Last Updated: June, 2024
This Data Processing Addendum (the "Addendum") is made by and between iboss, Inc. with a registered office in Orlando, Florida USA ("Company") and the entity identified as Customer (collectively, "Customer") in the iboss Terms of Service Agreement, in the iboss Cloud Services End User Terms of Service Agreement, in the iboss Quote, in the Master Software License and Services Agreement, or in such other agreement between Customer and iboss for the purchase of iboss software and services (in each case, the "Agreement").
This Addendum is incorporated into the Agreement between Company and Customer and applies in respect of the provision of the Services (as defined in the Agreement) to Customer if the Processing of Customer Personal Data (as defined below) is subject to Data Protection Legislation. This Addendum shall be effective for so long as the Company Processes Customer Personal Data.
1. "Customer Personal Data" means the Personal Data described under Section 2 of this Addendum, in respect of which Customer is the Controller and which is provided to Company by or on behalf of Customer and Processed by Company, each in connection with the Agreement for Company to provide Services to Customer;
2. "Data Protection Legislation" means all applicable legislation relating to data protection and privacy including without limitation the GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time;
3. "GDPR" means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
4. "Personal Data", "Data Subject", "Process", "Processor" and "Controller" will each have the meaning given to them in applicable Data Protection Legislation; and
5. "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise Processed by Company that compromises the confidentiality, integrity, or availability of such Customer Personal Data.
6. "Standard Contractual Clauses" or "SCC" means the Standard Contractual Clauses annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
7. "Swiss Data Protection Legislation" means The Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force from time to time.
8. "UK Addendum" means the UK Information Commissioner's ("UK ICO") International Data Transfer Addendum to the EU Commission Standard Contractual Clauses Version B1.0 in force 21 March 2022.
9. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
1. Categories of Data Subjects. Categories of Data Subjects whose Personal Data may be included in Customer Personal Data include Customer's customers, end users, partners, suppliers, employees, other personnel, and other Data Subjects about whom Customer receives or collects, and thereafter provides, Personal Data to Customer in the form of Customer Personal Data.
2. Types of Personal Data. Customer Personal Data may include Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, such as names, email addresses, IP addresses, and web browsing data, including websites visited; location data; and browsing, search, and other network activity of authorized users of Customer's network, each of which is provided to Company in connection with Customer's use of the Services.
3. Subject-Matter and Nature of the Processing. The subject-matter of Company's Processing of Customer Personal Data is the provision of the Services to Customer, which include the Processing of Customer Personal Data. Customer Personal Data will be subject to those Processing activities that Company must perform to provide the Services pursuant to the Agreement and any applicable statement of work or other ordering document.
4. Purpose of the Processing. Company will process Customer Personal Data for purposes of providing the Services described in the Agreement and any applicable statement of work or other ordering document.
5. Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 10 of this Addendum.
1. This Addendum applies to the Processing of Customer Personal Data. If applicable Data Protection Legislation recognizes the roles of "Controller" and "Processor" as applied to Customer Personal Data, then as between Company and Customer, Customer acts as Controller and Company acts as a Processor (or Subprocessor, as the case may be) of Customer Personal Data. Company will only Process Customer Personal Data as a Processor on behalf of and in accordance with the Agreement and this Addendum, including with respect to transfers of Customer Personal Data, unless Processing is required by applicable Data Protection Legislation to which Company is subject, in which case Company shall, to the extent permitted by applicable law, inform Customer of that legal requirement before so Processing that Customer Personal Data. The Parties agree that Company may Process Customer Personal Data as necessary to enable Company to provide the Services according to the Agreement. Any additional or different instructions from Customer pertaining to the Processing of Customer Personal Data require a signed agreement between Company and Customer and may be subject to additional fees. For the avoidance of doubt, Customer's instructions for the Processing of Customer Personal Data shall comply with Data Protection Legislation. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Personal Data. Company will immediately inform Customer if, in its opinion, an instruction from Customer infringes the Data Protection Legislation, provided, however, Company is not responsible for performing legal research and/or for providing legal advice to Customer.
2. If Company cannot process Customer Personal Data according to Customer's instructions due to a legal requirement under any applicable Data Protection Legislation, Company will (i) promptly notify Customer of such inability, providing a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the greatest extent permitted by applicable law; and (ii) Process (or continue to Process) Customer Personal Data to the extent Company is able to comply with Customer's instructions in order to provide the Services as set forth in the Agreement.
