Data Processing Addendum

This Data Protection Addendum was published on 30th April 2021 and supplements Object Matrix’s Customer Terms. For previous versions, see www.object-matrix.com/legals/dpa/history.

1. Definitions

1.1. In this Data Protection Addendum defined terms shall have the same meaning, and the same rules of interpretation shall apply as in the remainder of our Agreement (as defined in the Customer Terms). In addition in this Data Protection Addendum the following definitions have the meanings given below:

Applicable Law means the following to the extent forming part of the law of United Kingdom (or a part of the United Kingdom) as applicable and binding on either party or the Services:
(a) any law, statute, regulation, byelaw or subordinate legislation in force from time to time;
(b) the common law and laws of equity as applicable to the parties from time to time;
(c) any binding court order, judgment or decree; or
(d) any applicable direction, policy, rule or order made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business;
Controller has the meaning given to that term in Data Protection Laws;
Data Protection Laws means as applicable and binding on either party or the Services:
(a) the GDPR;
(b) the Data Protection Act 2018;
(c) any laws which implement any such laws; and
(d) any laws that replace, extend, re-enact, consolidate or amend any of the foregoing;
Data Protection Losses means all liabilities, including all:
(a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and
(b) to the extent permitted by Applicable Law:
(i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;
(ii) compensation which is ordered by a court or Supervisory Authority to be paid to a Data Subject; and
(iii) the reasonable costs of compliance with investigations by a Supervisory Authority;
Data Subject has the meaning given to that term in Data Protection Laws;
Data Subject Request means a request made by a Data Subject to exercise any rights of Data Subjects under Chapter III of the GDPR;
GDPR means the General Data Protection Regulation, Regulation (EU) 2016/679, as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or of a part of the United Kingdom from time to time);
Information Security Policy means the Supplier’s information security policy made available to the Customer upon request, as updated from time to time by the Supplier;
International Recipient means the organisations, bodies, persons and other recipients to which Transfers of the Protected Data are prohibited under paragraph 7.1 without the Customer’s prior written authorisation;
Lawful Safeguards means such legally enforceable mechanism(s) for Transfers of Personal Data as may be permitted under Data Protection Laws from time to time;
List of Sub-Processors means the latest version of the list of Sub-Processors used by the Supplier, as updated from time to time;
Personal Data has the meaning given to that term in Data Protection Laws;
Personal Data Breach Processing means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;
has the meaning given to that term in Data Protection Laws (and related terms such as process, processes and processed have corresponding meanings);
Processing Instructions has the meaning given to that term in paragraph 3.1.1;
Processor has the meaning given to that term in Data Protection Laws;
Protected Data means Personal Data in the Customer Data;
Sub-Processor means a Processor engaged by the Supplier or by any other Sub-Processor for carrying out processing activities in respect of the Protected Data on behalf of the Customer;
Supervisory Authority means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws; and
Transfer bears the same meaning as the word ‘transfer’ in Article 44 of the GDPR (and related terms such as Transfers, Transferred and Transferring have corresponding meanings).

2. Processor and Controller

2.1. The parties agree that, for the Protected Data, the Customer shall be the Controller and the Supplier shall be the Processor. Nothing in our Agreement relieves the Customer of any responsibilities or liabilities under any Data Protection Laws.

2.2. To the extent the Customer is not sole Controller of any Protected Data it warrants that it has full authority and authorisation of all relevant Controllers to instruct the Supplier to process the Protected Data in accordance with our Agreement.

2.3. The Supplier shall process Protected Data in compliance with:
2.3.1. the obligations of Processors under Data Protection Laws in respect of the performance of its obligations under our Agreement; and
2.3.2. the terms of our Agreement.

2.4. The Customer shall ensure that it, its Authorised Affiliates and each User shall at all times comply with:
2.4.1. all Data Protection Laws in connection with the processing of Protected Data, the use of the Services (and each part) and the exercise and performance of its respective rights and obligations under our Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
2.4.2. the terms of our Agreement.

