
CyberCX Data Processing Agreement

Last updated: 21 July 2024

 This Data Processing Agreement (“DPA”) is subject to and forms part of the Agreement and governs CyberCX’s and its Affiliates’ Processing of Personal Data.

1. Structure.

You enter this DPA with CyberCX UK Limited (“CyberCX”).

2. CyberCX as Data Processor and Data Controller.

Data Processing Roles

CyberCX as a Data Processor: When CyberCX Processes Personal Data as a Data Processor, it is acting as a Data Processor on behalf of you, the Data Controller.

CyberCX as a Data Controller: When CyberCX Processes Personal Data as a Data Controller it:

  • has the sole and exclusive authority to determine the purposes and means of Processing Personal Data it receives from or through you; and
  • may engage an Affiliate to act as (a) a Joint Controller to provide administration services (such as Client account management); and (b) a Data Processor to provide services other than those covered by (a).

Data Processing Purposes

CyberCX as a Data Processor: The purposes of CyberCX’s Processing of Personal Data in its capacity as a Data Processor are to perform, and provide access to, CyberCX’s products and services (including making available third party products as a reseller).

CyberCX as a Data Controller: The purposes of CyberCX’s Processing of Personal Data in its capacity as a Data Controller when providing CyberCX’s products and services are to:

  • determine and utilize third parties (such as our information technology partners);
  • monitor, prevent and mitigate information security risks and other harm;
  • implement, maintain and perform internal processes that enable CyberCX to provide its products and services, including relationship management, quality assurance, billing and invoicing;
  • comply with Law; and
  • analyze and develop CyberCX’s products and services.

Categories of Data Subjects and Personal Data: CyberCX as a Data Processor and a Data Controller

Data Subjects: CyberCX may Process the Personal Data of Clients (and their employees and representatives) and any end user Clients of the Client or other natural persons who access or use the Services, or whose details are provided by or disclosed to CyberCX by the Client as part of (or during the course of) the contracted Services.

Personal Data: The Client, rather than CyberCX, determines which categories of Personal Data exist and will be disclosed to and Processed by CyberCX in the provisioning of the Services because:

  • Client’s infrastructure (e.g., endpoint(s), virtual machine and cloud environments) is unique in configurations and naming conventions;
  • Client’s controls (such as via deployment, configuration, and submission) determine which Client Content is uploaded, disclosed, transferred to, or is otherwise collected by, the CyberCX Services; and
  • the Client has either requested CyberCX’s Services interact with particular parts of Client’s infrastructure, or the Client has requested a Service that will interact with more than one, or all, parts of the Client’s infrastructure.

The Personal Data disclosed and Processed by CyberCX will typically include but is not limited to: names, email address, personal address, telephone number, IP address. For some of our monitoring services, we may also see email subject lines, attachment or file names (but not content).

Duration of Processing

CyberCX as a Data Processor: For:

  • the Term of the relevant Services or engagement; and
  • after the Term until the business purposes for which the data was collected or transferred have been fulfilled; and
  • any period required to perform a party’s post-termination obligations (including obligations under applicable Law).

Data Security

CyberCX as a Data Processor and Data Controller: CyberCX will implement and maintain a written information security program with the Data Security Measures stated in the Exhibit of this DPA.

Governing Law

This DPA shall be governed by the law of the country of the United Kingdom in which the data exporter is established, namely England.

3. CyberCX Obligations when acting as a Data Processor.

3.1 Obligations.

When CyberCX is acting as a Data Processor for you, CyberCX will:

(a) Process Personal Data on your behalf and according to your Instructions. CyberCX will inform you if, in its opinion, Instructions violate or infringe Data Protection Law;

(b) ensure that all persons CyberCX authorizes to Process Personal Data are granted access to Personal Data on a need-to-know basis and are committed to respecting the confidentiality of that Personal Data;

(c) to the extent required by Data Protection Law, inform you of each request CyberCX receives from Data Subjects (including “verifiable consumer requests” as defined under the CCPA) exercising their rights under Data Protection Law to:

(i) access (e.g., right to know under the CCPA) their Personal Data;
(ii) have their Personal Data corrected or erased;
(iii) restrict or object to CyberCX’s Processing; or
(iv) data portability (collectively “Data Subject Request”).

