TitanHQ

Data Processing Agreement


This Data Processing Agreement between TitanHQ and the Partner is an amendment to the existing License Agreement (“License Agreement”) between the two parties and aims to clarify the roles and responsibilities for data protection from both parties.

In the context of this agreement, the Partner is the Data Controller and TitanHQ is the Data Processor for all the data collected by TitanHQ from TitanHQ Software as defined and based on obligations imposed by the EU Regulation 2016/279 (GDPR).

In the Data Processing Agreement the following definitions from the GDPR Regulation will apply:

  • “Data Protection Laws” means the laws applicable to the processing of Personal Data, including, as relevant, the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016) (the “GDPR”), including any amendments thereto, and any applicable consequential national data protection legislation and any guidance and/or codes of practice issued by any relevant European supervisory authority, including without limitation the European Data Protection Board, in each case as amended, supplemented or replaced from time to time;
  • “Data Subject” means an individual who is the subject of Personal Data;
  • “Effective Date” means 25 May 2018;
  • “Personal Data” has the meaning given to that term in Article 4 of the GDPR and includes Special Categories of Personal Data and in the context of this Agreement, means the data which is provided to the Processor by the Controller or its authorised agents;
  • “Personal Data Breach” has the meaning given to that term in Article 4(12) of the GDPR;
  • “Processing” has the meaning assigned to it in Article 4(2) of the GDPR and the term “process” shall be construed accordingly;
  • “Special Categories of Personal Data” has the meaning assigned to it in Article 9 of the GDPR;
  • “Services” means any services provided by the Processor to the Controller under the terms of this Agreement and / or the Services Agreement including but not limited to past and future agreements.

1. Subject matter and duration

The subject matter results from the License Agreement between the two contracting parties. The duration of this Amendment corresponds to the duration of the License Agreement.

2. Nature and Purpose of the processing of Data

The processing of personal data by the Data Processor for the Data Controller is made for the sole purpose of ensuring network and information security for the data subjects of the Data Controller.

The processing includes all operations performed on the collected personal data, mainly by automated means such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, alignment or combination, restriction, erasure or destruction.

3. Collected data

The data collected for the purposes includes only technical data sent automatically to the Data Processor.

The data below includes relevant technical data that could be classified as personal data, usually only in connection with other data collected. Depending on your specific product use or the service provided, some of the categories of data, or only some of this data, including but not limited to the following, may be collected by TitanHQ:

The information that TitanHQ Software could obtain through the use of data collection technology could include a device name or ID, serial number, MAC address, IP address, unique identifier for the device, logged username, EC2 instance ID, FQDN,

In the course of its operation the TitanHQ software may send the following to the Data Processor: file name and path, registry paths, process name, source URL, abstract file signature for suspicious Portable Executable files, file parts or file hashes (only when required by the remote scanning engines), file attributes, quarantined file names and paths and other anonymized data.

The Data Processor records all URL addresses of internet traffic sent, the blocked or malicious websites, customer IP addresses, user names and company names.

Additionally, for TitanHQ customers using our email solutions, some additional technical data could be sent to us, including email sender, recipient, subject, attachments, mail-server IPs, timestamp, mailbox, mailbox path, content type, domain name.

4. Categories of data subjects

The categories of data subjects are customers of the Data Controller.

5. Specific Instructions

The Data Controller instructs the Data Processor to collect all personal data specified in article 3 in order to provide the services in the License Agreement. This includes using the data for correct and efficient operation of its services, according to the technical specifications, and for their improvement and adaptation, including analyzing the reported security and product issues. This would also include delivering and customizing the related services to the Data Controller’s or its data subjects’ needs and updating and developing new technologies.

6. Obligations of the Data Controller

  • Confirms and guarantees that, in relation to the processing of personal data for this contract, it acts as a Data Controller;
  • Complies with GDPR when processing personal data, and only gives lawful instructions to Data Processor;
  • Guarantees that data subjects have been informed of the uses of personal data as required by GDPR, including about sharing their data with the Data Processor, if required;
  • Confirms it relies on a valid legal ground for the processing of personal data under GDPR, including if required obtaining consent from data subjects;
  • Complies with Data Subject requests to exercise their rights of access, rectification, erasure, data portability, restriction of processing, and objection to the processing;
  • Implements appropriate technical and organizational measures to ensure, and to be able to demonstrate, that the processing of personal data is performed in accordance with GDPR, including for securing the transfer of data from its data subjects to the Data Processor;
  • Cooperates with Data Processor to fulfill their respective data protection compliance obligations in accordance with GDPR.