2.5. The Customer warrants, represents and undertakes, that at all times:
2.5.1. the processing of all Protected Data (if processed in accordance with our Agreement) shall comply in all respects with Data Protection Laws, including in terms of its collection, use and storage;
2.5.2. fair processing and all other appropriate notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Laws in connection with all processing activities in respect of the Protected Data which may be undertaken by the Supplier and its Sub-Processors in accordance with our Agreement;
2.5.3. the Protected Data is accurate and up to date;
2.5.4. the Protected Data is not subject (or potentially subject) to any laws from time to time to the extent giving effect to Article 71 (Protection of personal data) of the agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community;
2.5.5. it shall establish and maintain adequate security measures to safeguard the Protected Data in its possession or control (including from unauthorised or unlawful destruction, corruption, processing or disclosure) and maintain complete and accurate copy of all Protected Data provided to the Supplier (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by the Supplier or any other person; and
2.5.6. all instructions given by it to the Supplier in respect of Personal Data shall at all times be in accordance with Data Protection Laws.

3. Instructions and Details of Processing

3.1. Insofar as the Supplier processes Protected Data on behalf of the Customer, the Supplier:
3.1.1. unless required to do otherwise by Applicable Law, shall process the Protected Data in accordance with the Customer’s documented instructions as set out in our Agreement, as updated from time to time or otherwise agreed with the Customer in writing (“Processing Instructions”);
3.1.2. if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Customer of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and
3.1.3. shall promptly inform the Customer if the Supplier becomes aware of a Processing Instruction that, in the Supplier’s opinion, infringes Data Protection Laws, provided that:
3.1.3.1. this shall be without prejudice to paragraphs 2.4 and 2.5; and
3.1.3.2. to the maximum extent permitted by Applicable Law, the Supplier shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Processing Instructions following the Customer’s receipt of the information required by this paragraph 3.1.3.

3.2. The Customer acknowledges and agrees that the execution of any computer command to process (including deletion of) any Protected Data made in the use of any of the Subscribed Services by a User will be a Processing Instruction (other than to the extent such command is not fulfilled due to technical, operational or other reasons). The Customer shall ensure that its Users do not execute any such command unless authorised by the Customer (and by all other relevant Controller(s)) and acknowledges and accepts that if any Protected Data is deleted pursuant to any such command the Supplier is under no obligation to seek to restore it.

3.3. Subject to applicable Subscribed Service Specific Terms or the Quote the processing of the Protected Data by the Supplier under our Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects as follows:
3.3.1. Subject matter: the subject matter of the processing under this Data Protection Addendum is the Protected Data;
3.3.2. Duration: the duration of the processing shall be the term of the Agreement or as otherwise specified by the Customer;
3.3.3. Purpose: the purpose of the processing is for the Supplier to provide and the Customer to procure the Services as specified in the Agreement;
3.3.4. Nature: cloud services, data storage facilities and such other services as specified in the Service Specific Terms or the Quote;
3.3.5. Categories of Personal Data: the Customer Data uploaded to the Supplier’s systems as part of the Services;
3.3.6. Data Subjects: the Customer Data uploaded to the Supplier’s systems as part of the Services.

4. Technical and Organisational Measures

4.1. The Supplier shall implement and maintain technical and organisational measures as set out in Schedule 1, and:
4.1.1. in relation to the processing of Protected Data by the Supplier, as set out in the Supplier’s Information Security Policy; and
4.1.2. to assist the Customer insofar as is reasonably possible (taking into account the nature of the processing) in the fulfilment of the Customer’s obligations to respond to Data Subject Requests relating to Protected Data, in each case at the Customer’s cost on a time and materials basis in accordance with the Supplier’s then current rates. The parties have agreed that (taking into account the nature of the processing) the Supplier’s compliance with paragraph 6.1 shall constitute the Supplier’s sole obligations under this paragraph 4.1.2.

5. Using Staff and Other Processors

5.1. Subject to paragraph 5.2, the Supplier shall not engage a new (or make changes to its) Sub-Processor(s) for carrying out any processing activities in respect of the Protected Data in connection with our Agreement without providing Customers who request notification at least 14 days written notice (“Sub-Processor Notice”). In the event that the Customer reasonably objects to the appointment of a new Sub-Processor, the Customer shall be entitled to terminate the affected Services on 14 days written notice. Where the Customer does not object to the appointment of a new Sub-Processor within the 14 days’ notice period following receipt of the Sub-Processor Notice, the Customer shall be deemed to have authorised the new Sub-Processor (or any change to any of the Sub-Processors). The Customer shall not unreasonably object to any new Sub-Processor (or any change to any of the Sub-Processors).

