This Data Processing Agreement between TitanHQ and the Partner is an amendment to the existing License Agreement (“License Agreement”) between the two parties and aims to clarify the data protection roles and responsibilities of both parties.
In the context of this agreement, the Partner is the Data Controller and TitanHQ is the Data Processor for all the data collected by TitanHQ from TitanHQ Software as defined and based on obligations imposed by the EU Regulation 2016/279 (GDPR).
In the Data Processing Agreement the following definitions from the GDPR Regulation will apply:
The subject matter results from the License Agreement between the two contracting parties. The duration of this Amendment corresponds to the duration of the License Agreement.
The processing of personal data by the Data Processor for the Data Controller is made for the sole purpose of ensuring network and information security for the data subjects of the Data Controller.
The processing includes all operations performed on the collected personal data, mainly by automated means such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, alignment or combination, restriction, erasure or destruction.
The data collected for the purposes includes only technical data sent automatically to the Data Processor.
The data below includes relevant technical data that could be classified as personal data, usually only in connection with other data collected. Depending on your specific product use or the service provided, some of these categories of data, or only some of this data, including but not limited to the following, may be collected by TitanHQ:
The information that TitanHQ Software could obtain through the use of data collection technology could include a device name or ID, serial number, MAC address, IP address, unique identifier for the device, logged username, EC2 instance ID, FQDN,
In the course of its operation, the TitanHQ software may send the following to the Data Processor: file name and path, registry paths, process name, source URL, abstract file signature for suspicious Portable Executable files, file parts or file hashes (only when required by the remote scanning engines), file attributes, quarantined file names and paths and other anonymized data.
The Data Processor records all URL addresses of internet traffic sent, the blocked or malicious websites, customer IP addresses, user names and company names.
Additionally, for TitanHQ customers using our email solutions, some additional technical data could be sent to us, including email sender, recipient, subject, attachments, mail-server IPs, timestamp, mailbox, mailbox path, content type, domain name.
The categories of data subjects are customers of the Data Controller.
The Data Controller instructs the Data Processor to collect all personal data specified in article 3 in order to provide the services in the License Agreement. This includes using the data for the correct and efficient operation of its services, according to the technical specifications, and for their improvement and adaptation, including analyzing reported security and product issues. This would also include delivering and customizing the related services to the needs of the Data Controller or its data subjects, and updating and developing new technologies.
The Data Controller agrees to the use of sub-processors by the Data Processor for hosting purposes. The Data Controller gives a general authorization to the Data Processor to share personal data with future Sub-Processors under the following conditions:
The Data Processor must implement appropriate technical and organizational measures to ensure standard industry security measures appropriate to the risk. In assessing the appropriate level of security, Data Processor must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects and the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. Data Processor shall take steps to ensure that any person acting under its authority who has access to personal data is bound by an enforceable contractual or statutory confidentiality obligation.
Upon prior written request by Data Controller, Data Processor agrees to cooperate and, within a reasonable time, provide Data Controller with:
(a) a summary report demonstrating Data Processor’s compliance with its obligations under this agreement, after redacting any confidential and commercially sensitive information; and
(b) confirmation that the report has not revealed any material vulnerability in Data Processor’s systems, or to the extent that any such vulnerability was detected, that Data Processor has fully remedied such vulnerability.
If the above measures are not sufficient to confirm compliance with GDPR or reveal some material issues, subject to the strictest confidentiality obligations, Data Processor allows Data Controller to request an audit of Data Processor’s data protection compliance program by external independent auditors, who are jointly selected by the parties. The external independent auditor cannot be a competitor of Data Processor, and the parties will mutually agree upon the scope, timing, and duration of the audit. The audit may not start less than 30 days after the first request of the Data Controller. Data Processor will make available to Data Controller the result of the audit of its data protection compliance program. Data Controller must fully reimburse Data Processor for all expenses and costs for such audit.
Each party agrees that it will be liable to data subjects for the entire damage resulting from a violation of GDPR.
If one party paid full compensation for the damage suffered, it is entitled to claim back from the other party that part of the compensation corresponding to the other party’s part of responsibility for the damage. For that purpose, both parties agree that Data Controller will be liable to data subjects for the entire damage resulting from a violation of GDPR with regard to processing of personal data for which it is a Data Controller, and that Data Processor will only be liable to data subjects for the entire damage resulting from a violation of the obligations of GDPR directed to the Data Processor or where it has acted outside of or contrary to Data Controller’s lawful instructions.
Data Processor will be exempted from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
This Exhibit will enter into force on 25.08.2018 and may be changed by agreement of both parties.