This Data Processing Addendum (together with its Annexes, the “Addendum”) is between Secret Double Octopus Ltd. or its affiliates (the “Company”, “We”, “Us” or “Our”), on the one hand (“SDO”), and Customer (as defined below) (each a “Party” and together the “Parties”). This Addendum is attached to the Terms and Conditions between SDO and Customer as an integral part thereof, and is applicable only if and to the extent that Data Protection Laws apply to the Processing of any Personal Data by SDO on behalf of and under the instructions of the Customer in connection with the Services (“Customer Personal Data”). Users are not a party to this Addendum nor a third party beneficiary. All capitalized terms not defined herein shall have the meanings ascribed to them in the Terms and Conditions.
SDO provides end-customers with a tool for managing passwordless authentication of customer’s users through, at the customer’s choice, either an authentication server that can be installed on premise or in the cloud and managed by the customer (“On-premise solution”) or a Cloud-SAS managed by SDO (“SDO Cloud”). The authentication methods include the Octopus Authenticator mobile app or any other type of authenticator (e.g., FIDO token, third party authenticator) through which customer’s users can approve the authentication request (collectively the “Solution”) and reports, maintenance, support and any other service (collectively the “Services”).
When used in this Addendum, the following terms have the meaning ascribed next to them:
When SDO and/or its subsidiaries transfer Customer Personal Data from within the EU/EEA to countries that are based outside the EU/EEA, the transfer takes place on the basis of:
SDO and its subsidiaries shall implement and maintain appropriate technical and organizational measures to ensure a level of security of the Customer Personal Data appropriate to the risk, taking into account the nature, scope and context of the Processing and the costs of implementation. The major information security measures currently implemented by SDO, in particular in the case of the SDO Cloud solution, are listed in Annex II hereto, as may be updated from time to time, provided the level of security is not materially degraded.
At Customer’s reasonable request, SDO shall provide commercially reasonable assistance to Customer to comply with (i) any of Customer’s obligations concerning Customer Data Subjects’ requests to exercise Data Subject rights, including by deleting Data Subjects’ Personal Data from Customer Personal Data in response to a Data Subject request exercised in accordance with the Data Protection Laws; and (ii) any data protection impact assessments or prior consultations with Supervisory Authorities or other competent data privacy authorities, related to the Processing activities conducted by SDO.
SDO’s cooperation with any such Audit shall be subject to the following conditions:
SDO shall be entitled to take any reasonable precautions at its sole discretion to prevent disclosure of:
Each Party shall Process the contact details of the other Party’s employees or representatives tasked with the administration of the Services as an independent Controller. With respect to such Personal Data, each Party shall be responsible to fulfil all of its obligations under the Data Protection Laws and shall cooperate with the other Party as reasonably necessary to assist with the fulfilment of the other Party’s obligations under the Data Protection Laws.
This DPA shall terminate automatically upon the termination or expiration of the term of the license, provided however, that SDO’s obligations under this DPA will remain in force for as long as SDO Processes Customer Personal Data.
Data exporter(s): shall be the Customer and any Customer affiliates that are authorized to use the Services.
Data importer(s): Name: Secret Double Octopus entity party to the applicable agreement (“SDO”)
Categories of data subjects whose personal data is transferred: Customer’s Users, i.e., employees and Contractors of the Customer.
Categories of personal data transferred: The Personal Data relating to Customer Data Subjects is provided by the Customer and/or automatically generated as Customer Data Subjects use the Services, as follows:
Customer Personal Data: Training history and records, encrypted username, encrypted password, email address, users’ devices data (such as model and OS version), Contact persons’ positions, IP address, usage data (e.g., Browser, Operating System, Search Keyword, Last Seen).
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: n/a
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): The Customer is likely to require the Services on a regular basis.
Nature of the processing: Provision of the Services as detailed at the beginning of the Addendum and in the Terms and Conditions.
Purpose(s) of the data transfer and further processing: Provision of the Services as detailed at the beginning of the Addendum and in the Terms and Conditions.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: During the term of the license and 30 days thereafter, unless required to retain such Personal Data under applicable law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: As described above and see Annex III.
Identify the competent supervisory authority/ies in accordance with Clause 13
To the extent that the data exporter submits EEA originating Personal Data to the Service: Irish DPC.
The controller has authorized the use of the following sub-processors for processing Customer Personal Data through the Solution:
SDO’s Affiliate Companies [the non-contracting entity under the DPA listed herein will be a Subprocessor of the contracting party]

| Company | Services | Location |
| --- | --- | --- |
| Secret Double Octopus Ltd. | Product Support, Professional Services, Cloud Infrastructure Support and Back Up (both Cloud Products Only) | Israel 97 Rokach Blvd, Tel Aviv 6153101 |
| Secret Double Octopus Inc. | Product Support, Professional Services, Cloud Infrastructure Support and Back Up (both Cloud Products Only) | United States 1600 El Camino Real, Suite 280, Menlo Park, CA 94025 |

Subprocessors

| Subprocessor’s Name | Services | Location |
| --- | --- | --- |
| Amazon Web Services | Hosting customer Personal Data/ Cloud Services | Luxembourg 38 Ave John F Kennedy, L-1855, B186284 |
| Grid Dynamics Holdings, Inc | DevOps Services | United States 5000 Executive Parkway, Suite 520 San Ramon, CA 94583 |
| Hub City Media Inc. | Managed Support Services | United States 1 Cragwood Rd. South, Plainfield, NJ 07080 |