We are writing to place on record our appreciation for the manner in which our recent claim was handled by your firm and its associates.
THE PROCESSING OF PERSONAL DATA: AGREEMENT
(GDPR and EU Standard Contractual Clauses)
This Agreement is made between:
You (including Your Authorised Affiliates) as Customer and as Controller of Personal Data
Us as Processor of Personal Data
for Your purchase from Continuity Coach Pty. Ltd. of Our online products and services (including any associated offline or mobile components), (the Services), and constitutes the Parties’ agreement with regard to the use of Our Website and the Processing of Personal Data.
All capitalised terms shall have the meanings set out within this Agreement.
In consideration of the mutual obligations set out below, the Parties hereby agree to the terms and conditions of this Agreement.
You enter into the Agreement on behalf of Yourself and, to the extent required under applicable Data Protection Laws and Regulations (including Applicable Laws as defined herein), in the name and on behalf of Your Authorized Affiliates, if and to the extent We process Personal Data for which such Authorized Affiliates qualify as Controller. For the purposes of this Agreement only, unless indicated otherwise, the term “Customer” shall include Customer and Authorized Affiliates.
The Parties acknowledge and agree, as regards the use of Our Website and Processing of Personal Data, to comply with the following provisions regarding Personal Data, and act reasonably and in good faith:
- Your Processing of Personal DataIn using Our Services and Website, You will Process Personal Data in accordance with the requirements of all relevant Data Protection Laws and Regulations and all Applicable Laws. That is, Your instructions for Processing of Personal Data shall comply with all such Laws and Regulations. You have sole responsibility for the accuracy, quality and legality (including obtaining all relevant consents) of Personal Data and the method You acquired Personal Data.
- Our Processing of Personal DataIn providing the Services to You under this Agreement, We may Process Personal Data on Your behalf. We shall treat Your Personal Data as confidential information and only Process Personal Data on Your behalf to allow You to assess and manage Your risks and in accordance with instructions You provide in writing to Us and/or by Your access and/or use of Our Services as agreed with Us. We do not engage sub-processors to undertake any of Our processing operations under this Agreement.
- Details of the ProcessingThe subject matter of Processing of Personal Data by Us in performing the Services under this Agreement, as well as the duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this Agreement are specified in Schedule 1 (Details of the Processing of Your Personal Data) of this Agreement.
- Data Subject RequestTo the extent legally permitted, We shall promptly notify You if We receive a request from a Data Subject to exercise its right of access, right to rectification, restriction of Processing, right of erasure (that is, to be forgotten), data portability, object to Processing, or right not to be subject to automated individual decision making (“Data Subject Request”). Taking into account the nature of the Processing, We shall assist You with appropriate technical and organisational measures, as far as possible, to fulfil Your obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. Also, to the extent that You, in using the Services, are unable to address a Data Subject Request, We shall on Your request, provide commercially reasonable efforts to assist You in responding to such Data Subject Request, to the extent We are legally permitted, and the response to such Data Subject Request is required under Data Protection Laws and Regulations. You are responsible for any costs of Our provision of such assistance to the extent legally permitted.
- ConfidentialityWe shall ensure that Our personnel engaged in Processing of Personal Data are informed of the confidential nature of that Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. We shall also ensure such confidentiality obligations survive termination of Our relevant personnel’s engagement.
- ReliabilityWe shall take commercially reasonable steps to ensure the reliability of Our personnel engaged in Processing of Personal Data.
- Limitation of AccessWe shall ensure Our access to Personal Data is limited to the personnel requiring such access to perform their duties under this Agreement.
- Data Protection OfficerOur data protection officer, appointed under the Data Protection Laws and Regulations, may be reached at email: DPO@LMIGroup.com
- Security: controls for protection of Personal DataWe maintain physical, administrative and technical safeguards designed to protect the security (such as protection against: unauthorised or unlawful Processing accidental or unlawful destruction, loss or alteration or damage, unauthorised access or disclosure of Customer Data), as well as confidentiality and integrity of Customer Data, including Personal Data, in accordance with Schedule 2 (Standard Contractual Clauses). During the term of this Agreement, We will not materially decrease the overall security of the Services.
