Effective date: November 25, 2021
This Data Processing Agreement (“DPA”) reflects the parties’ agreement with respect to the terms governing the Processing of Personal Data under the CloudBerry and MSP360 Service Agreement (the “Agreement”), by MSPBYTES, Corp., d/b/a MSP360 (“MSP360”) and the entity listed below (“Customer”) (collectively, the “Parties”). The term of this DPA shall follow the term of the Agreement. Terms not otherwise defined herein shall have the meaning as set forth in the Agreement.
Customer
Scope and Applicability.
This DPA applies to MSP360’s Processing of Personal Data on Customer’s behalf as a Processor for the provision of the Services specified in the Agreement. Unless otherwise expressly stated in the Agreement, this version of the Data Processing Agreement shall be effective and remain in force for the term of the Agreement. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail and control, but only with respect to the subject matter of this DPA.
For the purposes of the GDPR (as defined in Section 12 below), for the transfer of personal data to Processors established in third countries outside the European Economic Area ("EEA") that are not recognized by the European Commission or applicable governing body as ensuring an adequate level of data protection for personal data (“Third Country Recipients”), those entities of Customer who are transferring Personal Data outside of the EEA and MSP360 (if MSP360 is or becomes a Third Country Recipient) hereby agree that Module 2: Transfer controller to processor of the Standard Contractual Clauses (the “Clauses”), linked here and incorporated into this DPA by reference (as supplemented in the next paragraphs below), shall apply to such transfers. Notwithstanding the foregoing, pursuant to the terms of the Agreement, where Customer is an authorized reseller of the Services specified in the Agreement and subject to the GDPR, the Customer and MSP360 (if MSP360 is or becomes a Third Country Recipient) hereby agree that Module 3: Transfer processor to processor of the Clauses, incorporated into this DPA by reference (as supplemented in the next paragraphs below), shall apply to such transfers.
With respect to Module 2 and Module 3 of the Clauses, Clause 7, the ‘Docking Clause – Optional’, shall not be deemed incorporated. In clause 9(a) of the Clauses, the parties choose Option 2 (General Written Authorization). With respect to Option 2, the Customer consents to the use of the Sub-processors found in Annex III below and in accordance with Section 4 of this DPA. MSP360 will inform Customer of changes to Sub-processors and, if there is no objection by Customer within fifteen (15) days, this will be deemed acceptance by Customer of the use of the proposed Sub-processors. If Customer objects, MSP360 will use commercially reasonable efforts to make available to Customer a change in the affected Services or recommend a commercially reasonable change to Customer's configuration or use of the affected Services to avoid processing of Personal Data by the objected-to Sub-processor. The optional wording in clause 11 of the Clauses shall not be deemed incorporated. In clause 17 of the Clauses, the Parties agree that the Clauses shall be governed by the laws of the EU Member State in which the data exporter is established. In clause 18 of the Clauses, the Parties agree that any dispute arising from the Clauses shall be resolved by the courts of the EU Member State in which the data exporter is established.
Solely for purposes of the GDPR, Annex I.A, Annex I.B, and Annex I.C of the Clauses shall be deemed completed with the information set out in Appendix 1, attached hereto. Annex II of the Clauses shall be deemed completed with the information set out in Appendix 2, attached hereto. Annex III of the Clauses shall be deemed completed with the information set forth in Appendix 3.
Processing of Personal Data by MSP360 and Customer Obligations.
MSP360 will Process data provided by Customer, including Personal Data, on documented instructions from Customer given in accordance with this DPA and the Agreement, including with regard to transfers of Personal Data to a third country or a third party, and in such manner as is necessary for the provision of Services under the Agreement, except as required to comply with a legal obligation to which MSP360 is subject. MSP360 shall inform Customer if, in its opinion, the execution of an instruction relating to the Processing of Personal Data could infringe any Applicable Data Protection Law. For the avoidance of doubt, except for basic account and user information including, but not limited to, contact information used to gain access to or sign up for the Services, Customer is solely responsible for determining how and where data, including Personal Data, is Processed as part of the Customer’s configuration options in the Services.
In addition to the instructions contained in this DPA and the Agreement, Customer may provide additional instructions in writing to MSP360 with regard to the Processing of Personal Data in accordance with Applicable Data Protection Law. MSP360 will promptly comply with all such instructions to the extent necessary for MSP360 to (i) comply with its Processor obligations under Applicable Data Protection Law; or (ii) assist Customer in complying with obligations under Applicable Data Protection Law relevant to use of the Services.
MSP360 will follow Customer’s reasonable instructions. To the extent MSP360 expects to incur additional charges or fees not covered by the Fees for Services payable under the Agreement, it will promptly inform Customer thereof upon receipt of Customer’s instructions. Without prejudice to MSP360’s obligation to comply with Customer instructions, the parties will negotiate in good faith with respect to any such charges or fees.
Except as otherwise specified in the Agreement or in writing between the parties, Customer may not provide MSP360 with any sensitive or special categories of Personal Data that impose specific data security or data protection obligations on MSP360 in addition to or different from those specified in the DPA or Agreement.
Customer is responsible for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired the Personal Data that it provides to MSP360 for Processing under the Agreement. Customer is responsible for providing any notice to the Individuals and for obtaining and demonstrating evidence that it has obtained any necessary consents, authorizations, and permissions from the Individuals in a valid manner for MSP360 to perform the Services. Customer will provide MSP360 with such evidence of this as MSP360 may reasonably request if MSP360 needs this information to comply with Applicable Data Protection Law or the request of any Regulator. Customer understands that custom fields and other free-text fields provided as a part of the Services (such as “notes” fields) are not designed for the Processing of special categories of Personal Data and warrants that it will not enter such data in such fields or otherwise when using the Services.
Individual Inquiries and Requests.
If Customer receives a request or inquiry from an Individual related to Personal Data processed by MSP360 for the provision of Services, Customer can either (a) securely access account information via the Services to address the request or inquiry or (b) to the extent such access or the requested information is not available via Customer’s account, contact MSP360 via contact@msp360.com with detailed written instructions to MSP360 on how to assist with such Individual’s request.
If MSP360 directly receives any requests or inquiries from Individuals that identify Customer, MSP360 will promptly pass on such requests to Customer without responding to the Individual. Otherwise, MSP360 will advise the Individual to identify and contact the relevant Customer(s) or controller(s), as applicable.
Sub-processors.
Except as required by Applicable Data Protection Law, MSP360 is not responsible for third-party Sub-processors, provided, however, that such entities shall be subject to at least the same level of data protection and security as MSP360.
Cross-border Transfers.
MSP360 and its service providers may Process Personal Data globally to perform the Services. To the extent such processing involves a transfer of Personal Data subject to cross-border transfer restrictions under Applicable Data Protection Law, such transfers shall be subject to security and data privacy requirements consistent with the relevant requirements of this DPA and Applicable Data Protection Law.
Security and Confidentiality.
MSP360 has implemented and will maintain appropriate technical and organizational security measures for the Processing of Personal Data designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. These security measures govern all areas of security applicable to the Services, including physical access, system access, data access, transmission and encryption, input, data backup, data segregation and security oversight, enforcement and other security controls and measures.
All MSP360 employees are subject to appropriate written confidentiality arrangements, including confidentiality agreements and compliance with MSP360 policies concerning protection of confidential information.
Audit Rights.
Customer may audit MSP360’s compliance with its obligations under this DPA up to once per year and only for the purposes of meeting its regulatory audit requirements.
If a third party is to conduct the audit, the third party must be mutually agreed to by Customer and MSP360 (except if such third party is a Regulator). MSP360 will not unreasonably withhold its consent to a third-party auditor. The third party must execute a written confidentiality agreement acceptable to MSP360 or otherwise be bound by statutory or other legal confidentiality obligations.
To request an audit, Customer must submit a detailed proposed audit plan to MSP360 at least sixty (60) days in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. MSP360 will review the proposed audit plan and provide Customer with any concerns or questions. MSP360 will work cooperatively with Customer to agree on a final audit plan.
The audit must be conducted during regular business hours, subject to the agreed final audit plan and MSP360’s relevant policies, and may not unreasonably interfere with MSP360 business activities. Upon completion of the audit, Customer will provide MSP360 with a copy of the audit report, which is subject to the confidentiality terms of the Agreement.
Each party will bear its own costs in relation to the audit, unless MSP360 informs Customer upon reviewing Customer’s audit plan that it expects to incur additional charges or fees in the performance of the audit that are not covered by the Fees payable under the Agreement, such as additional license or third party contractor fees. The parties will negotiate in good faith with respect to any such charges or fees.
Without prejudice to the rights granted in Section 7.1 above, if the requested audit scope is addressed in a SOC, ISO, NIST, PCI-DSS, HIPAA or similar audit report issued by a qualified third party auditor within the prior twelve months and MSP360 provides such report to Customer confirming there are no known material changes in the controls audited, Customer agrees to accept the findings presented in the third party audit report in lieu of requesting an audit of the same controls covered by the report.
Incident Management and Breach Notification.
MSP360 has implemented controls designed to detect and respond to incidents that create suspicion of or indicate unauthorized destruction, loss, alteration, disclosure of, or access to Personal Data to the extent Processed by MSP360 (a “Security Incident”). To the extent within the reasonable control of MSP360 and subject to the limitations on liability found in the Agreement, MSP360 will take reasonable measures designed to identify the cause(s), mitigate any possible adverse effects, and prevent a recurrence of Security Incidents. Customer agrees to coordinate with MSP360 on the content of any intended public statements or required notices to the affected Individuals and/or notices to the relevant Regulators regarding any Security Incident involving MSP360.
MSP360 shall notify Customer without undue delay after MSP360 becomes aware of a Security Incident involving MSP360 or its applicable Sub-processors that impacts Personal Data provided to MSP360 pursuant to this DPA and the Agreement. Such notification may be by any means MSP360 has established for such notification, including notification by email.
Return or Deletion of Personal Data.
Except as otherwise stated in the Agreement or any documentation or link incorporated therein, and to the extent MSP360 has possession, upon termination of the Services, MSP360 will at its sole discretion return or delete any remaining copies of Personal Data on MSP360 systems.
Customer is solely responsible for any Personal Data held or processed on Customer’s systems or environments, including those systems controlled or directed by Customer. Customer is advised to take appropriate action to back up or otherwise store and separately protect any Personal Data.
Legal Requirements.
MSP360 may be required by law to provide access to Personal Data, such as to comply with a subpoena or other legal process, or to respond to government requests, including requests from public and government authorities for national security and/or law enforcement purposes. MSP360 will promptly inform Customer of requests to provide access to Personal Data and comply with Customer’s reasonable instructions with respect to such requests, unless otherwise required by law.
Miscellaneous.
Liability and Indemnity. Subject to Clause 12 of the Clauses, if applicable, any claims brought under this DPA will be subject to the same terms and conditions, including the exclusions and limitations of liability, as are set out in the Agreement.
Dispute Resolution. Subject to the Agreement, in the event of a dispute between Customer and MSP360 related to the subject matter of this DPA, such dispute shall be referred to the individuals responsible for data protection issues for each organization, who shall endeavour to resolve the dispute within thirty (30) days.
Changes in Applicable Data Protection Laws and Regulations. The Parties agree to negotiate modifications to this DPA if changes are required to continue to comply with Applicable Data Protection Law or the legal interpretation of Applicable Data Protection Law.
Severability. If any provision of this DPA shall be found by any court of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision shall not affect the other provisions of this DPA. The Parties will attempt to agree upon a valid and enforceable provision that is a reasonable substitute and shall incorporate such substitute provision into this DPA.
Definitions.
"Applicable Data Protection Law" means data privacy or data protection laws or regulations that apply to the Processing of Personal Data under this DPA, which may include the EU General Data Protection Regulation (“GDPR”), as supplemented by applicable EU Member State law and as incorporated into the Agreement.
"Individual" shall have the same meaning as the term “data subject” or the equivalent term under Applicable Data Protection Law.
"Process" or "Processing", "Controller" and "Processor" (or the equivalent terms) have the meaning set forth under Applicable Data Protection Law.
"Personal Data" shall have the same meaning as the term "personal information", "personally identifiable information (PII)" or the equivalent term under Applicable Data Protection Law.
"Regulator" shall have the same meaning as the term "supervisory authority", "data protection authority" or the equivalent term under Applicable Data Protection Law.
"Services" or equivalent terms, mean the services as more fully detailed in the Agreement.
"Sub-processor" means a third party, other than MSP360 which MSP360 contracts with to provide the Services and which may Process Personal Data.
Appendix 1.
The data exporter is Customer. Data exporter’s name, address, contact person’s name, position and contact details are indicated in the table on page 1 of this DPA. The role of data exporter is: Controller (or, where the Customer is a reseller as contemplated by the Agreement and Section 1.2 of this DPA, Processor).
The activities relevant to the data transferred are specified under the heading ‘NATURE OF THE PROCESSING’ and ‘PURPOSES OF THE DATA TRANSFER AND FURTHER PROCESSING’ in point B of this Appendix 1.
Data exporter’s signature and date: by executing the Agreement for Services provided by MSP360.
The data importer is MSPBYTES, Corp., d/b/a MSP360. The role of data importer is: Processor.
Contact person’s name, position and contact details: Brian Helwig, CEO of MSPBytes Corp. email: legal@msp360.com
The activities relevant to the data transferred are specified under the headings ‘NATURE OF THE PROCESSING’ and ‘PURPOSES OF THE DATA TRANSFER AND FURTHER PROCESSING’ in point B of this Appendix 1.
Signature and date: ___________________________________________________
Categories of data subjects whose personal data is transferred
Categories of personal data transferred
Sensitive data transferred (if applicable)
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Nature of the processing
Purpose(s) of the data transfer and further processing
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Identify the competent supervisory authority/ies in accordance with Clause 13
Appendix 2.
MSP360 currently observes the security practices described in this Appendix 2. Notwithstanding any provision to the contrary otherwise agreed to by data exporter, MSP360 may modify or update these practices at its discretion provided that such modification and update does not result in a material degradation in the protection offered by these practices. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.
Outsourced processing: MSP360 hosts its Services with outsourced cloud infrastructure providers. Additionally, MSP360 maintains contractual relationships with vendors in order to provide the Services in accordance with the Standard Contractual Clauses. MSP360 relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: MSP360 hosts its product infrastructure with multitenant, outsourced infrastructure providers. The providers, as listed in Annex III, are certified according to SOC 2 and other industry compliance standards.
Authentication: MSP360 has implemented a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers only via application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of MSP360’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed by validating the user’s permissions against the attributes associated with each data set.
Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through OAuth authorization.
MSP360 implements industry standard access controls and detection capabilities for the internal networks that support its products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Static code analysis: Security reviews of code stored in MSP360’s source code repositories are performed, checking for coding best practices and identifiable software flaws.
Security assessment: MSP360’s products are designed to be resilient to external attackers. MSP360 performs regular vulnerability scans to assess and prepare defenses from cyber-attack and data loss.
Product access: A subset of MSP360’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated daily. Employee roles are reviewed at least once every six months.
Background checks: All MSP360 employees undergo a third-party background check prior to being extended an employment offer, in accordance with the applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
In-transit: MSP360 makes HTTPS encryption (HTTP over TLS, the successor to SSL) available on every one of its login interfaces and for free on every customer site hosted on the MSP360 products. MSP360’s HTTPS implementation uses industry standard algorithms and certificates.
At-rest: MSP360 stores user passwords as hashes, following policies that follow industry standard practices for security. MSP360 has implemented technologies to ensure that stored data is encrypted at rest.
Detection: MSP360 designed its infrastructure to log extensive information about system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. MSP360 personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: MSP360 maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, MSP360 will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.
Communication: If MSP360 becomes aware of unlawful access to Customer data stored within its products, MSP360 will: 1) notify the affected Customers of the incident; 2) provide a description of the steps MSP360 is taking to resolve the incident; and 3) provide status updates to the Customer contact, as MSP360 deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form MSP360 selects, which may include via email or telephone.
Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and failover protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods. MSP360’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists MSP360 operations in maintaining and updating the product applications and backend while limiting downtime.
Appendix 3.
The list of MSP360’s utilized Sub-processors can be found here.