DATA PROCESSING ADDENDUM
Last Modified: March 2, 2023
This Data Processing Addendum, including the annexes hereto (this “DPA”) forms a part of the Netenrich Master Subscription Agreement between Netenrich and Customer to which this addendum is attached (the “Agreement”) and sets out the parties’ agreement with respect to the Processing of Personal Data in relation to the Agreement. Terms in this DPA that are capitalized, but undefined, have the meanings given to them in the Agreement.
1. DEFINITIONS
a. “Affiliate” of a party means any entity controlling, under common control with, or controlled by the party, where “control” means ownership of more than 50% of the equity of such entity.
b. “Controller” means the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
c. “Data Protection Regulations” means the Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”), Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) (the “UK GDPR”), the Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance on the Federal Data Protection Act of 14 June 1993 (the “FADP”), and the California Consumer Privacy Act of 2018 (as amended from time to time, the “CCPA”).
d. “Instructions” mean any documented instructions given by Customer with respect to the lawful Processing of Personal Data. Instructions may include, without limitation, the correction, erasure and/or the blocking of Personal Data in the legal responsibility of the Controller and instructions delivered by Customer through user functionality in the Services.
e. “Personal Data” means information relating to an identified or identifiable natural person (a “Data Subject”) or that meets the definition of “personal information” under the CCPA and that, in either case, is Processed by Netenrich on behalf of Customer in connection with the Services.
f. “Processing” and/or "Process" mean any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
g. “Processor” means a natural or legal person, public authority, agency or other body that Processes Personal Data on behalf of the Controller.
h. “Service(s)” means the services Netenrich provides to Customer and/or, if applicable, Customer’s Affiliates, under the terms of the Agreement.
i. “Sub-Processor” means, as applicable, (i) Netenrich, when Netenrich Processes Personal Data on behalf of Customer where Customer itself is a Processor of such Personal Data, or (ii) third-party processors engaged by Netenrich pursuant to Section 5 below.
j. "SCCs” means the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
2. DATA PROCESSING
a. The parties acknowledge and agree that with respect to Personal Data, (i) Customer is the Controller and Netenrich is the Processor of Personal Data, or (ii) Customer is the Processor and Netenrich is the Sub-Processor of Personal Data.
b. Netenrich shall not Process Personal Data for any purpose other than providing the Services, fulfilling its contractual obligations under the Agreement and this DPA, and complying with Data Protection Regulations. Netenrich shall Process Personal Data only on behalf of Customer and in accordance with the Agreement, this DPA, and Customer’s Instructions.
c. As between Customer and Netenrich, all Personal Data are the property of Customer and Netenrich shall promptly, at Customer’s option, delete or return Personal Data to Customer upon request. Where Customer has not expressed a request with respect to the Personal Data, Netenrich shall delete the Personal Data within 30 days of the expiry or termination of this DPA and the Agreement.
d. Netenrich retains backups in accordance with its internal policies and procedures for business operation and security purposes that may contain Personal Data. Upon the expiry or termination of this DPA and the Agreement, to the extent that Netenrich’s backups contain Personal Data, such Personal Data (i) shall not be further Processed by Netenrich, (ii) shall be protected by Netenrich in accordance with the terms of this DPA so long as Netenrich retains such Personal Data, and (iii) shall be destroyed in accordance with Netenrich’s data retention policies.
3. DATA SECURITY
a. Netenrich has implemented, and shall maintain so long as Netenrich Processes Personal Data, the technical and organizational measures set out in Annex 2 to protect the confidentiality, integrity, and accuracy of Personal Data.
b. Netenrich shall ensure that its personnel who have access to Personal Data are subject to a duty of confidentiality with respect to the Personal Data.
c. Security Incidents.
i. If Netenrich becomes aware of any actual or reasonably suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data (each a “Security Incident”), Netenrich shall, without undue delay and, in any event, within 24 hours of becoming aware, notify Customer of the Security Incident, providing reasonably relevant known or suspected details of the incident.
ii. Netenrich shall take all reasonable steps consistent with good industry practices to remediate the Security Incident and mitigate its impact and to identify and remediate its cause(s).
iii. Netenrich shall provide any assistance reasonably requested or required by Customer to comply with Customer’s obligations under Data Protection Regulations including to notify regulatory authorities and/or Data Subjects impacted by a Security Incident.
4. ASSISTANCE AND COOPERATION
b. Netenrich shall provide reasonable assistance to Customer with respect to (a) requests from Data Subjects exercising their rights to access, rectify, erase or object to processing of Personal Data pursuant to Data Protection Regulations; and (b) privacy (including transfer) impact assessments carried out by Customer. Netenrich reserves the right to charge a fee to Customer, consistent with Data Protection Regulations, for complying with a request for assistance requiring significant effort and/or resources.
c. Netenrich shall allow for and contribute to reasonable and customary remote documentary review audits (including reasonable interviews of relevant Netenrich management) by Customer, or a third party designated by Customer, in each case, as reasonably requested and required to demonstrate Netenrich’s compliance with this DPA, at Customer’s expense and with reasonable prior notice to Netenrich and, except where required by a data protection authority or in response to a Security Incident, no more than once per calendar year. All audits, and any findings or reports resulting from any audit, will be subject to the confidentiality obligations set forth in the Agreement.
d. Netenrich shall promptly notify Customer if, in Netenrich’s reasonable opinion, any Instructions violate Data Protection Regulations.
5. SUB-PROCESSORS
a. Netenrich may engage Netenrich Affiliates and other third parties as Sub-Processors to provide services subject to this DPA. A list of Netenrich’s Sub-Processors as of the initial effective date of this DPA is provided in Annex 3.
b. Netenrich shall permit Sub-Processors to Process Personal Data only as necessary to perform the services Netenrich has engaged them to provide to Netenrich and shall prohibit Sub-Processors from Processing Personal Data for any other purpose.
c. Prior to making any Personal Data available to a Sub-Processor, Netenrich or a Netenrich Affiliate shall have entered into a written agreement with the Sub-Processor containing data protection obligations substantially as protective of Personal Data as those in this DPA.
d. Netenrich shall notify Customer of each intended additional or replacement Sub-Processor at least thirty (30) days prior to such addition or replacement (the “Sub-Processor Notice Period”) during which period Customer may object by notice to Netenrich to the use of the Sub-Processor in which case the parties shall promptly negotiate in good faith to reach a mutually acceptable resolution. If the parties are unable to reach a mutually acceptable resolution within a reasonable period following the objection (not to exceed 15 days, or as extended by mutual agreement), Customer may terminate the Services or specific feature of the Services that cannot reasonably be provided by Netenrich without the use of the objected-to Sub-Processor.
e. Netenrich shall remain at all times responsible to Customer for the Sub-Processors’ compliance with this DPA.
6. CROSS-BORDER DATA TRANSFERS
a. To the extent any Personal Data subject to the GDPR, the UK GDPR, or the FADP is Processed by Netenrich outside the European Economic Area or a country deemed adequate by the European Commission, such Personal Data will be transferred and Processed in accordance with Sections 6.b to 6.d below.
b. Where a transfer of Personal Data is subject to the GDPR or the FADP, the SCCs will apply. The SCCs are hereby incorporated by reference into this DPA and completed as follows:
i. The text of module 2 (Controller to Processor) will apply where Customer is the Controller, and Netenrich is the Processor. The text of module 3 (Processor to Processor) will apply where Customer is the Processor, and Netenrich is the Sub-Processor;
ii. The optional docking clause of clause 7 will apply;
iii. In clause 9(a), option 2 will apply. The time period for providing advance notice of any intended changes to the list of Sub-Processors will be thirty (30) days;
iv. In clause 11(a), the optional language will not apply;
v. In clause 17, option 1 will apply, and the SCCs will be governed by the laws of Ireland;
vi. In clause 18(b), any dispute arising from the SCCs will be resolved by the courts of Ireland; and
vii. The information required by Annex I and Annex II of the SCCs is as set out in Annex 1 and Annex 2 of this DPA, respectively.
c. Where a transfer of Personal Data is subject to the UK GDPR, the SCCs will apply, as amended by the UK Addendum to the SCCs issued by the Information Commissioner’s Office under s.119A(1) of the UK Data Protection Act 2018 and attached hereto as Annex 4.
d. Where a transfer of Personal Data is subject to the FADP, in addition to the provisions of Section 6.b above, the terms set forth on Annex 5 will apply.
e. To the extent any provision of this DPA contradicts or is inconsistent with the terms of the SCCs with respect to the transferred Personal Data or otherwise, the terms of the SCCs will prevail and the inconsistent provision of this DPA will be deemed amended accordingly.
f. If, at any time:
i. the laws or regulatory procedures of any jurisdiction require any further steps to be taken in order to permit the transfer of Personal Data as contemplated under this DPA (including, without limitation, executing or re-executing the SCCs as a separate document setting out the proposed transfers of Personal Data, and entering into additional cross-border transfer clauses); and/or
ii. the transfer mechanisms in this Section 6 are amended, replaced or repealed under Data Protection Regulations;
iii. the transfer mechanisms in this Section 6 are declared invalid by a court of competent jurisdiction; or
iv. otherwise terminated, annulled, replaced or repealed under Data Protection Regulations;
then the parties shall work together to take all steps reasonably required and negotiate in good faith any other solution to enable a transfer in compliance with Data Protection Regulations.
7. CALIFORNIA CONSUMER PRIVACY ACT
To the extent the CCPA applies to the Processing of Personal Data, the parties acknowledge and agree that Customer has engaged Netenrich as a service provider and Netenrich shall comply with the obligations of a service provider under the CCPA with respect to Netenrich’s Processing of Personal Data, and Netenrich shall notify Customer within five (5) days following the date on which Netenrich determines that it can no longer meet its obligations under the CCPA and/or this DPA. Netenrich shall provide the same level of privacy protection for Personal Data as is required of a “business” under the CCPA and shall cooperate with Customer in responding to and complying with consumer requests made pursuant to the CCPA. Netenrich authorizes Customer to take reasonable and appropriate steps to stop and remediate Netenrich’s unauthorized use of Personal Data. Netenrich shall not, and shall ensure that any third party to which Netenrich provides access to Personal Data for Processing does not:
b. Retain, use or disclose Personal Data:
8. THIRD PARTY REQUESTS FOR ACCESS
Unless prohibited by applicable law, Netenrich shall promptly inform Customer of any request, correspondence, inquiry, or complaint received by Netenrich from a Data Subject, regulatory authority, or other third party in connection with Netenrich’s Processing of Personal Data. Netenrich shall not directly respond to such requests without Customer’s prior consent except where legally required.
9. LIMITATION OF LIABILITY
The liability of each party and its respective Affiliates arising out of or related to this DPA and the Agreement will not, when taken together in the aggregate, exceed the limitation of liability set forth in the Agreement.
10. CUSTOMER RESPONSIBILITIES AND UNDERTAKINGS
Customer warrants that the Personal Data have been collected, Processed, and transferred by Customer in accordance with the laws applicable to Customer, including Data Protection Regulations, as applicable and Customer is solely responsible for the accuracy, quality, and such legal compliance relating to the Personal Data as and when made available to Netenrich for Processing under this DPA. Customer acknowledges that Netenrich has no control over the nature, scope, or origin of, or the means by which Customer acquires the Personal Data. Without limiting Netenrich’s obligations under this DPA, Customer retains responsibility for responding to any Data Subject requests or inquiries regarding the Personal Data. Customer shall not use the Services to Process any sensitive or special categories of Personal Data where such Processing would impose on Netenrich any data security or data protection obligations that differ from or are in addition to those set out in the Agreement and this DPA.
11. MISCELLANEOUS
a. If any provision in this DPA is found to be ineffective or void, it will not affect the remaining provisions. The parties shall endeavor in good faith to replace the ineffective or void provision with a lawful provision that reflects the business purpose of the ineffective or void provision. The parties shall similarly add necessary and appropriate provisions where such provisions are missing.
b. The governing law of this DPA will be the same as the governing law identified in Section 6.b.v of this DPA.
c. This DPA prevails over any additional, conflicting, or inconsistent terms and conditions appearing in the Agreement and/or any document submitted by either party regarding the Processing of Personal Data.
d. This DPA will become effective upon the parties’ execution of the Agreement (the “DPA Effective Date”) and will remain in effect for so long as Netenrich has in its possession or otherwise Processes Personal Data.
e. This DPA may not be modified except in a writing executed by the parties or otherwise in accordance with its terms.
ANNEX 1: DETAILS OF DATA PROCESSING
A. LIST OF PARTIES
Data exporter (Customer):
- Name: Customer’s entity name as identified in the Agreement
- Address: Customer’s address as specified in the Agreement
- Contact person’s name, position and contact details: Customer’s contact details as specified in the Agreement
- Activities relevant to the data transferred under these Clauses: Receipt of the Services
- Signature and date: The SCCs will be deemed executed and entered into by Customer as of the DPA Effective Date.
- Role: The data exporter’s role will be Controller or Processor as specified in Section 2.a of the DPA.
Data importer (Netenrich):
- Name: Netenrich, as identified in the Agreement
- Address: Netenrich’s address as specified in the Agreement
- Contact person’s name, position and contact details: Netenrich’s contact details as specified in the Agreement
- Activities relevant to the data transferred under these Clauses: Provision of the Services
- Signature and date: The SCCs will be deemed executed and entered into by Netenrich as of the DPA Effective Date.
- Role: The data importer’s role will be Processor or Sub-Processor as specified in Section 2.a of the DPA.
B. DESCRIPTION OF TRANSFER
Categories of Data Subjects
Employees, contractors, agents, advisors and users authorized by Data Exporter to use the Services.
Employees, contractors, agents and advisors of Data Exporter’s customers, prospects, business partners and vendors.
Categories of Personal Data
Types of Personal Data Processed will include email addresses, IP addresses and other Personal Data within network data that is relevant to monitoring IT infrastructure and network security.
Special Categories of Data
The Personal Data does not include special categories of Personal Data.
Duration and Frequency of the Processing
Processing will take place on a continuous basis so long as Netenrich continues to provide the Services to Customer in accordance with the Agreement.
Nature and Purpose of the Processing
Personal Data is Processed for the purpose of providing the Services as set out in the Agreement.
Personal Data Retention Period
Personal Data will be retained by Netenrich for the duration of the Agreement.
A list of Netenrich’s current Sub-processors can be found in Annex 3.
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority will be as determined by the GDPR except insofar as the data transfer is subject to the FADP, in which case the competent supervisory authority will be the Federal Data Protection and Information Commissioner of Switzerland.
ANNEX 2: SUMMARY OF TECHNICAL AND ORGANIZATIONAL MEASURES
Data Classification and Handling
All customer device data provided to Resolution Intelligence Cloud is classified according to sensitivity. Data classified as customer-sensitive includes essential device identification information such as hostname/IP address, Operational Telemetry, Security Telemetry, as well as the health and performance metric data associated with each resource. Customer-confidential data includes resource metadata (such as operating system versions, SNMP community strings, API passwords, etc.), ActOns™ data, network flow data, and any personally identifiable information about customer’s accountholders.
Network Transport Protections
Access to the Resolution Intelligence Cloud platform, whether via a web browser, Resolution Intelligence Cloud APIs, or a Resolution Intelligence Cloud Collector, is conducted over HTTPS using Transport Layer Security (TLS). TLS is a cryptographic protocol designed to protect against eavesdropping, tampering, and message forgery. The Resolution Intelligence Cloud platform supports the current versions of the protocol (TLS 1.2 and TLS 1.3), server certificate keys of 2048 bits or longer, and strong cipher suites.
User accounts are authenticated to the Resolution Intelligence Cloud platform either using Netenrich’s built-in authentication system (backed by Auth0) together with MFA, or via federated authentication that supports various identity providers (ADFS, Okta, etc.). The Netenrich authentication system does not store passwords in cleartext; passwords are salted and hashed using bcrypt, a deliberately slow, work-factor-tuned password hash, so that stored values cannot be reversed to recover the password.
The Resolution Intelligence Cloud platform uses two-factor authentication, bot detection, suspicious-IP throttling, brute-force protection, and breached-password detection.
Once authenticated, end-user access is controlled by a role-based access control (RBAC) system. In addition, roles can be deployed to limit individuals’ access to modify monitoring alert rules or configurations. Roles may be applied such that they control access to an individual account and its associated API tokens.
Secure Alert Transmission
Resolution Intelligence Cloud supports ingestion of alerts into the platform using webhooks. The ingestion endpoints are exposed over an HTTPS channel and are protected with customer-specific JWT tokens, so that a token issued to one customer cannot be used to submit alerts on behalf of another. The platform also has polling-based integrations for alert ingestion, which likewise use only secure (TLS) channels.
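As an added illustration of the webhook protection described above (this is example code written for this page, not Netenrich’s implementation), the following verifier shows what “customer-specific JWT tokens” must do on the receiving side: pin the signing algorithm server-side, look up the secret by the customer named in the token rather than trusting the request body, compare signatures in constant time, and reject expired tokens. The HS256 algorithm, the one-secret-per-customer model, the claim names and the sample tenants are all assumptions; the TLS channel itself is assumed to be terminated in front of this handler.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed sample tenants and secrets (assumption: one shared secret per customer).
CUSTOMER_SECRETS = {
    "acme": b"acme-webhook-secret-constructed",
    "globex": b"globex-webhook-secret-constructed",
}
ALLOWED_ALG = "HS256"  # assumption: HMAC-SHA256 tokens


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(customer: str, secret: bytes, ttl: int = 300, now: Optional[int] = None) -> str:
    """Issue a short-lived HS256 JWT bound to one customer (what the platform would hand out)."""
    now = int(time.time()) if now is None else int(now)
    header = b64url_encode(json.dumps({"alg": ALLOWED_ALG, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps({"sub": customer, "iat": now, "exp": now + ttl}, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the customer id for a valid token, or None on any failure."""
    now = int(time.time()) if now is None else int(now)
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm server-side: the token's own "alg" must never choose the verifier
    # (this blocks "alg":"none" and algorithm-confusion attacks).
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        return None
    if not isinstance(payload, dict):
        return None
    customer = payload.get("sub")
    secret = CUSTOMER_SECRETS.get(customer) if isinstance(customer, str) else None
    if secret is None:
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak timing information.
    if not hmac.compare_digest(signature, expected):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return customer


def handle_webhook(auth_header: str, body: bytes, now: Optional[int] = None) -> Tuple[int, str]:
    """Simulated ingestion endpoint (assumed to sit behind HTTPS): 401 unless the bearer JWT verifies."""
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer" or not token:
        return 401, "missing bearer token"
    customer = verify_token(token, now=now)
    if customer is None:
        return 401, "invalid or expired token"
    alert = json.loads(body)
    # The tenant is taken from the verified token, never from the alert body.
    return 202, f"accepted alert {alert['id']} for {customer}"


if __name__ == "__main__":
    token = mint_token("acme", CUSTOMER_SECRETS["acme"], ttl=60, now=1_000)
    print(handle_webhook(f"Bearer {token}", b'{"id": "A-1"}', now=1_010))  # accepted
    print(handle_webhook(f"Bearer {token}", b'{"id": "A-1"}', now=1_100))  # expired
```

The important design choice is that the verifier decides which key and algorithm to use from its own configuration, keyed by the `sub` claim, and only then checks the signature; a token signed with another customer’s secret, an `"alg":"none"` header, or an expired `exp` all fail closed with the same 401 response.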
Netenrich maintains a security defect testing regimen that includes automated static code analysis and manual source code analysis. Any security defects discovered are escalated to Netenrich’s development team for highest priority remediation.
Netenrich conducts annual penetration testing to validate the defensive security measures taken within Netenrich’s software development lifecycle.
Shared Security Responsibilities
The Resolution Intelligence Cloud platform provides security controls designed to be managed by customer account administrators to enable them to help ensure the security and integrity of their account. These include certain end-user authentication measures configurable by the customer account administrators, such as use of either standard authentication or SAML, provisioning unique accounts for each end-user, use of two-factor authentication, assignment of end-user roles based on the principle of least privilege, and restriction of administrator access to as few individuals as possible.
Resolution Intelligence Cloud uses a multi-tenant architecture in which each customer account is created as an independent entity. Each customer account is logically separated from every other account.
Each application server runs intrusion detection software. Separately, vulnerability scans are conducted on an ongoing basis with commercial tools from both an “internal” perspective (within the production network) and an “external” perspective. Any detected vulnerabilities are evaluated for risk and prioritized for remediation accordingly.
Netenrich has a formal incident management process for security events that may affect the confidentiality, integrity, or availability of its systems or data. This process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. Following remediation, incidents undergo post-mortem investigations as necessary to determine the root cause for single events, trends spanning multiple events over time, and to develop new strategies to help prevent recurrence of similar incidents.
Netenrich employees are required to conduct themselves in a manner consistent with the company’s policies regarding confidentiality, business ethics, and professional standards. Netenrich conducts pre-hire reference and background checks, to the extent permitted by local labor laws and regulations. Upon acceptance of employment at Netenrich, all employees are required to execute a confidentiality agreement and must acknowledge receipt of and compliance with policies in Netenrich’s Employee Handbook, including those relating to security. As part of new-hire orientation, employees receive baseline security training, with additional training provided based on an individual’s role.
Netenrich requires the use of a unique User ID for each of its employees, which is used to identify each person’s activity on Netenrich’s corporate network. All Netenrich business systems are configured such that they are accessible only by this unique account.
Access to any systems that contain customer data requires authentication via a centrally managed Single Sign-On (SSO) service. Netenrich’s SSO system enforces the use of strong password policies, including password expiration, restrictions on password reuse, and minimum password strength. Two-factor authentication is enforced to further protect against unauthorized access.
Upon hire, each employee is assigned an account by Netenrich’s People Operations unit and is granted the minimum privileges required by their role as described below. At the end of an individual’s employment with Netenrich, a policy-based workflow ensures that account access is disabled.
Access and Authorization Controls
Access rights and levels are based on an employee’s job function and role, using the concepts of least privilege and need-to-know to match access privileges to defined responsibilities. Netenrich employees are granted only a limited set of default permissions to access common corporate resources. Requests for additional access follow a formal process that involves a request and approval from a data or system owner, manager, or other executives. Approvals are managed by workflow tools that maintain auditable records of all changes.
Netenrich’s policy is to log each authentication transaction and sign-on request to each business system. These logs are maintained off-site and are reviewable on an as-needed basis.
Third-Party Audit and Compliance
The operation of the platform has been certified to meet the ISO/IEC 27001:2013 standard for security programs.
Netenrich maintains an audit program using the AICPA’s System and Organization Controls (SOC) Trust Services Criteria. Netenrich’s processes relating to service infrastructure, software, people, procedures, and data handling meet SSAE 18 criteria.
Netenrich maintains a SOC 2 Type 2 attestation report in which the following areas are assessed on a regular basis:
1. Security Management Process
2. Security Official
3. Workforce Security
4. Information Access Management
5. Security Awareness and Training
6. Security Incident Procedures
7. Contingency Plan
9. Business Associate Contracts and Other Arrangements
10. Facility Access Controls
11. Workstation Use
12. Workstation Security
13. Device and Media Controls
14. Access Controls
15. Report Controls
17. Person or Entity Authentication
18. Transmission Security
19. Business Associate Monitoring Process
20. Policies and Procedures
ANNEX 3: LIST OF SUB-PROCESSORS
A list of Netenrich’s current Sub-processors can be found here. As of the effective date of this DPA, the Sub-processors are, depending on the specific Services, some or all of the following:
ANNEX 4: UK ADDENDUM TO THE EU COMMISSION STANDARD CONTRACTUAL CLAUSES
I. Part 1: Tables
Table 1: Parties
Table 2: Selected SCCs, Modules and Selected Clauses
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this UK Addendum is set out in Annexes 1-3 of this DPA.
Table 4: Ending this Addendum when the Approved Addendum Changes
II. Part 2: Mandatory Clauses
Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 28 January 2022, as it is revised under Section 18 of those Mandatory Clauses.