The following Data Processing Agreement applies only to the specific Services described in Appendix 1 and the Main Agreement (SoW and Terms and Conditions) and does not replace any other data processing arrangement for the provision of other services or solutions.
This Agreement does not cover the processing of personal data by Bitdefender as a Data Controller, including names, surname, address, email, telephone number and other personal data of employees of the Client integrated into the information processed by Bitdefender directly necessary for the provisions of the services (e.g. contracts, invoices, contact persons for services provision etc.)
1. Definitions
The following terms shall have the following meaning when used in this Agreement:
"Agreement" means the terms of this data processing agreement including its Appendixes and any document expressly cross referenced from either;
"Data Protection Legislation" means General Data Protection Regulation 2016/679 ("GDPR"), Directive 2002/58/EC and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them, and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction, including, where applicable, the guidance and codes of practice issued by supervisory authorities;
"data controller", "data processor", "data subject", "personal data", "processing" and "appropriate technical and organizational measures", “personal data breach” shall be interpreted in accordance with applicable Data Protection Legislation in the relevant jurisdiction;
1. General Terms on processing personal data
1.1 Bitdefender agrees that the Client is the data controller of personal data which Bitdefender will process and that Bitdefender is a data processor in relation to personal data that is processed by or on behalf of the Client pursuant to the Scope of Work concluded by the two parties and this Agreement. The processing will be carried out until the date that Bitdefender ceases to provide the Services to the Client. Appendix 1 of this Agreement sets out the nature and purpose of the processing, the types of personal data Bitdefender processes and the categories of data subjects whose personal data is processed.
1.2 The personal data will only be processed in accordance with written instructions from the Client(which are instructions of a general nature as set out in the Scope of Work, this Agreement, Proposal, or as otherwise specified by the Client to Bitdefender via written communication methods, as described in the agreement). If Bitdefender is required to process such personal data for any other purpose by European Union or Member State laws to which Bitdefender, its staff or subcontractors are subject, Bitdefender will promptly inform the Client of this requirement first, unless such law(s) prohibit this;
2. Obligations of the Data Controller
▪ complies with GDPR when processing personal data, and only gives lawful instructions to Data Processor;
▪ guarantees that data subjects have been informed of the uses of personal data as required by GDPR, including about sharing their data with the Data Processor, if required; confirms it relies on a valid legal ground for the processing of personal data under GDPR, including if required obtaining consent from data subjects;
▪ complies with Data Subject requests to exercise their rights of access, rectification, erasure, data portability, restriction of processing, and objection to the processing;
▪ implements appropriate technical and organizational measures to ensure, and to be able to demonstrate, that the processing of personal data is performed in accordance with GDPR, including for securing the transfer of data from its data subjects to the Data Processor;
▪ cooperates with Data Processor to fulfill their respective data protection compliance obligations in accordance with GDPR;
▪ does its own analysis of the data processing, based on its specific policies
▪ In any situation when the Data Controller must fulfill an obligation, such as informing the data subject on a data breach, the Data Processor can’t be held responsible of the inaction of the Data Controller from that obligation.
3. Obligations of the Data Processor
▪ Only processes personal data on behalf of Data Controller in accordance with its specific instructions as mentioned in Article 1.2 or as otherwise agreed by both parties in writing.
▪ Will promptly inform Data Controller if, in its opinion, the Data Controller’s instructions infringe GDPR, and/or if Data Processor is unable to comply with the Data Controllers’ instructions.
▪ will ensure that personnel required to access such personal data are subject to a binding duty of confidentiality in respect of such personal data;
▪ will notify Data Controller without undue delay after becoming aware of a personal data breach when the data is processed by the Data Processor. Data Processor will take reasonable steps to mitigate the effects and to minimize any damage resulting from the personal data breach. Any processing of personal data by the Data Processor for sole purpose of provisioning of the Services will not be considered a personal data breach, as the Data Controller provided a written agreement to Data Processor for these services in the Scope of Work.
▪ will assist Data Controller in complying with data security, data breach notifications, and other requirements under GDPR, taking into account the nature of the processing and the information available to Data Processor. To the extent authorized under applicable law, Data Controller shall be responsible for any costs arising from Data Processor’s provision of such assistance.