5.2. The Customer hereby authorises the appointment of each of the Sub-Processors identified on the List of Sub-Processors.

5.3. The Supplier shall:
5.3.1. prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, ensure each Sub-Processor is appointed under a written contract containing materially the same obligations as under paragraphs 2 to 12 (inclusive); and
5.3.2. remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.

6. Assistance with Compliance and Data Subject Rights

6.1. The Supplier shall refer all Data Subject Requests it receives to the Customer without undue delay. The Customer shall pay the Supplier for all work, time, costs and expenses incurred by the Supplier or any Sub-Processor(s) in connection with such activity, calculated on a time and materials basis at the Supplier’s the day rates as specified on Object Matrix’s current price list.

6.2. The Supplier shall provide such assistance as the Customer reasonably requires (taking into account the nature of processing and the information available to the Supplier) to the Customer in ensuring compliance with the Customer’s obligations under Data Protection Laws with respect to:
6.2.1. security of processing;
6.2.2. data protection impact assessments (as such term is defined in Data Protection Laws);
6.2.3. prior consultation with a Supervisory Authority regarding high risk processing; and
6.2.4. notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach,
provided the Customer shall pay the Supplier for all work, time, costs and expenses incurred by the Supplier or any Sub-Processor(s) in connection with providing the assistance in this paragraph 6.2, calculated at the Supplier’s then current rates.

7. International Data Transfers

7.1. Subject to paragraphs 7.2 and 7.3, the Supplier shall not Transfer any Protected Data outside the United Kingdom and European Economic Area without the Customer’s prior written authorisation except where required by Applicable Law (in which case the provisions of paragraph 3.1 shall apply).

7.2. The Customer hereby authorises the Supplier (or any Sub-Processor) to Transfer any Protected Data to any International Recipient(s), provided all Transfers of Protected Data by the Supplier of Protected Data to an International Recipient shall (to the extent required under Data Protection Laws) be effected by way of Lawful Safeguards and in accordance with Data Protection Laws. The provisions of our Agreement (including this Data Protection Addendum) shall constitute the Customer’s instructions with respect to Transfers in accordance with paragraph 3.1.1.

7.3. The Customer acknowledges that due to the nature of cloud services, the Protected Data may be Transferred to other geographical locations in connection with use of the Services further to access and/or computerised instructions initiated by the Users. The Customer acknowledges that the Supplier does not control such processing and the Customer shall ensure that its Users (and all others acting on its behalf) only initiate the Transfer of Protected Data to other geographical locations if Lawful Safeguards are in place and that such Transfer is in compliance with all Applicable Laws.

8. Information and Audit

8.1. The Supplier shall maintain, in accordance with Data Protection Laws binding on the Supplier, written records of all categories of processing activities carried out on behalf of the Customer.

8.2. On request, the Supplier shall provide the Customer with a copy of the third party certifications and audits to the extent made generally available to its customers (as updated from time to time) or such information as is reasonably necessary to demonstrate the Supplier’s compliance with its obligations under Article 28 of the GDPR. Such information shall be confidential to the Supplier and shall be Supplier’s Confidential Information as defined in our Agreement, and shall be treated in accordance with applicable terms.

9. Breach Notification

9.1. In respect of any Personal Data Breach, the Supplier shall, without undue delay (and in any event within 72 hours):
9.1.1. notify the Customer of the Personal Data Breach; and
9.1.2. provide the Customer with details of the Personal Data Breach.

10. Deletion of Protected Data and Copies

Following the end of the provision of the Services (or any part) relating to the processing of Protected Data the Supplier shall dispose of Protected Data in accordance with its obligations under our Agreement. The Supplier shall have no liability (howsoever arising, including in negligence) for any deletion or destruction of any such Protected Data undertaken in accordance with our Agreement.

11. Compensation and Claims

11.1. The Supplier shall be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with our Agreement:
11.1.1. only to the extent caused by the processing of Protected Data under our Agreement and directly resulting from the Supplier’s breach of our Agreement; and
11.1.2. in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of our Agreement by the Customer.