Other than to request further information, identify the Data Subject, and, if applicable, direct the Data Subject to you as Data Controller, CyberCX will not respond to these requests unless you instruct CyberCX in writing to do so;

(d) to the extent required by Data Protection Law (and otherwise to the extent permitted by Law), inform you of each law enforcement request CyberCX receives from a Governmental Authority requiring CyberCX to disclose Personal Data or participate in an investigation requiring CyberCX to disclose Personal Data;

(e) to the extent required by Data Protection Law, provide you with reasonable assistance, following your written request, to help you comply with your obligations under Data Protection Law and, taking into account the nature of the Processing and the information available to CyberCX, CyberCX will provide reasonable information to help you conduct a data protection impact assessment or consult with a Supervisory Authority. If you request assistance from CyberCX that goes beyond CyberCX’s obligations under Data Protection Law or this Agreement, CyberCX may charge you a reasonable fee;

(f) if CyberCX experiences a Data Incident, notify you without undue delay, in each case after becoming aware of the Data Incident. For Data Incidents affecting Data Subjects under the GDPR or UK GDPR, notice will be no later than 48 hours after becoming aware of the Data Incident. To the extent known to CyberCX, CyberCX’s notification to you will describe in reasonable detail:

(i) the type of Personal Data that was the subject of the Data Incident;
(ii) the categories and potential number of individuals or records affected (including their countries); and
(iii) the status of CyberCX’s investigation and current or planned remediation.

Following the notification, CyberCX will provide relevant updates to assist you in complying with your obligations under Data Protection Law;

(g) to the extent required by Data Protection Law and following your written request, contribute to audits or inspections by making audit reports available to you. Following this request, and no more frequently than once annually, CyberCX will promptly provide documentation or complete a written data security questionnaire of reasonable scope and duration regarding CyberCX’s and its Affiliates’ Processing of Personal Data. All reports and documentation provided, including any response to a security questionnaire, are CyberCX’s confidential information and are not to be shared with a third party without CyberCX’s written consent; and

(h) at your choice, delete or return to you all Personal Data Processed in connection with the Services, and delete existing copies, following termination of the Agreement, except that CyberCX will not be required to delete or return that Personal Data, or delete existing copies, to the extent that CyberCX’s storage of that Personal Data or those copies is (i) required by CyberCX to exercise its rights and perform its obligations under this Agreement; or (ii) required or authorized by Data Protection Law for a longer period.

3.2 Sub-processors.

(a) CyberCX engages Sub-processors as necessary to perform the Services. CyberCX’s list of Sub-processors, which may also include CyberCX Affiliates, is located at https://cybercx.com.au/sub-processors (“CyberCX Sub-processors List”).

(b) You consent to CyberCX’s use of its existing Sub-processors and grant CyberCX a general written authorisation to engage one or more Sub-processors as necessary to facilitate, perform and administer the Services. Any changes to the CyberCX Sub-processors List will be published on that webpage. You may reasonably object to a change on legitimate grounds within 30 days after you receive notice of the change. You acknowledge that CyberCX’s Sub-processors are essential to provide the Services and that if you object to CyberCX’s use of a Sub-processor, then notwithstanding anything to the contrary in the Agreement (including this DPA), CyberCX will not be obligated to provide you the Services for which CyberCX uses that Sub-processor (and no remedy or liability will apply).

(c) CyberCX will enter into a written agreement with each Sub-processor that imposes on that Sub-processor obligations comparable to those imposed on CyberCX under this DPA, including the obligation to implement appropriate Data Security Measures. If a Sub-processor fails to fulfill its data protection obligations under that agreement, CyberCX will remain liable to you for the acts and omissions of its Sub-processor to the same extent CyberCX would be liable if performing the relevant Services directly under this DPA.

3.3 CCPA.

If the CCPA applies and CyberCX is acting as a Data Processor, CyberCX will not: (a) sell or share (as defined under the CCPA) Personal Data; (b) retain, use or disclose Personal Data outside of its direct business relationship with you other than to provide CyberCX’s products and services and as required to comply with Law; and (c) combine Personal Data received from or through you with Personal Data received from or on behalf of an individual or collected from CyberCX’s own interactions with the individual, except to provide CyberCX’s products and services and as permitted by Law. CyberCX certifies that it understands and will comply with the requirements in this DPA relating to the CCPA and will provide the same level of privacy protection to Personal Data as required by the CCPA. CyberCX will inform you if it determines that it can no longer meet its obligations under the CCPA and will take reasonable and appropriate steps to remediate any unauthorized Processing of Personal Data.

