This Data Processing Addendum (“DPA”) is incorporated by reference into the Software License and Subscription Agreement, or other written agreement between (i) BeyondTrust Corporation (“BeyondTrust”) and (ii) the customer entity identified in this DPA or on the applicable BeyondTrust Order (“Customer”) (the “Agreement”) and reflects the parties’ agreement with regard to BeyondTrust’s Processing of Personal Data in the course of providing the Services to the Customer pursuant to the Agreement. This DPA shall be effective on the effective date of the Agreement, unless it is separately executed, in which case it shall be effective on the date of the last signature to this DPA. To the extent required by the applicable data protection regulations, the Parties shall enter into and execute the Standard Contractual Clauses as a separate document.
1. Roles and Responsibilities
1.1. Roles of the Parties. This DPA applies when and only to the extent that Personal Data is processed by BeyondTrust in the course of providing the Services to Customer pursuant to the Agreement. The parties acknowledge and agree that with regard to the Processing of Personal Data:
1.1.1. where Customer acts as a Data Controller, BeyondTrust shall act as a Data Processor; and/or
1.1.2. where the Customer acts as a Data Processor, BeyondTrust shall act as a Sub-Processor.
1.2. BeyondTrust’s Responsibilities. BeyondTrust shall only Process Personal Data:
1.2.1. on behalf of, and in accordance with, Customer’s documented instructions;
1.2.2. for the purposes specified in this DPA, including as set out at Schedule 1; and/or
1.2.3. as otherwise required by law (subject to BeyondTrust first notifying Customer of the relevant legal requirement unless such notification is itself prohibited by law on important grounds of public interest).
The parties agree that this DPA and the Agreement constitute Customer’s documented instructions to BeyondTrust for the Processing of Personal Data. Any Processing outside of the scope of these instructions will require prior written agreement between BeyondTrust and Customer.
1.3. Customer Responsibilities. Customer shall:
1.3.1. have sole responsibility for the accuracy and quality of Personal Data to be transferred to BeyondTrust under this DPA and the means by which Customer acquired it;
1.3.2. ensure that it has all appropriate consents and notices in place to enable the lawful transfer of the Personal Data to BeyondTrust for the duration and purpose of this DPA;
1.3.3. ensure that its instructions to BeyondTrust for the Processing of Personal Data comply with all applicable Data Protection Laws. BeyondTrust will immediately notify Customer if BeyondTrust believes any of Customer’s instructions relating to Processing of Personal Data breaches applicable Data Protection Laws;
1.3.4. comply with its obligations under the applicable Data Protection Laws which arise in relation to this DPA, the Agreement and the receipt of the Services; and
1.3.5. not do or omit to do anything which causes BeyondTrust (or any Sub-processor) to breach any of its obligations under the applicable Data Protection Laws.
1.4. CCPA. BeyondTrust agrees to act as a Service Provider to Customer for purposes of the CCPA. Customer is solely responsible for determining whether any Personal Data is provided to BeyondTrust pursuant to the Agreement and controls the use of such Personal Data. Customer is not selling or otherwise providing Personal Data to BeyondTrust for its own benefit or use. BeyondTrust shall not, except to the extent necessary to comply with its legal obligations:
1.4.1. sell or share Personal Data it collects pursuant to this DPA;
1.4.2. retain, use or disclose Personal Data for any purpose, including a Commercial Purpose, other than for the specific purpose of performing the Services or as otherwise permitted by CCPA;
1.4.3. retain, use, or disclose Personal Data outside the direct business relationship between the Parties, unless expressly permitted by CCPA; or
1.4.4. combine the personal information that it receives from, or on behalf of, Customer with Personal Data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with Data Subjects, provided that BeyondTrust may combine personal information to perform any business purpose consistent with Data Subjects’ expectations, as defined in regulations to be adopted by the Attorney General, with the exception of the business purpose provided for in paragraph (6) of subdivision (e) of section 1798.140 of CCPA.
BeyondTrust certifies that it understands the restrictions contained in this Section and will comply with them.
BeyondTrust shall notify Customer if it makes a determination that it can no longer meet its obligations under CCPA, and Customer may take reasonable and appropriate steps to stop and remediate the unauthorized Processing of Personal Data.
2. Security and Controls for the Protection of Personal Data
2.1. BeyondTrust Controls. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for rights and freedoms of natural persons, BeyondTrust shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Such measures shall include the administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Personal Data as described in Schedule 2 (BeyondTrust Security Standards). Customer shall be responsible for reviewing the information made available by BeyondTrust relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under the applicable Data Protection Laws.
2.2. BeyondTrust Personnel. BeyondTrust shall ensure that any BeyondTrust personnel engaged in the Processing of Personal Data are subject to appropriate contractual obligations or an appropriate statutory obligation of confidentiality.
2.3. Customer Controls. Customer is responsible for implementing and maintaining privacy protections and security measures for any components that Customer provides or controls. Customer may elect to implement additional technical and organizational security measures in relation to Personal Data as described in BeyondTrust’s Documentation for its products and Services. Such additional measures may include:
2.3.1. configuring the Services;
2.3.2. using any controls available in connection with the Services (including the security controls); and
2.3.3. taking such steps as Customer considers adequate to maintain appropriate security, protection, deletion and backup of Personal Data.