11.2. If a party receives a compensation claim from a Data Subject relating to processing of Protected Data in connection with our Agreement or the Services, it shall promptly provide the other party with notice and full details of such claim.

11.3. The parties agree that the Customer shall not be entitled to claim back from the Supplier any part of any compensation paid by the Customer in respect of such damage to the extent that the Customer is liable to indemnify or otherwise compensate the Supplier in accordance with our Agreement.

11.4. This paragraph 11 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:
11.4.1. to the extent not permitted by Applicable Law (including Data Protection Laws); and
11.4.2. that it does not affect the liability of either party to any Data Subject.

12. Survival

This Data Protection Addendum (as updated from time to time) shall survive termination (for any reason) or expiry of our Agreement and continue until no Protected Data remains in the possession or control of the Supplier or any Sub-Processor, except that paragraphs 10 to 12 (inclusive) shall continue indefinitely.

Security Measures

As from the Terms Effective Date, Object Matrix will implement and maintain the Security Measures described in this Schedule 1.

1. Data Centre and Network Security
(a) Data Centres.

Infrastructure. Object Matrix maintains geographically distributed data centres. Object Matrix stores all production data in physically secure data centres.

Redundancy. Infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. Dual circuits, switches, networks or other necessary devices help provide this redundancy. The Services are designed to allow Object Matrix to perform many but not all types of preventative and corrective maintenance without interruption. Equipment and facilities have documented preventative maintenance procedures that detail the process for and frequency of performance, where possible, in accordance with the manufacturer’s or internal specifications. Preventative and corrective maintenance of the data centre equipment is scheduled through a standard change process according to documented procedures.

Power. The data centres used are selected to have electrical power systems that are designed to be redundant and maintainable without impact to continuous operations, 24 hours a day, 7 days a week. In most cases, a primary as well as an alternate power source, each with equal capacity, is provided for critical infrastructure components in the data centre. Backup power is provided by various mechanisms such as uninterruptible power supplies (UPS) batteries, which supply consistently reliable power protection during utility brownouts, blackouts, over voltage, under voltage, and out-of-tolerance frequency conditions. If utility power is interrupted, backup power is designed to provide transitory power to the data centre, at full capacity, for up to 10 minutes until the diesel generator systems take over. The diesel generators are capable of automatically starting up within seconds to provide enough emergency electrical power to run the data centre at full capacity typically for a period of days.

Server Operating Systems. Object Matrix servers use a Linux based implementation customized for the application environment. Data is stored using proprietary algorithms to augment data security and redundancy. Object Matrix employs a code review process to increase the security of the code used to provide the Services and enhance the security products in production environments.

(b) Networks and Transmission.

Data Transmission. Data centres are typically connected via high-speed private links to provide secure and fast data transfer between data centres. This is designed to prevent data from being read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media. Object Matrix generally transfers data via Internet standard protocols.

External Attack Surface. Object Matrix employs multiple layers of network devices and is increasing its intrusion detection to protect its external attack surface. Object Matrix considers potential attack vectors and incorporates appropriate purpose built technologies into external facing systems.

Intrusion Detection. Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. Object Matrix is increasing across multiple layers.
Incident Response. Object Matrix monitors a variety of communication channels for security incidents, and Object Matrix’s security personnel will react promptly to known incidents.

Encryption Technologies. Object Matrix makes HTTPS encryption (also referred to as SSL or TLS connection) available along with other encryption algorithms. Object Matrix employs VPN servers that support ephemeral elliptic curve Diffie-Hellman cryptographic key exchange signed with RSA and ECDSA. These perfect forward secrecy (PFS) methods help protect traffic and minimize the impact of a compromised key, or a cryptographic breakthrough.

2. Access and Site Controls
(a) Site Controls.

On-site Data Centre Security Operation. Object Matrix data centres maintain an on-site security operation responsible for all physical data centre security functions 24 hours a day, 7 days a week. The on-site security operation personnel monitor closed circuit TV (CCTV) cameras and all alarm systems. On-site security operation personnel perform internal and external patrols of the data centre regularly. Object Matrix can provide, under NDA, potential customers with specific data centre details along with their specific security procedures.

