INDEX
Service Description Documentation
Name of the service
Description of the service
Compatibility requirements
Functionalities
Data and hosting
Service and support
Website
Contact us
Appendix A
Service Level Agreement (“SLA”)
1. Service Availability
2. Remedy
3. Updates
4. User Support Services
5. On-Boarding Services
6. Backups
7. General
Data Processing Annex (“DPA”)
1. Purpose of the processing assignment
2. Identification of the affected information
3. Term of the processing
4. Obligations of PrivacyPerfect
Appendix B
Last updated: July 29, 2020
1. Name of the service
The name of the Service is PrivacyPerfect and this is a registered trade name of PrivacyAgent B.V., a limited liability company established under the laws of The Netherlands, whose contact data you may find in the “Contact us” section.
2. Description of the service
PrivacyPerfect is a comprehensive software application to create your organisation’s privacy landscape and enhance compliance with the General Data Protection Regulation by registering personal data operations conducted by the Customer, mapping data flows, and creating assessments and reports.
PrivacyPerfect is offered as a Software as a Service (SaaS) solution based on a one-to-many cloud model. Customers access the Service on servers controlled by PrivacyPerfect and the Service is updated and data is backed up by PrivacyPerfect. All customers are on the same version of the Service, on the same infrastructure and all use the same security configurations. Therefore, unlike on-premise application service providers, PrivacyPerfect cannot offer a customisable model where each customer is treated differently, except to the extent provided in the Package availed by the Customer. The advantage is that PrivacyPerfect’s one-to-many business model is more cost-effective: all customers are on the same release; costly and disruptive local upgrades are avoided.
3. Compatibility requirements
PrivacyPerfect is a SaaS solution that will work on every modern desktop computer or laptop with an internet connection and medium-to-high security settings. It has been tested to work with the following browsers:
- Firefox version 44 (released January 2016) and above
- Chrome version 47 (released December 2015) and above
- Safari version 9 (released September 2015) and above
- Edge version 21 (released June 2015) and above
Older browsers might work (including, currently, Internet Explorer 11, to a certain extent), but we strongly recommend you use the latest browser version available at all times to reduce any general security risk the use of older browsers may incur. Also, we cannot guarantee that PrivacyPerfect access via old browsers will provide all functions accessible through the browser versions listed above.
4. Functionalities
Customer can decide to avail specific functionalities of our Service depending on the Package. A specified set of functionalities is referred to as a Service Type further detailed in the table attached hereto as Appendix A, which can be unilaterally updated from time to time by PrivacyPerfect, as long as it does not materially alter the Service provided to the Customer.
Irrespective of whether the Customer has access to more functionalities than agreed to under the Service Type, it is hereby understood and agreed that the Customer shall only be entitled to use the functionalities that are part of the Service Type availed by the Customer. Access to any other functionalities does not create any additional usage or other rights on the part of the Customer over these functionalities, unless specifically agreed to in writing.
The following is a description of all the current functionalities available in PrivacyPerfect:
Name of functionality | Description
Add/edit assessment | Create or edit assessments with characteristics such as pre-assessment, processing description, necessity and proportionality, data subject rights, security controls, threat-impact assessments, accountability, and risks and mitigating measures for each relevant section of the assessment, and include relevant attachments.
Add/edit breach | Create or edit breaches with characteristics such as name, breach properties, impacts, mitigating measures, consequences for data subjects and notifications.
Add/edit processing | Create or edit processing records with characteristics such as name, purpose, processing and transfer grounds, personal data, data sources, retention terms, and attachments.
API | Application programming interface that allows the Service to be linked to, or communicate with, other services.
Audit Trail | The audit trail contains an overview of all events taking place in the PrivacyPerfect Customer tenant.
Data Group Editor | Allows the grouping of related data items. A group consists of one or more items chosen from different fields that relate to each other.
Data Import | Import previously created privacy records into the Service platform. This is done by means of an “import sheet” provided by PrivacyPerfect and filled in by the Customer.
Embedded Document Management | Upload documents to attach to Customer’s privacy records. Previously uploaded documents are saved in the Service platform and can be attached to multiple records.
Environment | Model your organisation’s hierarchy and model other organisations’ hierarchies.
Graphical View | Graphical view of the different elements of a processing operation as recorded in the processing records.
Languages | The Service is available in more than one language, and the user may choose the language from the list of languages offered by the System. Currently available: Dutch, English, French, German, Spanish, Portuguese, Japanese and Chinese. We are in the process of upgrading the Service to also include Danish, Italian, Norwegian, Swedish, Turkish and Greek.
Legal grounds pre-loaded | GDPR-based legal grounds/bases for processing personal data, transferring personal data and/or data breaches are pre-defined in a list.
Legal roles | Define GDPR-based legal roles in processing records: controllers, processors (including processor hierarchy), executing entities, and data recipients.
Link to processor and controller agreements | Add links to applicable processor and controller agreements within the privacy records.
Multi-factor authentication | Additional security by making MFA optional or obligatory for each of the user roles.
Overview of privacy records | Table view of the three types of privacy records, with filtering on type and status.
Pre-filled Templates* | Pre-filled examples/templates of processing records to reuse as applicable.
Promote privacy | To reflect the relation between the contents of an assessment, processing and/or breach record, it is possible to promote parts of its content between assessments and processing records, and from processing records to breaches.
Reports | Configurable processing, assessment and breach overview reports.
Reuse building blocks | Organisations, entities, personal data items, and data sources can be reused across a customer tenant once they have been introduced in one of the privacy records.
Risk Identification | Toggle view to see whether the privacy records contain risks in line with the requirements of the GDPR.
Security Report | Outcome of a security and penetration test performed on a regular basis by an external, independent provider.
Single Sign On (SSO) | SSO lets users access the Service platform without the need for an extra user ID/password combination. Instead, users authenticate on the internal company network.
Templates | Save processing records as templates to reuse their contents.
User and role management | Create new users and assign roles (administrator, chief privacy officer, privacy officer, Business User and Read-only User).
View processings | View processing characteristics in table or graphical view.
White labelling | Possibility to change the appearance of PrivacyPerfect with a customer logo and colour.
Workflows | Built-in status-based workflow. It uses four of the “Status” field values as workflow triggers.
*Disclaimer
The Pre-filled Templates shall not be construed as legal advice, and PrivacyPerfect does not warrant their legal accuracy. The Customer is solely responsible for complying with the requirements of the GDPR and associated rules, regulations and guidelines, and for obtaining expert legal advice as necessary.
5. Data and hosting
PrivacyPerfect offers the possibility to register personal data operations conducted by the organisation, map data flows, make assessments and create reports. PP warrants that it shall not store, register, or otherwise process personal data in the Service, except to the extent necessary to provide the Service.
All application services and data uploaded to the System are hosted within the European Union (‘EU’) by a Dutch provider of Infrastructure as a Service. Our provider has ISO 9001 (quality management) and 27001 (security management) certification.
At the expiration or termination of the Service (unless the termination is caused by a breach by the Customer), Customer will upon request obtain a copy of all information regarding its data processing procedures as uploaded into the Service, which PrivacyPerfect shall make available in .csv format, or any other format available within the Service at the given point in time.
6. Service and support
PP offers extensive support and service levels in accordance with the Service Type availed by the Customer. More information on service and support can be found in our Service Level Agreement (SLA).
7. Website
Visit our website www.privacyperfect.com to find out more about PrivacyPerfect.
8. Contact us
PrivacyPerfect has its headquarters in Rotterdam, The Netherlands.
Our corporate name is PrivacyAgent B.V.
Our registered offices are:
Stationsplein 45, 4th Floor
3013 AK Rotterdam
The Netherlands
+31 10 31 00 740
VAT number: NL8531.85.566.B01
Chamber of Commerce number: 58796576
You can also contact us at: support@privacyperfect.com
Appendix A
Service Types
Service Type | Functionalities and Support Services

SME
- Languages – English and 1 other language as per the preference of the Customer from the list of available languages in the System
- Add/edit Processings – up to 50 records
- Pre-filled templates – 10 templates
- Templates
- View Processings
- Overview of Privacy Records
- Reuse building blocks
- Legal Roles
- Data group editor
- Legal grounds pre-loaded
- Environment
- Link to your processor and controller agreements
- Onboarding program – duration 1 hour – learn the basics
- Basic Support from our Customer Service
- Data import into the System

Pro
- Languages – English and 1 other language as per the preference of the Customer from the list of available languages in the System
- Add/edit Processings – up to 250 records
- Pre-filled templates – 25 templates
- Risk Identification
- Graphical view to show how personal data is collected
- Data group editor
- Legal grounds pre-loaded
- Link to your processor and controller agreements
- Embedded document management
- Add/edit Assessments or Breaches – Customer can choose either Assessments or Breaches
- Audit Trail
- Reports
- Role management
- Workflows
- Onboarding Program – 4 hours dedicated onboarding
- Professional support from our Customer Service
- Data import into the System

Enterprise
- Languages – All available languages
- Processings – Unlimited records
- Pre-filled templates – Unlimited templates
- Risk Identification
- Graphical view to show how personal data is collected
- Data group editor
- Legal grounds pre-loaded
- Link to your processor and controller agreements
- Embedded document management
- Add/edit Assessments
- Add/edit Breaches
- Audit trail
- Reports
- Role management
- Workflows
- Single Sign-On (SSO)
- Multi-factor authentication (MFA)
- Security report
- White labelling
- API
- Onboarding Program – 12 hours dedicated onboarding
- One on one customized support with a Customer Success Manager
- Data import into the System
Service Level Agreement (“SLA”)
This Service Level Agreement (“SLA”) is subject to and part of the PrivacyPerfect Service Agreement between PrivacyPerfect and Customer. Capitalised terms, unless otherwise defined herein, shall have the same meaning as in the PrivacyPerfect Standard Terms and Conditions of Application.
1. Service Availability
- The following terms, indicated with a capital letter, shall have the following meaning:
Guaranteed Availability: the total number of minutes in the month minus those in which the Service is unavailable because of (i) maintenance or upgrading operations taking place once per month, on weekdays from 19:00 to 08:00 CE(S)T or at the weekend from 19:00 Friday to 08:00 Monday CE(S)T; and/or (ii) force majeure or other circumstances beyond PP’s reasonable control.
Unplanned Outage: the total of minutes for which the Service is not available during the time of Guaranteed Availability.
- PrivacyPerfect’s Service shall be available for 99,5% of the Guaranteed Availability for any given calendar month. Service Availability is calculated per month as follows:
Service Availability (%) = (Guaranteed Availability - Unplanned Outage) / Guaranteed Availability x 100
2. Remedy
- If Service Availability falls in any month below 99,5% of the Guaranteed Availability, PP will refund an amount equal to 10% of 1/12th of the paid annual fee for such month. If this happens for 3 consecutive months, Customer will be entitled to terminate the Agreement within 30 days of this being verified (no other indemnity applying).
- If any other warranty is breached, PrivacyPerfect shall correct it at no additional charge or shall otherwise be subject to such liability as applicable under Standard Terms and Conditions of Application of the PrivacyPerfect Service Agreement.
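The availability formula in section 1 and the remedy rules in section 2, carried through as an added worked example (not part of the SLA or of PrivacyPerfect’s own tooling). It assumes naive CE(S)T timestamps, that “once per month” means only the first planned outage lying wholly inside a permitted maintenance window is exempt (any other downtime, planned or not, is Unplanned Outage), and that the refund is rounded to cents; the outage records and annual fee are constructed.

```python
from __future__ import annotations
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta

SLA_TARGET_PCT = 99.5  # Service Availability threshold from SLA sections 1 and 2


@dataclass
class Outage:
    start: datetime        # naive local CE(S)T time (assumption)
    end: datetime          # exclusive
    planned: bool = False  # announced maintenance/upgrade work


def in_maintenance_window(t: datetime) -> bool:
    """Minute t lies in a permitted window: weeknight 19:00-08:00 or
    weekend Friday 19:00 - Monday 08:00 CE(S)T (section 1(i))."""
    return t.weekday() >= 5 or t.hour >= 19 or t.hour < 8


def classify_month(outages: list[Outage], year: int, month: int) -> tuple[int, int]:
    """Return (Guaranteed Availability, Unplanned Outage) in minutes.

    Only the first planned outage that sits entirely inside a permitted window is
    exempt (assumed reading of "once per month"); everything else, including
    planned work at other times, counts as Unplanned Outage.
    """
    exempt = 0
    unplanned = 0
    maintenance_used = False
    for o in sorted(outages, key=lambda o: o.start):
        minutes = int((o.end - o.start).total_seconds() // 60)
        inside = all(in_maintenance_window(o.start + timedelta(minutes=i))
                     for i in range(minutes))
        if o.planned and inside and not maintenance_used:
            exempt += minutes
            maintenance_used = True
        else:
            unplanned += minutes
    month_minutes = calendar.monthrange(year, month)[1] * 24 * 60
    return month_minutes - exempt, unplanned


def service_availability_pct(guaranteed: int, unplanned: int) -> float:
    # (Guaranteed Availability - Unplanned Outage) / Guaranteed Availability x 100
    return (guaranteed - unplanned) / guaranteed * 100


def monthly_refund(availability_pct: float, annual_fee: float) -> float:
    """Section 2: 10% of 1/12th of the paid annual fee for a month below target."""
    return round(annual_fee / 12 * 0.10, 2) if availability_pct < SLA_TARGET_PCT else 0.0


def termination_right(monthly_pcts: list[float]) -> bool:
    """Section 2: three consecutive months below target entitle the Customer to terminate."""
    run = 0
    for pct in monthly_pcts:
        run = run + 1 if pct < SLA_TARGET_PCT else 0
        if run == 3:
            return True
    return False


def sample_report() -> dict:
    """Constructed July 2020 outage records (not real data) with a 12,000 annual fee."""
    outages = [
        Outage(datetime(2020, 7, 7, 21, 0), datetime(2020, 7, 7, 23, 0), planned=True),   # Tue night: exempt
        Outage(datetime(2020, 7, 15, 10, 0), datetime(2020, 7, 15, 14, 0)),               # daytime incident
        Outage(datetime(2020, 7, 23, 14, 0), datetime(2020, 7, 23, 15, 0), planned=True),  # planned, but daytime
    ]
    guaranteed, unplanned = classify_month(outages, 2020, 7)
    pct = service_availability_pct(guaranteed, unplanned)
    return {"guaranteed": guaranteed, "unplanned": unplanned,
            "availability_pct": round(pct, 2), "refund": monthly_refund(pct, 12_000)}


if __name__ == "__main__":
    print(sample_report())
```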
3. Updates
- Periodically, PrivacyPerfect will introduce new features or functionalities in the Service or apply procedural and/or technological changes or improvements. Because the Service is a one-to-many, SaaS-based service, updates and upgrades are introduced at the sole discretion of PrivacyPerfect and made available to all PrivacyPerfect customers (depending on the Package availed); no customer-specific features or functionalities will be implemented without a separate agreement to that effect. In any case, PrivacyPerfect shall gradually incorporate any amendments necessary to adapt its features to legal amendments pertaining to the relevant features in the EU Regulation.
4. User Support Services
- PrivacyPerfect will provide first line User Support to Customers by email and telephone regarding the use and functionalities of the Service or organise this support with selected partners. The level of support services depends on the Service Type availed by the Customer as follows:
(a) Starter Edition: Basic Support – Support on usage of PrivacyPerfect via email;
(b) Pro Edition: Professional Support – Support on usage of PrivacyPerfect via email and telephone;
(c) Enterprise Edition: One-on-one Customised Support – Support on usage of PrivacyPerfect via email and telephone and a dedicated Customer Success Manager.
- User Support is provided on Business Days during regular business hours (from 08:00 to 18:30 CE(S)T). Response times for User Support are based on “best efforts” only and no response times are guaranteed.
- User Support can be contacted via +31 (0)10 31 00 740 or support@privacyperfect.com.
- In case the Service is unavailable and such unavailability prevents Company from accessing or retrieving Company Data needed for urgent and critical reporting, or for urgent and critical notifications to (data protection) authorities, PP will work to resolve the issue until Customer has gained the necessary access or retrieved the necessary information.
5. On-Boarding Services
Depending on the Service Type availed by the Customer, PrivacyPerfect will provide on-boarding service to the Customer as detailed below:
(a) Learn the Basics
- SME Package: 1 hour of remote on-boarding via video conference over the course of 1 week in 2 sessions on one module of choice;
- Pro Package: up to 6 hours of remote on-boarding via video conference over the course of 4 weeks in 6 sessions on 2 modules of choice;
- Enterprise Package: up to 12 hours of remote on-boarding via video conference over the course of 8 weeks in 12 sessions on 3 modules of choice.
(b) Dedicated On-boarding
- SME Package: 1 hour of assistance in data migration using the standard tools available from PrivacyPerfect;
- Pro Package: up to 2 hours of assistance in data migration using the standard tools available from PrivacyPerfect;
- Enterprise Package: up to 4 hours of assistance in data migration using the standard tools available from PrivacyPerfect.
Support on single sign-on implementations is excluded from the on-boarding and can be obtained separately.
6. Backups
Backups are stored for a month. PrivacyPerfect creates backups of all data at an interval of 4 hours.
7. General
PrivacyPerfect shall have no obligations under this SLA during any period in which Customer is in breach of the Agreement.
Data Processing Annex (“DPA”)
This section further develops and explains the obligations assumed by PrivacyPerfect (“PP”) and its Customer by virtue of Section 2 of the PrivacyPerfect Standard Terms and Conditions (“ST”).
1. Purposes of the processing assignment
PrivacyPerfect, as data processor, will process personal data controlled by the Customer insofar as necessary to provide the Service. The Service consists of a comprehensive software application to create the Customer’s privacy landscape and to enhance compliance with the General Data Protection Regulation. To this effect, Customer may register personal data operations conducted by Customer’s organisation, map data flows, register data breaches, maintain records of data subject requests, and create assessments and reports, depending on the Package chosen by the Customer.
Specifically, PrivacyPerfect will process data of Authorised Users of the Service, whether Standard Users or Read-only Users (together referred to as “Authorised Users”). This is necessary to identify, authenticate and contact such Authorised Users and to enable them to use the Service, as well as to trace any log-in and other information needed for support and bug fixing.
PrivacyPerfect may also process personal data of third parties that Authorised Users have entered into the System (as limited in the ST), for the purposes of storage and access when necessary:
- for providing the Services,
- for complying with PrivacyPerfect’s obligations under the GDPR,
- for assisting the Customer in complying with its obligations under the GDPR.
2. Identification of the affected information
In order to carry out the object of this Service, the Customer, as data controller, will make available to PrivacyPerfect, as data processor, the following information:
- User identification and authentication information – first name, last name, email address, preferred language and company name.
- User log in information – username, password and Customer Service tenant
- User contact information – mobile phone number, work phone number (optionally if the users provide this)
The Customer may also populate the personal information of representatives, clients, customers, or data protection officers of their own organisation or other organisations (besides Authorised Users) as defined in Clause 1.2 of the ST within the System. The personal data categories in this case may include:
- Name
- Company name
- Contact Data – including address, email address, phone number
- Information on data subject rights requests – including communication with the data subject and details about how the request was addressed or resolved.
- Information concerning data breaches – including communication with the data subject.
The responsibility for providing notice and obtaining a legitimate legal ground if required, from the data subjects, rests solely with the Customer, who is the controller of the personal data processing operations within the System/Service.
3. Term of the processing
The processing clauses shall be in force during the whole term of the PrivacyPerfect Service Agreement, which is defined in clause 3 of the ST.
Once this Agreement has expired or has been terminated, PP will retain a copy of the personal data contained in the System or other Customer personal data for a period of three years from the date of termination/expiry of the Agreement or such longer period as required under law. Notwithstanding anything to the contrary contained here, if the Customer requests in writing, for the return/ deletion/destruction of its personal data with PP, PP shall either return, delete, anonymise or destroy such personal data, unless it is required to retain the concerned personal data under applicable law.
4. Obligations of PrivacyPerfect
- Purpose
PP shall only process the personal data for the purpose of providing the Service (including support and onboarding services) and for facilitating its improvement. Under no circumstances is personal data used for other purposes, except as required under law.
- Instructions
PrivacyPerfect shall process the data according to the instructions of the Customer.
If PP considers that any of the instructions breaches the GDPR or other relevant European Union Data Protection laws, PrivacyPerfect shall immediately inform the Customer.
- Processing activities
PrivacyPerfect shall maintain a record of processing activities carried out on behalf of the Customer, containing:
- The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;
- The categories of processing carried out on behalf of each controller;
- Where appropriate, transfers of personal data to a third country or international organisation, including the identification of such third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49 (1) of the GDPR, the documentation of appropriate guarantees;
- A general description of the technical and organisational measures which may consist of:
b) The ability to guarantee the confidentiality, integrity, availability and resilience of systems and services;
c) The ability to restore availability and access to personal data in a timely manner in case of a physical or technical incident;
d) The process of regularly testing, assessing and evaluating the effectiveness of technical and organisational measures to ensure the safety of processing.
- Transfer of personal data
PrivacyPerfect and all its authorised personnel shall not transfer the personal data uploaded in the System, to third parties, unless PP has the express authorisation of the Customer in legally admissible cases, and in line with Clause 4.6 of this Data Processing Annex, or if such transfer is necessary in order to deliver the Onboarding and/or Support Services to the Customer.
PrivacyPerfect can transfer the data to the other processors of the Customer only in accordance with the instructions given by the Customer. In this case, the Customer shall identify, in advance and in writing, the entity to which PrivacyPerfect shall communicate the data, the type of data that shall be transferred and all the applicable security measures.
- Investigation
If PrivacyPerfect receives a request from a supervisory authority to provide access to personal data, PrivacyPerfect shall notify Customer immediately. In handling the request, PrivacyPerfect shall observe Customers’ instructions, if any, and provide all reasonably required cooperation.
- Subprocessing
PrivacyPerfect may subcontract any operation of its System (i) to any third company identified in the subprocessor list contained in Appendix B or (ii) to any other subcontractor by notifying this in writing to the Customer after the conclusion of the Agreement. In this latter case, PrivacyPerfect will commence making data available to the subcontractor no earlier than 10 business days after the notification to the Customer.
Any subprocessor or subcontractor, who will also have the status of processor, shall guarantee the same level of data protection as set out in this document between PrivacyPerfect and the Customer. PP is obliged to execute a new data processing agreement with the subcontractor, by virtue of which the subcontractor shall comply with the same obligations and with the same formal requirements with regards to the adequate processing of personal data and to guarantee the rights of data subjects.
- Confidentiality
PrivacyPerfect shall ensure that persons authorised to process personal data have
(i) committed themselves in writing to confidentiality or are under an appropriate statutory obligation of confidentiality, and
(ii) committed themselves to complying with the relevant security measures.
- Training
PrivacyPerfect shall ensure that necessary training on data protection has been given to the people authorised to process personal data.
- Assistance with data subject right requests
When appropriate, PP and its authorised personnel shall assist the Customer in providing answers to the exercise of the data subject rights of:
- Access,
- Rectification,
- Erasure
- Restriction of processing
- Data portability
- Objection to processing
- Not to be subject to automated individual decision-making (including profiling)
When data subjects exercise the rights of access, rectification, erasure, restriction of processing, data portability, objection to processing and the right not to be subject to automated individual decision making, PP shall communicate this by sending an e-mail to the address indicated by the Customer for this purpose. The communication shall be made immediately and without undue delay following the receipt of the request, together with, when appropriate, other information that may be relevant to address the request.
- Notification of a personal data breach
PP shall notify the Customer without undue delay and in any case before the deadline of 72 hours, through either written notification or a system alert, of any breaches of the security of the personal data under its control, together with all relevant information for the documentation and communication of the incident.
If available, the following information shall be provided to Customer:
- Description of the nature of the personal data breach, including, where possible, the categories and the approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
- The name and contact details of the data protection officer or other contact point where more information can be obtained;
- Description of the likely consequences of the personal data breach;
- Description of the measures taken or proposed to be taken by the Customer to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. The Customer is obliged to notify the personal data breach to the supervisory authority, and to the data subjects when this is required by the applicable data protection legislation.
- Assistance with DPIAs
PP and its authorised personnel shall provide support to the Customer in conducting impact assessments concerning data protection, where appropriate.
- Assistance with consultations
PP and its authorised personnel shall provide support to the Customer in conducting prior consultations with the relevant data protection authority, where appropriate.
- Audits
PP shall make available to the Customer all the information necessary to demonstrate compliance with its obligations, and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, when communicated reasonably in advance.
- Technical and organisational security measures
PP shall implement the following security measures:
- The regular (at least yearly) assessment by an external party of the security of the PrivacyPerfect application, including penetration testing;
- The use of the latest releases of software libraries to ensure all security fixes are in place;
- The use of a certified hosting provider (ISO 27001 and ISO 9001);
- The use of 256-bit AES encryption and 2048-bit SSH network tunnels;
- Ensuring high availability, confidentiality, integrity, and resilience of the system;
- Backup and restoring facilities.
Appendix B
Subprocessor list
These are the current subprocessors in relation to the System:
Name of subprocessor | Chamber of Commerce ID | Belonging to Privacy Agent B.V. Group | Address | Nature of subprocessing operations | Commencement of subprocessing
ProServe B.V. | 24310353 | No | Oostmaaslaan 71, 3063 AN Rotterdam | Hosting | November 23, 2018
CloudVPS B.V. | 24404163 | No | Oostmaaslaan 71, 3063 AN Rotterdam | Hosting | November 23, 2018