services | USA |
    | Wordpress | Email security services | USA |
    | Pendo | Product and user experience analysis | USA |
    | Cloudflare, Inc. | Content delivery network | USA |
    | Carbon Black, Inc. | Cloud-native endpoint security software | USA |
  • ANNEX 4: UK Addendum to the EU Commission Standard Contractual Clauses

    I. Part 1: Tables

    Table 1: Parties
    Start Date: DPA Effective Date as defined in Section 11.d of the DPA

    | The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
    | --- | --- | --- |
    | Parties' Details | Full legal name: See Annex 1; Trading name (if different): See Annex 1; Main address (if a company registered address): See Annex 1 | Full legal name: See Annex 1; Trading name (if different): See Annex 1; Main address (if a company registered address): See Annex 1 |
    | Key Contact | Full name: See Annex 1; Job Title: See Annex 1; Contact details including email: See Annex 1 | Full name: See Annex 1; Job Title: See Annex 1; Contact details including email: See Annex 1 |
    | Signature (if required for the purposes of Section 2) | This UK addendum shall be deemed executed and entered into by Customer as of the DPA Effective Date. | This UK addendum shall be deemed executed and entered into by Customer as of the DPA Effective Date. |

     

    Table 2: Selected SCCs, Modules and Selected Clauses
    Addendum EU SCCs: The version of the Approved EU SCCs to which this Addendum is appended is as described in Section 6.b of this DPA.

     

    Table 3: Appendix Information

    “Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this UK Addendum is set out in Annexes 1-3 of this DPA.

    Table 4: Ending this Addendum when the Approved Addendum Changes
    Which Parties may end this Addendum as set out in Section 19 of the Mandatory Clauses referenced in Part 2 below:
      Importer
      Exporter
      Neither Party

     

    II. Part 2: Mandatory Clauses

    Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 28 January 2022, as it is revised under Section 18 of those Mandatory Clauses.

© 2025 Copyright - All Rights Reserved by Netenrich