Data Centre Access Procedures. Object Matrix maintains formal access procedures for allowing physical access to the data centres. The data centres are housed in facilities that require electronic card key access, with alarms that are linked to the on-site security operation. All entrants to the data centre are required to identify themselves as well as show proof of identity to on-site security operations. Only authorized employees, contractors and visitors are allowed entry to the data centres. Only authorized employees and contractors are permitted to request electronic card key access to these facilities. Data centre electronic card key access requests must be made through e-mail, and require the approval of the requestor’s manager and the data centre director. All other entrants requiring temporary data centre access must: (i) obtain approval in advance from the data centre managers for the specific data centre and internal areas they wish to visit; (ii) sign in at on-site security operations; and (iii) reference an approved data centre access record identifying the individual as approved.

On-site Data Centre Security Devices. Object Matrix’s data centres employ an electronic card key and at most sites, biometric access control system that is linked to a system alarm. The access control system monitors and records each individual’s electronic card key and when they access perimeter doors, shipping and receiving, and other critical areas. Unauthorized activity and failed access attempts are logged by the access control system and investigated, as appropriate. Authorized access throughout the business operations and data centres is restricted based on zones and the individual’s job responsibilities. The fire doors at the data centres are alarmed. CCTV cameras are in operation both inside and outside the data centres. The positioning of the cameras has been designed to cover strategic areas including, among others, the perimeter, doors to the data centre building, and shipping/receiving. On-site security operations personnel manage the CCTV monitoring, recording and control equipment. Secure cables throughout the data centres connect the CCTV equipment. Cameras record on site via digital video recorders 24 hours a day, 7 days a week. The surveillance records are retained for up to 30 days based on activity.

(b) Access Control.

Infrastructure Security Personnel. Object Matrix has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. Object Matrix’s infrastructure security personnel are responsible for the ongoing monitoring of Object Matrix’s security infrastructure, the review of the Services, and responding to security incidents.

Access Control and Privilege Management. Customer’s administrators must authenticate themselves via a central authentication system or via a single sign on system in order to administer the Services.

Internal Data Access Processes and Policies – Access Policy. Object Matrix’s internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. Object Matrix designs its systems to (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording. The systems are designed to detect any inappropriate access. Object Matrix requires the use of unique user IDs, strong passwords, two factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; and a need to know basis. The granting or modification of access rights must also be in accordance with Object Matrix’s internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of changes. Many systems log to an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies that follow at least industry standard practices are implemented. These standards include restrictions on password reuse and sufficient password strength.

3. Data

(a) Data Storage, Isolation and Logging. Object Matrix stores data in a multi-tenant environment on Object Matrix-owned servers. Subject to any Customer instructions to the contrary (for example, in the form of a data location selection), Object Matrix asynchronously replicates Customer Data between geographically dispersed data centres. Object Matrix also logically isolates the Customer’s data. Customer will be given control over specific data sharing policies. Those policies, in accordance with the functionality of the Services, will enable Customer to determine the product sharing settings applicable to Customer End Users for specific purposes. Customer may choose to make use of logging functionality that Object Matrix makes available via the Services.

(b) Decommissioned Disks and Disk Erase Policy. Disks containing data may experience performance issues, errors or hardware failure that lead them to be decommissioned (“Decommissioned Disk”). Every Decommissioned Disk is subject to a series of data destruction processes (the “Disk Erase Policy”) before leaving Object Matrix premises either for reuse or destruction. If, due to hardware failure, the Decommissioned Disk cannot be erased, it is securely stored until it can be destroyed. Where the disk contains unreadable data (such as blocks from a erasure code algorithm than cannot form a whole file), disks may be sent to a secure data erasing 3rd party for final destruction.

4. Personnel Security

Object Matrix personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Object Matrix conducts reasonably appropriate backgrounds checks to the extent legally permissible and in accordance with applicable local employment law and statutory regulations.

Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Object Matrix’s confidentiality and privacy policies. Personnel are provided with security training. Personnel handling Customer Data are required to complete additional requirements appropriate to their role (e.g., certifications). Object Matrix’s personnel will not process Customer Data without authorization.

5. Subprocessor Security

Before onboarding Subprocessors, Object Matrix conducts an audit of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide.