Data Protection Addendum

Version 2.4. Last updated 3rd October 2022

Our Data Protection Addendum is an agreement that sets out the legal framework under which OnceHub processes personal data. The Data Protection Addendum is an addendum to, and forms part of, our Master Services Agreement.

  1. Introduction
    1. This Data Protection Addendum (the "DPA") forms part of the Master Services Agreement (the "MSA") between OnceHub and you, the Customer, to reflect the parties’ agreement with regards to the Processing of Personal Data.
    2. By signing the MSA, Customer enters into this DPA on behalf of itself and, if applicable, its Authorized Affiliates to the extent that OnceHub processes Personal Data on behalf of Customer or Authorized Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the term "Customer" shall include Customer and Authorized Affiliates.
    3. This DPA is entered into and becomes a binding part of the MSA with effect from the date the MSA, or an agreement into which this DPA is incorporated by reference, was entered into.
  2. Definitions
    1. Capitalized terms have the definitions as set forth below or inline in this Agreement.
      1. "Affiliate" means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with the subject entity, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
      2. "Application Data" means all data, including text, sound or image files that are provided to OnceHub by, or on behalf of, Customer through Customer’s use of the Services, including Personal Data, but excluding Usage Data.
      3. "Authorized Affiliate" means any of Customer’s Affiliate(s) which is permitted to use the Services pursuant to the Agreement between Customer and OnceHub, but has not entered into a separate MSA with OnceHub.
      4. "CCPA" means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
      5. "Controller" means the entity which determines the purposes and means of the Processing of Personal Data.
      6. "Data Protection Law" means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the MSA.
      7. "Data Subject" means the identified or identifiable person to whom Personal Data relates.
      8. "GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
      9. "Non-OnceHub Application" means any application, software, plug-in, or other software application functionality that interoperates with the Services and is provided by Customer or a third party.
      10. "OnceHub" means OnceHub Inc., 2093 Philadelphia Pike #5585, Claymont, DE 19703, USA and its Affiliates.
      11. "Personal Data" means any information relating to
        1. An identified or identifiable natural person; or
        2. An identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations),
        where for each (i) or (ii), such data is Application Data.
      12. "Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
      13. "Processor" means the entity which Processes Personal Data on behalf of the Controller.
      14. "Services" means the products and services that are ordered by Customer pursuant to the MSA.
      15. "Standard Contractual Clauses" means the agreement executed by and between Customer and OnceHub and pursuant to the European Commission’s decision (C(2021)3972) of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
      16. "Subprocessor" means any person or legal entity appointed by or on behalf of OnceHub to Process Personal Data on behalf of Customer in connection with the Master Services Agreement.
      17. "Supervisory Authority" means an independent public authority which is established by an EU Member State pursuant to the GDPR.
      18. "Usage Data" means information about your use of the Services, including for example through analysis of patterns and trends, that is stored in an anonymized, pseudonymized, de-personalized or aggregated form in accordance with applicable privacy laws.
  3. Authorized Affiliates
    1. The parties acknowledge and agree that, by executing the MSA, the Customer enters into this DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between OnceHub and each such Authorized Affiliate subject to the provisions of the MSA and this clause 3.
    2. The Customer that is the contracting party to the MSA shall remain responsible for coordinating all communication with OnceHub under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
    3. Where an Authorized Affiliate becomes a party to this DPA with OnceHub, it shall to the extent required under applicable Data Protection Law be entitled to exercise the rights and seek remedies under this DPA.
    4. Except where applicable Data Protection Laws require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against OnceHub directly by itself, the parties agree that:
      1. Solely the Customer that is the contracting party to the MSA shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate; and
      2. The Customer that is the contracting party to the MSA shall exercise any such rights under this DPA not separately for each Authorized Affiliate individually but in a combined manner for itself and all of its Affiliates together.
  4. Processing of data
    1. The parties acknowledge and agree that:
      1. With regard to the Processing of Personal Data, Customer is the Controller, and OnceHub is the Processor and that OnceHub has no direct control or ownership of Personal Data that it processes; and
      2. OnceHub will engage Subprocessors pursuant to the requirements in clauses 10 and 11.
  5. Subject matter of Processing of Personal Data
    1. The subject matter of Processing of Personal Data by OnceHub is the performance of the Services pursuant to the MSA. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Appendix 1, "Details of the Processing" to this DPA.
  6. Responsibilities of each party
    1. Customer shall:
      1. At all times, in its use of the Services, Process Personal Data in compliance with applicable Data Protection Law. For the avoidance of doubt:
        1. Customer shall have sole responsibility for complying with Data Protection Law that requires providing notice, disclosure, or obtaining consent prior to transferring Personal Data to OnceHub for processing purposes;
        2. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data that Customer or Customer’s end users submit to OnceHub Services;
        3. Customer specifically acknowledges that its use of the Services will not violate the rights of any Data Subject that has opted out from sales or other disclosures of Personal Data, to the extent applicable under the CCPA; and
        4. Customer shall ensure that OnceHub’s processing of Personal Data in accordance with Customer’s instructions will not cause OnceHub to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Law.
    2. OnceHub shall:
      1. Only Process Personal Data on behalf of, and in accordance with Customer’s documented instructions for the following purposes:
        1. Processing in accordance with the MSA;
        2. Processing initiated by users in their use of OnceHub Services; and
        3. Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the MSA.
      2. Treat Personal Data as Confidential Information;
      3. Not sell, rent, lease, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, Personal Data to another business, person, or third party for monetary or other valuable consideration; and
      4. Inform Customer if it becomes aware or reasonably believes that Customer’s data processing instructions violate applicable Data Protection Law.
  7. Confidentiality
    1. OnceHub shall ensure that its employees who may process Personal Data are informed of the confidential nature of the data, and have received appropriate training on their responsibilities and are subject to confidentiality undertakings which shall survive the termination of the personal engagement.
    2. OnceHub shall take commercially reasonable steps to ensure the reliability of any OnceHub personnel engaged in the processing of Personal Data.
  8. Return and deletion of data
    1. OnceHub will, to the extent permitted by applicable law, delete all your account and Application Data in accordance with the procedures and timeframes specified in our deletion schedule, as updated from time to time and made available on our website https://www.oncehub.com/trustcenter/data.
  9. Security
    1. OnceHub shall maintain appropriate technical and organizational measures for protection of the security, including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, and the confidentiality and integrity of Application Data, as detailed in the MSA and in the Trust Center on the OnceHub website.
    2. Customer is responsible for reviewing the information OnceHub makes available regarding its data security, including its audit reports, and making an independent determination as to whether the Services meet the Customer’s requirements and legal obligations, including its obligations under applicable Data Protection Law and this DPA. Customer is further responsible for properly configuring the Services and using available features and functionalities to maintain appropriate security in light of the nature of the data processed by Customer’s use of the Services.
    3. OnceHub will not materially decrease the overall security of the Services during a subscription term.
  10. Data Incident
    1. OnceHub will notify Customer via email to the email address of the Administrator as recorded in the Services by the Customer, no later than 48 hours after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Application Data, including Personal Data, transmitted, stored or otherwise Processed by OnceHub or its Subprocessors of which OnceHub becomes aware (a "Data Incident").
    2. OnceHub will make reasonable efforts to identify and remediate the cause of such Data Incident, to the extent that remediation is within OnceHub’s reasonable control. OnceHub will provide reasonable assistance to Customer in the event that Customer is required under Data Protection Law to notify a Supervisory Authority or any data subjects of the Data Incident.
    3. Customer agrees that:
      1. An unsuccessful Data Incident will not be subject to this clause 10. An unsuccessful Data Incident is one that results in no unauthorized access to Application Data or to any of OnceHub’s equipment or facilities storing Application Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents; and
      2. OnceHub’s obligation to report or respond to a Data Incident under this clause 10 is not and will not be construed as an acknowledgement by OnceHub of any fault or liability of OnceHub with respect to the unsuccessful Data Incident.
    4. The obligations herein shall not apply to Data Incidents that are caused by Customer or Customer’s end users.
  11. Subprocessors
    1. Customer agrees that:
      1. Customer provides a general consent to OnceHub to engage Subprocessors conditional on the requirements of clauses 11 and 12 herein;
      2. OnceHub’s Affiliates may be retained as Subprocessors; and
      3. OnceHub may continue to use those Subprocessors already engaged by OnceHub as at the date of this DPA as listed on the Subprocessor page on OnceHub’s web site, "the Subprocessor List".
    2. Where OnceHub authorizes any Subprocessor in accordance with clause 11.1, OnceHub agrees:
      1. That before the Subprocessor first Processes Customer Data, OnceHub shall carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Customer Data required by this DPA and the MSA;
      2. OnceHub shall enter into a written agreement with each Subprocessor containing data protection obligations not less protective than those in the MSA and this DPA with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Subprocessor.
      3. To restrict the Subprocessor's access to Application Data only to what is strictly necessary to perform its services, and OnceHub will prohibit the Subprocessor from processing Customer Data for any other purpose.
    3. OnceHub shall be liable for the acts and omissions of its Subprocessors to the same extent OnceHub would be liable if performing the services of each Subprocessor directly under the terms of this DPA, except as otherwise set forth in the MSA.
  12. Notification of existing and new Subprocessors and the right to object
    1. A list of the current Subprocessors used by OnceHub for the provision of the Services can be found in the Subprocessor List on the OnceHub web site. Customer may subscribe to notifications of new Subprocessors via the mechanisms described on the Subprocessor list web page.
    2. OnceHub shall provide notification to Customer of a new Subprocessor by adding details of the new Subprocessor to the Subprocessor List before authorizing any new Subprocessor to Process Personal Data in connection with the provision of the Services.
    3. Customer may object to OnceHub’s appointment or replacement of a Subprocessor prior to its appointment, provided such objection is in writing and based on reasonable grounds relating to data protection.
    4. OnceHub will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Subprocessor without unreasonably burdening Customer.
    5. If OnceHub is unable to make available such change within a reasonable period of time, which shall not exceed thirty days, Customer may terminate the applicable subscription with respect only to those Services which cannot be provided by OnceHub without the use of the objected-to new Subprocessor by providing written notice to OnceHub.
    6. OnceHub will refund Customer any prepaid fees covering the remainder of the term of the applicable subscription following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.
  13. Customer audit rights
    1. Upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, OnceHub will make available to Customer, that is not a competitor of OnceHub (or Customer’s independent, third-party auditor that is not a competitor of OnceHub), a copy of OnceHub’s most recent audit reports, or an Executive Summary thereof.
    2. Customer agrees that any audit rights granted by Data Protection Law (including, where applicable, Article 28(3) of the GDPR or clause 8.9 of the Standard Contractual Clauses) will be satisfied by these Audit Reports, and will only arise to the extent that OnceHub’s provision of an audit report does not provide sufficient information or to the extent that Customer must respond to a regulatory or Supervisory Authority audit.
    3. In such event, Customer agrees to enter into a mutually agreed upon audit plan that:
      1. Ensures the use of an independent third party, that is not a competitor of OnceHub;
      2. Provides notice to OnceHub in a timely fashion;
      3. Requests access only during agreed business hours;
      4. Accepts billing to Customer at OnceHub’s then current rates;
      5. Occurs no more than once annually;
      6. Restricts its findings to only Personal Data relevant to Customer; and
      7. Obligates Customer, to the extent permitted by law, to keep confidential any information gathered that, by its nature, should be confidential.
  14. Rights of data subjects
    1. OnceHub will provide reasonable and timely assistance to Customer to enable Customer to respond to a request received by Customer from a data subject seeking to exercise their rights under applicable Data Protection Law, to the extent that Customer is unable to respond to such requests through its use of the Services.
    2. OnceHub shall promptly notify Customer if OnceHub or any Subprocessor receives a request from a data subject under Data Protection Law that identifies Customer as the applicable Controller, and shall ensure that OnceHub and the Subprocessor do not respond to that request.
  15. Limitation of liability
    1. Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and OnceHub, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ clause of the MSA, and any reference in such clause to the liability of a party means the aggregate liability of that party and all of its Affiliates under the MSA and all DPAs together.
    2. For the avoidance of doubt, OnceHub’s total liability for all claims from the Customer and all of its Authorized Affiliates arising out of or related to the MSA and all DPAs shall apply in the aggregate for all claims under both the MSA and all DPAs established under this Agreement, including by Customer and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and to any Authorized Affiliate that is a contractual party to any such DPA.
  16. Regulatory fines and penalties
    1. Notwithstanding anything to the contrary in this DPA or in the MSA (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any fines issued or levied against the other party by a regulatory authority or governmental body in connection with such other party’s violation of Data Protection Law.
  17. European specific provisions
    1. OnceHub will Process Personal Data in accordance with the GDPR requirements directly applicable to OnceHub’s provision of its Services.
    2. OnceHub shall provide reasonable assistance to Customer needed to fulfil Customer’s obligation under the GDPR to carry out any data protection impact assessments related to Customer’s use of the Services, including prior consultations with Supervisory Authorities or other competent data privacy authorities, to the extent that Customer does not otherwise have access to the relevant information, and to the extent that such information is available to OnceHub.
    3. Subject to the additional terms in Appendix 2, the transfer mechanism listed below shall apply to any transfers of Personal Data under this DPA from the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Law of the foregoing territories, to the extent such transfers are subject to such Data Protection Law:
      1. The Module Two Standard Contractual Clauses for data controller to data processor transfers approved by the European Commission in decision C(2021) 3972, which are hereby incorporated by reference, provided that:
        1. Annexes 1 and 2 of the Standard Contractual Clauses are set forth in Appendix 3 to this DPA;
        2. The optional docking provision in Clause 7 of the Standard Contractual Clauses shall apply;
        3. For the purpose of Clause 9(a) of the Standard Contractual Clauses, option 2 shall apply and the period shall be seven days;
        4. The optional provision in Clause 11 of the Standard Contractual Clauses shall not apply;
        5. For the purpose of Clause 13 of the Standard Contractual Clauses, the competent supervisory authority shall be the supervisory authority with responsibility for ensuring compliance by the Customer with the GDPR as regards the data transfer; and
        6. For the purpose of Clause 17 of the Standard Contractual Clauses, the parties agree that the Standard Contractual Clauses shall be governed by the laws of Ireland.
    4. OnceHub has appointed a data protection officer. The appointed person may be reached at privacyoffice@oncehub.com.

APPENDIX 1 – DETAILS OF THE PROCESSING

  1. Nature and purpose of Processing
    1. OnceHub will Process Personal Data as necessary to perform the Services pursuant to the MSA, and as further instructed by Customer in its use of the Services.
    2. The purpose of the Processing of data from the Controller is to provide a SaaS subscription Service (which may include the detection, prevention and resolution of security and technical issues) and otherwise to fulfil the obligations under the terms of service as stated in the MSA.
    3. OnceHub processes data to provide and improve the services we offer and perform essential business operations. This includes operating the services, maintaining and improving the performance of the services, including developing new features, research and providing customer support.
    4. OnceHub does not sell Customer end users’ Personal Data and does not share end users’ information with third parties for those third parties’ own business interests.
  2. Duration of Processing
    1. Subject to clause 8 of this DPA, OnceHub will Process Personal Data for the duration of the MSA, unless otherwise agreed upon in writing.
  3. Categories of data subjects
    1. Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
      1. Prospects, customers, business partners and vendors of Customer (who are natural persons);
      2. Employees or contact persons of Customer prospects, customers, business partners and vendors;
      3. Employees, agents, advisors, freelancers of Customer (who are natural persons); and
      4. Customer’s Users authorized by Customer to use the Services.
  4. Type of Personal Data
    1. Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
      1. First and last name
      2. Title
      3. Position
      4. Employer
      5. Contact information (company, email, phone, physical business address)
      6. ID data
      7. Professional life data
      8. Personal life data
      9. Sensitive personal data, to the extent permitted by the OnceHub Acceptable Use Policy

APPENDIX 2 – ADDITIONAL TERMS FOR EUROPEAN DATA TRANSFERS

ADDITIONAL TERMS FOR STANDARD CONTRACTUAL CLAUSES

Customer parties to the Standard Contractual Clauses

Module Two of the Standard Contractual Clauses and the additional terms specified in this section “Additional Terms for Standard Contractual Clauses” apply to Customer, including Authorized Affiliates, which are subject to the data protection laws and regulations of the European Union, the European Economic Area and their member states, Switzerland or the United Kingdom.

For the purpose of the Standard Contractual Clauses and this section “Additional Terms for Standard Contractual Clauses” Customer, and each Authorized Affiliate, shall be deemed “data exporters”.

Instructions

This DPA and the MSA are the Customer’s complete and final documented instructions at the time of signature of the MSA to OnceHub for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately between the parties.

For the purposes of clause 8.1 of the Standard Contractual Clauses, the following is deemed an instruction by the Customer to process Personal Data:

  1. Processing in accordance with the MSA; 
  2. Processing initiated by users in their use of OnceHub Services; and
  3. Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the MSA.

Appointment of new Subprocessors and list of current Subprocessors

Pursuant to clause 9 of the Standard Contractual Clauses, Customer acknowledges and expressly agrees that

  1. OnceHub’s Affiliates may be retained as Subprocessors; and
  2. OnceHub and OnceHub’s Affiliates respectively may engage third-party Subprocessors in connection with the provision of the OnceHub Services. OnceHub shall make available to Customer the current list of Subprocessors in accordance with clause 12 of this DPA.

Notification of new Subprocessors and objection right for new Subprocessors

Pursuant to clause 9(a) of the Standard Contractual Clauses, Customer acknowledges and expressly agrees that OnceHub may engage new Subprocessors as described in clauses 11 and 12 of this DPA.

Copies of Subprocessor agreements

The parties agree that the copies of the Subprocessor agreements that must be provided by OnceHub to Customer pursuant to clause 9(c) of the Standard Contractual Clauses may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by OnceHub beforehand; and, that such copies will be provided by OnceHub, in a manner to be determined in its discretion, only upon request by Customer.

Audits and certifications

The parties agree that the audits described in clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with clause 13 of this DPA.

Certification of deletion

The parties agree that the certification of deletion of Personal Data that is described in clause 16(d) of the Standard Contractual Clauses shall be provided by OnceHub to Customer only upon Customer’s request.

Conflict

In the event of any conflict or inconsistency between the body of this DPA and any of its Appendices (not including the Standard Contractual Clauses) and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

Signatories to the Standard Contractual Clauses

DATA EXPORTER
Signed by Customer executing the MSA or an agreement into which this DPA is incorporated by reference, on behalf of itself and each Authorized Affiliate

DATA IMPORTER
Signed by OnceHub executing the MSA or an agreement into which this DPA is incorporated by reference, on behalf of itself and each of its Affiliates

APPENDIX 3 – APPENDICES TO STANDARD CONTRACTUAL CLAUSES

ANNEX 1 TO THE STANDARD CONTRACTUAL CLAUSES

  1. List of Parties

    Data exporter

    The data exporter is (please specify briefly your activities relevant to the transfer):

    The data exporter is the Customer as defined above and the user of OnceHub’s Services

    Data importer

    The data importer is (please specify briefly activities relevant to the transfer):

    The data importer for the OnceHub Services is OnceHub Inc.

  2. Description of Transfer

    Categories of data subjects

    The personal data transferred concern the following categories of data subjects (please specify):

    Data exporter’s customers and end-users. The data importer will receive any personal data in the form of Application Data that the data exporter instructs OnceHub to process through its cloud communications products and services. The precise personal data that the data exporter will transfer to the data importer is necessarily determined and controlled solely by the data exporter.

    Categories of personal data transferred

    The personal data transferred concern the following categories of data (please specify):

    Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

    (a) First and last name
    (b) Title
    (c) Position
    (d) Employer
    (e) Contact information (company, email, phone, physical business address)
    (f) ID data
    (g) Professional life data
    (h) Personal life data
    (i) Sensitive personal data, to the extent permitted by the OnceHub Acceptable Use Policy

    Special categories of data (if appropriate)

    Data exporter may submit special categories of data to the OnceHub Services in accordance with the terms of the OnceHub Acceptable Use Policy, the extent of which is determined and controlled by the data exporter in its sole discretion, and which is for the sake of clarity Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data,

    The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

    Continuous basis

    Nature of the processing:

    Data collection, saving, organisation, hosting and deletion.

    Purpose(s) of the data transfer and further processing:

    Provision of Services to data exporter as further detailed in MSA.

    The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

    Data will be retained for as long as the data exporter requires the Services.

    For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

    Same as above

  3. Competent Supervisory Authority

    The Supervisory Authority with responsibility for ensuring compliance by the Customer with the GDPR as regards the data transfer.

ANNEX 2 TO THE STANDARD CONTRACTUAL CLAUSES

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons

1.Measures of pseudonymisation and encryption of personal data

All data and backups are encrypted at rest using the Transparent Data Encryption (TDE) service provided by Microsoft Azure. TDE uses strong ciphers (AES-256) and securely managed encryption keys, so that database files, transaction logs and backups obtained without the keys (for example from lost, stolen or decommissioned storage media) cannot be deciphered. Because TDE is transparent to the database engine, it does not by itself protect data from a party who can issue queries; where data is classified as particularly sensitive, for example sign-in credentials such as passwords, additional column-level encryption is therefore applied to further protect that data.

All personal data is pseudonymised in internal systems, where technically feasible.

2.Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Contractual measures

Security, Availability, Confidentiality, Processing Integrity and Privacy related obligations are communicated to OnceHub's employees through

  • Confidentiality and non-disclosure provisions in contracts of employment;
  • OnceHub’s ISPP; and
  • Annual security and privacy awareness training and policy acknowledgement for OnceHub employees.

Data processing addendums, service agreements and non-disclosure agreements are in place with subservice organizations.

Technical measures

The availability and resilience of processing systems and services is built into the architectural design and implementation of OnceHub production systems hosted by Microsoft Azure and Amazon AWS.

Traffic to the network is managed using secure load balancing services. There are multiple virtual IP endpoints terminated on managed load balancers, which provide automated high availability and load balancing capabilities.

The database is a cluster with one primary node that serves customer workload and three secondary nodes holding copies of the data. The primary continuously replicates changes to the secondary nodes so that the data remains available on a secondary replica if the primary node fails for any reason.

Regular automated scans of the OnceHub platform and the environment are performed by Quality Assurance to ensure that application releases maintain the integrity of the platform.

3.Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident 

OnceHub databases are configured with real-time replication to a geographically redundant location. Backups are retained for 14 days and stored off-site. Procedures are in place to detect backup failures and to initiate corrective action when such failures occur.

Backup data is restored on demand through the Azure administration portal. The backup data is restored into a separate environment in order to verify the integrity of the data and to surface any recovery issues.

OnceHub has developed disaster recovery and business continuity plans to enable the company to continue to provide critical services in case of a disaster or business interruption. OnceHub documents and approves on an annual basis a restore document describing the required steps in order to perform a restore. Plans are reviewed and tested on an annual basis.

4.Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Risk Management

OnceHub systematically identifies and addresses emerging risks. Risks are recorded in a backlog and reviewed quarterly with executive management; where necessary, risk-mitigation strategies are formalised as policies and procedures. Quarterly risk management meetings review and evaluate risks and approve mitigation measures.

Monitoring

Management uses automated reports created through various applications and processes to monitor the efficiency of certain processes and the effectiveness of certain key controls. Metrics produced from these systems are used to identify the strengths and achievements as well as the weaknesses, inefficiencies or potential performance issues with respect to a particular process.

Managers are given the responsibility to inform the individuals who report to them about these items at the appropriate time. Deficiencies are communicated to parties responsible for taking corrective action. The OnceHub Management Team monitors the progress with respect to OnceHub Service processes on a regular basis. The Management Team tracks whether deficiencies are remedied on a timely basis.

Detected security events are evaluated to determine whether they could or did result in the unauthorized disclosure or use of personal information and whether there has been a failure to comply with applicable laws or regulations.

Root-cause analysis is performed using various tools and meetings, and corrective measures are communicated to the relevant groups by email, in meetings and through a project portal tool in order to prevent recurrence. Inputs to this analysis include daily reporting, shared systems with audit trails, and customer feedback. Where necessary, corrective measures are also communicated to employees via email, ongoing training, review of key cases and weekly meetings.

Penetration and Vulnerability Testing

Penetration tests are performed by a third party at least annually. High-risk findings are followed up in the weekly management meetings, and remediation is acted upon following review of the penetration test report. Penetration tests include, but are not limited to, tests that confirm customers, groups of individuals or other entities cannot access confidential information other than their own (tenant isolation), as well as tests that simulate external hacking attempts.

Vulnerability scans of OnceHub databases are performed weekly using an external tool in order to detect potential vulnerabilities before they can be exploited.

5.Measures for user identification and authorisation

OnceHub platform controls for Controllers

Controllers can manage access to their accounts by setting bespoke password policies, by integrating Single Sign-On, and by enforcing two-factor authentication for their users.

OnceHub internal access controls

OnceHub manages and delivers its services using a variety of systems and environments. Authorisation to the different environments is role-based according to job responsibilities and subject to management approval, for example:

  1. Access to production environment servers is restricted to authorized personnel who have been approved by the Head of IT Security. 
  2. Developers do not have access to the production environment.
  3. Access to the Azure and AWS admin portal within the production environment is performed using two-factor authentication. 
  4. A review of users and permissions within the different environments (web servers, database servers and administration application) is performed on a quarterly basis.

Access to system resources is protected through a combination of firewalls, VPNs, native operating system security, database management system security, application controls and intrusion detection monitoring software.

Where possible, strong password settings are enforced using operating system local policies. Enforced settings include forced password rotation, password history, minimum password length, account lockout, and password complexity requirements.

New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed, and access is disabled when access is no longer required, or the infrastructure and software are no longer in use.

6.Measures for the protection of data during transmission

OnceHub is an “HTTPS only” platform. All data in transit is encrypted using TLS 1.2 or higher (the version negotiated depends on the client browser). Where a visitor arrives over plain HTTP, the request is automatically redirected to the HTTPS endpoint. These safeguards ensure that customer data is always encrypted in transit.
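As an added illustration (this is not OnceHub's configuration, which the page does not disclose; the TLS terminator is assumed here to be nginx, and example.com, the certificate paths and the upstream are placeholders), the following edge configuration implements the three properties described above: a plain-HTTP listener that only redirects, a TLS listener restricted to TLS 1.2 and 1.3 with the weak protocol line shown commented out, and, going one step beyond the page, an HSTS header so that returning browsers never make the initial plain-HTTP request at all:

```nginx
# Added example, not OnceHub's own configuration.
# Assumptions: hostname example.com, certificate paths and the upstream
# address are placeholders to be replaced in a real deployment.

upstream app_backend {
    server 127.0.0.1:8080;   # placeholder application server
}

# 1. The plain-HTTP listener exists only to redirect; it serves no content.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 301 https://$host$request_uri;   # permanent redirect to HTTPS
}

# 2. The TLS listener: only TLS 1.2 and 1.3 can be negotiated.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/certs/example.com.pem;     # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key;   # placeholder path

    # WEAK setting (do not use): legacy protocols left negotiable.
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Corrected setting: "TLS 1.2 and higher" as the page describes.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Forward-secret AEAD suites only; TLS 1.3 suites are built in and
    # are not controlled by ssl_ciphers.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;   # let modern clients choose among the AEAD suites

    # Beyond the page: HSTS. The redirect above still leaves a first
    # plain-HTTP request on every fresh visit; HSTS tells a browser that
    # has seen this host once to go straight to HTTPS for a year.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://app_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

To check the protocol floor from outside, `openssl s_client -connect example.com:443 -tls1_1` should fail the handshake while the same command with `-tls1_2` succeeds (the client's own OpenSSL build must still support TLS 1.1 for the negative test to be meaningful); `curl -I http://example.com/` should return a 301 with a `Location:` header pointing at the HTTPS URL.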

7.Measures for the protection of data during storage

See section 1, “Measures of pseudonymisation and encryption of personal data”, and section 8, “Measures for ensuring physical security of locations at which personal data are processed”.

8.Measures for ensuring physical security of locations at which personal data are processed

OnceHub production systems are hosted in a cloud infrastructure provided by Microsoft Azure and Amazon AWS.

Physical access to data centers is strictly controlled by Microsoft and Amazon who comply with multiple security and privacy frameworks. Further details can be found on their respective Trust and Security web site pages.

The cloud infrastructure providers implement protection against environmental risks and disasters, with redundant internet uplinks, routing infrastructure, firewalls and network intrusion detection services. Performance is continually measured to ensure sufficient resources, and redundancy is built into the architecture of the environment.

9.Measures for ensuring event logging

OnceHub has implemented and configured monitoring tools and alert thresholds triggering notifications to appropriate personnel on production servers.

All machines are audited and logged for security and system events. Logs are automatically analysed and flagged using the advanced threat analytics in Azure Security Center. Logged events include, but are not limited to:

  1. User access;
  2. Changes to user permissions;
  3. Modification of sensitive files;
  4. System events;
  5. Windows policy changes.

A full audit trail of all database events is retained for the previous three months and monitored using the Azure advanced threat analytics system. Identified issues trigger notifications to the DevOps team, who handle and escalate the issue appropriately. Logs are also manually cross-referenced periodically to confirm they are consistent with the expected behaviour of authorised users, processes and applications.

OnceHub uses a file integrity monitoring tool on its virtual machines. The monitoring dashboard is reviewed regularly by the Information Security department.

OnceHub platform availability is continuously monitored and tracked and published on a public status page. 

10.Measures for ensuring system configuration, including default configuration

Virtual machines are patched according to the OnceHub patching policy and hardened according to the recommendations provided by Microsoft and Amazon.

OnceHub changes its production environment in response to evolving client and market needs. These changes include adding/removing/changing the configuration policies of the existing servers and performing routine maintenance activities, software updates, and other infrastructure-related changes. 

Infrastructure changes are documented within the issue tracking tool. The request is reviewed and approved by the Director of Engineering and the Head of IT Security. 

Fixes are applied in regular weekly maintenance slots (patches). Emergency changes are applied as hot fixes, which follow the same process described above but on a shorter timeframe.

Metric reports are regularly issued to the management team in order to provide them with key indicators regarding the change management process. Changes that may affect system security, availability, processing integrity or confidentiality related issues are reviewed on a regular basis.

11.Measures for internal IT and IT security governance and management

OnceHub Information Security and Privacy Program (ISPP)

OnceHub has appointed a Chief Information Officer with responsibility for maintaining and extending the OnceHub ISPP that outlines OnceHub’s approach to implementing and managing information and information technology security and privacy.

The Chief Information Officer is granted appropriate authority and backing from executive management to perform their role. The Chief Information Officer is suitably qualified and experienced and granted access to appropriate resources to ensure the integrity of the OnceHub ISPP.

The ISPP is reviewed and approved on an annual basis. The program ensures that security is managed competently and is reviewed periodically to ensure ongoing program improvement. Significant components of the ISPP include:

  1. Security, availability, and confidentiality requirements of users;
  2. Access rights, access restrictions, retention and destruction;
  3. Risk assessment;
  4. Preventing unauthorised access;
  5. Adding new users, modifying access levels, and removing users;
  6. Assigning responsibility for system availability, system changes & maintenance (including patch management), and confidentiality;
  7. Testing, evaluating and authorising system components before implementation;
  8. Secure Development Lifecycle;
  9. Complaint management and resolution;
  10. Identifying, responding to and mitigating security, availability and confidentiality breaches and other incidents;
  11. Employee training and resources to support system security policies;
  12. Identification of and consistency with applicable laws and regulations, defined commitments, and other contractual requirements;
  13. Third party vendor management;
  14. Recovering and continuing service in accordance with customer commitments or other agreements; and
  15. Monitoring system capacity.

Weekly management meetings are held to discuss operational and managerial matters and to announce new policies, procedures, controls and other strategic initiatives. Management retrospective meetings are performed on an as needed basis, in order to review incidents. In addition, policies and procedures are documented, reviewed and approved on an annual basis by the management team and available to OnceHub's employees.

12.Measures for certification/assurance of processes and products

OnceHub is audited annually for SOC 2 Type 2 compliance. The SOC 2 report describes how OnceHub’s controls and processes uphold the Trust Services Criteria of security, availability, processing integrity, confidentiality and privacy. The audit covers a one-year monitoring period and assesses both the suitability of the control design and its operating effectiveness.

OnceHub is a PCI DSS level 1 service provider and is validated annually by an independent PCI Qualified Security Assessor.

13.Measures for ensuring data minimisation

The Controller has sole and exclusive control over the adequacy, relevance and amount of personal data entered into OnceHub systems and managed by OnceHub as a Processor. No personal data other than that provided by the Controller is processed by OnceHub in its capacity as a Processor.

14.Measures for ensuring data quality

The Controller has the sole and exclusive control over the quality of data entered into OnceHub systems and managed by OnceHub as a Processor.  Controller has the ability to correct, update and delete all personal data entered into OnceHub software products.

OnceHub software uses data input rules to ensure that data is entered into OnceHub systems in an appropriate format where technically feasible.

15.Measures for ensuring limited data retention

Controller has sole and exclusive control over the retention of personal data of data subjects entered into OnceHub systems.  Controller can manage the retention and deletion of personal data in OnceHub systems through administrative controls within OnceHub’s software applications.

16.Measures for ensuring accountability

OnceHub has appointed a Data Protection Officer who is responsible for managing and overseeing OnceHub’s privacy obligations.

The DPA and supporting processes and controls outlined in this Appendix enable the Controller to demonstrate compliance with the principles as set out in Article 5 of the GDPR.

17.Measures for allowing data portability and ensuring erasure

OnceHub manages customer’s personal information in accordance with the company’s data retention and destruction policies as documented in the Master Services Agreement.

Personal data of a data subject entered into OnceHub systems can be exported by the Controller through the application interface in a structured, commonly used and machine-readable format.

Personal data of a data subject can be deleted by the Controller through the OnceHub software application interface.

Upon the termination of a contract between the Controller and OnceHub, all data is deleted from OnceHub systems in accordance with the data retention and destruction provisions of the Master Services Agreement between the Controller and OnceHub.

APPENDIX 4 – UK ADDENDUM TO THE EU STANDARD CONTRACTUAL CLAUSES

VERSION B1.0, in force 21 March 2022

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

Table 1: Parties

Start date: The date on which the DPA is signed by the Party signing last in time

The Parties:
  Exporter (who sends the Restricted Transfer)
  Importer (who receives the Restricted Transfer)

Parties’ details:
  Exporter:
    Full legal name: As set forth in the Signatures to the DPA
    Trading name (if different): As set forth in the Signatures to the DPA
    Main address (if a company registered address):
    Official registration number (if any) (company number or similar identifier): As set forth in the Signatures to the DPA
  Importer:
    Full legal name: As set forth in the Signatures to the DPA
    Trading name (if different): As set forth in the Signatures to the DPA
    Main address (if a company registered address): As set forth in the Signatures to the DPA
    Official registration number (if any) (company number or similar identifier): As set forth in the Signatures to the DPA

Key Contact:
  Exporter:
    Full Name (optional): As set forth in the Signatures to the DPA
    Job Title: As set forth in the Signatures to the DPA
    Contact details including email: As set forth in the Signatures to the DPA
  Importer:
    Full Name (optional): As set forth in the Signatures to the DPA
    Job Title: As set forth in the Signatures to the DPA
    Contact details including email: As set forth in the Signatures to the DPA

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs

☒ The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:

Date: The date on which the DPA is signed by the Party signing last in time
Reference (if any):
Other identifier (if any):
Or

☐ the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum: 


Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter?
1 |  |  |  |  |  | 
2 |  |  |  |  |  | 
3 |  |  |  |  |  | 
4 |  |  |  |  |  | 

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: Set Forth in Table 1
Annex 1B: Description of Transfer: As set forth in Annex 1 to the Standard Contractual Clauses in Appendix 3 of the DPA
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As set forth in Annex 2 to the Standard Contractual Clauses in Appendix 3 of the DPA
Annex III: List of Sub processors (Modules 2 and 3 only): Available at https://www.oncehub.com/trustcenter/subprocessors 

Table 4: Ending this Addendum when the Approved Addendum Changes

Which Parties may end this Addendum as set out in Section 19:
☒ Importer
☐ Exporter
☐ Neither Party

Part 2: Mandatory Clauses

Entering into this Addendum

  1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
  2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.

    Interpretation of this Addendum 

  3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
    Addendum: This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.
    Addendum EU SCCs: The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.
    Appendix Information: As set out in Table 3.
    Appropriate Safeguards: The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
    Approved Addendum: The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.
    Approved EU SCCs: The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
    ICO: The Information Commissioner.
    Restricted Transfer: A transfer which is covered by Chapter V of the UK GDPR.
    UK: The United Kingdom of Great Britain and Northern Ireland.
    UK Data Protection Laws: All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
    UK GDPR: As defined in section 3 of the Data Protection Act 2018.
  4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards. 
  5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
  6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
  7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies. 
  8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into. 

    Hierarchy 

  9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
  10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
  11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.

    Incorporation of and changes to the EU SCCs

  12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
    1. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers; 
    2. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
    3. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
  13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
  14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
  15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made: 
    1. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
    2. In Clause 2, delete the words:

      “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;

    3. Clause 6 (Description of the transfer(s)) is replaced with:

      “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;

    4. Clause 8.7(i) of Module 1 is replaced with:

      “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;

    5. Clause 8.8(i) of Modules 2 and 3 is replaced with:

      “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”

    6. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
    7. References to Regulation (EU) 2018/1725 are removed;
    8. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
    9. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
    10. Clause 13(a) and Part C of Annex I are not used; 
    11. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
    12. In Clause 16(e), subsection (i) is replaced with:

      “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;

    13. Clause 17 is replaced with:

      “These Clauses are governed by the laws of England and Wales.”;

    14. Clause 18 is replaced with:

      “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and

    15. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.

    Amendments to this Addendum

  16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
  17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
  18. From time to time, the ICO may issue a revised Approved Addendum which:
    1. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
    2. reflects changes to UK Data Protection Laws;

      The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified. 

  19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate, and demonstrable increase in:
    1. its direct costs of performing its obligations under the Addendum; and/or 
    2. its risk under the Addendum, 

      and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.

  20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.