▪ taking into account the nature of the processing, will assist Data Controller by appropriate technical and organizational measures, insofar as this is possible, to fulfill Data Controller’s obligation to respond to data subjects’ requests to exercise their rights as provided under GDPR. To the extent authorized by applicable law, Data Controller shall be responsible for any costs arising from Data Processor’s provision of such assistance.
▪ Data deletion at termination. When the Services under the SOW are delivered or the SOW term expires or at the end of the storage term as defined in the Appendix, the Data Processor will delete all personal data and existing copies, unless EU or EU member state law prevents it from returning or destroying all or part of the personal data or requires storage of the personal data (in which case Data Processor must keep them confidential) or unless the Client specifically instructs or requests a different data retention period;
▪ Data retention. Data Processor shall however keep the Deliverables for the duration of the business relationship (including extensions and/or renewals) with the Client and for extra 3 years after its completion, in the Client’s interest for additional services from Bitdefender that may require data from such Deliverables, unless the Client specifically instructs or requests a different data retention period. Any additional requests regarding the performance of the service may only be made 14 days before the deletion of the data. If a complaint is made Bitdefender may retain data and suspend any deletion regarding such complaint, for the legitimate interest of Bitdefender and Client, until such complaint is resolved and finalized or until the complaint is retracted.
▪ Deletion request prior to termination. The Client may ask for deletion of data before termination of contract or completion; however, such deletion may interfere with the efficiency of the Deliverables and Client accepts and acknowledges that Bitdefender may not be able to deliver the Services as provisioned, considering access to data is an essential condition for providing the Services.
4. Security of the processing
The Data Processor must implement appropriate technical and organizational measures, such as compliance with standards ISO 27001 and Soc 2 Type 2, to ensure standard industry security measures appropriate to the risk. In assessing the appropriate level of security, Data Processor must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects and the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. The Data Processor shall take steps to ensure that any person acting under its authority who has access to personal data is bound by enforceable contractual or statutory confidentiality obligations.
5. Sub-processors
5.1. Data controller agrees with the usage of the specific sub-processors by the Data Processor specified in Appendix 1
5.2. Data Controller gives a general authorization to the Data Processor to share personal data to other future Sub-Processors than the ones previously mentioned, under the conditions set below:
▪ Data Processor shall inform Data Controller of any addition or replacement of Sub-Processors and allow Data Controller to reasonably object to such changes by notifying Data Processor in writing within five business days after receipt of Data Processor’s notice of the addition or replacement of a Sub-Processor. Data Controller’s objection should be sent to dpo@bitdefender.com and explain the reasonable grounds for the objection.
▪ Data Processor guarantees that it will have an agreement with its Sub-Processors which imposes on the Sub-Processor similar data protection obligations as are imposed on Data Processor under this Agreement or by GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures to ensure the processing will meet requirements under GDPR, to the extent applicable to the nature of the service provided by the Sub-Processors. Where the Sub-Processor fails to fulfill its data protection obligations under such agreement, Data Processor shall remain fully liable towards Data Controller for the performance of the Sub-Processor’s obligations under such agreement.
▪ Data Processor guarantees that all the sub-processors will process data exclusively within a Member State of the European Union (EU), within a Member State of the European Economic Area (EEA) or in any state with an adequate data protection regime as recognized by the European Commission or other appropriate safeguards, including Standard Contractual Clauses.
6. Data Protection Audit.
6.1. Upon prior written request by Data Controller, Data Processor agrees to cooperate and within reasonable time provide to Data Controller with:
(a) a summary of the audit reports demonstrating Data Processor’s compliance with its obligations under this Agreement, after redacting any confidential and commercially sensitive information; and
(b) confirmation that the audit has not revealed any material vulnerability in Data Processor’s systems, or to the extent that any such vulnerability was detected, that Data Processor has fully remedied such vulnerability.
6.2. If the above measures are not sufficient to confirm compliance with GDPR or reveal some material issues, subject to the strictest confidentiality obligations, Data Processor allows Data Controller to request an audit of Data Processor’s data protection compliance program by external independent auditors, which are jointly selected by the parties. The external independent auditor cannot be a competitor of Data Processor, and the parties will mutually agree upon the scope, timing, and duration of the audit. The audit may not start with less than 30 days from the first request of the Data Controller. Data Processor will make available to Data Controller the result of the audit of its data protection compliance program. Data Controller must fully reimburse Data Processor for all expenses and costs for such audit.