3. Each of Customer and Company will comply with their respective obligations under the Data Protection Legislation. Customer shall (a) provide all required notices and appropriate disclosures to all Data Subjects regarding Customer's, and Company's, Processing of Customer Personal Data and (b) ensure that Customer has obtained (or will obtain) and maintain during the term of the Agreement all rights and consents (if required) which are necessary for Company to Process Customer Personal Data in accordance with this Addendum and the Agreement. If Customer is not required by Data Protection Legislation to obtain and maintain valid consent from Data Subjects, Customer will otherwise comply with requirements under Data Protection Legislation to obtain and maintain a valid legal basis to Process Customer Personal Data and for providing such data to Company for Processing under the Agreement.
4. Cross-border transfers of Customer Personal Data:
1. The Services allow Customer to designate the location in which Customer Personal Data will be Processed based on compatibility with the Services. If Customer elects to transfer Customer Personal Data to Company outside a jurisdiction restricting the transfer of Personal Data relating to Data Subjects located in that jurisdiction, either directly or via onward transfer, to a jurisdiction which the Data Protection Legislation in such originating jurisdiction concluded does not provide an adequate level of protection for such Personal Data, such transfer shall be subject to the protections and provisions of the Standard Contractual Clauses (where Schedule 1 specifically delineates the terms in the SCC's Appendix) or other binding and appropriate transfer mechanisms that provide an adequate level of protection in compliance with Data Protection Legislation.
2. In Annex I, Customer shall be deemed to have signed the SCC in its capacity of "data exporter" and Company in its capacity as "data importer." Module Two or Module Three of the SCC shall apply to the transfer depending on whether Customer is Data Controller of the Customer Personal Data (for Module Two) or a Data Processor of the Customer Personal Data on behalf of its customer (for Module Three). If Module Three applies, Customer hereby notifies Company that it is a Processor and the instructions shall be as set forth in Section 3.1. Clause 7 is omitted. In Clause 11(a), the optional provision shall not apply. For purposes of Clauses 17 and 18 of the SCCs, the Parties select The Netherlands. Additional provisions applicable to Customer Personal Data transferred pursuant to SCC are set forth in Schedule 2.
3. The SCC will cease to apply if Company has implemented an alternative recognized compliance mechanism for the lawful transfer of personal data in accordance with applicable Data Protection Legislation and has informed Customer thereof.
4. In the event of any conflict between any terms in the SCC and Addendum, the SCC shall prevail to the extent of the conflict.
5. To the extent such a transfer includes Customer Personal Data subject to Swiss Data Protection Legislation, the SCC shall be adapted to use for Switzerland (where the Swiss Data Protection Legislation shall apply as the applicable Data Protection Legislation, Clauses 17 and 18 of the SCC shall refer to Switzerland, and data subjects in Switzerland shall be able to avail themselves of any rights conferred by the SCC).
6. If the UK Addendum applies, then:
1. Table 1 of the UK Addendum is completed with the parties' details and Key Contacts of Customer (as data exporter) and Company (as data importer), as provided above. The "Start date" is the Effective Date or other similar date of the Agreement.
2. Table 2 of the UK Addendum is completed by selecting "the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum".
3. For the purposes of Table 2 and Table 3 of the UK Addendum, the "Approved EU SCCs" are completed with the Modules, selections, and details set forth above.
4. Table 4 of the UK Addendum is completed by selecting "neither party".
5. Customer is responsible for compliance with all applicable Data Protection Legislation regarding its content, including without limitation that which regulates (a) content directed toward children (as defined under applicable Data Protection Legislation and, for example, individuals under 13 years old in the United States or under 16 years old in certain other countries); (b) financial, payment, or credit data; or (c) racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or an individual's genetic data, biometric data, health data, or data regarding sex life or sexual orientation ((a) – (c) collectively, "Sensitive Data"), where Customer is specifically responsible for obtaining express consent from individuals whose Personal Data is provided to Company for Processing, where required by Data Protection Legislation. Any Sensitive Data provided by Customer to Company is provided solely at Customer's election, and Customer understands and agrees that Company does not differentiate between different types of data sensitivity when Processing Customer Personal Data or treat certain types of Customer Personal Data differently from other types and applies the same security measures to all Customer Personal Data as set forth in Section 5 of this Addendum.