- Security: breach management and notificationWe maintain security incident management policies and procedures. We shall notify You without undue delay, after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorised access or disclosure of, Customer Data, including Personal Data, stored, transmitted or otherwise Processed by Us, of which We become aware (“Customer Data Incident”). We shall undertake reasonable endeavours to identify the cause of any Customer Data Incident and take such steps as We deem reasonable and necessary to remediate that cause (to the extent the remediation is within Our reasonable control). Our obligations shall not apply to incidents caused by You or Your Users.
- Return and Deletion of Customer DataTo the extent legally permitted, We shall return (where applicable) and delete all Customer Data within twelve (12) months from the expiry date of Our agreement with You or in accordance with any other timeframe and procedures which may be agreed with You.
- Additional Terms for Standard Contractual Clauses (SCC) Services
- Customers covered by the Standard Contractual Clauses (SCC)The SCC and the additional terms set out in this Clause (a) apply to: (i) the legal entity that has entered into the SCC as a data exporter and its Authorized Affiliates and, (ii) all Affiliates of Customer established within the European Economic Area, Switzerland and the United Kingdom, which have agreed to the SCC Services. For the purposes of the SCC and this Clause the above entities are deemed “data exporters”.
- InstructionsThis Agreement constitutes the Customer’s complete and final instructions at the time of entering the Agreement with Us for Processing Personal Data. Any other instructions must be agreed separately. For the purposes of Clause 5(a) of the SCC the following is deemed an instruction by the Customer to process Personal Data: (a) Processing pursuant to the Agreement; (b) Processing initiated by Users in using the SCC Services and (c) Processing to comply with other reasonable instructions provided by Customer (such as via email) which are consistent with the terms of the Agreement.
- Audits and CertificationsThe Parties agree that the audits described in Clause 5(f) and Clause 11(2) of the SCC shall be carried out in accordance with the following provisions: Upon the Customer’s request, and subject to the confidentiality obligations in the Agreement, We shall make available to Customer (or Customer’s independent, third-party auditor that is not a competitor of Ours and has signed a nondisclosure agreement reasonably acceptable to Us) information regarding Our compliance with the obligations under this Agreement. Following any notice by Us to the Customer of an actual or reasonably suspected unauthorised disclosure of Personal Data, upon Customer’s reasonable belief that We are in breach of Our obligations of protection of Personal Data under this Agreement or if such audit is required by the Customer’s Supervisory Authority, the Customer may contact Us via email: DPO@LMIGroup.com to request an audit at Our premises of the procedures relevant to the protection of Personal Data. Any such request shall occur no more than once annually, save for any actual or reasonably suspected unauthorised access to Personal Data. Customer shall reimburse Us for any time expended for such on-site audit at Our then-current professional services rates, which shall be provided to Customer on request. Before commencement of any such on-site audit, We and Customer shall mutually agree upon the audit’s scope, timing, and duration as well as reimbursement rate for which Customer shall be responsible. Reimbursement rates shall be reasonable, taking account of the resources expended by Us. Customer shall promptly notify Us with information regarding any non-compliance discovered in the course of an audit.
- Certification of DeletionThe Parties agree that the certification of deletion of Personal Data as described in Clause 11(1) of the SCC shall be provided by Us to Customer only upon Customer’s request.
- ConflictIn the event of any conflict or inconsistency between this Agreement and any of its Schedules (not including the SCC) and the SCC in Schedule 2 (refer above LINK), the SCC shall prevail.
- DefinitionsIn this Agreement, the following terms shall have the meanings set out below and similar terms shall be construed accordingly.Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.Applicable Laws means (a) European Union or member state laws with respect to Personal Data which is subject to EU Data Protection Laws; and (b) any other applicable law with respect to Personal Data which is subject to any other Data Protection Laws.Authorized Affiliate means any of Customer’s Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Customer and Us, but has not signed an agreement with Us and is not a “Customer” as defined in the Agreement.
Continuity Coach Pty. Ltd. means Us as the Processor of Personal Data under this Agreement.
Controller means the entity which determines the purposes and means of Processing of Personal Data.
Customer Data means what is defined in the Agreement as Customer Data or Your Data.
Data Protection Laws and Regulations means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, applicable to the Processing of Personal Data under this Agreement.
Data Subject means the individual to whom Personal Data relates.
GDPR means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Parties means You and Us.
Personal Data means any information relating to (a) an identified or identifiable natural person and (b) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (a) or (b), such data is Customer Data.
Processing means any operation or set of operations which is performed upon Personal Data, whether by automatic means or otherwise, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Processor means the entity which Processes Personal Data on behalf of the Controller.
Standard Contractual Clauses and SCC means the contractual clauses set out in Schedule 2 which are entered into by Customer and Us pursuant to the European Commission’s decision of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
Supervisory Authority means an independent public authority which is established by an EU member state pursuant to the GDPR.
We, Us, Our means Continuity Coach Pty. Ltd.
You, Your, Yours means the Customer and Controller and includes Your Users, related entities and Authorised Affiliate(s).
The terms “commission” and “member state” shall have the same meaning as in the GDPR, and their like terms shall be construed accordingly.
- Legal EffectThis Agreement shall only become legally binding between the Parties when You have carefully considered and accepted all its provisions and You have provided your consent and acceptance via Continuity Coach Pty. Ltd.’s online registration process.As Processor, Continuity Coach Pty. Ltd. confirms that this Agreement commences upon the due and proper completion of Your online registration.
List of Schedules/Appendices
Schedule 1: Details of the Processing of Your Personal Data
Schedule 2: Standard Contractual Clauses
Appendix 1 to the Standard Contractual Clauses
Appendix 2 to the Standard Contractual Clauses
SCHEDULE 1 – DETAILS OF THE PROCESSING OF YOUR PERSONAL DATA
Nature and Purpose of Processing
Continuity Coach Pty Ltd (We/Us) will process Personal Data as necessary to perform the Services pursuant to this Agreement and as instructed by You, including the provision to You of Our online storage vault which enables You to:
- Input, record and manage Your data in a private and secure online environment.
- Enter details including Personal Data of Your employees and third parties for retrieval and use as and when You require, such as Your assignment of specific tasks to employees, the management and mitigation of Your business risks.
- Access Your own safe online environment for other purposes without the need to input Personal Data if required.
Duration of Processing
We will Process Personal Data for the duration of this Agreement, unless otherwise agreed with You in writing.
Categories of Data Subjects
You may submit Personal Data to Us (as determined and controlled by You in Your sole discretion) which may include (but is not limited to) Personal Data relating to the following categories of data subjects:
- You, Your business partners, vendors and subcontractors (who are natural persons);
- Employees or contact persons of Your customers, business partners, vendors and subcontractors;
- Employees, agents, advisors and contractors of Yours (who are natural persons); and
- Your Users, as authorized by You to use the Services.
Type of Personal Data
You may submit Personal Data to Us (as determined and controlled by You in Your sole discretion) which may include (but is not limited to) the following categories of Personal Data:
- First and Last name
- Contact information (company, email, phone, physical business address)
SCHEDULE 2 – STANDARD CONTRACTUAL CLAUSES
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
You, as Controller and Customer pursuant to the Agreement with Us and as fully identified by You on entering this Agreement via the details of Your online Registration
(the data exporter)
(the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
DefinitionsFor the purposes of the Clauses:
- ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
- ‘the data exporter’ means the controller who transfers the personal data;
- ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
- ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
- ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transferThe details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
- The data subject can enforce against the data exporter this Clause, Clause 4(b) to (h), Clause 5(a) to (e), and (g), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 11 as third-party beneficiary.
- The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 11, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporterThe data exporter agrees and warrants:
- that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
- that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
- that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2;
- that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
- that it will ensure compliance with the security measures;
- that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
- to forward any notification received from the data importer pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
- to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, unless the Clauses contain commercial information, in which case it may remove such commercial information; and
- that it will ensure compliance with Clause 4(a) to (h).