7. Liability to data subjects.
7.1. Each party agrees that it will be liable to data subjects for the entire damage resulting from a violation of GDPR. The Data Controller and the Data Processor will share their responsibilities on ensuring personal data protection (for example on confidentiality or security of personal data processing) depending on access and effective control on personal data, both from a legal and technical perspective.
7.2. If one party paid full compensation for the damage suffered, it is entitled to claim back from the other party that part of the compensation corresponding to the other party’s part of responsibility for the damage. For that purpose, both parties agree that Data Controller will be liable to data subjects for the entire damage resulting from a violation of GDPR with regard to processing of personal data for which it is a Data Controller, and that Data Processor will only be liable to data subjects for the entire damage resulting from a violation of the obligations of GDPR of the Data Processor and where it has acted outside of or contrary to Data Controller’s lawful instructions.
7.3. Data Processor will be exempted from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
8. Data Controller and SCCs
If the Data Controller is a business located in a country outside the EU and/or the European Economic Area (EEA) or in a jurisdiction which offer adequate level of personal data protection according to European Union standards (art 45 GDPR), then the following Standard Contractual Clauses (SCCs) in Appendix 2 will also be applicable. Any update made by the European Commission to these SCCs shall be applicable without the need to amend this agreement.
9. Final provisions.
9.1. This Agreement will enter into force on the effective date of the Main Agreement and may be changed by agreement of both parties.
9.2. In the event of any conflict or inconsistency between the provisions of the Scope of Work and these terms, the provisions of these terms shall prevail. Save as specifically modified and amended in these terms, all of the terms, provisions and requirements contained in the Scope of Work shall remain in full force and effect and govern this Agreement.
9.3. These terms and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with the subject matter or formation shall be governed by and interpreted in accordance with the law of Romania and the parties agree that the courts of Romania have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) that arises out of, or in connection them.
1. Nature and purpose and duration of the processing
Personal data shall be processed in order to allow Bitdefender to provide the specific GravityZone for the Client, including support for this service. The processing shall take place for the duration of the Scope of Work, unless otherwise directed by the Client.
The sole purpose is to ensure ensuring network and information security for the Data Controller, by providing the services, including logging and reporting necessary for the provision of the services.
If necessary, the processing includes all operations performed on the collected personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, alignment or combination, restriction, erasure or destruction, unless otherwise instructed by the Data Controller.
2. Categories of data subjects whose personal data is processed
Depending on data that is disclosed by the system or application of the Client that is subject of the services, the categories of personal data may include Employees of the Client, Customers of the Client as well as any other person that uses the technical infrastructure of the Client, that is in-scope of the provided services.
3. Categories of personal data
Depending on data that is disclosed by the system or application of the Client that is subject of the services, the categories of personal data may include:
▪ Technical data of these devices or applications (e.g. IP, MAC Address, configuration data, running processes, system/network information). In most cases, these technical data may not lead to the direct or indirect identification, but in some very specific cases computer specialists might be able to identify a specific device. Therefore, we treat all such information as personal data and protect it as such. Other data that are only technical data and may not directly or indirectly be linked to a data subject, other than linked it with the data above, may also be collected according to details in the technical specifications of the product and the specified tools;
▪ Basic personal data (for example: username, email address or name and surname) that are disclosed by the Data Controller during the provision of the services and/or that could be inadvertently or incidentally processed during the dynamic provisions of the Bitdefender services;
In case of Red Teaming services, personal data may be collected from publicly available sources (such as social media profiles, OSINT tools) and may additionally include: password and/or password hashes, email addresses, name, job title, Linkedin profile URL, cookies/session tokens, system/network information.
There are no sensitive personal data presumed to be processed, except if otherwise specifically instructed by the Client.
4. Frequency of the transfer
This is a continuous basis transfer during the delivery of the Services.
5. Period of retention
By default, the personal data is being processed for entire the duration of the business relationship. The data is also retained for contractual compliance proofs for a maximum 3 years after completion, unless the Client specifically instructs or requests a different data retention period.
The retention period may be changed, if both parties agree on different terms.
6. Subprocessors
Bitdefender uses the following sub-processors for this solution:
▪ Bitdefender APAC PTE LTD located in Singapore, as a security services provider.
The subprocessor has offices and may process data in Singapore or other countries outside of the EU, and as such Bitdefender has signed adequate Standard Contractual Clauses (SCCs) with this subprocessor, and has performed a security assessment with this subprocessor.