SDO DATA PROCESSING ADDENDUM

This Data Processing Addendum (together with its Annexes, the “Addendum”) is between Secret Double Octopus Ltd. or its affiliates (the “Company”, “We”, “Us” or “Our”), on the one hand (“SDO”), and Customer (as defined below), on the other hand (each a “Party” and together the “Parties”). This Addendum is attached to the Terms and Conditions between SDO and Customer as an integral part thereof, and is applicable only if and to the extent that Data Protection Laws apply to the Processing of any Personal Data by SDO on behalf of and under the instructions of the Customer in connection with the Services (“Customer Personal Data”). Users are not a party to this Addendum nor a third party beneficiary. All capitalized terms not defined herein shall have the meanings ascribed to them in the Terms and Conditions.

SDO provides end-customers with a tool for managing passwordless authentication of the customer’s users through, at the customer’s choice, either an authentication server that can be installed on premises or in the cloud and managed by the customer (“On-premise solution”) or a Cloud-SAS managed by SDO (“SDO Cloud”). The authentication methods include the Octopus Authenticator mobile app or any other means of authentication (e.g., FIDO token, third party authenticator) through which the customer’s users can approve the authentication request (collectively the “Solution”), and reports, maintenance, support and any other service (collectively the “Services”).

  1. Definitions

    When used in this Addendum, the following terms have the meaning ascribed next to them:

    1. “Customer” means the business, legal entity or other organization that purchased the Products either directly from Company or through a Reseller, and is using the Products subject to and in accordance with the terms of the subscription agreement.
    2. “Data Protection Laws” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation or ‘GDPR’) and EU Member State laws, rules and guidelines implementing or supplementing the GDPR, as amended, replaced or superseded from time to time, applicable to SDO in the Processing of Personal Data.
    3. “Users” means Customers’ employees, IT agents, representatives, administrators, or other individuals authorized by Customers to access and use SDO’s Services and which have been supplied with user identifications and passwords during the performance of the agreement with SDO for provision of its Services.
    4. “Subprocessor(s)” means any person or entity appointed by or on behalf of SDO to Process Personal Data in connection with the Services, excluding any employee of SDO or its subsidiaries. The list of SDO Subprocessors is detailed in Annex III attached hereto.
    5. “Government Authority Request” means any subpoena, warrant or other judicial, regulatory, governmental or administrative order by a government or quasi-governmental or other regulatory authority (including law enforcement or intelligence agencies) seeking or requiring access to or disclosure of Personal Data.
    6. “Personal Data”, “Process/Processing”, “Controller”, “Processor”, “Personal Data Breach”, “Supervisory Authority”, “Special Categories of Data” and “Data Subjects” shall have the meanings given to them in Data Protection Laws.
  2. Processing of personal data and parties’ obligations

    1. Each Party agrees to comply with the obligations that apply to it under this Addendum and Data Protection Laws. The Customer is the Controller and SDO and its subsidiaries are the Processor with regard to the Personal Data Processed pursuant to the Services.
    2. Customer hereby represents that:
      1. The Customer Personal Data provided to SDO pursuant to the Terms and Conditions was obtained and is provided to SDO lawfully, in accordance with all requirements of Data Protection Laws;
      2. It has established documented purposes and a legal basis for the Processing of Customer Personal Data, it has determined retention periods for the Processing of Customer Personal Data, it transfers Customer Personal Data outside of the European Union (EU)/European Economic Area (EEA) in accordance with the applicable safeguards of the Data Protection Laws, it implements adequate technical and organizational measures to secure Customer Personal Data on its on-premises servers, it implements Data Subjects’ rights in accordance with Data Protection Laws, and it has provided Users with all required privacy notices.
  3. Processing of customer personal data