2.4. Updates to Security Measures. Customer acknowledges that the BeyondTrust Security Standards are subject to technical progress and development and that BeyondTrust may update or modify the BeyondTrust Security Standards from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.
2.5. Disclosure of Personal Data. BeyondTrust will not sell, access, use, or disclose to any third party, any Personal Data, except as necessary to maintain or provide the Services or to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order).
2.6. Government and Law Enforcement Requests. If BeyondTrust receives a demand for Personal Data from a government body or law enforcement agency (a “Third Party”), BeyondTrust will attempt to redirect the Third Party to request that data directly from Customer. As part of this effort, BeyondTrust may provide Customer’s basic contact information to the Third Party. If compelled to disclose Personal Data to a Third Party, then BeyondTrust will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless BeyondTrust is legally prohibited from doing so. Where BeyondTrust remains compelled to disclose Personal Data to a Third Party, it shall disclose only the minimum amount of Customer Data necessary to satisfy the request.
3. Audits and Third-Party Certifications
3.1. Audits. The parties acknowledge that Customer must be able to assess BeyondTrust’s compliance with its obligations under applicable Data Protection Laws in connection with its Processing of Personal Data pursuant to this DPA. To the extent required by Data Protection Laws, and provided that the parties have an applicable NDA in place, BeyondTrust shall make available to Customer (or Customer’s independent, third-party auditor that is not a competitor of BeyondTrust) all information necessary to demonstrate compliance with its obligations under the Data Protection Laws, including under Article 28 of the GDPR and the Standard Contractual Clauses where applicable. BeyondTrust shall allow for and contribute to Customer audits, including inspections, conducted by the Customer or the Customer’s designee pursuant to this Agreement.
3.2. Third Party Certifications. BeyondTrust uses external auditors to verify the adequacy of its security measures with respect to its processing of Personal Data. Such audits are performed at least once per annum (at BeyondTrust’s expense) by an independent third party. The parties agree that any audit conducted under this DPA shall consist of examination of the most recent reports, certifications and/or extracts prepared by such independent third party, which are BeyondTrust’s confidential information (the “Audit Materials”). In the event that provision of the Audit Materials is not deemed sufficient in the reasonable opinion of the Customer, the Customer may, at its own expense and no more than once per annum, conduct a more extensive audit. The scope of such audit shall be agreed in advance with BeyondTrust and be:
3.2.1. limited in scope to matters specific to the Customer (for the avoidance of doubt, the Customer shall not be entitled to review or access any materials pertaining to any of BeyondTrust’s other customers or partners);
3.2.2. carried out during BeyondTrust’s business hours and upon reasonable notice, which shall be not less than 4 weeks unless an identifiable material issue has arisen; and
3.2.3. conducted in a way which does not interfere with BeyondTrust’s day-to-day business.
3.3. Customer Assistance. Taking into account the nature of the Services and the information available to BeyondTrust, BeyondTrust will assist Customer, at Customer’s expense, in complying with Customer’s obligations pursuant to the applicable Data Protection Laws, including with respect to security, breach notifications, privacy impact assessments, litigation, and communication with supervisory authorities or regulators.
4. Rights of Data Subjects
4.1. BeyondTrust shall promptly notify Customer if it receives a request from a Data Subject to exercise their right of access, right to rectification, restriction of Processing, erasure, data portability, object to the Processing, or their right not to be subject to an automated individual decision making under the applicable Data Protection Laws related to the provision of the Services provided to Customer under the Agreement (each a “Data Subject Request”). BeyondTrust shall provide Customer with commercially reasonable cooperation and assistance in relation to handling of a Data Subject Request to the extent Customer does not have access to the requested information through its own use of the Services.
5.1. Authorized Sub-processors. Customer provides BeyondTrust with a general authorization to engage its Affiliates and/or third-party sub-processors in connection with the provision of the Services and subject to Section 5.2 below. The current list of Sub-processors and Affiliates as at the Effective Date of this DPA is set out at Schedule 3.
5.2. Sub-processor Obligations. Where BeyondTrust authorizes any Sub-processor as described in Section 5.1:
5.2.1. BeyondTrust will restrict Sub-processor’s access to Personal Data only to what is necessary to maintain or provide the Services to Customer;
5.2.2. BeyondTrust will enter into a written data processing agreement with the Sub-processor containing data protection obligations not less protective than those in this DPA and in compliance with the applicable Data Protection Laws; and
5.2.3. where the Sub-processor fails to fulfil such data protection obligations, BeyondTrust shall remain fully liable to Customer for the performance of those obligations.
Upon written request, and subject to any confidentiality restrictions, BeyondTrust shall provide Customer all relevant information in connection with its applicable Sub-processor agreements where required to satisfy Customer’s obligations under Data Protection Laws. Customer acknowledges that such information may have commercial information redacted by BeyondTrust prior to its release.
5.3. Changes to Sub-processors. BeyondTrust will notify Customer at least 30 days before it engages a new Sub-processor to carry out processing activities on Personal Data on behalf of Customer. Customer may object to BeyondTrust’s appointment of a Sub-processor on reasonable grounds related to data protection and/or security, provided that it notifies BeyondTrust in writing of its specific objection within thirty (30) days of receiving notification of the change from BeyondTrust. If the Customer does not object within such period, the appointment of the new Sub-processor shall be deemed to have been accepted.
5.4. Objections to Sub-processors. In the event Customer objects to a new Sub-processor, BeyondTrust will use reasonable efforts to change the affected Services or recommend a commercially reasonable change to Customer’s configuration or use of the affected Services to avoid processing of Personal Data by the objected-to Sub-processor without unreasonably burdening Customer. If BeyondTrust is unable to make such change within a reasonable period of time, which shall not exceed sixty (60) days, Customer may terminate the applicable Order(s) in respect of those Services which cannot be provided by BeyondTrust without the use of the objected-to new Sub-processor, by providing written notice to BeyondTrust. Customer shall receive a refund of any prepaid and unused fees for the period following the effective date of termination in respect of such terminated Services.
6. Transfers to Third Countries
6.1. Compliance with Data Protection Laws. BeyondTrust may transfer Personal Data outside of the European Economic Area (EEA), Switzerland or the United Kingdom in order to provide the Services under the Agreement and shall comply with all applicable requirements relating to the cross-border transfer of Personal Data under the Data Protection Laws.
6.2. Transfers from the EEA or Switzerland to BeyondTrust. To the extent that BeyondTrust processes any Personal Data under this DPA that originates from the EEA or Switzerland in a country that has not been designated by the European Commission or the Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for personal data, the parties agree to enter into the EU Standard Contractual Clauses which are hereby incorporated into and form part of this DPA. The parties agree that the EU Standard Contractual Clauses will apply in the following manner:
6.2.1. Module Two (Controller to Processor) will apply where Customer is acting as a controller of Personal Data and BeyondTrust is acting as a processor of Personal Data; and
6.2.2. Module Three (Processor to Processor) will apply where Customer is acting as a processor of Customer Data and BeyondTrust is acting as a sub-processor of Customer Data. In addition, the Customer grants BeyondTrust a mandate to execute the Module Three Standard Contractual Clauses with any relevant Sub-processor (including BeyondTrust Affiliates) for onward transfers of Personal Data, as appropriate.
6.2.3. The parties agree that the following shall apply to each Module, as applicable:
i. Clause 7: the optional docking clause shall apply;
ii. Clause 9: Option 2 shall apply. The time period for prior notice of intended Sub-processor changes shall be as set out at Section 5.3 of this DPA;
iii. Clause 11: the optional language shall not apply;
iv. Clause 17: Option 1 shall apply, and the EU Standard Contractual Clauses will be governed by Irish law;
v. Clause 18(b): disputes will be resolved before the courts of Ireland;
vi. For the purposes of Annex I, Part A: the “Data Importer” shall be BeyondTrust, and the “Data Exporter” shall be the Customer and any authorised Affiliates of Customer that have acceded to the EU Standard Contractual Clauses pursuant to Clause 7;
vii. Schedule 1 of this DPA shall serve as Annex I of the EU Standard Contractual Clauses; and
viii. Schedule 2 of this DPA shall serve as Annex II of the EU Standard Contractual Clauses.
6.2.4. The provisions of Schedule 4 of this DPA shall apply in addition to the EU Standard Contractual Clauses.
6.2.5. For Personal Data of Data Subjects in Switzerland, the EU Standard Contractual Clauses (as revised above in Section 6.2.3) are implemented as follows:
i. The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU Standard Contractual Clauses shall be interpreted to include the Swiss Federal Act with respect to data transfers subject to the Swiss Federal Act;
ii. The terms of the EU Standard Contractual Clauses shall be interpreted to protect the data of legal entities until the effective date of the Swiss Federal Act;
iii. Clause 13 of the EU Standard Contractual Clauses is modified to provide that the Swiss Federal Data Protection Authority shall have authority over data transfers governed by the Swiss Federal Act and the appropriate EU supervisory authority shall have authority over data transfers governed by the GDPR. Subject to the foregoing, all other requirements of Clause 13 shall be observed;
iv. In Clause 17 and Clause 18 of the EU Standard Contractual Clauses, the governing law and forum shall be Switzerland; and
v. The term “EU Member State” as utilized in the EU Standard Contractual Clauses shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU Standard Contractual Clauses.