3.4 Disclaimer of Liability.

NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THE AGREEMENT, INCLUDING THIS DPA, CYBERCX AND ITS AFFILIATES WILL NOT BE LIABLE FOR ANY CLAIM MADE BY A DATA SUBJECT ARISING FROM OR RELATED TO CYBERCX’S OR ANY OF ITS AFFILIATES’ ACTS OR OMISSIONS, TO THE EXTENT THAT CYBERCX WAS ACTING IN ACCORDANCE WITH YOUR INSTRUCTIONS.

4. Your obligations when acting as a Data Controller.

You must:

(a) only provide Instructions to CyberCX that are lawful;

(b) comply with and perform your obligations under Data Protection Law, including with regard to Data Subject rights, data security and confidentiality, and ensure you have an appropriate legal basis for the Processing of Personal Data as described in the Agreement, including this DPA; and

(c) provide Data Subjects with all necessary information (including by means of offering a transparent and easily accessible privacy notice) and, where required by Data Protection Law, obtain all necessary consents in writing from the Data Subjects regarding CyberCX’s and your Processing of Personal Data for the purposes described in the Agreement, including this DPA.

5. CyberCX’s obligations when acting as a Data Controller.

CyberCX must comply with and perform its obligations under Data Protection Law when Processing Personal Data.

6. Data transfers.

6.1 Cross-border data transfers by you.

 You acknowledge that in order for CyberCX to provide the Services, you may be required to transfer Personal Data to CyberCX Pty Ltd (“CyberCX AU”) in Australia. If the transfer comprises Personal Data that requires a Data Transfer Mechanism, the Data Transfers Addendum, which is incorporated into this DPA, will apply.

6.2 Cross-border data transfers by CyberCX.

CyberCX and its Affiliates may transfer Personal Data on a global basis as necessary to provide the Services. In particular, Personal Data may be transferred to CyberCX AU in Australia and to CyberCX’s Affiliates and Sub-processors in other jurisdictions. If the transfer comprises Personal Data that requires a Data Transfer Mechanism, the Data Transfers Addendum, which is incorporated into this DPA, will apply.

7. Conflict.

 If there is any conflict between:

(a) the provisions of this DPA and any provision of the Agreement regarding Personal Data Processing, the provisions of this DPA will prevail; and

(b) the provisions of this DPA and any provision of the Data Transfers Addendum, the provisions of the Data Transfers Addendum will prevail.

8. Interpretation.

A reference to a law or legislation, or any subordinate instrument made under a law or legislation is taken to include any amendments, reenactments, restatements or otherwise updates to that law or legislation.

Words of inclusion are not to be taken as words of limitation.

9. Definitions.

Capitalized terms not defined in this DPA have the meanings given to them in the Agreement.

“Affiliate” means an entity belonging to the CyberCX group of companies or named as a CyberCX Sub-processor. The term “CyberCX” is inclusive of the applicable Affiliate when: (i) Applicable Laws require a direct relationship between Affiliate and the Client with respect to data protection agreements, and (ii) the Affiliate Processes Client Personal Data. CyberCX represents that it is duly and effectively authorized (or will be subsequently ratified) to act on the Affiliate’s behalf;

“Agreement” means the CyberCX services agreement between a Client and CyberCX which refers to this DPA.

“Client” or “you” means the person or entity (referred to as “you”, “Client”, “Customer” or “User” in an Agreement) that has entered into the Agreement with CyberCX (and where such person or entity is a trustee of a trust, or an agent on behalf of a Client, then “Client” for the purposes of this DPA means in both cases, each of the persons or entities involved).

“CCPA” means California Consumer Privacy Act of 2018, Cal. Civ. Code Sections 1798.100-1798.199, and its implementing regulations.

“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of Processing Personal Data, which may include, as applicable, a “Business” as defined under the CCPA.

“Data Incident” means an unauthorized or unlawful Processing, use, access, loss, disclosure, destruction or alteration of Personal Data in a party’s or its Affiliate’s, or a party’s or its Affiliate’s subcontractor’s, agent’s or representative’s, possession or control.

“Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller, which may include, as applicable, a “Service Provider” as defined under the CCPA.