7. Obligations of the Data Processor

  • The Data Processor only processes personal data on behalf of Data Controller in accordance with its specific instructions as mentioned in Point 5 and not for any other purposes than those specified in Point 2 or as otherwise agreed by both parties in writing. For the avoidance of doubt, Data Controller authorizes Data Processor to anonymize any personal data collected and process it for other Data Processor’s product development, product improvement, benchmarking, security, and analytics purposes.
  • The Data Processor will promptly inform Data Controller if, in its opinion, the Data Controller’s instructions infringe GDPR, and/or if Data Processor is unable to comply with the Data Controller’s instructions.
  • The Data Processor will notify Data Controller without undue delay after becoming aware of a personal data breach when the data is processed by the Data Processor. Data Processor will take reasonable steps to mitigate the effects and to minimize any damage resulting from the personal data breach.
  • The Data Processor will assist Data Controller in complying with data security, data breach notifications, data protection impact assessments, and prior consultations with supervisory authorities requirements under GDPR, taking into account the nature of the processing and the information available to Data Processor. To the extent authorized under applicable law, Data Controller shall be responsible for any costs arising from Data Processor’s provision of such assistance.
  • The Data Processor, taking into account the nature of the processing, will assist Data Controller by appropriate technical and organizational measures, insofar as this is possible, to fulfill Data Controller’s obligation to respond to data subjects’ requests to exercise their rights as provided under GDPR. To the extent authorized by applicable law, Data Controller shall be responsible for any costs arising from Data Processor’s provision of such assistance.
  • When the licenses provided under the License Agreement expire, the Data Processor will delete or anonymize all personal data, and delete or anonymize existing copies unless EU or EU member state law prevents it from returning or destroying all or part of the personal data or requires storage of the personal data (in which case Data Processor must keep them confidential).

8. Sub-processors

The Data Controller agrees to the use of sub-processors by the Data Processor for hosting purposes. The Data Controller gives a general authorization to the Data Processor to share personal data with future Sub-Processors under the following conditions:

  • Data Processor guarantees that it will have an agreement with its Sub-Processors which imposes on the Sub-Processor the same data protection obligations as are imposed on Data Processor under this Exhibit or by GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures to ensure the processing will meet requirements under GDPR, to the extent applicable to the nature of the service provided by the Sub-Processors. Where the Sub-Processor fails to fulfill its data protection obligations under such agreement, Data Processor shall remain fully liable towards Data Controller for the performance of the Sub-Processor’s obligations under such agreement.
  • The sub-processors will process data exclusively within a Member State of the European Union (EU), within a Member State of the European Economic Area (EEA) or in any state with an adequate data protection regime as recognized by the European Commission (including the companies certified under the US-EU Privacy Shield Programme);
  • Data Processor shall inform Data Controller of any addition or replacement of Sub-Processors and allow Data Controller to reasonably object to such changes by notifying Data Processor in writing within five business days after receipt of Data Processor’s notice of the addition or replacement of a Sub-Processor. Data Controller’s objection should be sent to privacy@titanhq.com and explain the reasonable grounds for the objection.

9. Security of the processing and Confidentiality.

The Data Processor must implement appropriate technical and organizational measures to ensure standard industry security measures appropriate to the risk. In assessing the appropriate level of security, Data Processor must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects and the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. Data Processor shall take steps to ensure that any person acting under its authority who has access to personal data is bound by an enforceable contractual or statutory confidentiality obligation.

10. Data Protection Audit.

Upon prior written request by Data Controller, Data Processor agrees to cooperate and within a reasonable time provide Data Controller with:

(a) a summary report demonstrating Data Processor’s compliance with its obligations under this agreement, after redacting any confidential and commercially sensitive information; and

(b) confirmation that the report has not revealed any material vulnerability in Data Processor’s systems, or to the extent that any such vulnerability was detected, that Data Processor has fully remedied such vulnerability.

If the above measures are not sufficient to confirm compliance with GDPR or reveal some material issues, subject to the strictest confidentiality obligations, Data Processor allows Data Controller to request an audit of Data Processor’s data protection compliance program by external independent auditors, which are jointly selected by the parties. The external independent auditor cannot be a competitor of Data Processor, and the parties will mutually agree upon the scope, timing, and duration of the audit. The audit may not start less than 30 days after the first request of the Data Controller. Data Processor will make available to Data Controller the result of the audit of its data protection compliance program. Data Controller must fully reimburse Data Processor for all expenses and costs for such audit.

11. Liability to data subjects.

Each party agrees that it will be liable to data subjects for the entire damage resulting from a violation of GDPR.

If one party paid full compensation for the damage suffered, it is entitled to claim back from the other party that part of the compensation corresponding to the other party’s part of responsibility for the damage. For that purpose, both parties agree that Data Controller will be liable to data subjects for the entire damage resulting from a violation of GDPR with regard to processing of personal data for which it is a Data Controller, and that Data Processor will only be liable to data subjects for the entire damage resulting from a violation of the obligations of GDPR directed to the Data Processor or where it has acted outside of or contrary to Data Controller’s lawful instructions.

Data Processor will be exempted from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

12. Entry into force.

This Exhibit will enter into force on 25.08.2018 and may be changed by agreement of both parties.
