Background:

The Supplier and VDP have entered into a Master Services Agreement (the Agreement) and have or will enter into Statements of Work under the Agreement.  This DPA is incorporated by reference into the Agreement as if set out in full in the Agreement.  The parties will comply with this DPA when Supplier is processing VDP Personal Data on behalf of VDP or a VDP Customer in the provision of the Services.

In this DPA:

Words and expressions defined in the Agreement will have the same meanings in this DPA and the following additional words and expressions will have the following meanings:

Data Protection Laws mean all Applicable Laws relating to privacy or the use or processing of data relating to natural persons, including (a) EU Directive 2002/58/EC (as amended by 2009/136/EC) and any legislation implementing or made under such directive, including (in the UK) the Privacy and Electronic Communications (EC Directive) Regulations 2003; (b) EU Regulation 2016/679 and any laws or regulations confirming, implementing or supplementing it; (c) the retained version of the EU General Data Protection Regulation ((EU) 2016/679) in the UK, as defined in s.3(10) of the Data Protection Act 2018, and as supplemented by s.205(4).

Data Subject Request means a request from a Data Subject to exercise its rights under Data Protection Laws in relation to its Personal Data.

DP Regulator means any governmental or regulatory body or authority with responsibility for monitoring or enforcing Data Protection Laws.

EU Standard Contractual Clauses means Module 3 of the agreement in the form annexed to the European Commission’s decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries or the replacement agreement annexed to any subsequent European Commission decision for use in relation to transfers from a processor located in the EU/EEA (or otherwise subject to the EU GDPR) to processors established outside the EU/EEA (and not subject to the EU GDPR).

Permitted Region means the United Kingdom and the European Economic Area.

Security Breach means any actual loss, unauthorised or unlawful processing, destruction, damage, alteration, or unauthorised disclosure of, or access to the VDP Personal Data, whether accidental or intentional.

Standard Contractual Clauses means the EU Standard Contractual Clauses as modified by the UK Addendum.

Sub-Processor means a subcontractor (including any Affiliates of Supplier or Personnel who are not employees of Supplier) appointed by Supplier to process VDP Personal Data and approved in advance by VDP.

UK Addendum means the addendum approved by the UK from time to time which is intended to be used in conjunction with the EU Standard Contractual Clauses for the transfer of personal data to third countries compliant with the Data Protection Laws applicable in the UK and as incorporated under this Agreement.

VDP Personal Data means all Personal Data processed by Supplier on behalf of VDP and/or VDP Customers under or in connection with the Agreement.

The terms “Data Subject”, “Personal Data”, “controller” and “processor”, “process”, “processing”, “transfer” (in relation to transfers of Personal Data) and “technical and organisational measures” have the meanings given in the GDPR.

VDP enters into this DPA for its own benefit and for the benefit of each VDP Customer. If a VDP Customer is the controller of VDP Personal Data processed by Supplier, VDP Customer may enforce this DPA and the Standard Contractual Clauses against Supplier as if named herein and/or the Standard Contractual Clauses as VDP

  1. General & Compliance with Data Protection Laws
    1. VDP will be a processor and the Supplier will be a sub-processor of VDP Personal Data.
    2. The term of this DPA may be amended or supplemented by a Statement of Work.
    3. Supplier warrants to VDP that it will: (a) comply with its obligations under Data Protection Laws as a processor of the VDP Personal Data; and (b) not commit any act or failure that would put VDP and/or VDP Customers in breach of Data Protection Laws.
    4. Supplier will maintain records of all processing operations for which it is responsible that contain at least the minimum information required by Data Protection Laws, and, if requested, will make such information available to any DP Regulator.
  2. Processing and Security
    1. Unless VDP permits otherwise in writing, Supplier will only process the types of Personal Data, and only in respect of the categories of Data Subjects and types of processing set out in the Schedule.
    2. In processing the VDP Personal Data, Supplier will:
      1. process VDP Personal Data only in compliance with VDP’s written instructions (including those set out in the Agreement) unless required to do so by applicable European Union or EU member state law. If this is the case, the Supplier will inform VDP of that legal requirement before processing, unless that law prevents such disclosure on important grounds of public interest;
      2. only process the VDP Personal Data for the purpose set out in the Agreement or otherwise permitted by VDP in writing;
      3. notify VDP within 2 Business Days if it receives a Data Subject Request in relation to VDP Personal Data;
      4. provide VDP with its full co-operation and assistance (including technical and organisational measures) in relation to any Data Subject Request;
      5. comply with any request from VDP to fulfil (or support VDP’s fulfilment of) a Data Subject Request (to the extent that it relates to VDP Personal Data) within 5 Business Days of the date of VDP’s request;
      6. not disclose any VDP Personal Data to any Data Subject or to a third party (including any subcontractor or Affiliate) other than at the written direction of VDP or as expressly provided for in the Agreement;
      7. taking into account: (i) the latest technology; (ii) the nature, scope, context and purposes of the processing; and (iii) the risk and severity of potential harm, protect the VDP Personal Data by making sure that it has in place technical and organisational measures so that processing meets the requirements of Data Protection Laws and the rights of Data Subjects under Data Protection Laws are protected. This will include: (i) making sure that any computer system on which VDP Personal Data is stored or processed is controlled by a password which is kept confidential; and (ii) measures to protect the VDP Personal Data against a Security Breach, including viruses being present in Supplier servers, hardware, software or email; and
      8. make sure that only authorised persons process VDP Personal Data (including accessing it) and that such persons are (i) subject to binding confidentiality obligations in relation to the VDP Personal Data (including how it is processed); (ii) trained on the requirements of Data Protection Laws and their obligations in respect of VDP Personal Data under the Agreement; and (iii) only given access to those parts of the VDP Personal Data as are necessary for the performance of that person’s responsibilities.
    3. Supplier will immediately (and in any event within 24 hours) after discovering any Security Breach, or any failure or defect in security which leads, or might reasonably be expected to lead, to a Security Breach (together, a Security Issue), notify VDP in writing by email to dpo@voodoopark.com, and Supplier will restore such VDP Personal Data at its own cost.
    4. Where there is a Security Issue, the Supplier will:
      1. as soon as reasonably possible, provide VDP with full details of the Security Issue, the actual or expected results, and the measures taken, or to be taken, to fix or lessen it;
      2. co-operate with VDP, and provide VDP with all reasonable assistance in relation to the Security Issue; and
      3. unless required by Applicable Law, not make any notifications to a DP Regulator or Data Subjects about the Security Issue without getting VDP’s permission first. VDP will not unreasonably withhold or delay such consent.
  3. Return or Destruction of Personal Data
    1. Supplier will, at VDP’s request, provide VDP with a copy of all VDP Personal Data held by Supplier in the format and on the media reasonably requested by VDP.
    2. Except as required by paragraph 3 below, at VDP’s request, or when Supplier no longer needs such VDP Personal Data to exercise or perform its rights or obligations under the Agreement, and on expiry or termination of the Agreement, Supplier will:
      1. immediately stop using or processing VDP Personal Data;
      2. securely return to VDP all VDP Personal Data that it has, or controls, and permanently delete all VDP Personal Data it has, or controls; and
      3. if requested by VDP, deliver a certificate confirming it has complied with the return and/or destruction of VDP Personal Data.
    3. If Supplier is required by Data Protection Laws to retain all or part of the VDP Personal Data (the Retained Data), Supplier undertakes that it will:
      1. tell VDP of such requirements including the Applicable Law;
      2. stop all processing of the Retained Data other than as required by the Applicable Law;
      3. keep confidential all such Retained Data; and
      4. continue to comply with this DPA in relation to such Retained Data.
    4. When transferring VDP Personal Data to VDP, the Supplier will only use secure networks approved in advance in writing by VDP (acting reasonably).
  4. Audit
    1. Supplier will comply with all requests from VDP, VDP Customers and their respective auditors and internal or external representatives to access and inspect Supplier’s (and its approved Sub-Processors’) premises, systems, procedures, records and personnel relevant to any processing of VDP Personal Data. Supplier will help VDP and VDP Customers to audit and verify that Supplier is (and its approved Sub-Processors are) complying fully with its obligations under the Agreement and Data Protection Laws in relation to VDP Personal Data.
    2. Supplier will provide such information, cooperation and assistance in relation to any request made under paragraph 1 above as VDP or VDP Customers may reasonably request. Supplier will immediately inform VDP if it thinks a request breaches any Data Protection Laws.
  5. Co-operation and Assistance
    1. The supplier will promptly co-operate with VDP, and promptly provide such information and assistance as VDP may reasonably request, to help VDP to:
      1. comply with VDP’s obligations under Data Protection Laws (including Articles 32-36 of GDPR) in relation to VDP Personal Data; and
      2. deal with and reply to all investigations and requests for information relating to the VDP Personal Data from any DP Regulator.
    2. If Supplier receives any complaint, notice or communication from a DP Regulator or other third party (which is not a Data Subject Request) which relates to VDP Personal Data or to either party’s compliance with Data Protection Laws, it will notify VDP as soon as reasonably possible and will provide VDP with reasonable co-operation and assistance.
  6. Sub-Processors
    1. Subject to the provisions of the MSA and any restrictions on Supplier’s right to appoint sub-contractors under the Agreement (which Supplier must comply with notwithstanding this paragraph 1), Supplier may not engage Sub-Processors to process the VDP Personal Data on Supplier’s behalf unless:
      1. Supplier notifies VDP in writing of any proposed Sub-Processor or any proposed change to the nature or scope of the activities being undertaken by an approved Sub-Processor (each a Sub-Processing Instruction) at least 60 days prior to the change taking effect;
      2. the Sub-Processor does not conduct any business activities that compete with the business activities of any VDP Entity or the applicable VDP Customer;
      3. Supplier carries out appropriate due diligence to satisfy itself that: (i) each Sub-Processor will be able to comply with the applicable requirements of the Agreement, including this DPA; (ii) a Sub-Processing Instruction will not cause VDP or Supplier to breach their respective obligations under Data Protection Laws; (iii) a Sub-Processing Instruction will not adversely affect the confidentiality, security, availability or integrity of VDP Personal Data;
      4. upon request, the Supplier provides VDP with details of the findings of its due diligence carried out under paragraph 1.3 above and provides VDP with reasonable cooperation and assistance in performing its own due diligence in relation to a Sub-Processing Instruction; and
      5. VDP is entitled to object to any Sub-Processing Instruction in accordance with paragraph 2 below. VDP may revoke any consent it gives to the use of any or all Sub-Processors by Supplier if Supplier fails to comply with the requirements of paragraph 6.1 above.
    2. VDP may object to a Sub-Processing Instruction.
    3. If VDP objects to a Sub-Processing Instruction in accordance with paragraph 2, then:
      1. Supplier will not implement the relevant Sub-Processing Instruction (or, if it has already been implemented at the date of VDP’s objection, will immediately cease the activities being performed by the Sub-Processor under that Sub-Processing Instruction); and
      2. Supplier will promptly make available to VDP an alternative arrangement that complies with the terms of this Agreement and: (i) addresses (to VDP’s satisfaction) the concerns raised by VDP in its objection; or (ii) avoids the processing of VDP Personal Data under that Sub-Processing Instruction.
    4. If an alternative arrangement proposed by Supplier under paragraph 3 constitutes a Sub-Processing Instruction then the provisions of paragraphs 6.1 to 6.3 will apply to it.
    5. If Supplier appoints a Sub-Processor, Supplier will ensure that:
      1. such Sub-Processor shall only process VDP Personal Data in order to perform one or more of Supplier’s obligations under the Agreement; and
      2. it enters into a written agreement with that Sub-Processor, prior to any processing by the Sub-Processor, requiring the Sub-Processor to:
        1. process VDP Personal Data only in accordance with the written instructions of Supplier or VDP; and
        2. comply with data protection obligations equivalent in all material respects to those imposed on Supplier under this DPA.
    6. Notwithstanding the appointment of a Sub-Processor, the Supplier is responsible and liable to VDP for any breach of this DPA by a Sub-Processor, as if the Sub-Processor’s acts and omissions were Supplier’s own acts and omissions.
  7. Transfer of Personal Data outside the Permitted Region
    1. In respect of any transfer of or access to any VDP Personal Data to or by Supplier outside of the Permitted Region:
      1. the transfer of VDP Personal Data will be subject to the Standard Contractual Clauses;
      2. VDP will be the data exporter and Supplier will be the data importer under Standard Contractual Clauses;
      3. the information required by the EU Standard Contractual Clauses and the UK Addendum is set out in the Schedule to this DPA.
    2. Upon VDP’s request, the Supplier must provide VDP with written details of all transfers of VDP Personal Data outside of the Permitted Region (including details of the recipients of the VDP Personal Data, the locations to which the VDP Personal Data has been transferred, and the method(s) by which the transfers satisfy Data Protection Laws).
    3. If Supplier transfers VDP Personal Data outside of the Permitted Region and either: (a) the method by which the transfer satisfies Data Protection Laws ceases to be valid; (b) the transfer ceases to satisfy the requirements of paragraph 2 above; or (c) any DP Regulator requires the relevant transfer of Personal Data (or a category of transfers of Personal Data which includes Supplier’s transfer) to be suspended, then Supplier must:
      1. immediately stop such transfers of Personal Data until such time as it is able to perform the transfer in full compliance with this paragraph 7 and the requirements of any DP Regulator; and
      2. if requested by VDP, delete or return all Personal Data previously transferred outside of the Permitted Region.
    4. Supplier shall indemnify VDP against all administrative fines and penalties incurred by VDP due to any failure by Supplier to comply with any of its obligations under this DPA.

Schedule

ANNEX I to the EU Standard Contractual Clauses

  1. LIST OF PARTIES

    Data exporter/processor:
    Name and Address: VDP, whose details are set out in the Agreement
    Contact person’s name, position and contact details: as set out in the Agreement
    Activities relevant to the data transferred under these Clauses: Supplier of the services set out in each Statement of Work to its customers

    Data importer/processor:
    Name and Address: Supplier, whose details are set out in the Agreement
    Contact person’s name, position and contact details: as set out in the Agreement
    Activities relevant to the data transferred under these Clauses: Supplier of the services set out in each Statement of Work to VDP
  2. DESCRIPTION OF TRANSFER

    To the extent necessary to provide Services under a Statement of Work, the Supplier may have access to personal data processed by a VDP Customer as controller and VDP as a processor to a VDP Customer. Additional information about personal data processed by Suppliers may be provided in each Statement of Work.

    Categories of data subjects whose personal data is transferred: personnel, customers, prospects, business contacts and suppliers, and personnel of such customers, prospects, business contacts and suppliers.

    Categories of personal data transferred: personal details, family, lifestyle and social circumstances, educational and training details, employment details, financial details, goods or services provided, transactional details, and device data.

    Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitations, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: data concerning the racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, data concerning health, sex life or sexual orientation, and criminal offences.

    The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): continuous.

    Nature of the processing: collecting, recording, organising, structuring, copying, storing, adapting, retrieving, using, investigating, disclosing by transmitting, making available, combining and erasing, purely for the purpose of providing the Services.

    Purpose(s) of the data transfer and further processing: to enable Supplier to provide Services under each Statement of Work.

    The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

    Until expiry or termination of the applicable Statement of Work

    For transfers to (sub-) processors, also specify the subject matter, nature and duration of the processing

    Supplier may have access to personal data processed by a VDP Customer as controller and VDP as a processor to a VDP Customer to the extent necessary for Supplier to provide Services under a Statement of Work.  Duration will be the duration of the applicable Statement of Work.

  3. COMPETENT SUPERVISORY AUTHORITY

    Identify the competent supervisory authority/ies in accordance with Clause 13: The UK Information Commissioner unless specified in a Statement of Work

ANNEX II to the EU Standard Contractual Clauses

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

EXPLANATORY NOTE:

The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

General Statement


Supplier, when processing Data and/or using VDP Systems, must establish formal documentation covering, at a minimum, the security requirements set out below, approved by an appropriate level of Supplier management.

Such formal documentation must be reviewed and approved by an appropriate level of Supplier management at least annually.

  1. Information security policy

    1. Establish its own Information Security Policy based on the best industry standards.
    2. Communicate the Information Security Policy, and any changes or updates thereto, in writing to staff who process or have access to Data.
  2. Human resource security

    1. Appropriate background checks are performed on potential hires based on the perceived risks involved.
    2. Information security awareness training is conducted for all Supplier staff having access to Data, including:
      1. new hires upon joining; and
      2. for all other Supplier staff, on an annual basis at a minimum.
    3. All Supplier staff having access to Data are required to sign a confidentiality/non-disclosure agreement.
    4. The roles and responsibilities of Supplier staff in relation to information security must be defined and documented.
    5. Disciplinary processes are in place to deal with Supplier staff who have committed an information security breach.
    6. Supplier staff access (including physical and logical access) to Data or Supplier Systems that process Data is removed within twenty-four (24) hours of their last working day, in the event of their resignation, termination, or transfer.
    7. Supplier staff are required to return all corporate assets (e.g. laptop, mobile phone, access cards and keys) and Data (whether in electronic or physical format) in their possession or control before leaving the Supplier.
  3. Information security risk management

    1. An information security risk assessment is performed at least annually on its critical information assets, information systems and processes relevant to the Services rendered to VDP, including but not limited to:
      1. identification of the information security risks associated with the above mentioned critical information assets, information systems and processes;
      2. assessment (in collaboration with VDP) of the potential loss for VDP of customer trust, adverse publicity and reputational damage, financial loss and regulatory fines; and
      3. risk remediation activities for each identified information security risk, which include identification and implementation of appropriate mitigating controls and remediation timelines.
    2. An information security risk register is maintained to monitor the progress of such remediation activities, with regular reporting to an appropriate level of management.
  4. Information asset management

    1. Segregate Data from non-Data through logical or physical means.
    2. Maintain an up-to-date inventory with all recorded information assets and information systems (e.g. software and hardware components, including virtual resources where applicable) used in the processing of Data, with clear ownership and identification of the roles and responsibilities of Supplier staff for managing such information assets and information systems. Such inventory must be reviewed for accuracy at least annually or when there is a material change, whichever is sooner.
    3. Identify and replace systems and infrastructure that process Data and are end of life (EOL) or end of support (EOS), prior to the EOL or EOS date.
    4. Establish retention requirements for Data processed by the Supplier in accordance with the Agreement.
    5. Technology Records must be retained according to the local law(s) or regulation(s) applicable to the records category. Data stored in physical and electronic formats is securely disposed of, and such disposal is certified in writing to the designated VDP authorised representative (and/or such other VDP contact(s) notified in writing by VDP to the Supplier from time to time).
  5. Information security incident management and notification

    1. The designated VDP authorised representative (and/or such other VDP contact(s) notified in writing by VDP to Supplier) is notified of information security incidents involving Data within the timelines prescribed under the Agreement.
    2. Established information security incident reporting and escalation procedures, which include appropriate timelines for investigation and escalation of information security incidents.
    3. Performance of root cause and impact analysis for information security incidents involving Data, and implementation of adequate corrective measures to prevent a recurrence of such incidents.
    4. Reporting of the results of the root cause and impact analysis for information security incidents involving Data as soon as possible, within the timelines prescribed under the Agreement, to the designated VDP authorised representative (and/or such other VDP contact(s) notified in writing by VDP to Supplier).
  6. Data leakage prevention

    1. Access to web-based email, social media, file-sharing networks and cloud-based internet storage sites is blocked by default:
      1. on all machines that process Data; and
      2. for all Supplier staff that have access to Data.
    2. Access to ports such as USB, FireWire or any similar removable media interfaces is disabled by default (and a formal access request with business justification is required prior to unlocking).
    3. Printing of Data is prohibited from all IT devices with access to Data unless explicitly required as part of the Services.
    4. Protection of Data at rest using one or more of the following methods:
      1. column-level encryption on all databases that process Data, e.g. symmetric encryption for SQL Server and Oracle databases;
      2. file-level or folder-level encryption on all devices and storage media that process Data, using 128-bit Advanced Encryption Standard (AES-128) at a minimum; and/or
      3. full disk encryption on all devices (mobile devices and portable storage devices, e.g. laptops, external hard drives, mobile phones) that process Data, using AES-128 at a minimum.
    5. Data is secured in transit, depending on the method of communication:
      1. e-mail: Data is encrypted using PGP or WinZip with AES-128 at a minimum. The password to decrypt Data must be sent via a different channel (not via e-mail); and
      2. network connection transmission is encrypted using Transport Layer Security (TLS) 1.2 at a minimum.
  7. Access control

    1. Users are assigned unique user IDs with clear ownership (i.e. traceable to an individual).
    2. Requests for user access are approved by an appropriate level of management.
    3. Access to systems is controlled by a secure log-on process (e.g. authentication of user ID and password).
    4. When granting access, the principle of ‘least privilege’ is applied in establishing segregation of duties.
    5. When granting access, the principle of ‘never alone’ is adopted to ensure no one person has access to perform sensitive system functions.
    6. Multi-factor authentication is implemented for users with access to sensitive system functions.
    7. User accounts inactive for more than ninety (90) days are disabled.
    8. Access matrix must be reviewed annually.
    9. Access rights of all users must be recertified semi-annually.
    10. Privileged accounts must be:
      1. restricted to authorised staff;
      2. granted access on a ‘need-to-use’ basis;
      3. an addition to the user holding normal user access;
      4. used for defined security and system administrative activities; and
      5. securely vaulted when not in use and returned to the vault as soon as the allowed administration activities are completed.
    11. Activities of privileged accounts must be logged and reviewed.
    12. Password requirements:
      1. passwords must contain a minimum of twelve (12) characters, including at least one of each: an uppercase letter, lowercase letter, number, special character;
      2. passwords must not contain repetition of any three (3) of the same characters (i.e. 111, AAA, bbb) and not to be sequential (i.e. 123456, 98765, abcd);
      3. password change on the first log on;
      4. password reuse/history prohibitions: minimum last ten (10) passwords;
      5. user account locking after six (6) consecutive failed login attempts; and
      6. session timeout set to fifteen (15) minutes of inactivity forcing revalidation of credentials.
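The password rules in paragraph 12 above are concrete enough to be enforced in code. The following Python checker is an added illustration, not part of the DPA and not tooling belonging to VDP or any Supplier. It implements the 12-character/four-class rule, the triple-repeat and sequential-character prohibitions, the ten-password history and the six-failure lockout. Two points are assumptions because the text does not fix them: a "sequence" is taken to be any run of three or more alphanumerics ascending or descending by one (stricter than the four-plus-character examples given), and a "special character" is any printable non-alphanumeric character.

```python
"""Policy checker for the password requirements in Annex II, section 7.12.
Added example; the constants map to the numbered sub-paragraphs."""
import hashlib
import hmac
import os

MIN_LENGTH = 12          # 7.12.1
MAX_REPEAT = 3           # 7.12.2: no three identical characters in a row
SEQUENCE_RUN = 3         # assumption: a run of 3+ stepwise alphanumerics is "sequential"
HISTORY_DEPTH = 10       # 7.12.4: the last ten passwords may not be reused
MAX_FAILED_LOGINS = 6    # 7.12.5: lock after six consecutive failures
PBKDF2_ROUNDS = 50_000   # for the hashed history; tune upward in production


def _has_repeat(pw: str, n: int = MAX_REPEAT) -> bool:
    """True if any n consecutive characters are identical (e.g. '111', 'AAA')."""
    return any(len(set(pw[i:i + n])) == 1 for i in range(len(pw) - n + 1))


def _has_sequence(pw: str, run: int = SEQUENCE_RUN) -> bool:
    """True if a case-insensitive alphanumeric run steps by +1 or -1 throughout
    (e.g. '123', 'abcd', '98765'). Punctuation breaks a run."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        if not window.isalnum():
            continue
        steps = {ord(window[j + 1]) - ord(window[j]) for j in range(run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_complexity(pw: str) -> list:
    """Return the list of violated rules; an empty list means the password complies."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("length")
    if not any(c.isupper() for c in pw):
        problems.append("uppercase")
    if not any(c.islower() for c in pw):
        problems.append("lowercase")
    if not any(c.isdigit() for c in pw):
        problems.append("digit")
    if not any(not c.isalnum() and not c.isspace() for c in pw):
        problems.append("special")
    if _has_repeat(pw):
        problems.append("repeat")
    if _has_sequence(pw):
        problems.append("sequence")
    return problems


def _digest(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Salted hashes of previous passwords; only the newest HISTORY_DEPTH are consulted."""

    def __init__(self):
        self._entries = []  # (salt, digest), oldest first

    def was_used(self, pw: str) -> bool:
        recent = self._entries[-HISTORY_DEPTH:]
        return any(hmac.compare_digest(_digest(pw, salt), d) for salt, d in recent)

    def record(self, pw: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _digest(pw, salt)))


def validate_new_password(pw: str, history: PasswordHistory) -> list:
    """Complexity rules plus the reuse prohibition, in one call."""
    problems = check_complexity(pw)
    if history.was_used(pw):
        problems.append("reused")
    return problems


class LoginAttempts:
    """Consecutive-failure counter implementing the six-attempt lockout."""

    def __init__(self):
        self.failed = 0
        self.locked = False

    def record_failure(self) -> bool:
        self.failed += 1
        if self.failed >= MAX_FAILED_LOGINS:
            self.locked = True
        return self.locked

    def record_success(self) -> None:
        # A locked account stays locked until an administrator clears it.
        if not self.locked:
            self.failed = 0


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    hist = PasswordHistory()
    hist.record("Tr0ub4dor&3x!Q")
    print(validate_new_password("Tr0ub4dor&3x!Q", hist))   # ['reused']
    print(validate_new_password("Abcdefgh123!", hist))     # ['sequence']
    print(validate_new_password("Qwerty!111Zz", hist))     # ['repeat']
```

Returning the list of violated rules, rather than a bare boolean, lets the logon or self-service reset flow tell the user exactly which sub-paragraph was not met; the history check stores only salted PBKDF2 digests so that the history itself is not a plaintext password store.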
  8. Remote access management

    1. Remote access to Supplier Systems is only granted to authorised Supplier staff and devices. Such access must be granted with valid business justification. This includes remote access by privileged users for administrative or system configuration tasks.
    2. Multi-factor authentication is used to authenticate Supplier staff when remotely connecting.
    3. Supplier remote access connections are encrypted using TLS 1.2 (Transport Layer Security) or higher.
    4. Supplier remote access connections are obtained via Virtual Private Networks (VPN) acceptable to VDP.
  9. Malware and vulnerability management

    1. Enterprise-level anti-virus software is installed and maintained on systems.
    2. Anti-virus software is configured to perform: automatic software and definition updates; daily full virus scans on devices like desktops, laptops and mobile phones; and weekly full virus scans on servers.
    3. Systems are hardened and deployed with robust baseline security standards which meet industry standards such as NIST, CIS and PCI.
    4. Security configuration is reviewed against internal standards on an annual basis at a minimum to monitor compliance.
    5. Security patches are assessed and prioritized according to their severity and business impact.
    6. Security patches are tested before deployment and deployed in a timely manner according to their severity, to counter exploitation of the latest security vulnerabilities.
    7. Vulnerability identification is conducted at least quarterly on all systems.
    8. Penetration tests are conducted at least annually on all external or internet facing systems.
    9. Network vulnerability scanning is conducted at least quarterly on systems, including:
      1. prioritisation of findings based on criticality and risk; and
      2. reporting to relevant stakeholders and committees, including VDP, and management and tracking of resolution within appropriate timelines for each level of criticality and risk.
  10. System development and change management

    1. Change requests must be initiated through a formal change request process.
    2. Risk and impact analyses are performed for such change requests in relation to systems.
    3. Change requests are approved by an appropriate level of management. For emergency changes, prior notification or escalation to change management stakeholders is maintained.
    4. Security requirements are given due consideration in the systems development and change management processes.
    5. Secure development practices address the SANS top twenty-five (25) programming errors and OWASP top ten (10) vulnerabilities.
    6. User Acceptance Testing (UAT) and System Integration Testing (SIT) test plans are prepared and their results are approved by an appropriate level of management upon completion of testing.
    7. Data is not used for testing unless authorised in writing by the designated VDP authorised representative (and/or such other VDP contact(s) notified in writing by VDP to the Supplier).
    8. Prior to the implementation of changes, a rollback plan (which may include a backup plan) is prepared.
    9. Source code review is conducted prior to implementation of changes to the production environment of a system.
    10. Development and testing environments are segregated from the production environment physically or logically.
    11. Developers do not have access to the production environment and are not authorised to implement changes to the production environment.
  11. Network security

    1. including:
      1. requests for configuration changes and exceptions to the firewall rules are documented and approved by an appropriate level of management;
      2. review of the firewall rules and exceptions is performed on a semi-annual basis at a minimum, which may include removal of expired or unnecessary rules, resolution of conflicting rules and addition of new rules; and
      3. Intrusion Detection / Prevention Systems (IDS/IPS) are configured to generate alerts for security events (which are monitored and escalated on a timely basis) and to prevent security incidents.
    2. Access to the firewall and IDS/IPS configuration settings is restricted to authorised Supplier staff.
  12. Wireless security

    1. Supplier wireless networks are configured with appropriate authentication mechanisms including: network access control (e.g. IEEE 802.1X), device authentication (e.g. EAP-TLS), user authentication (e.g. multi-factor authentication), end-to-end encryption standard of at least WPA2 (Wi-Fi Protected Access 2), TLS 1.2 or 1.3 (Transport Layer Security) or equivalent.
    2. Guest networks must be segregated from Supplier corporate production networks via the use of firewalls and Virtual Local Area Networks (VLANs).
  13. Mobile device security

    1. Secure standard configurations are enforced for Supplier corporate mobile devices (e.g. smart phones, tablets and laptops) via:
      1. usage of Mobile Device Management (MDM) and/or Mobile Application Management (MAM) software on Supplier corporate mobile devices;
      2. the configuration that enforces automatic updates and periodic scans of Supplier corporate mobile devices to check for jailbreaking/rooting/tampering and malware; and
    2. Circumvention of, or tampering with, Supplier corporate mobile device security profiles is prohibited, and access to Data from compromised Supplier corporate mobile devices and from personal mobile devices is prohibited.
    3. Access control mechanisms must be implemented, maintained and enforced to restrict administrative access of Supplier corporate mobile devices to authorised Supplier staff.
    4. Remote wipe capabilities must be implemented and configured for Supplier corporate mobile devices.
  14. Physical security

    1. Where Supplier Facilities and Supplier Systems are being used to provide the Services:
      1. Physical security mechanisms are implemented and maintained to restrict access to Supplier Systems and Supplier Facilities.
      2. A process is established for granting and approving access to Supplier Facilities.
      3. Threat and vulnerability assessments are performed to identify security threats to, and operational weaknesses of, any Supplier Facilities. Such assessment should be carried out on an annual basis, and material vulnerabilities discovered are mitigated.
  15. Information security aspects of backup and disaster recovery

    1. Backups at rest are stored onsite and offsite of Supplier Facilities and are protected with physical security mechanisms (e.g. keys, access cards, smart cards, tokens and biometric systems), with access to backups restricted to authorised Supplier staff.
    2. Electronic backups (e.g. backup tapes, and any network connections used for data transfer) are encrypted during transportation and transmission using AES-128 or higher.
    3. Backups must be scheduled based on the criticality of the system and restoration testing must be performed at least annually. Scheduled and restoration testing results must be documented and maintained.
    4. Physical backups (i.e. paper media, backups on tapes) are transferred using unlabelled, non-identifiable envelopes/boxes.
    5. Data used as part of disaster recovery exercises and actual incidents is removed from Supplier Systems upon completion of the disaster recovery exercise or incident response.
  16. Cryptographic key management

    1. Prior to the selection of cryptographic solutions for use in protecting Data, a risk assessment is performed to identify the required level of protection including but not limited to:
      1. circumstances in which cryptographic solutions must be used, taking into consideration the classification of Data to be protected, and applicable country legal, mandatory and regulatory requirements in relation to cross-border data transfer; and
      2. compliance of the selected cryptographic solution(s) with Federal Information Processing Standards Publication 140-2 (FIPS PUB 140-2) requirements (and, for payment card related information, also compliance with PCI DSS).
    2. The encryption key management lifecycle includes the following elements:
      1. encryption keys are generated using approved key lengths and in a manner that ensures new encryption keys cannot be derived based on knowledge of previous encryption keys (in part or in whole);
      2. encryption keys are securely distributed, activated, stored, recovered, replaced (or updated) and disposed of in a manner to ensure they are not recoverable;
      3. storage of encryption keys is logically segregated from locations in which Data is stored;
      4. contingency and recovery procedures are in place to manage compromised, lost, corrupted or expired encryption keys, which include the immediate deactivation of compromised encryption keys;
      5. encryption keys are archived in a secure location and encryption keys histories are maintained;
      6. defined activation and deactivation dates or timeframes are allocated for all encryption keys; and
      7. encryption keys shall be for a single purpose and encryption keys used to protect Data and Supplier Systems that process Data are split between two or more authorised personnel.
    3. Ownership of encryption keys is identifiable to authorised Supplier staff, and keys used for the encryption of Data must be unique and not shared by non-VDP entities.
    4. Access to encryption keys is strictly managed in accordance with the following requirements:
      1. access to encryption keys is restricted to authorised Supplier staff;
      2. logging of encryption key management related activities is enabled, and such logs are retained in accordance with the local law or regulation applicable to the category of the records; and
      3. tamper-resistant hardware is used to protect the processing of encryption keys.
UK Addendum Tables

Start Date: Date of the agreement

| The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
|---|---|---|
| The Parties' details | VDP, whose details are set out in the Agreement | A supplier whose details are set out in the Agreement |
| Key Contact | As set out in the Agreement | As set out in the Agreement |

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs: The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:

| Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter? |
|---|---|---|---|---|---|---|
| 3 | Yes | No | | Option 1 – Specific authorisation | 60 days | No |