    1. SDO shall Process Customer Personal Data on Customer’s behalf and according to the Customer’s lawful written instructions which are hereby provided: Processing for use of the Services.
    2. The Terms and Conditions and this DPA shall constitute the entirety of the Customer’s written instructions in relation to the Processing with which SDO is required to comply.
    3. SDO may create de-identified and anonymous data from the Personal Data provided by the Customer and Process it for an unlimited period of time for improving the Solution and/or Services and/or the User’s experience and for statistical and analytical purposes.
    4. Customer sets forth the details of the Processing of Customer Personal Data, as required by Article 28(3) of the GDPR in Annex I (Details of Processing of Customer Personal Data), attached hereto.
    5. If SDO receives a Government Authority Request concerning Customer Personal Data, SDO shall: (i) to the fullest extent permitted by law, without undue delay notify Customer in writing of such Government Authority Request so that Customer may contest or seek to narrow such disclosure or seek a protective order or other appropriate remedy; (ii) reasonably cooperate with and take reasonable steps to assist Customer to contest or seek to narrow such Government Authority Request, obtain a protective order or seek another remedy, at Customer’s expense; (iii) where any attempt to contest or seek to narrow such Government Authority Request, or to obtain a protective order or seek another remedy, is not successful so that some or all of the Personal Data is required to be disclosed, take reasonable steps to furnish only the minimum amount of Personal Data legally required to be disclosed; and (iv) maintain a written record of all Government Authority Requests.
  4. SDO’s personnel and Subprocessors

    1. SDO shall ensure that access to the Customer Personal Data by its personnel (which includes any employees, agents or freelance consultants employed by SDO or its subsidiaries or any person appointed by SDO, which may have access to the Customer Personal Data) is limited to a need to know and/or access basis, and that all its personnel receiving such access to and/or Processing the Customer Personal Data, are subject to written confidentiality undertakings or statutory obligations of confidentiality.
    2. Customer consents to SDO engaging its subsidiaries and Subprocessors to Process Customer Personal Data for the provision of the Services as set out in Annex III. SDO shall inform Customer in writing of any intended changes to that list through the addition or replacement of Subprocessors, thereby giving Customer sufficient time to be able to object to such changes prior to the engagement of the Subprocessor(s).
    3. In the event Customer objects to such new Subprocessors due to reasonable grounds relating to data protection, it may notify SDO of its objection and the reasons therefor within 15 days from SDO’s notification. Thereafter, for an additional period of 15 days, the Parties shall attempt to reach an amicable solution with respect to the utilization of such new Subprocessor. Absent such solution, Customer may terminate the purchase order with SDO, and SDO shall not refund Customer for any prepaid amounts for the terminated period of the Services.
    4. SDO will enter into appropriate data processing agreements with the SDO Subprocessors.
  5. International data transfers

    1. When SDO and/or its subsidiaries transfer Customer Personal Data from within the EU/EEA to countries that are based outside the EU/EEA, the transfer takes place on the basis of:

      1. An adequacy decision by the European Commission; or
      2. Any one of the transfer mechanisms consistent with the requirements of Data Protection Laws, including standard contractual clauses.
    2. For the purpose of this DPA, the Parties agree that the standard contractual clauses for Controller to Processor (Module 2) as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, including all Annexes thereto, as may be amended or replaced from time to time (“SCC”) are incorporated herein by reference and the Parties are deemed to have accepted and signed the SCC where necessary in their entirety. Annex I, Annex II and Annex III of the SCC shall be represented by Annex I, Annex II and Annex III to this DPA.
    3. The Parties agree that with respect to the election of specific terms and/or optional clauses required by the SCC the following shall apply, and any optional clauses not expressly selected are not included: (i) as between the Parties, SDO will be deemed the “data importer” and Customer will be deemed the “data exporter”; (ii) if and to the extent the SCC conflict with any provision of this DPA, the SCC will prevail to the extent of such conflict; and (iii) Clause 7 of the SCC is opted out. In Clause 9 of the SCC, option 2 (general written authorization) will apply, the authorization period will be 15 days, the agreed Subprocessor(s) list is attached as Annex III to the DPA, and notification regarding changes to this list shall be as described in Section 4 above. In Clause 11 of the SCC the optional language will not apply. In Clause 17 of the SCC the governing law will be Irish law; in Clause 18 of the SCC disputes shall be resolved by the courts of Ireland. In Annex I of the SCC Customer is the ‘Data exporter’ and SDO is the ‘Data importer’; the competent supervisory authority is the Irish DPC.
  6. Technical and organizational measures

    SDO and its subsidiaries shall implement and maintain appropriate technical and organizational measures to ensure a level of security of the Customer Personal Data appropriate to the risk, taking into account the nature, scope and context of the Processing and the costs of implementation. The major information security measures currently implemented by SDO, in particular in the case of the SDO Cloud solution, are listed in Annex II hereto, as may be updated from time to time, provided the level of security is not materially degraded.

  7. Personal data breach

    1. SDO shall promptly and without undue delay notify Customer by written notice upon SDO becoming aware of a Personal Data Breach relating to Customer Personal Data. Notification to the Customer of a breach shall not constitute admitting to any fault or liability with respect to the Personal Data Breach. Any notification to Supervisory Authorities or Data Subjects, if required, will be the responsibility of the Customer.
    2. SDO shall reasonably assist the Customer with providing available information in SDO’s possession relating to a Personal Data Breach.
    3. The Customer shall not issue any public statement on the Personal Data Breach without the approval of SDO, unless required by the Data Protection Laws.
    4. If the investigation of the Personal Data Breach raises any security issues to be remediated by SDO, SDO shall implement reasonable industry standard measures for such remediation at SDO’s sole discretion.
  8. Data subject rights, data protection impact assessment and prior consultation

    At Customer’s reasonable request, SDO shall provide commercially reasonable assistance to Customer to comply with (i) any of Customer’s obligations concerning Customer Data Subjects’ requests to exercise Data Subject rights, including by deleting Data Subjects’ Personal Data from Customer Personal Data in response to a Data Subject request exercised in accordance with the Data Protection Laws; and (ii) any data protection impact assessments or prior consultations with Supervisory Authorities or other competent data privacy authorities related to the Processing activities conducted by SDO.

  9. Retention, Deletion or Return of customer personal data

    1. Within 30 days of the end of the term of the license or earlier at Customer’s written request and to the extent commercially reasonable, SDO shall promptly delete, return, or destroy all copies of any Customer Personal Data, provided they are not required to perform the Services, and unless required to retain such Personal Data under applicable law. Customer hereby agrees that SDO may retain a copy of the Personal Data for a period of 7 years following the termination of the Processing, to establish, exercise, or defend legal claims, provided that such copy of the Personal Data, will be under strict access authorizations.
    2. To the extent deletion of the Customer Personal Data requires disproportionate effort, SDO shall make best efforts to segregate and secure the non-active Customer Personal Data, such that it cannot be processed; and ensure that it may be accessed only by the minimum necessary number of authorized personnel solely if required for internal administrative purposes such as data management, compliance and data security.
  10. Inspection and audit rights

    1. SDO shall, subject to 30 days’ prior written notice and advance coordination, reasonably cooperate with audits or inspections (the “Audit”) conducted by Customer or any independent third party appointed by the Customer for conducting such audit, provided such third party is not a competitor of SDO (the Customer or its appointee shall be referred to as the “Auditor”). The Audit shall be limited to verifying SDO’s compliance with this DPA with respect to Processing of Customer Personal Data by SDO under this DPA. Audits will not be conducted more than once annually except in the event of a Personal Data Breach.
    2. SDO shall make commercially reasonable efforts to provide to the Auditor materials and information requested by the Auditor which are necessary for the purposes of the Audit and which are available to SDO.
    3. SDO’s cooperation with any such Audit shall be subject to the following conditions:

      1. the Auditor shall sign, prior to the Audit, a confidentiality undertaking covering all information which the Auditor and/or its personnel may have access to in performance of the Audit;
      2. the Audit shall be conducted at SDO’s normal working hours;
      3. the Auditor’s personnel shall abide by the security policies and procedures of SDO and conduct the Audit with minimal disturbance to SDO’s operations and business;
      4. the Audit shall be conducted solely in premises under the direct control of SDO in which Customer’s Personal Data is stored.
    4. SDO shall be entitled to take any reasonable precautions at its sole discretion to prevent disclosure of:

      1. other Customers’ Personal Data and confidential or proprietary information;
      2. SDO’s internal financial information;
      3. SDO’s trade secrets;
      4. any information that in SDO’s sole discretion, could compromise the security of any of SDO’s systems or premises or cause SDO to breach obligations under any applicable laws or its obligations to any third party.
  11. Personal data processed as independent controllers

    Each Party shall Process the contact details of the other Party’s employees or representative tasked with the administration of the Services as an independent Controller. With respect to such Personal Data, each Party shall be responsible to fulfil all of its obligations under the Data Protection Laws and shall cooperate with the other Party as reasonably necessary to assist with the fulfilment of the other Party’s obligations under the Data Protection Laws.

  12. Term

    This DPA shall terminate automatically upon the termination or expiration of the term of the license, provided however, that SDO’s obligations under this DPA will remain in force for as long as SDO Processes Customer Personal Data.