Company shall implement processes designed to ensure that Customer Personal Data is only made available to those of its personnel, including its sub-Processors, who (i) need to access such Customer Personal Data in order to carry out their roles in the performance of Company's obligations under the Agreement and this Addendum and (ii) have committed themselves to protect the confidentiality of such Customer Personal Data or are otherwise under an appropriate statutory obligation of confidentiality.
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company will implement appropriate technical and organizational measures designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (described under Annex II to the Standard Contractual Clauses). Company may update its security practices from time to time but will not materially decrease the overall security of the Services during the term of a statement of work or other ordering document.
2. Company will provide Customer with legally-required and reasonable assistance as necessary for the fulfilment of Customer's obligations under applicable Data Protection Legislation.
3. Customer is responsible for security relating to its environment and databases and security relating to its configuration of the Services. This includes implementing and managing procedural, technical, and administrative safeguards on its software and networks sufficient to: (a) ensure the confidentiality, security, integrity, and privacy of Customer Personal Data in transit, at rest, and in storage; (b) protect against any anticipated threats or hazards to the security and integrity of Customer Personal Data; and (c) protect against any unauthorized processing, loss, use, disclosure or acquisition of or access to Customer Personal Data. Notwithstanding any other provision of this Addendum, the Agreement or any other agreement related to the Services, Company will have no obligations or liability as to any breach or loss resulting from: (x) Customer's environment, databases, systems or software, or (y) Customer's security configuration or administration of the Services.
1. Customer authorizes Company to appoint the entities identified in Company's support portal at https://support.ibosscloud.com as Sub-Processors of Customer Personal Data and generally authorizes Company's engagement of additional Sub-Processors and Company's replacement of any Sub-Processors identified within https://support.ibosscloud.com. For the avoidance of doubt, the above authorization constitutes Customer's prior written consent to the Sub-Processing of Customer Personal Data for purposes of Clause 9, Option 2 of the Standard Contractual Clauses. Company will inform Customer of any intended changes concerning the addition or replacement of any Sub-Processors. If Customer can show on reasonable and objective grounds that a new Sub-Processor does not or cannot comply with applicable Data Protection Legislation and wishes to object to Company's use of such Sub-Processor, then Customer has fifteen (15) days after Company notifies Customer of such new Sub-Processor to notify Company in writing of its reasonable and objective basis, supported by documentary evidence, for objection to the use of the new Sub-Processor. Upon receipt of Customer's written objection, Customer and Company will work together without unreasonable delay to find a mutually acceptable resolution to address the objection, including but not limited to reviewing additional documentation supporting the Sub-Processor's ability to comply with Data Protection Legislation. To the extent Customer and Company do not reach a mutually acceptable resolution within a reasonable timeframe, Company will use reasonable endeavors to make available to Customer a change in the Services or will recommend a commercially reasonable change to the Services to prevent the applicable Sub-Processor from Processing Customer Personal Data. If Company is unable to make available such a change within a reasonable period of time, which shall not exceed thirty (30) days, Customer shall have the right, as its sole remedy, to terminate the relevant Services (i) in accordance with the termination provisions in the Agreement; (ii) without liability to Customer or Company; and (iii) without relieving Customer from its payment obligations under the Agreement up to the date of termination.
2. Company will enter into a binding written agreement with the Sub-Processor that imposes on the Sub-Processor the same level of restrictions that apply to Company under this Addendum to the extent applicable to the nature of the services provided by such Sub-Processor. Where any of its Sub-Processors fails to fulfil its data protection obligations in relation to the Services provided to Customer, such that Company would be found to have violated its obligations to Customer under this Addendum, Company will be responsible to Customer for the performance of its Sub-Processors' obligations.
1. To the extent legally permitted, and where a Data Subject identifies Customer as the entity that collected its Personal Data, Company shall notify Customer without undue delay of receiving any request or complaint from Data Subjects regarding Customer Personal Data ("Data Subject Inquiry"). Company shall not respond to Data Subject Inquiries without Customer's prior written consent and written instructions. To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Inquiry, Company will provide Customer with assistance necessary for the fulfilment of Customer's obligation to respond to requests for the exercise of Data Subjects' rights in accordance with Data Protection Legislation. To the extent legally permitted, Customer shall be responsible for any costs arising from Company's provision of such assistance.
2. If a Data Subject does not identify an entity that collected its Personal Data, Company will instruct the Data Subject to identify and contact the relevant entity that collected its Personal Data.
3. Company shall comply with Customer's instructions regarding the handling of a Data Subject Inquiry, subject to the terms of Section 3.1.
1. Company will notify Customer at the contact information on file without undue delay and in any event within forty-eight (48) hours after it becomes aware of and confirms any Personal Data Breach. As information regarding the Personal Data Breach is collected or otherwise reasonably becomes available to Company, Company will also provide Customer with information regarding (i) the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Customer Personal Data records concerned; (ii) the reasonably anticipated consequence of the Personal Data Breach; (iii) measures taken to mitigate any possible adverse effects; and (iv) other information concerning the Personal Data Breach reasonably known or available to Company that Customer is required to disclose to a Supervisory Authority or Data Subjects under Data Protection Legislation. Company's contact point for additional details regarding a Personal Data Breach is [email protected]. Except as required by applicable Data Protection Legislation, the obligations set out in this Section shall not apply to Personal Data Breaches caused by Customer. Company's provision of any notification of a Personal Data Breach shall not constitute an admission of fault.
2. Customer is solely responsible for complying with data incident notification requirements applicable to Customer and fulfilling any third-party notification obligations related to any data incidents. Customer and Company shall work together in good faith within the timeframes for Customer to provide Personal Data Breach notifications in accordance with Data Protection Legislation to finalize the content of any notifications to Data Subjects or Supervisory Authorities, as required by Data Protection Legislation. In any event, Customer shall not disclose any confidential or proprietary information of Company in the content of any notification.
Company will provide Customer with reasonable assistance to facilitate conducting data protection impact assessments and consultation with data protection authorities, including by providing Customer with documentation regarding Company's Processing operations, if Customer is required to engage in such activities under applicable Data Protection Legislation and such assistance relates to the Processing by Company of Customer Personal Data.
1. Subject to Section 10.2 below, and unless Company and Customer otherwise agree in writing in the Agreement, Company shall, following termination or expiration of the Agreement, delete and use all reasonable efforts to procure the deletion of all copies of Customer Personal Data Processed by Company or any Sub-Processors, and where deletion is not possible, sufficiently de-identify Customer Personal Data such that it is no longer Personal Data, except if required or permitted by applicable law or for compliance, audit, or security purposes. Company and Customer may agree in writing for Company to provide certain log data containing Customer Personal Data.
2. Company and its Sub-Processors may retain Customer Personal Data to the extent required by applicable laws, only to the extent and for such period as required by applicable laws, and provided that Company shall protect the confidentiality of all such Customer Personal Data and Process such Customer Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
1. Company will provide Customer with all information reasonably necessary to enable Customer to demonstrate compliance with its obligations under Data Protection Legislation (which such information is Company Confidential Information under the Agreement), and, subject to the terms below, allow for and participate in audits, including inspections, conducted by Customer or an auditor mandated by Customer, to the extent that such information is within Company's control and Company is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.
2. Upon Customer's written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Company shall make available to Customer that is not a competitor of Company (or Customer's independent, third-party auditor that is not a competitor of Company) a copy of Company's security documentation and summaries of any available and recent third-party audits or certifications, as applicable, each for the sole purposes of confirming Company's compliance with this Addendum and to assist Customer with complying with its obligations under Data Protection Legislation. If no such audit report is available at the time of Customer's request, Company will allow and contribute to audits as set forth below.
3. Customer may, upon reasonable notice and at reasonable times, and at Customer's own expense, audit (either by itself or using independent third-party auditors) Company's compliance with this Addendum. Company shall assist with and contribute to any audits conducted in accordance with this Section 11. Such audits may be carried out once per year or more often if required by Data Protection Legislation.
4. Any third party engaged by Customer to conduct an audit must be pre-approved by Company (such approval not to be unreasonably withheld) and sign Company's confidentiality agreement. Customer must provide Company with a proposed audit plan at least two weeks in advance of the audit, after which Customer and Company shall discuss in good faith and finalize the audit plan prior to commencement of any audit activities.
