1. Definitions
2. Details Of The Processing
3. Processing Of Client Personal Data
4. Confidentiality
Security Measures
5. Appointment Of Sub-Processors
6. Assistance
7. Personal Data Breaches
8. Deletion or Return of Client Personal Data
9. Information
10. Limitation of Liability
Annex A - EU Annex
Commission Decision C(2010)593
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Instabug’s Clients (the data exporter)
Instabug, Inc. (the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1 - Definitions
For the purposes of the Clauses:
Clause 2 - Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3 - Third-party beneficiary clause
Clause 4 - Obligations of the data exporter
The data exporter agrees and warrants:
Clause 5 - Obligations of the data importer
The data importer agrees and warrants:
Clause 6 - Liability
Clause 7 - Mediation and jurisdiction
Clause 8 - Cooperation with supervisory authorities
Clause 9 - Governing Law
Clause 10 - Variation of the contract
Clause 11 - Subprocessing
Clause 12 - Obligation after the termination of personal data processing services
Appendix 1 - To the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The data exporter is the entity identified as “Client” in the Addendum.
The data importer is Instabug, Inc., identified as Company in the Addendum.
The personal data transferred concern the following categories of data subjects (please specify): Data subjects are defined in Section 2.1 of the Addendum.
The personal data transferred concern the following categories of data (please specify): Categories of personal data are defined in Section 2.2 of the Addendum.
The personal data transferred concern the following special categories of data (please specify): None.
The personal data transferred will be subject to the following basic processing activities (please specify): The processing activities defined in Section 2 of the Addendum and in the Agreement.
Appendix 2 - To the Standard Contractual Clauses
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Technical and Organizational Security Measures
The data importer is committed to maintaining the privacy, confidentiality and security of the data exporter’s personal data. The data importer uses industry best practices, technology and security measures to protect any and all personal data that is transferred to it and to secure its networks, data centers and servers. The security measures adopted by the data importer (and its subcontractors) include, without limitation:
The maintenance of physical, electronic and procedural measures to safeguard the confidentiality of personal data in compliance with applicable data protection, privacy and data security laws and regulations. These include, without limitation, restricting access by the data importer’s personnel and subcontractors on a role-based, need-to-know basis, and background checks on data importer personnel;
The implementation and enforcement of corporate policies and standards relating to the protection of information and security, which are strictly enforced. Failure to adhere to these policies and the standards will result in disciplinary action, which can include dismissal;
Adopting a multi-layered approach to information security controls, which enable the data importer to protect against security breach;
Compliance with applicable laws, regulations and security standards applicable to information security;
The employment of highly trained staff who have relevant and up-to-date knowledge of data protection and data security risk management practices; and
Regular reviews and controls against compliance with the above-mentioned technical and organizational security measures.
The data importer uses Amazon Web Services (“AWS”) for processing and storing of data. Data on AWS is only accessible when the data exporter requests it. All AWS security and data privacy compliance can be reviewed at https://aws.amazon.com/compliance/programs/. The use of AWS provides the data importer with an industry-leading environment for the protection of its customers’ data.
Data processing systems shall be prevented from being used without authorization. All systems are protected by the use of personally identifiable access keys that are expired on employee change of role or departure from the organization.
Persons authorized to use a data processing system have access only to those data they are authorized to access, and that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording.
Personal data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred personal data using data transmission facilities. As the systems are located in Amazon Web Services, the data importer has no direct access to any of the physical media on which the personal data is stored. AWS compliance with physical media protection standards can be viewed at https://aws.amazon.com/compliance/programs/.
Personal data processed on behalf of a data exporter are processed strictly in compliance with the data exporter’s instructions. Data importer shall encrypt all personal data that it possesses, including electronic messages and attachments, strictly in compliance with the data exporter’s instructions.
Data must be protected against accidental destruction or loss.
Data collected for different purposes can be processed separately.
Any personnel of data importer entrusted with processing data exporter’s personal data have undertaken to comply with the principle of confidentiality in accordance with statutory law. The undertaking to confidentiality shall continue after the termination of the above-entitled activities. Prior to providing access to personal data, the data processor shall train its personnel concerning the implementation of, compliance with and enforcement of, the data processor’s security program and the handling of the personal data.
The technical and organizational security measures are subject to technical progress and development, and data importer may implement adequate alternative measures. Any material changes to technical and organizational measures must be documented. Data importer must provide data exporter with reasonable information in order to support data exporter’s reporting upon written request by the data exporter. Data importer will provide to data exporter any security assessments/certifications previously performed (and if data importer has not previously performed security assessments/certifications, it shall perform and provide such assessments/certifications at data exporter’s request).