Obligations of the data importerThe data importer agrees and warrants:
- to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
- that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
- that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
- that it will promptly notify the data exporter about:
- any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
- any accidental or unauthorised access, and
- any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
- to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
- at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
- to make available to the data subject upon request a copy of the Clauses, unless the Clauses contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter.
- The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 by any party is entitled to receive compensation from the data exporter for the damage suffered.
- If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer of any of their obligations referred to in Clause 3, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
Mediation and jurisdiction
- The data importer agrees that if the data subject invokes against its third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
- to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
- to refer the dispute to the courts in the Member State in which the data exporter is established.
- The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
- The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
- The parties agree that the supervisory authority has the right to conduct an audit of the data importer which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
- The data importer shall promptly inform the data exporter about the existence of legislation applicable to it preventing the conduct of an audit of the data importer pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
Governing LawThe Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contractThe parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Obligation after the termination of personal data processing services
- The parties agree that on the termination of the provision of data processing services, the data importer shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
- The data importer warrants that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
These Contractual Clauses shall only become legally binding between the parties when the data exporter has carefully considered and accepted them and has provided its consent and acceptance via Continuity Coach Pty. Ltd.’s online registration process.
As the data importer, Continuity Coach Pty. Ltd. confirms its acceptance of the Contractual Clauses upon the data exporter’s due and proper completion of the online registration.
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and entered into by the parties via the data importer’s (Continuity Coach Pty. Ltd.’s) online registration process.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter will access the data importer’s online storage vault service for any (or all) of the following purposes:
- Input, record and manage its data in a private and secure online environment.
- Enter details including personal data of its employees and third parties for retrieval and use as and when required, such as the assignment of specific tasks to employees, the management and mitigation of its business risks.
- Access its own safe online environment for other purposes without the need to input personal data if required.
The data importer (Continuity Coach Pty. Ltd.) is a provider of the abovementioned online storage vault service which processes personal data upon the instruction of the data exporter in accordance with the terms of the parties’ Agreement.
The personal data transferred concern the following categories of data subjects:
At the data exporter’s sole discretion and may include (but not limited to) Personal Data relating to:
- Prospects, customers, business partners, vendors and subcontractors of the data exporter (who are natural persons)
- Employees or contact persons of the data exporter’s customers, business partners, vendors and subcontractors
- Employees, agents, advisors, freelancers of the data exporter (who are natural persons), and their family members
- The data exporter’s Users authorised by the data exporter to use the Services
Categories of data
The personal data transferred concern the following categories of data: The data exporter may submit Personal Data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include (but not limited to) the following categories of Personal Data:
- First and last name
- Contact information (company, email, phone, physical business address)
- Localisation data
The personal data transferred will be subject to the following basic processing activities:
The objective of Processing of Personal Data by data importer is the performance of the SCC Services pursuant to the Agreement.
The provisions of this Appendix 1 shall only become legally binding between the parties when the data exporter has carefully considered and accepted them and has provided its consent and acceptance via Continuity Coach Pty. Ltd.’s online registration process.
As the data importer, Continuity Coach Pty. Ltd. confirms its acceptance of the provisions of this Appendix 1 upon the data exporter’s due and proper completion of the online registration.
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and entered into by the parties via the data importer’s (Continuity Coach Pty. Ltd.’s) online registration process.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
- General Controls. Continuity Coach Pty. Ltd. shall implement measures designed to:
- deny unauthorised persons access to data-processing equipment used for processing Personal Data (equipment access control);
- prevent the unauthorised reading, copying, modification or removal of data media containing Personal Data (data media control);
- prevent the unauthorised input of Personal Data and the unauthorised inspection, modification or deletion of stored Personal Data (storage control);
- prevent the use of automated data-processing systems by unauthorised persons using data communication equipment used to process Personal Data (user control);
- ensure that persons authorised to use an automated data-processing system only have access to the Personal Data covered by their access authorisation (data access control);
- ensure that it is possible to verify which individuals Personal Data have been or may be transmitted or made available using data communication equipment (communication control);
- ensure that the functions of the system used to process Personal Data perform, that the appearance of faults in the functions is reported (reliability) and to prevent stored Personal Data from corruption by means of a malfunctioning of the system (integrity).
- Personnel. Continuity Coach Pty. Ltd. shall take reasonable steps to ensure that no person shall be appointed by Continuity Coach Pty. Ltd. to process Personal Data unless that person:
- is competent and qualified to perform the specific tasks assigned to him by Continuity Coach Pty. Ltd.;
- has been authorised by Continuity Coach Pty. Ltd.; and
- has been instructed by Continuity Coach Pty. Ltd. in the requirements relevant to the performance of the obligations of Continuity Coach Pty. Ltd. under these Clauses, in particular the limited purpose of the data processing.
- Copy Control. Continuity Coach Pty. Ltd. shall not make copies of Personal Data, provided, however, that Continuity Coach Pty. Ltd. may retain copies of Personal Data provided to it for backup and archive purposes.
- Security Controls. The Service includes a variety of security controls. These controls include:
- Unique User identifiers (User IDs) to ensure that activities can be attributed to the responsible individual.
- Controls to revoke access after several consecutive failed login attempts.
- The ability to specify the lockout time period.
- Controls on the number of invalid login requests before locking out a User.
- Controls to ensure generated initial passwords must be reset on first use.
- Controls to terminate a User session after a period of inactivity.
- Password history controls to limit password reuse.
- Password length controls.
- Password complexity requirements (requires letters and numbers).
- Email verification before resetting password.
- Security Procedures, Policies and Logging. The Services are operated in accordance with the following procedures to enhance security:
- User passwords are stored using a one-way hashing algorithm (SHA-256) and are never transmitted unencrypted.
- User access log entries will be maintained, containing date, time and User ID.
- Passwords are not logged under any circumstances.
- Processor’s personnel will not set a defined password for a User. Passwords are reset to a random value (which must be changed on first use) and delivered automatically via email to the requesting User.
- Intrusion Detection. Continuity Coach Pty. Ltd., or an authorised third party (subject to the terms of these Clauses), will monitor the Services for unauthorised intrusions using network-based intrusion detection mechanisms.
- User Authentication. Access to the Services requires a valid User ID and password combination, which are encrypted via SSL while in transmission. Following a successful authentication, a random session ID is generated and stored in the user’s browser to preserve and track session state.
- Incident Management. Continuity Coach Pty. Ltd. maintains security incident management policies and procedures. Continuity Coach Pty. Ltd. will promptly notify Customer in the event Continuity Coach Pty. Ltd. becomes aware of an actual or reasonably suspected unauthorised disclosure of Personal Data.
- Viruses. The Services will not introduce any viruses to Customer’s systems; however, the Services do not scan for viruses that could be included in attachments or other Personal Data uploaded into the Services by Customer. Any such uploaded attachments will not be executed in the Services and therefore will not damage or compromise the Service.
- Data Encryption. The Services use industry-accepted encryption products to protect Customer Data and communications during transmissions between a customer’s network and the Services, including 128-bit TLS Certificates and 2048-bit RSA public keys at a minimum. Additionally, Customer Data is encrypted during transmission between data centres for replication purposes.
- System Changes and Enhancements. Continuity Coach Pty. Ltd. plans to enhance and maintain the Services during the term of the Agreement. Security controls, procedures, policies and features may change or be added. Continuity Coach Pty. Ltd. will provide security controls that deliver a level of security protection that is not materially lower than that provided as of the Effective Date.
The provisions of this Appendix 2 shall only become legally binding between the parties when the data exporter has carefully considered and accepted them and has provided its consent and acceptance via Continuity Coach Pty. Ltd.’s online registration process.
As the data importer, Continuity Coach Pty. Ltd. confirms its acceptance of the provisions of this Appendix 2 upon the data exporter’s due and proper completion of the online registration.