INDEX

Service Description Documentation 

Name of the service

Description of the service

Compatibility requirements

Functionalities

Data and hosting

Service and support

Website

Contact us

Appendix A

Service Level Agreement (“SLA”)

1. Service Availability

2. Remedy

3. Updates

4. User Support

5. Backups

6. General

Data Processing Annex (“DPA”)

1. Purpose of the processing assignment 

2. Identification of the affected information

3. Term of the processing

4. Obligations of PrivacyPerfect

Appendix B

Last updated: July 29, 2020

1.    Name of the service

The name of the Service is PrivacyPerfect and this is a registered trade name of PrivacyAgent B.V., a limited liability company established under the laws of The Netherlands, whose contact data you may find in the “Contact us” section.

2.    Description of the service

PrivacyPerfect is a comprehensive software application to create your organisation’s privacy landscape and enhance compliance with the General Data Protection Regulation by registering the personal data operations conducted by the Customer, mapping data flows, and creating assessments and reports.

PrivacyPerfect is offered as a Software as a Service (SaaS) solution based on a one-to-many cloud model. Customers access the Service on servers controlled by PrivacyPerfect and the Service is updated and data is backed up by PrivacyPerfect. All customers are on the same version of the Service, on the same infrastructure and all use the same security configurations. Therefore, unlike on-premise application service providers, PrivacyPerfect cannot offer a customisable model where each customer is treated differently, except to the extent provided in the Package availed by the Customer. The advantage is that PrivacyPerfect’s one-to-many business model is more cost-effective: all customers are on the same release; costly and disruptive local upgrades are avoided.

3.    Compatibility requirements

PrivacyPerfect is a SaaS solution that works on every modern desktop computer or laptop with an internet connection and medium-high security settings. It has been tested to work with the following browsers:

  • Firefox version 44 (Release January 2016) and above
  • Chrome version 47 (Release December 2015) and above
  • Safari 9 (Release September 2015) and above
  • Edge Version 21 (Release June 2015) and above.

Older browsers might work (including, currently, Internet Explorer 11, to a certain extent), but we strongly recommend you use the latest browser version available at all times to reduce any general security risk the use of older browsers may incur. Also, we cannot guarantee that PrivacyPerfect access via old browsers will provide all functions accessible through the browser versions listed above.

4.    Functionalities

Customer can decide to avail specific functionalities of our Service depending on the Package. A specified set of functionalities is referred to as a Service Type further detailed in the table attached hereto as Appendix A, which can be unilaterally updated from time to time by PrivacyPerfect, as long as it does not materially alter the Service provided to the Customer.

Irrespective of whether the Customer has access to more functionalities than agreed to under the Service Type, it is hereby understood and agreed that the Customer shall only be entitled to use the functionalities that are part of the Service Type availed by the Customer. Access to any other functionalities does not create any additional usage or other rights on the part of the Customer over these functionalities, unless specifically agreed to in writing.

The following is a description of all the functionalities currently available in PrivacyPerfect:

Name of functionality – Description

  • Add/edit assessment – Create or edit assessments with characteristics such as pre-assessment, processing description, necessity and proportionality, data subject rights, security controls, threat-impact assessments, accountability, and risks and mitigating measures for each relevant section of the assessment, and include relevant attachments.
  • Add/edit breach – Create or edit breaches with characteristics such as name, breach properties, impacts, mitigating measures, consequences for data subjects and notifications.
  • Add/edit processing – Create or edit processing records with characteristics such as name, purpose, processing and transfer grounds, personal data, data sources, retention terms, and attachments.
  • API – Application programming interface that allows the Service to be linked to, or communicate with, other services.
  • Audit Trail – The audit trail contains an overview of all events taking place in the PrivacyPerfect Customer tenant.
  • Data Group Editor – Allows the grouping of related data items. A group consists of one or more items chosen from different fields that relate to each other.
  • Data Import – Import previously created privacy records into the Service platform. This is done by means of an “import sheet” provided by PrivacyPerfect and filled in by the Customer.
  • Embedded Document Management – Upload documents to attach to the Customer’s privacy records. Previously uploaded documents are saved in the Service platform and can be attached to multiple records.
  • Environment – Model your organisation’s hierarchy and model other organisations’ hierarchies.
  • Graphical View – Graphical view of the different elements of a processing operation as recorded in the processing records.
  • Languages – The Service is available in more than one language, and the user can select the language from a list of languages offered by the System. Currently, the available languages are Dutch, English, French, German, Spanish, Portuguese, Japanese and Chinese. We are in the process of upgrading the Service to include Danish, Italian, Norwegian, Swedish, Turkish and Greek as well.
  • Legal grounds pre-loaded – GDPR-based legal grounds/bases for processing personal data, transferring personal data and/or data breaches are pre-defined in a list.
  • Legal roles – Define GDPR-based legal roles in processing records: controllers, processors (including processor hierarchy), executing entities, and data recipients.
  • Link to processor and controller agreements – Add links to applicable processor and controller agreements within the privacy records.
  • Multi-factor authentication – Additional security by making MFA optional or obligatory for each of the user roles.
  • Overview of privacy records – Table view of the three types of privacy records, with filtering on type and status.
  • Pre-filled Templates* – Pre-filled examples/templates of processing records to reuse as applicable.
  • Promote privacy records – To reflect the relation between the contents of an assessment, processing and/or breach record, parts of its content can be promoted between assessments and processing records, and from processing records to breaches.
  • Reports – Configurable processing, assessment and breach overview reports.
  • Reuse building blocks – Organisations, entities, personal data items, and data sources can be reused across a customer tenant once they have been introduced in one of the privacy records.
  • Risk Identification – Toggle view to see whether the privacy records contain risks in line with the requirements of the GDPR.
  • Security Report – Outcome of a security and penetration test performed on a regular basis by an external, independent provider.
  • Single Sign On (SSO) – SSO lets users access the Service platform without the need for an extra user ID/password combination. Instead, users authenticate on the internal company network.
  • Templates – Save processing records as templates to reuse their contents.
  • User and role management – Create new users and assign roles (administrator, chief privacy officer, privacy officer, Business User and Read-only User).
  • View processings – View processing characteristics in table or graphical view.
  • White labelling – Possibility to change the appearance of PrivacyPerfect with a customer logo and colour.
  • Workflows – Built-in status-based workflow. It uses four of the “Status” field values as workflow triggers.

*Disclaimer

The Pre-filled Templates shall not be construed as legal advice, and PrivacyPerfect does not warrant their legal accuracy. The Customer is solely responsible for complying with the requirements of the GDPR and associated rules, regulations and guidelines, and for obtaining expert legal advice as necessary.

5.    Data and hosting

PrivacyPerfect offers the possibility to register personal data operations conducted by the organisation, map data flows, make assessments and create reports. PrivacyPerfect (“PP”) warrants that it shall not store, register, or otherwise process personal data in the Service, except to the extent necessary to provide the Service.

All application services and data uploaded to the System are hosted within the European Union (‘EU’) by a Dutch provider of Infrastructure as a Service. Our provider holds ISO 9001 (quality management) and ISO 27001 (security management) certification.

At the expiration or termination of the Service (unless the termination is caused by a breach by the Customer), the Customer will upon request obtain a copy of all information regarding its data processing procedures as uploaded into the Service, which PrivacyPerfect shall make available in .csv format, or any other format available within the Service at the given point in time.

6.    Service and support

PP offers extensive support and service levels in accordance with the Service Type availed by the Customer. More information on service and support can be found in our Service Level Agreement (SLA).

7.    Website

Visit our website www.privacyperfect.com to find out more about PrivacyPerfect.

8.    Contact us

PrivacyPerfect has its headquarters in Rotterdam, The Netherlands.

Our corporate name is PrivacyAgent B.V.

Our registered offices are:

Stationsplein 45, 4th Floor

3013 AK Rotterdam

The Netherlands

+31 10 31 00 740

VAT number: NL8531.85.566.B01

Chamber of Commerce number: 58796576

You can also contact us at: support@privacyperfect.com

Appendix A

Service Types

Service Type – Functionalities and Support Services

SME

  • Languages – English and 1 other language as per the preference of the Customer from the list of available languages in the System
  • Add/edit Processings – Up to 50 records
  • Pre-filled templates – 10 templates
  • Templates
  • View Processings
  • Overview of Privacy Records
  • Reuse building blocks
  • Legal Roles
  • Data group editor
  • Legal grounds pre-loaded
  • Environment
  • Link to your processor and controller agreements
  • Onboarding program – duration 1 hour – learn the basics
  • Basic Support from our Customer Service
  • Data import into the System

Pro

  • Languages – English and 1 other language as per the preference of the Customer from the list of available languages in the System
  • Add/edit Processings – Up to 250 records
  • Pre-filled templates – 25 templates
  • Risk Identification
  • Graphical view to show how personal data is collected
  • Data group editor
  • Legal grounds pre-loaded
  • Link to your processor and controller agreements
  • Embedded document management
  • Add/edit Assessments or Breaches – Customer can choose either Assessments or Breaches
  • Audit Trail
  • Reports
  • Role management
  • Workflows
  • Onboarding Program – 4 hours dedicated onboarding
  • Professional support from our Customer Service
  • Data import into the System

Enterprise

  • Languages – All available languages
  • Processings – Unlimited records
  • Pre-filled templates – Unlimited templates
  • Risk Identification
  • Graphical view to show how personal data is collected
  • Data group editor
  • Legal grounds pre-loaded
  • Link to your processor and controller agreements
  • Embedded document management
  • Add/edit Assessments
  • Add/edit Breaches
  • Audit trail
  • Reports
  • Role management
  • Workflows
  • Single Sign-On (SSO)
  • Multi-factor authentication (MFA)
  • Security report
  • White labelling
  • API
  • Onboarding Program – 12 hours dedicated onboarding
  • One-on-one customised support with a Customer Success Manager
  • Data import into the System

Service Level Agreement (“SLA”)

This Service Level Agreement (“SLA”) is subject to and part of the PrivacyPerfect Service Agreement between PrivacyPerfect and Customer. Capitalised terms, unless otherwise defined herein, shall have the same meaning as in the PrivacyPerfect Standard Terms and Conditions of Application.

1.    Service Availability

  • The following terms, indicated with a capital letter, shall have the following meaning:

Guaranteed Availability: the total number of minutes in the month minus those in which the Service is unavailable because of (i) maintenance or upgrading operations taking place once per month on weekdays between 19:00 in the evening and 08:00 CE(S)T the next morning, or at the weekend between 19:00 Friday evening and 08:00 Monday morning CE(S)T; and/or (ii) force majeure or other circumstances beyond PP’s reasonable control.

Unplanned Outage: the total of minutes for which the Service is not available during the time of Guaranteed Availability.

  • PrivacyPerfect’s Service shall be available for 99,5% of the Guaranteed Availability for any given calendar month. Service Availability is calculated per month as follows:

Service Availability (%) = (Guaranteed Availability - Unplanned Outage) / Guaranteed Availability x 100

2.    Remedy

  • If Service Availability falls in any month below 99,5% of the Guaranteed Availability, PP will refund an amount equal to 10% of 1/12th of the paid annual fee for such month. If this happens for 3 consecutive months, Customer will be entitled to terminate the Agreement within 30 days of this being verified (no other indemnity applying).

  • If any other warranty is breached, PrivacyPerfect shall correct it at no additional charge or shall otherwise be subject to such liability as applicable under Standard Terms and Conditions of Application of the PrivacyPerfect Service Agreement.
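The availability formula in section 1 and the remedy in section 2, worked through in Python on a constructed month of outages (an added illustration, not part of the original SLA). It assumes naive timestamps in CE(S)T, that a planned maintenance is only excluded from Guaranteed Availability when every minute of it lies inside a permitted window, and that at most one such maintenance is excluded per month (our reading of “once per month”); anything else counts as Unplanned Outage.

```python
"""Service Availability and remedy calculator for the SLA definitions above.

Added example, not part of the original SLA. Assumptions: outage times are
naive datetimes in CE(S)T; a planned maintenance is excluded from Guaranteed
Availability only when every minute of it lies inside a permitted window, and
at most one such maintenance is excluded per month (our reading of "once per
month"); everything else counts as Unplanned Outage.
"""
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import ceil
from typing import Dict, List

SLA_TARGET_PCT = 99.5   # availability threshold stated in section 1
REFUND_SHARE = 0.10     # 10% of 1/12th of the annual fee (section 2)


@dataclass
class Outage:
    start: datetime   # naive, CE(S)T
    end: datetime
    planned: bool     # True = maintenance/upgrade announced by the provider


def outage(start_iso: str, end_iso: str, planned: bool) -> Outage:
    """Build an Outage from ISO 8601 strings such as '2021-03-10T14:00'."""
    return Outage(datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso), planned)


def in_maintenance_window(t: datetime) -> bool:
    """True if instant t lies inside a permitted maintenance window:
    weekday nights 19:00-08:00 CE(S)T, or the weekend block from Friday 19:00
    to Monday 08:00 (Saturday and Sunday all day)."""
    if t.weekday() in (5, 6):            # Saturday, Sunday
        return True
    return t.hour >= 19 or t.hour < 8    # also covers Fri >= 19:00 and Mon < 08:00


def monthly_availability(year: int, month: int, outages: List[Outage],
                         annual_fee: float) -> Dict[str, float]:
    """Apply the SLA formula to one calendar month and derive the remedy."""
    month_start = datetime(year, month, 1)
    month_end = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    total_minutes = monthrange(year, month)[1] * 24 * 60
    excluded = 0.0        # minutes removed from Guaranteed Availability
    unplanned = 0.0       # Unplanned Outage minutes
    maintenance_used = False
    for o in sorted(outages, key=lambda x: x.start):
        s, e = max(o.start, month_start), min(o.end, month_end)   # clip to the month
        mins = (e - s).total_seconds() / 60
        if mins <= 0:
            continue
        # every minute of the interval must sit inside a permitted window
        inside = all(in_maintenance_window(s + timedelta(minutes=i)) for i in range(ceil(mins)))
        if o.planned and inside and not maintenance_used:
            excluded += mins
            maintenance_used = True
        else:
            unplanned += mins   # off-window or second maintenance counts as an outage
    guaranteed = total_minutes - excluded
    availability = (guaranteed - unplanned) / guaranteed * 100
    refund = REFUND_SHARE * annual_fee / 12 if availability < SLA_TARGET_PCT else 0.0
    return {"guaranteed_minutes": guaranteed, "unplanned_minutes": unplanned,
            "availability_pct": availability, "refund": refund}


# Constructed sample month (March 2021, 31 days = 44640 minutes); not real data.
SAMPLE_OUTAGES = [
    outage("2021-03-06T22:00", "2021-03-07T01:00", planned=True),   # Saturday night: excluded
    outage("2021-03-10T14:00", "2021-03-10T14:45", planned=False),  # Wednesday incident, 45 min
    outage("2021-03-16T10:00", "2021-03-16T10:30", planned=True),   # Tuesday 10:00: off-window, counts
]

if __name__ == "__main__":
    result = monthly_availability(2021, 3, SAMPLE_OUTAGES, annual_fee=12000.0)
    for key, value in result.items():
        print(f"{key}: {value:.2f}")
```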

3.    Updates

  • Periodically, PrivacyPerfect will introduce new features or functionalities in the Service or apply procedural and/or technological changes or improvements. The Service is a one-to-many, SaaS-based service. Hence, introducing updates or upgrades is at the sole discretion of PrivacyPerfect; updates and upgrades will be made available to all PrivacyPerfect customers (depending on the Package availed), and no customer-specific features or functionalities will be implemented without a separate agreement to that effect. In any case, PrivacyPerfect shall gradually incorporate any amendments necessary to adapt its features to legal amendments pertaining to the relevant features in the EU Regulation.

4.    User Support Services

  • PrivacyPerfect will provide first line User Support to Customers by email and telephone regarding the use and functionalities of the Service or organise this support with selected partners. The level of support services depends on the Service Type availed by the Customer as follows:

    (a) Starter Edition: Basic Support – Support on usage of PrivacyPerfect via email;
    (b) Pro Edition: Professional Support – Support on usage of PrivacyPerfect via email and telephone;
    (c) Enterprise Edition: One-on-one Customised Support – Support on usage of PrivacyPerfect via email and telephone and a dedicated Customer Success Manager.
  • User Support is provided on Business Days during regular business hours (from 08:00 to 18:30 CE(S)T). Response times for User Support are on a “best efforts” basis only and no response times are guaranteed.
  • User Support can be contacted via +31 (0)10 31 00 740 or support@privacyperfect.com.
  • In case the Service is unavailable and such unavailability prevents Company from accessing or retrieving Company Data needed for urgent and critical reporting, or for urgent and critical notifications to (data protection) authorities, PP will work to resolve the issue until Customer has gained the necessary access or retrieved the necessary information.

5.    On-Boarding Services

Depending on the Service Type availed by the Customer, PrivacyPerfect will provide on-boarding service to the Customer as detailed below:

(a) Learn the Basics

  • SME Package: 1 hour of remote on-boarding via video conference over the course of 1 week in 2 sessions on one module of choice;
  • Pro Package: up to 6 hours of remote on-boarding via video conference over the course of 4 weeks in 6 sessions on 2 modules of choice;
  • Enterprise Package: up to 12 hours of remote on-boarding via video conference over the course of 8 weeks in 12 sessions on 3 modules of choice.

(b) Dedicated On-boarding

  • SME Package: 1 hour of assistance in data migration using the standard tools available from PrivacyPerfect;
  • Pro Package: up to 2 hours of assistance in data migration using the standard tools available from PrivacyPerfect;
  • Enterprise Package: up to 4 hours of assistance in data migration using the standard tools available from PrivacyPerfect

Support on single sign-on implementations is excluded from the on-boarding and can be obtained separately.

6.    Backups

Backups are stored for a month. PrivacyPerfect creates backups of all data at an interval of 4 hours.

7.    General

PrivacyPerfect shall have no obligations under this SLA during any period in which Customer is in breach of the Agreement.

Data Processing Annex (“DPA”)

This section further develops and explains the obligations assumed by PrivacyPerfect (“PP”) and its Customer by virtue of Section 2 of the PrivacyPerfect Standard Terms and Conditions (“ST”).

1.    Purposes of the processing assignment

PrivacyPerfect, as data processor, will process personal data controlled by the Customer insofar as necessary to provide the Service. The Service consists of a comprehensive software application to create the Customer’s privacy landscape and to enhance compliance with the General Data Protection Regulation. To this effect, the Customer may register personal data operations conducted by the Customer’s organisation, map data flows, register data breaches, maintain records of data subject requests, and create assessments and reports, depending on the Package chosen by the Customer.

Specifically, PrivacyPerfect will process data of Authorised Users of the Service, whether Standard Users or Read-only Users (together referred to as “Authorised Users”). This is necessary to identify, authenticate and contact such Authorised Users and to enable them to use the Service, as well as to trace any log-in and other information needed for support and bug fixing.

PrivacyPerfect may also process personal data of third parties that Authorised Users have entered into the System (as limited in the ST), for the purposes of storage and access when necessary:

  • for providing the Services,
  • for complying with PrivacyPerfect’s obligations under the GDPR,
  • for assisting the Customer in complying with its obligations under the GDPR.

2.    Identification of the affected information

In order to carry out the object of this Service, the Customer, as data controller, will make available to PrivacyPerfect, as data processor, the following information:

  • User identification and authentication information – first name, last name, email address, preferred language and company name.
  • User log in information – username, password and Customer Service tenant
  • User contact information – mobile phone number, work phone number (optionally if the users provide this)

The Customer may also populate the personal information of representatives, clients, customers, or data protection officers of their own organisation or other organisations (besides Authorised Users) as defined in Clause 1.2 of the ST within the System. The personal data categories in this case may include:

  • Name
  • Company name
  • Contact Data – including address, email address, phone number
  • Information on data subject rights requests – including communication with the data subject and details about how the request was addressed or resolved.
  • Information concerning data breaches – including communication with the data subject.

The responsibility for providing notice to the data subjects and, where required, obtaining a legitimate legal ground from them rests solely with the Customer, who is the controller of the personal data processing operations within the System/Service.

3.    Term of the processing

The processing clauses shall be in force during the whole term of the PrivacyPerfect Service Agreement, which is defined in clause 3 of the ST.

Once this Agreement has expired or has been terminated, PP will retain a copy of the personal data contained in the System or other Customer personal data for a period of three years from the date of termination/expiry of the Agreement, or such longer period as required under law. Notwithstanding anything to the contrary contained herein, if the Customer requests in writing the return, deletion or destruction of its personal data held by PP, PP shall either return, delete, anonymise or destroy such personal data, unless it is required to retain the concerned personal data under applicable law.

4.    Obligations of PrivacyPerfect

  • Purpose
    PP shall only process the personal data for the purpose of providing the Service (including support and onboarding services) and for facilitating its improvement. Under no circumstances is personal data used for other purposes, except as required under law.
  • Instructions
    PrivacyPerfect shall process the data according to the instructions of the Customer.

If PP considers that any of the instructions breaches the GDPR or other relevant European Union Data Protection laws, PrivacyPerfect shall immediately inform the Customer.

  • Processing activities
    PrivacyPerfect shall maintain a record of processing activities carried out on behalf of the Customer, containing:
    • The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
    • The categories of processing carried out on behalf of each controller;
    • Where appropriate, transfers of personal data to a third country or international organisation, including the identification of such third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of appropriate guarantees;
    • A general description of the technical and organisational measures, which may consist of:
      a) The pseudonymisation and the encryption of personal data;
      b) The ability to guarantee the confidentiality, integrity, availability and resilience of systems and services;
      c) The ability to restore availability and access to personal data in a timely manner in case of a physical or technical incident;
      d) The process of regularly testing, assessing and evaluating the effectiveness of technical and organisational measures to ensure the security of processing.

  • Transfer of personal data

PrivacyPerfect and all its authorised personnel shall not transfer the personal data uploaded in the System to third parties, unless PP has the express authorisation of the Customer in legally admissible cases and in line with Clause 4.6 of this Data Processing Annex, or if such transfer is necessary in order to deliver the Onboarding and/or Support Services to the Customer.

PrivacyPerfect may transfer the data to other processors of the Customer only in accordance with the instructions given by the Customer. In this case, the Customer shall identify, in advance and in writing, the entity to which PrivacyPerfect shall communicate the data, the type of data that shall be transferred and all the applicable security measures.

  • Investigation

If PrivacyPerfect receives a request from a supervisory authority to provide access to personal data, PrivacyPerfect shall notify Customer immediately. In handling the request, PrivacyPerfect shall observe Customers’ instructions, if any, and provide all reasonably required cooperation.

  • Subprocessing

PrivacyPerfect may subcontract any operation of its System (i) to any third-party company identified in the subprocessor list contained in Appendix B or (ii) to any other subcontractor by notifying the Customer in writing after the conclusion of the Agreement. In this latter case, PrivacyPerfect will commence making data available to the subcontractor at least 10 business days after the notification to the Customer.

Any subprocessor or subcontractor, who will also have the status of processor, shall guarantee the same level of data protection as set out in this document between PrivacyPerfect and the Customer. PP is obliged to execute a new data processing agreement with the subcontractor, by virtue of which the subcontractor shall comply with the same obligations and with the same formal requirements with regards to the adequate processing of personal data and to guarantee the rights of data subjects.

  • Confidentiality
    PrivacyPerfect shall ensure that persons authorised to process personal data have
    (i) committed themselves in writing to confidentiality or are under appropriate statutory obligation of confidentiality and
    (ii) committed themselves in complying with the relevant security measures.
  • Training
    PrivacyPerfect shall ensure that the necessary training on data protection has been given to the people authorised to process personal data.
  • Assistance with data subject right requests
    When appropriate, PP and its authorised personnel shall assist the Customer in responding to requests by data subjects exercising the rights of:
    • Access;
    • Rectification;
    • Erasure;
    • Restriction of processing;
    • Data portability;
    • Objection to processing;
    • Not being subject to automated individual decision-making (including profiling).

When data subjects exercise the rights of access, rectification, erasure, restriction of processing, data portability, objection to processing and the right not to be subject to automated individual decision making, PP shall communicate this by sending an e-mail to the address indicated by the Customer for this purpose. The communication shall be made immediately and without undue delay following the receipt of the request, together with, when appropriate, other information that may be relevant to address the request.

  • Notification of a personal data breach

PP shall notify the Customer without undue delay, and in any case within 72 hours, through either a written notification or a system alert, of any breach of the security of the personal data under its control, together with all relevant information for the documentation and communication of the incident.

If available, the following information shall be provided to Customer:

  1. Description of the nature of the personal data breach, including, where possible, the categories and the approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
  2. The name and contact details of the data protection officer or other contact point where more information can be obtained;
  3. Description of the likely consequences of the personal data breach;
  4. Description of the measures taken or proposed to be taken by the Customer to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. The Customer is obliged to notify the personal data breach to the supervisory authority, and to the data subjects when this is required by the applicable data protection legislation.

  • Assistance with DPIAs
    PP and its authorised personnel shall provide support to the Customer in conducting impact assessments concerning data protection, where appropriate.
  • Assistance with consultations
    PP and its authorised personnel shall provide support to the Customer in conducting prior consultations to the relevant data protection authority, where appropriate.
  • Audits
    PP shall make available to the Customer all the information necessary to demonstrate compliance with their obligations, and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, when communicated reasonably in advance.
  • Technical and organisational security measures
    PP shall implement the following security measures:
    • The regular (at least yearly) assessment by an external party of the security of the PrivacyPerfect application, including, among other things, penetration testing;
    • The use of the latest releases of software libraries to ensure all security fixes are in place;
    • The use of a certified hosting provider (ISO 27001 and ISO 9001);
    • The use of 256-bit AES encryption and 2048-bit SSH network tunnels;
    • Ensuring high availability, confidentiality, integrity, and resilience of the system;
    • Backup and restore facilities.

Appendix B

Subprocessor list

These are the current subprocessors in relation to the System:

  • ProServe B.V.
    Chamber of Commerce ID: 24310353
    Belonging to Privacy Agent B.V. Group: No
    Address: Oostmaaslaan 71, 3063 AN Rotterdam
    Nature of subprocessing operations: Hosting
    Commencement of subprocessing: November 23, 2018
  • CloudVPS B.V.
    Chamber of Commerce ID: 24404163
    Belonging to Privacy Agent B.V. Group: No
    Address: Oostmaaslaan 71, 3063 AN Rotterdam
    Nature of subprocessing operations: Hosting
    Commencement of subprocessing: November 23, 2018