“Data Security Measures” means technical and organizational measures that are intended to secure Personal Data to a level of security appropriate for the risk of the Processing.

“Data Subject” means an identified or identifiable natural person to which Personal Data relates.

“Data Transfer Mechanism” means a transfer mechanism that enables the lawful cross-border transfer of Personal Data under Data Protection Law, which includes transfer mechanisms that are required under Data Protection Law in the EEA, Switzerland and the UK, such as the EEA SCCs, the UK International Data Transfer Addendum and any data transfer mechanism available under Data Protection Law that is incorporated into this DPA.

“Data Transfers Addendum” means the data transfers addendum located at https://cybercx.com.au/data-transfers-addendum/.

“Data Protection Law” means Law that applies to Personal Data Processing under this DPA, including international, federal, state, provincial and local Law relating in any way to privacy, data protection or data security.

“EEA” means the European Economic Area.

“EEA SCCs” means Module 1 (Transfer: Controller to Controller) and Module 2 (Transfer: Controller to Processor) of the standard contractual clauses set out in the European Commission Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries according to the GDPR.

“GDPR” means General Data Protection Regulation (EU) 2016/679.

“Instructions” means any communication or documentation, including that which may be provided through a CyberCX API, or CyberCX Dashboard, or written agreements between you and CyberCX through which the Data Controller instructs a Data Processor to perform specific Processing of Personal Data for that Data Controller. The following is a mutually agreed instruction: (a) Processing of Personal Data in accordance with the Agreement and any applicable orders; (b) Processing initiated by users in their use of the CyberCX Services; and (c) Processing to comply with other reasonable documented instructions provided by Client (e.g., via email) where such instructions are consistent with the terms of the Agreement.

“Joint Controller” means a Data Controller that jointly determines the purposes and means of Processing Personal Data with one or more Data Controllers.

“Personal Data” means any information relating to an identifiable natural person that is Processed in connection with the Services, and includes “personal data” as defined under the GDPR and “personal information” as defined under the CCPA.

“Process” means to perform any operation or set of operations on Personal Data or sets of Personal Data, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying, as described under Data Protection Law.

“Sub-processor” means an entity a Data Processor engages to Process Personal Data on that Data Processor’s behalf in connection with the Services.

“Supervisory Authority” means an independent public authority which is (i) established by a European Union member state pursuant to Article 51 of the GDPR; or (ii) the public authority governing data protection that has supervisory authority and jurisdiction over you.

“UK GDPR” means the GDPR, as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

“UK International Data Transfer Addendum” means the international data transfer addendum to the EEA SCCs issued by the United Kingdom’s Information Commissioner’s Office.


EXHIBIT: CYBERCX DATA SECURITY – TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Security Programs and Policies

CyberCX maintains and enforces a security program that addresses how CyberCX manages security, including its security controls. The security program includes:

●      documented policies that CyberCX formally approves, internally publishes, communicates to appropriate personnel and reviews at least annually;

●      documented, clear assignment of responsibility and authority for security program activities;

●      policies covering, as applicable, acceptable computer use, data classification, cryptographic controls, access control, removable media and remote access; and

●      regular testing of the key controls, systems and procedures.

Risk and Asset Management

CyberCX performs risk assessments, and implements and maintains controls for risk identification, analysis, monitoring, reporting and corrective action.

CyberCX maintains and enforces an asset management program that appropriately classifies and controls hardware and software assets throughout their life cycle.

Personnel Education and Controls

All (a) CyberCX employees; and (b) CyberCX independent contractors who may have access to data, including those who Process Personal Data ((a) and (b), collectively “Personnel”) acknowledge their data security and privacy responsibilities under CyberCX’s policies.

For Personnel, CyberCX, either itself or through a third party:

●      implements pre-employment background checks and screening;

●      conducts security and privacy training;

●      implements disciplinary processes for violations of data security or privacy requirements; and

●      upon termination or applicable role change, promptly removes or updates Personnel access rights and requires Personnel to return or destroy Personal Data.

Authentication. CyberCX authenticates each Personnel’s identity through appropriate authentication credentials such as strong passwords, token devices or biometrics.

Training and Awareness

Annual Security and Privacy Training. CyberCX’s employees complete an annual Security and Privacy awareness training on CyberCX’s data security and confidentiality policies and practices.