6.3. Transfers from the UK to BeyondTrust. To the extent that BeyondTrust processes any Personal Data under this DPA that originates from the United Kingdom in a country that has not been designated by the United Kingdom Government as providing an adequate level of protection for personal data, the parties agree to enter into the UK Standard Contractual Clauses which are hereby incorporated into and form part of this DPA. The parties agree that the UK Standard Contractual Clauses will apply in the following manner:
6.3.1. Schedule 1 of this DPA shall serve as Table 1 of the UK Standard Contractual Clauses;
6.3.2. The selection at Table 2 of the UK Standard Contractual Clauses shall be as follows:
“the Approved EU SCC, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCC brought into effect for the purposes of this Addendum”
The remainder of the table shall be completed as follows:
i. The module selection shall be completed as per the parties’ roles as set forth in clauses 6.3.1 and 6.3.2 above;
ii. Clause 7 (Docking Clause) shall not apply;
iii. Clause 11 (Option) shall not apply;
iv. Clause 9a (Prior Authorisation or General Authorisation) shall be “General Authorisation”; and
v. Clause 9a (Time Period) shall be as set out at Section 5.3 of this DPA.
6.3.3. The information at Table 3 of the UK Standard Contractual Clauses shall be as follows:
i. Schedule 1A of this DPA shall serve as Annex IA of the UK Standard Contractual Clauses;
ii. Schedule 1B of this DPA shall serve as Annex IB of the UK Standard Contractual Clauses;
iii. Schedule 2 of this DPA shall serve as Annex II of the UK Standard Contractual Clauses; and
iv. Schedule 3 of this DPA shall serve as Annex III of the UK Standard Contractual Clauses.
6.3.4. The provisions of Schedule 4 of this DPA shall apply in addition to the UK Standard Contractual Clauses.
6.3.5. The selection at Table 4 of the UK Standard Contractual Clauses shall be “Importer”.
6.4. Transfers to the US. BeyondTrust has certified to, and maintains compliance with, the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks maintained by the U.S. Department of Commerce (the “Privacy Shield”), however, and for the avoidance of doubt, it shall not rely on the Privacy Shield as a valid transfer mechanism for the transfer and onward transfer of personal data originating in the EEA, United Kingdom, or Switzerland.
6.5. Other Transfer Mechanisms. If and to the extent the EU Standard Contractual Clauses and/or the UK Standard Contractual Clauses are no longer recognized by the European Commission, Swiss authorities or the UK Government, as applicable, as an adequate mechanism for the transfer of Personal Data to a third country, the parties will abide by another adequate transfer mechanism as set out in the Data Protection Laws.
7. Return or deletion of Personal Data
7.1. When BeyondTrust ceases to provide Services relating to the Processing pursuant to this DPA, it will, at Customer’s option, delete or return to Customer all Personal Data. BeyondTrust shall delete all copies of Personal Data except insofar as it is required by law to continue to store such copies. BeyondTrust shall take all commercially reasonable efforts to ensure the confidentiality of such retained Personal Data and shall ensure that it is only Processed as necessary for the purpose(s) for which it was originally collected and in accordance with the applicable Data Protection Laws.
7.2. Where the Services provide Customer with controls that it may use to retrieve or delete Personal Data as described in the Documentation, Customer will have the ability to retrieve or delete Personal Data in accordance with this Section up to the date of termination of the Agreement and for 30 days thereafter, subject to the terms and conditions set out in the Agreement, unless prohibited by law or the order of a governmental or regulatory body or where such access could subject BeyondTrust to liability. No later than the end of this 30-day period, Customer will close all BeyondTrust accounts.
8. Personal Data Breach Management and Notification
8.1. Personal Data Breach. BeyondTrust will notify Customer without undue delay after becoming aware of a Personal Data Breach related to the provision of the Services and shall take reasonable steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach to the extent such mitigation is within BeyondTrust’s reasonable control. To assist Customer in relation to any personal data breach notifications Customer is required to make under the applicable Data Protection Laws, BeyondTrust will include in the notification such information about the Personal Data Breach as is required by such Data Protection Laws, to the extent that such information is reasonably available to BeyondTrust. Where and insofar as BeyondTrust cannot provide all the information relevant to a Personal Data Breach at the same time, it may provide such information in phases without undue further delay. Customer is solely responsible for complying with any data breach notification obligations applicable to the Customer under applicable Data Protection Laws and for fulfilling any third-party notification obligations related to any Personal Data Breach(es). BeyondTrust’s notification of or response to a Personal Data Breach under this Section is not an acknowledgement by BeyondTrust of any fault or liability with respect to the Personal Data Breach.
8.2. Communication. Notifications of Personal Data Breaches, if any, will be delivered to one or more of Customer’s administrators by any means BeyondTrust selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information with BeyondTrust.
9. General Terms
9.1. Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this DPA, the terms of this DPA will control.
9.2. The limitations and exclusions of liability set out in the Agreement apply to all claims made pursuant to any breach of the terms of this DPA. In the absence of such a provision in the Agreement, each party’s cumulative liability for all claims arising out of or related to this DPA shall not exceed the fees paid by Customer under the Agreement during the twelve (12) month period preceding the first event giving rise to the claim. Neither party shall have any liability for any loss or corruption of data, loss of profits, or incidental, special, exemplary, or consequential damages arising out of or related to this DPA.
9.3. No one other than a party to this DPA, their successors and permitted assignees shall have any right to enforce any of its terms.
9.4. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
9.5. This DPA will terminate simultaneously and automatically with the termination or expiration of the Agreement; provided, however, provisions requiring secure destruction of Personal Data and retention of Personal Data to satisfy legal or regulatory requirements shall survive the termination or expiration of the DPA for the minimum time required to satisfy the respective obligations under those provisions.
9.6. The provisions of this DPA are severable. If any phrase, section or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, section or provision, and the rest of this DPA shall remain in full force and effect.
10. Definitions and Interpretation
10.1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control of a party. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of a party.
10.2. “BeyondTrust Security Standards” means the security standards attached to this DPA as Schedule 2.
10.3. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq., and all regulations promulgated thereunder as may be amended, superseded or replaced.
10.4. “Data Protection Laws” means all laws and regulations which are applicable to the Processing of Personal Data under the Agreement, including where applicable, the GDPR, the UK GDPR, the CCPA, PIPEDA and the Swiss Federal Act.
10.5. “Documentation” means the documents, help files, and other textual matter, in any form or media, that are included with BeyondTrust’s products, and which describe their specifications, functionality and limitations.
10.6. “EU Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914/EU, as may be amended, superseded or replaced.
10.7. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) in each case, as may be amended, superseded or replaced.
10.8. “Personal Data” means “personal data”, “personal information”, “personally identifiable information” or similar information defined in and governed by applicable Data Protection Laws, and which is provided by the Customer to BeyondTrust pursuant to this DPA and the Agreement in connection with the provision of Services.
10.9. “PIPEDA” means the Canadian Personal Information Protection and Electronic Documents Act, as may be amended, superseded or replaced.
10.10. “Services” means the delivery of BeyondTrust’s cloud-based products, support and/or professional services as described in the Agreement.
10.11. “Standard Contractual Clauses” means (i) the EU Standard Contractual Clauses; and/or (ii) the UK Standard Contractual Clauses, as applicable, for the transfer of personal data to processors established in third countries under the EU GDPR and/or the UK GDPR. Where the Standard Contractual Clauses apply, they shall prevail over any other term of this DPA.
10.12. “Swiss Federal Act” means the Swiss Federal Data Protection Act of 19 June 1992, including as revised as of 25 September 2020, and its related Ordinances as may be amended, superseded or replaced.
10.13. “UK GDPR” means the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018, in each case, as may be amended, superseded or replaced.
10.14. “UK Standard Contractual Clauses” means the International Data Transfer Addendum issued by the Information Commissioner’s Office under s.119(A) of the UK Data Protection Act 2018, found at https://ico.org.uk/media/for-o... and as may be amended, superseded or replaced.
10.15. All capitalized terms not defined herein shall have the meaning set forth in the Agreement and/or applicable Data Protection Laws.
10.16. The Parties agree that this DPA replaces and supersedes any existing or previous data processing agreement or SCCs that the Parties have previously entered into in connection with the provision of the Services.
10.17. In the event of a conflict between the Agreement and this DPA relating to provisions regarding Processing of Personal Data, the provisions of this DPA shall control.
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Name: As set out in the Agreement
Address: As set out in the Agreement
Contact person’s name, position and contact details: As set out in the Agreement
Activities relevant to the data transferred under these Clauses: Receiving the Services from the Data Importer pursuant to the Agreement and as set out in more detail at Section B.
Date: The effective date of the Agreement
Role (controller/processor): Controller (or Processor, as provided within Section 1.1.2 of this DPA)
Data importer(s): [Identity and contact details of the data importer(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Name: BeyondTrust Corporation
Address: 11695 Johns Creek Parkway, Suite 200, Johns Creek, Georgia 30097, United States
Contact person’s name, position and contact details: Valerie Moulden, VP, Deputy General Counsel & Data Protection Officer, firstname.lastname@example.org
Activities relevant to the data transferred under these Clauses: Providing the Services to the Data Exporter pursuant to the Agreement and as set out in more detail at Section B.
Date: The effective date of the Agreement
Role (controller/processor): Processor
1. Categories of data subjects whose personal data is transferred:
Data Exporter may submit Personal Data to Data Importer to enable it to provide the Services, the extent of which is determined and controlled and may be documented by Data Exporter in its sole discretion. Data Subjects may include the following categories, at the discretion of the Data Exporter:
• prospects, customers, business partners and vendors of Data Exporter (who are natural persons);
• employees or contact persons (who are natural persons) of Data Exporter’s prospects, customers, business partners and vendors;
• employees, agents, advisors, freelancers of Data Exporter (who are natural persons); and/or
• Data Exporter’s users (who are natural persons) authorized by Data Exporter to use the Services.
2. Categories of personal data transferred:
Data Exporter may submit Personal Data to Data Importer, the extent of which is determined and controlled and may be documented by Data Exporter in its sole discretion. Such Personal Data is dependent on the nature of the Services and may include:
• business contact details, such as first name, last name, title, name of employer, position, email address, business address and professional phone number; and
• product specific technical information, such as username, machine information and IP address as configured by the Data Exporter.
3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
No sensitive personal data is intended to be processed by the Data Importer on behalf of the Data Exporter.
4. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous, for the duration of the Agreement.
5. Nature of the processing
Collecting, recording, storing, hosting and erasure or destruction of data to enable the Data Importer to perform the Services pursuant to the Agreement and in accordance with the Data Exporter’s instructions.
6. Purpose(s) of the data transfer and further processing
Personal Data will be processed by Data Importer to enable it to perform the Services pursuant to the Agreement and the Data Exporter’s instructions, including to enable associated maintenance and support to be provided to the Data Exporter and for the purposes of billing and contract administration.
7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the duration of the Agreement unless otherwise set out in this DPA or as agreed by the parties in writing.
8. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The subject matter and nature of the processing by sub-processors is as set out at Schedule 3 to this DPA and the duration of the processing is for the duration of the Agreement unless otherwise set out in this DPA or as agreed by the parties in writing.
Identify the competent supervisory authority/ies in accordance with Clause 13:
i. Where the data exporter is established in an EU Member State
The supervisory authority applicable to the data exporter in its country of establishment shall act as competent supervisory authority.
ii. Where the data exporter is not established in an EU Member State but falls within the territorial scope of application of the GDPR
The supervisory authority applicable in the EU Member State where the data exporter's EU representative has been appointed pursuant to Article 27(1) of the GDPR shall act as competent supervisory authority.
iii. Where the data exporter is not established in an EU Member State but falls within the territorial scope of application of the GDPR without having to appoint an EU representative pursuant to Article 27(2) of the GDPR
The supervisory authority applicable to the EU Member State where the data subjects relevant to the transfer are located shall act as competent supervisory authority.
iv. Where personal data is processed under the UK GDPR
The competent supervisory authority is the Information Commissioner's Office ("ICO").
v. Where personal data is processed under the Swiss Federal Act
The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
BeyondTrust has implemented and maintains an information security program (including the adoption and enforcement of internal policies and procedures) designed to (i) help secure Customer Data against accidental or unlawful loss, access or disclosure; and (ii) minimize security risks, including through risk assessment and regular testing (the “Security Program”). BeyondTrust will designate one or more employees to coordinate and be accountable for the Security Program.
The Security Program includes physical, technical, and administrative measures (including any relevant certifications) designed to protect Customer Data from unauthorized access, alteration, acquisition, use, disclosure, or destruction; these measures have been implemented by BeyondTrust to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
1. Measures of pseudonymization and encryption of personal data
BeyondTrust has applied pseudonymization in data collection to support metric collection and analysis efforts.
BeyondTrust utilizes secure communications, HTTPS/SSL/TLS, for web-based communications and data collection. BeyondTrust products are configurable to meet data transmission and data at rest requirements.
2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
BeyondTrust maintains an Information Governance, Risk, and Compliance Program which includes measures for the protection of the confidentiality, integrity, and availability and resilience of data; and the adoption of best practices throughout BeyondTrust’s information systems and procedures, including disaster recovery, high availability, and periodic testing for data and application recovery.
3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
BeyondTrust has a documented Business Continuity, Crisis Management and Disaster Recovery Plan that includes strategies for recovering and re-establishing access to Customer Data in case of emergency or other security, environmental, or operational occurrence.
4. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
BeyondTrust conducts periodic internal and independent security risk evaluations to identify critical information assets, assess threats to such assets, determine potential vulnerabilities, and provide for remediation. When software vulnerabilities are revealed and addressed by a vendor patch, BeyondTrust will obtain the patch from the applicable vendor and apply it within an appropriate timeframe in accordance with BeyondTrust's then current vulnerability management and security patch management standard operating procedure and only after such patch is tested and determined to be safe for installation in all production systems.
5. Measures for user identification and authorization
Access to BeyondTrust’s cloud-based services by BeyondTrust employees is protected by authentication and authorization mechanisms. User authentication is required to gain access to production and sub-production systems. Access privileges are based on job requirements and are revoked upon termination of employment. Production infrastructure includes appropriate user account and password controls (for example, the required use of virtual private network connections, complex passwords with expiration dates) and is accessible for administration.
BeyondTrust has implemented an access control and authentication approach based on least privilege, need-to-know and separation of duties. BeyondTrust products are configurable to meet strict access control and audit requirements for privileged and general users and can be integrated with federated identity and access management solutions.
BeyondTrust adheres to a strict, complex password policy utilizing multi-factor authentication. BeyondTrust products are configured to meet password complexity, periodicity, and versioning requirements.
6. Measures for the protection of data during transmission
Customer Data processed by BeyondTrust is encrypted during transmission with TLS 1.2 or better.
7. Measures for the protection of data during storage
Customer Data processed by BeyondTrust is encrypted at rest, with AES-128 or better for storage purposes.
8. Measures for ensuring physical security of locations at which personal data are processed
BeyondTrust utilizes the following measures to ensure physical security of locations at which personal data are processed:
Data Center Facilities and Office Locations: (i) Physical access restrictions and monitoring that may include a combination of any of the following: multi-zone security, mantraps, appropriate perimeter deterrents (for example, fencing, berms, guarded gates), on-site guards, biometric controls, CCTV, and secure cages; and (ii) fire detection and fire suppression systems both localized and throughout the data center or office floor as appropriate.
Systems, Machines and Devices: (i) Physical protection mechanisms; and (ii) entry controls to limit physical access.
9. Measures for ensuring events logging
BeyondTrust implements hardware, software, and/or procedural mechanisms that record and examine BeyondTrust information systems activity. All BeyondTrust information systems containing Customer Data have been appropriately configured in accordance with existing requirements.
10. Measures for ensuring system configuration, including default configuration
BeyondTrust has a System Configuration Standard in place that specifies the detailed activities to be performed to complete a new BeyondTrust information system deployment. All default configurations for information systems are removed prior to active deployment.
BeyondTrust’s System Configuration Standard ensures the use of provisioning, configuration management, patch management, vulnerability management and application deployment tools to address known/applicable vulnerabilities, security patches, hardening and system configuration consistency.
11. Measures for internal IT and IT security governance and management
BeyondTrust maintains an Information Governance, Risk, and Compliance Program which oversees the adoption of best practices throughout BeyondTrust’s information systems and procedures.
BeyondTrust maintains a security awareness program that includes appropriate training of BeyondTrust personnel on the Security Program.
12. Measures for certification/assurance of processes and products
BeyondTrust undergoes a SOC 2 assessment by a certified third-party on an annual basis for its cloud solutions hosted within the cloud environment. This assessment is made available to BeyondTrust Customers under a non-disclosure agreement (NDA).
BeyondTrust is certified under the E.U.-U.S. and Swiss-U.S. Privacy Shield, is a member of the Cloud Security Alliance maintaining a STAR Self-Assessment, PCI/DSS Level 4 (Self-Assessment), Common Criteria Certification EAL2, and is ISO 27001:2013 and ISO27701:2019 certified. Additionally, BeyondTrust’s Secure Remote Access Support virtual appliances are FIPS 140-2 certified.
13. Measures for ensuring data minimization
BeyondTrust collects only the minimum data needed to conduct business and ensures that all employees, including contractors, undergo continuous security awareness training that aligns with industry security best practices.
BeyondTrust utilizes risk-based Privacy Impact Assessments (PIAs), when adopting, configuring, or implementing applications and tools that collect information and ensures that it only seeks to request and record the minimum amount of information required in order to fulfil its objectives.
BeyondTrust provides Customers with the ability to access any information collected and/or processed about them by BeyondTrust (if any).
14. Measures for ensuring data quality
BeyondTrust maintains a Software Development Life Cycle (“SDLC”) process which uses both agile and scrum frameworks to ensure the quality and integrity of data generated by BeyondTrust systems. Within the SDLC, security is designed into BeyondTrust products and reviewed throughout various phases of the SDLC to include secure code reviews, peer reviews, static and dynamic code analysis, regression/acceptance testing, penetration testing, vulnerability scans, and remediation efforts. BeyondTrust takes no responsibility for the quality or accuracy of Customer-provided data.
15. Measures for ensuring limited data retention
Customer Data is retained for the time period as obligated by contract or by applicable law and will be deleted within 30 days of the end of such period.
Subject to applicable law, BeyondTrust will delete Customer Data upon the earlier of (i) termination of any Agreement with BeyondTrust; (ii) when requested by the Customer; or (iii) where specified by relevant law.
16. Measures for ensuring accountability
BeyondTrust performs background screening on employees who have access to Customer Data in accordance with its then current applicable standard operating procedure and subject to applicable law.
BeyondTrust ensures that changes to its platform, applications and production infrastructure are evaluated to minimize risk and are implemented following its standard operating procedure.
All access requests to BeyondTrust’s information systems are reviewed and approved prior to granting access. User access is provisioned with the fewest privileges possible (“Least Privilege”), consistent with such user’s assigned duties and functions.
17. Measures for allowing data portability and ensuring erasure
BeyondTrust utilizes (i) a certified third-party vendor to complete industry standard destruction of sensitive materials before disposition of media; (ii) a secure safe for storing damaged hard disks prior to physical destruction; and (iii) physical destruction of all decommissioned hard disks storing Customer Data.
Depending on the nature of the product and services to be provided to the Customer under the Agreement, the Customer may be provided with controls that it may use to retrieve or delete Customer Data as described further in the relevant product documentation.
18. For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter
BeyondTrust maintains a vendor risk management program that assesses all vendors that access, store, process or transmit Customer Data for appropriate security controls and business disciplines.
BeyondTrust will conduct periodic reviews of the security of its Services and adequacy of its Security Program as measured against industry security standards and its policies and procedures. BeyondTrust will continually evaluate the security of its Services to determine whether additional or different security measures are required.
| Sub-processor | Location | EU Transfer Mechanism | UK Transfer Mechanism | Nature of Processing |
|---|---|---|---|---|
| Amazon Web Services, Inc. | Customer selection | Subject to customer selection | Subject to customer selection | Cloud hosting provider (Remote Support Cloud) |
| Azure | Customer selection | Subject to customer selection | Subject to customer selection | Cloud hosting provider (EPM Cloud) |
| Microsoft | USA | EU SCCs | UK SCCs | Email/Calendar |
| Salesforce | USA | EU SCCs | UK SCCs | Customer Relationship Management system |
| ServiceNow | USA | EU SCCs | UK SCCs | Support Services ticketing system |
| Gainsight | USA | EU SCCs | UK SCCs | Customer Success tool |

| Affiliate | Location | EU Transfer Mechanism | UK Transfer Mechanism | Nature of Processing |
|---|---|---|---|---|
| BeyondTrust Corporation | USA | EU SCCs | UK SCCs | BeyondTrust technical and support services; billing; and contract administration |
| BeyondTrust Software, Inc. | USA | EU SCCs | UK SCCs | BeyondTrust technical and support services; billing; and contract administration |
| BeyondTrust Software, Inc. (Branch office) | UAE | EU SCCs | UK SCCs | BeyondTrust technical and support services; billing; and contract administration |
| Bomgar Canada, Ltd. | Canada | Partial Adequacy Decision | Partial Adequacy Decision | BeyondTrust technical and support services; billing; and contract administration |
| BT Software Australia PTY, Ltd. | Australia | EU SCCs | UK SCCs | BeyondTrust technical and support services; billing; and contract administration |
| BT Software Asia Pacific PTE, Ltd. | Singapore | EU SCCs | UK SCCs | BeyondTrust technical and support services; billing; and contract administration |
| Avecto Ltd. | England | Adequacy Decision | N/A – UK company | BeyondTrust technical and support services; billing; and contract administration |
| Bomgar Germany GmbH | Germany | N/A - EU Member State | Adequacy Decision | BeyondTrust technical and support services; billing; and contract administration |
| Bomgar France SARL | France | N/A - EU Member State | Adequacy Decision | BeyondTrust technical and support services; billing; and contract administration |
1. Government and Law Enforcement Requests
1.1. Where the Standard Contractual Clauses apply, if BeyondTrust receives a legally binding order or request (a “Request”) for Personal Data from a competent government body or law enforcement authority (each a “Third-Party”), BeyondTrust will:
1.1.1. attempt to redirect the relevant authority to request that data directly from Customer. As part of this effort, BeyondTrust may provide Customer’s basic contact information to the Third-Party;
1.1.2. promptly notify Customer of the Request and use reasonable efforts to assist the Customer to oppose the Request, unless BeyondTrust is legally prohibited from doing so;
1.1.3. where BeyondTrust is prohibited from notifying Customer of the existence of the Request, it shall use reasonable efforts to challenge it and use all lawful efforts to obtain the right to waive the prohibition in order to communicate as much information as possible to the Customer; and
1.1.4. use its reasonable lawful efforts to challenge any overbroad or inappropriate Request, including where there is a conflict with the laws of the European Union or applicable Member State law.
1.2. Where BeyondTrust remains compelled to disclose Personal Data to a Third-Party, it shall disclose only the minimum amount of Customer Data necessary to satisfy the Request, based on BeyondTrust’s reasonable interpretation of it.
1.3. BeyondTrust shall regularly review, assess and monitor the scope of disclosures of Personal Data in response to Third-Party orders it receives, as well as the safeguards and recourse in place to protect Data Subjects.
1.4. BeyondTrust shall promptly inform the Customer if it becomes aware of a change in applicable laws that would materially impact such access by authorities or recourse available to Data Subjects.
2. Access to personal data and systems
2.1. BeyondTrust certifies that: (i) it has not purposefully created back doors or similar programming that could be used to access its system and/or personal data; (ii) it has not purposefully created or changed its business processes in a manner that facilitates access to personal data or systems; and (iii) national law or government policy, subject to legislative changes, does not require BeyondTrust to create or maintain back doors or to facilitate access to personal data or systems or for BeyondTrust to be in possession or to hand over the encryption key.
3. Adequacy and Material Changes
3.1. BeyondTrust shall use its reasonable efforts to assist the Customer with its continuing assessment of the adequacy of the protection of the Personal Data in accordance with the requirements of applicable Data Protection Law.
3.2. BeyondTrust shall promptly notify the Customer in the event that it becomes aware of a change which has a substantial adverse effect, or which materially prevents it from fulfilling the instructions received from Customer and/or its obligations under this DPA. Where BeyondTrust is unable to rectify or provide a workaround for the change, the Customer shall be entitled to suspend the transfer of Customer Data and/or terminate the Agreement.
4. Internal policies for governance of transfers
4.1. BeyondTrust has adopted adequate internal policies with clear allocation of responsibilities for data transfers, reporting channels and standard operating procedures for cases of formal or informal requests from public authorities to access the data.
5. Organization methods
5.1. BeyondTrust has implemented best practices to appropriately and timely involve and provide access to information to the data protection officer and to the legal and internal auditing services on matters related to international transfers of personal data.
6. Data Subject Rights
6.1. Nothing in this DPA is intended to restrict the rights of Data Subjects under the Data Protection Laws, including the right to claim compensation from BeyondTrust for material or non-material damage suffered by Data Subjects in accordance with Article 82 of the GDPR.