5. Audits may be conducted only during regular business hours, in accordance with the finalized audit plan and Company's security and other policies, and may not unreasonably interfere with Company's regular business activities. Customer shall reimburse Company for any reasonable costs or expenses incurred by Company in connection with the audit.
6. Information obtained or results produced in connection with an audit are Company Confidential Information under the Agreement and may only be used by Customer to confirm compliance with this Addendum and for complying with its requirements under Data Protection Legislation.
Company may charge Customer a reasonable fee for time spent in connection with any assistance or cooperation required by Customer under this Addendum if such assistance or cooperation involves the commitment of resources over a prolonged period of time that are not included as part of the Services, or involves third-party costs, and does not arise from any breach by Company of this Addendum.
1. Each party's liability to the other under or in connection with this Addendum will be limited in accordance with the provisions of the Agreement.
2. Customer acknowledges that Company is reliant on Customer for direction as to the extent to which Company is entitled to Process Customer Personal Data on behalf of Customer in performance of the Services. Consequently, Company will not be liable under the Agreement or this Addendum for any claim brought by a Data Subject arising from any action or omission by Company, to the extent that such action or omission resulted from Customer's instructions or from Customer's failure to comply with its obligations under the applicable Data Protection Legislation.
1. With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and the Agreement, the provisions of this Addendum shall prevail.
2. To the extent the California Consumer Privacy Act ("CCPA") applies to Customer Personal Data and no exemptions in the CCPA apply, (i) Company shall not (a) sell or share (as such terms are defined in the CCPA) Customer Personal Data; (b) retain, use or disclose Customer Personal Data for any purpose other than providing Services under the Agreement, (c) retain, use or disclose Customer Personal Data outside of the direct business relationship between Company and Customer, or (d) except as otherwise permitted by the CCPA, combine Customer Personal Data with Personal Data that Company receives from or on behalf of another person or persons, or collects from its own interaction with the data subject and (ii) Customer may, as specifically permitted by the CCPA: (a) take reasonable and appropriate steps as set forth in Section 11 to help to ensure that Company uses Customer Personal Data in a manner consistent with the Customer's obligations under CCPA; (b) require Company to notify Customer if Company makes a determination that it can no longer meet its obligations under CCPA; and (c) upon written notice to Company and as set forth in Section 11, take reasonable and appropriate steps to stop and remediate Company's unauthorized use of Customer Personal Data.
3. Company may disclose Customer Personal Data in connection with, or during the negotiation of, any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of Company's business by or to another company, including the transfer of contact information and data of Customer's customers, partners and end users, and Customer Personal Data Processed in connection with the Services.
4. The parties agree that the bundling of Customer's data exporters, for example, if Customer consists of multiple global affiliates, as controllers within this single Addendum is undertaken for efficiency purposes (i.e., to avoid a multitude of different contract documents) and (i) shall result in legally separate Addenda between the respective Customer entity and Company solely for purposes of addressing any such obligations under Data Protection Legislation; (ii) shall not create any new or different legal or other relationship whatsoever between the "bundled" Customer entities; (iii) does not create any additional rights or remedies for such bundled Customer entities; (iv) all processing instructions must be provided by the Customer entity that is signatory to the Agreement and Company is not responsible for consolidating or evaluating the validity of instructions received from other Customer entities; (v) any commercial terms not provided by the Addendum are provided by the Agreement regardless of whether the bundled Customer entities signed or were consulted regarding the terms of the Agreement; and (vi) any audits conducted in accordance with the Addendum shall be conducted only by and through the Customer entity that is signatory to the Agreement.
Name: The data exporter is the entity identified as "Customer" in the Addendum
Address: As set forth in the Agreement
Contact person: As set forth in the Notices provision in the Agreement
Activities relevant to the data transferred under these Clauses: As set forth in the Agreement
Signature and date: Refer to Addendum
Role: Controller, except when processing data on behalf of another entity, in which case data exporter is a processor
Name: The data importer is the entity identified as "Company" in the Addendum
Address: As set forth in the Agreement
Contact person: As set forth in the Notices provision in the Agreement
Activities relevant to the data transferred under these Clauses: As set forth in the Agreement
Signature and date: Refer to Addendum
Role: Processor, or sub-processor if data exporter is a processor
Categories of data subjects whose personal data is transferred: Data subjects are defined in Section 2.1 of the Addendum
Categories of personal data transferred: Categories of personal data are defined in Section 2.2 of the Addendum.