Network and Operations Management

Policies and Procedures. CyberCX implements policies and procedures for network and operations management. These policies and procedures address hardening, change control, segregation of duties, separation of development and production environments, technical architecture management, network security, malware protection, protection of data in transit and at rest, data integrity, encryption, audit logs and network segregation.

Vulnerability Assessments. CyberCX performs periodic vulnerability assessments and penetration testing on its systems and applications, including those that Process Personal Data. Vulnerabilities are managed and remediated in accordance with CyberCX’s Vulnerability Management Standard.

Technical Access Controls

Access control. CyberCX implements measures to prevent data processing systems from being used by unauthorized persons, including the following measures:

●      user identification and authentication procedures;

●      ID/password security procedures, including MFA;

●      automatic blocking (e.g., password or timeout); and

●      break-in-attempt monitoring.

Data access control. CyberCX implements measures to ensure that persons entitled to use a data processing system gain access only to the Personal Data allowed for their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, including:

●      internal policies and procedures;

●      access monitoring and logging;

●      access reports;

●      access procedure;

●      change procedure; and

●      deletion procedure.

Physical Access Controls

CyberCX uses reputable third-party service providers to host its production infrastructure. CyberCX relies on these third parties to manage the physical access controls to the data center facilities that they manage. Some of the measures that CyberCX’s service providers provide to prevent unauthorized persons from gaining physical access to the data processing systems available at premises and facilities (including databases, application servers and related hardware), where Personal Data is Processed, include:

●      physical access control system and program in place at CyberCX premises;

●      24×7 Global Security Operation Center that monitors physical security systems;

●      security video and alarm systems;

●      access control roles and area zones;

●      access control audit measures;

●      electronic tracking and management program for keys;

●      access authorisations process for employees and third parties;

●      door locking (electrified locks etc.); and

●      trained uniformed security staff.

Availability Controls

CyberCX implements measures to ensure the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident, including:

●      database replication;

●      backup procedures;

●      hardware redundancy; and

●      a disaster recovery plan.

Disclosure Controls

CyberCX implements measures to ensure that Personal Data (a) cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic); and (b) can be verified as to which companies or other legal entities Personal Data are disclosed, including logging, transport security and encryption.

Entry Controls

CyberCX implements measures to monitor whether data have been entered, changed or removed (deleted), and by whom, from data processing systems, including logging and reporting systems, and audit trails and documentation.

Certifications and Reports

ISO Reports. CyberCX maintains ISO27001 accreditation; certificates are produced annually and will be provided upon request.

CyberCX may add standards or certifications at any time.

Encryption

CyberCX applies data encryption mechanisms at multiple points in CyberCX’s service to mitigate the risk of unauthorized access to CyberCX data at rest and in transit. Access to CyberCX cryptographic key materials is restricted to a limited number of authorized Personnel.

Encryption in transit. To protect data in transit, CyberCX requires all inbound and outbound data connections to be encrypted using the TLS 1.2 protocol. For data traversing CyberCX’s internal production networks, CyberCX uses mTLS to encrypt connections between production systems.

Encryption at rest. To protect data at rest, CyberCX uses industry standard encryption (AES-256) to encrypt all production data stored in server infrastructure.

Data Security Incident Management and Notification

CyberCX implements a data security incident management program that addresses how CyberCX manages Data Incidents.

CyberCX will notify impacted CyberCX users and Governmental Authorities (where applicable) of Data Incidents in a timely manner as required by Data Protection Law.

Reviews, Audit Reports and Security Questionnaires

Upon written request, and no more frequently than annually, CyberCX will complete a written data security questionnaire of reasonable scope and duration regarding CyberCX’s business practices and data technology environment in relation to the Processing of Personal Data. CyberCX’s responses to the security questionnaire are CyberCX’s confidential data.

System Configuration

CyberCX implements measures for ensuring system configuration, including default configuration measures for internal IT and IT security governance.

CyberCX relies on deployment automation tools to deploy infrastructure and system configuration. These automation tools leverage infrastructure configurations that are managed through code that flows through CyberCX’s change control processes. CyberCX’s change management processes require formal code reviews and two-party approvals prior to the release to production.

CyberCX uses monitoring tools to monitor production infrastructure for changes from known configuration baselines.

Data Retention and Deletion

CyberCX implements and maintains data retention policies and procedures related to Personal Data and reviews these policies and procedures as appropriate.