ANNEX I

  1. List of parties

    Data exporter(s): shall be the Customer and any Customer affiliates that are authorized to use the Services.

    • Name: as described under the applicable agreement
    • Address: as described under the applicable agreement
    • Contact person’s name, position and contact details: as described under the applicable agreement
    • Activities relevant to the data transferred under these Clauses: Services as detailed in the Terms and Conditions and applicable agreement
    • Signature and date: as per the applicable agreement
    • Role (controller/processor): Controller

    Data importer(s):

    • Name: Secret Double Octopus entity party to the applicable agreement (“SDO”)

    • Address: as described under the applicable agreement
    • Contact person’s name, position and contact details: Shimrit Tzur-David, Chief Security Officer, [email protected]
    • Activities relevant to the data transferred under these Clauses: Services as detailed in the Terms and Conditions and applicable agreement
    • Signature and date: as per the applicable agreement
    • Role (controller/processor): Processor

  2. Description of transfer

    Categories of data subjects whose personal data is transferred: Customer’s Users, i.e., employees and contractors of the Customer.

    Categories of personal data transferred: The Personal Data relating to Customer Data Subjects is provided by the Customer and/or automatically generated as Customer Data Subjects use the Services, as follows:

    Customer Personal Data: Training history and records, encrypted username, encrypted password, email address, users’ devices data (such as model and OS version), Contact persons’ positions, IP address, usage data (e.g., Browser, Operating System, Search Keyword, Last Seen). 

    Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: n/a

    The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): The Customer is likely to require Services on a regular basis.

    Nature of the processing: Provision of the Services as detailed at the beginning of the Addendum and in the Terms and Conditions.

    Purpose(s) of the data transfer and further processing: Provision of the Services as detailed at the beginning of the Addendum and in the Terms and Conditions.

    The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: During the term of the license and 30 days thereafter, unless required to retain such Personal Data under applicable law.

    For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: As described above and see Annex III.

  3. Competent supervisory authority

    Identify the competent supervisory authority/ies in accordance with Clause 13

    To the extent that the data exporter submits EEA originating Personal Data to the Service: Irish DPC.

ANNEX II

Technical and organisational measures including technical and organisational measures to ensure the security of the data

  1. SDO maintains the Information Security Management System in accordance with the requirements of ISO 27001.
  2. Access of information is restricted to authorized users who have a bona-fide business need to access the information.
  3. Instructions are provided to the authorized users on how to access the information and keep it protected.
  4. IT Operations is required to monitor access and use through resource access logs and to report any access violation.
  5. Appropriate information classification controls are applied, based upon the results of formal risk assessments and guidance.
  6. Information held in a physical format, including personal data, is used and stored in a secure manner in an access-controlled location.
  7. Systems hosting personal data are protected in alignment with industry best practice, such as:
    1. Up to date anti-malware protection
    2. Industry standard firewalls
    3. Network Intrusion Detection or Prevention Systems (NIDS/NIPS)
  8. Periodic workforce training and audits are conducted.

ANNEX III

List of SDO Affiliates and Sub-Processors

The controller has authorized the use of the following sub-processors for processing Customer Personal Data through the Solution:

SDO’s Affiliate Companies
[the non-contracting entity under the DPA listed herein will be a Subprocessor of the contracting party]

    • Company: Secret Double Octopus Ltd.
      Services: Product Support, Professional Services, Cloud Infrastructure Support and Back Up (both Cloud Products Only)
      Location: Israel, 97 Rokach Blvd, Tel Aviv 6153101
    • Company: Secret Double Octopus Inc.
      Services: Product Support, Professional Services, Cloud Infrastructure Support and Back Up (both Cloud Products Only)
      Location: United States, 1600 El Camino Real, Suite 280, Menlo Park, CA 94025

Subprocessors

    • Subprocessor’s Name: Amazon Web Services
      Services: Hosting customer Personal Data / Cloud Services
      Location: Luxembourg, 38 Ave John F Kennedy, L-1855, B186284
    • Subprocessor’s Name: Grid Dynamics Holdings, Inc
      Services: DevOps Services
      Location: United States, 5000 Executive Parkway, Suite 520, San Ramon, CA 94583
    • Subprocessor’s Name: Hub City Media Inc.
      Services: Managed Support Services
      Location: United States, 1 Cragwood Rd. South, Plainfield, NJ 07080