Sensitive categories of data (if appropriate): As determined and controlled by Customer in its sole discretion, and if provided to data importer, data exporter shall comply with Section 3.5 of the Addendum.
The frequency of the transfer: As set forth in the Agreement
Nature of the processing: As set forth in Sections 2 and 3 of the Addendum and in the Agreement
Purposes of the data transfer and further processing: As set forth in Sections 2 and 3 of the Addendum and in the Agreement
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As set forth in Sections 2.5 and 10 of the Addendum, and in the Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: As set forth in Sections 2, 6, and 10 of the Addendum, and in the Agreement
The competent supervisory authority is the data protection authority competent for the Data Exporter or, if the Data Exporter is not established in the European Union or has not appointed a representative in the European Union, the data protection authority competent for the data subjects whose personal data are transferred under the clauses.
1. The iboss architecture, platform, points of presence, security controls and security program are audited and assessed both internally and by external third parties. iboss holds ISO 27001 and ISO 9000 certifications and contracts with an external audit firm for ongoing SOC 1 and SOC 2 Type II audits. iboss also contracts with multiple industry leading assessment and testing organizations to complete external and internal penetration and vulnerability scanning on a routine basis.
2. The iboss Information Security Policy is an umbrella policy for other policies, including:
1. Access control and business continuity policies (incl. data backup and recovery)
2. Asset management
3. Human resources security
4. Data encryption
5. Physical access
6. Network security
7. Access control
8. Compliance
3. Each customer service delivery environment is deployed in isolated containerized node(s), inclusive of any gateway nodes and a separate reporter node. Nodes are deployed in iboss datacenters or in the customer's own managed environment. Containerization allows iboss to decommission and destroy IT assets and data using a customer-specific methodology.
4. Customer Personal Data are input within the containerized environment from the gateway node to the reporter node.
5. Customers may configure their deployment to redirect Customer Personal Data to their SIEM environment. This data can be controlled, downloaded and reported on via the Services' administrative web application. This application is wholly accessed and managed by Customer administrators.
6. Adoption of architecture design principles that minimize the system surface area that can be attacked, remove exposure to protocols or applications where there is no expectation of communication, and provide dynamic scale in the gateway design to mitigate volumetric attacks that consume heavy resources, prioritizing the ability to quickly scale computation resources up or down.
7. An Information Security awareness program is in place for all employees.
8. An Access Management Policy is in place that establishes access control rules for iboss information, IT systems and resources (non-critical and critical) and details how iboss manages system accounts, including establishing, activating, modifying, reviewing, disabling and removing accounts. The iboss Access Management Policy covers the following supporting standards: Application Access Control, Network access control, password settings, and user access management and administration.
9. Remote network access is restricted by role to limit access to employees as necessary to perform their duties. Remote network access is only granted through the provisioning process with proper approvals from iboss Human Resources and Management. Remote access is only granted to iboss-owned and configured equipment. Two-factor authentication, Active Directory, and VPN services are used to deliver the Service.
10. iboss conducts monthly, quarterly and annual reviews of systems and procedures. Review processes include providing evidence of policy and procedure compliance. Additionally, annual internal and external audits, semiannual compliance audits, and annual external technology platform testing are conducted.
11. Data retention configuration and backups are customizable by customer administrators. Backups of customer environments are encrypted using AES 256 with a private key; the key is stored solely in the Customer's node environment and is not stored with the data backup. iboss can return or securely destroy Customer data upon written request.
12. An iboss information security group, separate from iboss operations, reviews daily all alarms, alerts and reports from the tools, information systems and network appliances deployed in the Services environment, resulting in the categorization, escalation, remediation and tracking of any identified issues.
13. iboss maintains an asset inventory including hardware, software and information assets. Documentation is maintained in dedicated or existing inventories. Ownership of assets is assigned and a classification is defined for each asset.
14. All assets and data are destroyed with techniques aligned with NIST 800-88 (industry standard DoD 5220.22-M).
15. iboss maintains an Information Classification Policy to help manage and protect its information assets. iboss personnel are required to abide by the Information Classification Policy and handle information accordingly.
16. iboss utilizes secured datacenters in appropriately staffed co-location facilities featuring cement-walled buildings, no windows, no external signage identifying the facility, and natural barriers to secured, video-protected parking areas. Physical protection is provided by a combined effort of iboss and the co-location facility. The co-location facility provides alarms, fire, water, power, generators, monitoring, video surveillance cameras and a secure card-key with additional biometric access system. Additionally, all iboss servers are in a secured cage in locked cabinets, with keys distributed only as needed for specific entry and only at the time entry is needed. Servers are locked at the OS level, with all administrators using identifiable, auditable and privileged IDs. Remote access tools are password protected.
17. A software development methodology requires architects and developers to consider security aspects. Design reviews focus on potential security exposure and provide for identification of security best practices for application and database design, as well as for all related infrastructure elements. The development methodology requires that developers consider the appropriate treatment of data capture, validation, storage, presentation and security. Where appropriate, audit and transaction records are captured and stored within the databases. Access to application and database source code is restricted to the appropriate members of the application development team. Personnel performing testing are independent from the original developer.
Please refer to the list provided at https://support.ibosscloud.com/
1. Company shall promptly notify Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any Supervisory Authority) ("Disclosure Request") unless otherwise prohibited by law or a legally binding order of such body or agency, and without responding to such request, unless otherwise required by applicable law (including to provide acknowledgement of receipt of the request). Company will review applicable law to evaluate any Disclosure Request, for example the ability of the requesting authority to make the Disclosure Request, and to challenge the Disclosure Request if, after a careful assessment, it concludes that there are grounds under applicable law to do so. When challenging a Disclosure Request, Company shall seek interim measures to suspend the effects of the Disclosure Request until an applicable court or other authority has decided on the merits. Company shall not disclose Customer Personal Data requested until required to do so under applicable law. Company shall only provide the minimum amount of Customer Personal Data permissible when responding to the Disclosure Request, based on a reasonable interpretation of the Disclosure Request. If the Disclosure Request is incompatible with the SCCs or other data transfer mechanism utilized in accordance with Section 3.4 of this Addendum, Company will so notify the requesting authority and, if permitted by applicable law, notify the competent EEA government authority with jurisdiction over the Customer Personal Data subject to the Disclosure Request. Company will maintain a record of Disclosure Requests and its evaluation, response, and handling of the requests. Company will provide Customer with such records relevant to Customer Personal Data except as prohibited by applicable law or legal process or in the interest of protecting Company's legal rights in connection with threatened, pending, or current litigation.
2. Company will utilize industry standard encryption while Customer Personal Data are being Processed by Company as set forth in Schedule 1, Annex II.
3. Company has not purposefully created "back doors" or similar programming in its systems that provide Services that could be used to access the systems and/or Customer Personal Data, nor has Company purposefully created or changed its business processes in a manner that facilitates access to Customer Personal Data or its systems that provide the Services. To the best of Company's knowledge, United States Data Protection Legislation does not require Company to create or maintain "back doors" or to facilitate access to Customer Personal Data or systems that provide Services or for Company to possess or provide the encryption key in connection with a United States Disclosure Request.
4. Company shall use reasonable efforts to assist Customer and its Data Subjects, as instructed by Customer (in accordance with Section 7 of the Addendum), regarding Disclosure Requests, unless prohibited by applicable law, for example to provide information to Customer in connection with the Data Subject's efforts to exercise its rights and obtain legally available redress, provided Company shall not be required to provide Customer or Data Subjects with legal advice.
5. Customer may request to audit Company access logs regarding access to Customer Personal Data, subject to the terms of Section 11 of the Addendum.
6. Company has established an internal policy and procedure regarding handling of Disclosure Requests and applicable transfers of Personal Data of customers. Company Legal and Audit personnel are provided information regarding applicable transfers of Customer Personal Data prior to the transferring of any such data, where such information may include an explanation of the necessity of the transfer and any data protection safeguards in scope.
7. In the event Company receives a request to voluntarily disclose unencrypted Customer Personal Data to a government authority, Company will use reasonable efforts to first obtain Customer's consent, either on its behalf or on behalf of the relevant Data Subject.