Data Protection Addendum

Version 2.3 Last updated 1st October 2021

Our Data Protection Addendum is an agreement that sets out the legal framework under which OnceHub processes personal data. The Data Protection Addendum is an addendum to, and forms part of, our Master Services Agreement.

  1. Introduction
    1. This Data Protection Addendum (the "Addendum") forms part of the Master Services Agreement (the "MSA") between OnceHub and you the Customer to reflect the parties’ agreement with regards to the Processing of Personal Data.
    2. By signing the MSA, Customer enters into this Addendum on behalf of itself and, if applicable, its Authorized Affiliates, to the extent that OnceHub processes Personal Data on behalf of Customer or Authorized Affiliates. For the purposes of this Addendum only, and except where indicated otherwise, the term "Customer" shall include Customer and Authorized Affiliates.
    3. This Addendum is entered into and becomes a binding part of the MSA with effect from the date the MSA, or an agreement into which this Addendum is incorporated by reference, was entered into.
  2. Definitions
    1. Capitalized terms have the meanings set forth below or inline in this Addendum.
      1. "Affiliate" means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with the subject entity, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
      2. "Application Data" means all data, including text, sound or image files that are provided to OnceHub by, or on behalf of, Customer through Customer’s use of the Services, including Personal Data, but excluding Usage Data.
      3. "Authorized Affiliate" means any of Customer’s Affiliate(s) which is permitted to use the Services pursuant to the Agreement between Customer and OnceHub, but has not entered into a separate MSA with OnceHub.
      4. "CCPA" means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
      5. "Controller" means the entity which determines the purposes and means of the Processing of Personal Data.
      6. "Data Protection Law" means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the MSA.
      7. "Data Subject" means the identified or identifiable person to whom Personal Data relates.
      8. "GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
      9. "Non-OnceHub Application" means any application, software, plug-in, or other software application functionality that interoperates with the Services and is provided by Customer or a third party.
      10. "OnceHub" means OnceHub Inc., 2093 Philadelphia Pike #5585, Claymont, DE 19703, USA and its Affiliates.
      11. "Personal Data" means any information relating to
        1. An identified or identifiable natural person; or
        2. An identified or identifiable legal entity (where such information is protected similarly to personal data or personally identifiable information under applicable Data Protection Law),
        where, for each of (1) and (2), such data is Application Data.
      12. "Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
      13. "Processor" means the entity which Processes Personal Data on behalf of the Controller.
      14. "Services" means the products and services that are ordered by Customer pursuant to the MSA.
      15. "Standard Contractual Clauses" means the agreement executed by and between Customer and OnceHub pursuant to the European Commission’s decision (C(2021) 3972) of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
      16. "Subprocessor" means any person or legal entity appointed by or on behalf of OnceHub to Process Personal Data on behalf of Customer in connection with the Master Services Agreement.
      17. "Supervisory Authority" means an independent public authority which is established by an EU Member State pursuant to the GDPR.
      18. "Usage Data" means information about Customer’s use of the Services, including for example through analysis of patterns and trends, that is stored in an anonymized, pseudonymized, de-personalized or aggregated form in accordance with applicable privacy laws.
  3. Authorized Affiliates
    1. The parties acknowledge and agree that, by executing the MSA, the Customer enters into this Addendum on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate Addendum between OnceHub and each such Authorized Affiliate subject to the provisions of the MSA and this clause 3.
    2. The Customer that is the contracting party to the MSA shall remain responsible for coordinating all communication with OnceHub under this Addendum and be entitled to make and receive any communication in relation to this Addendum on behalf of its Authorized Affiliates.
    3. Where an Authorized Affiliate becomes a party to this Addendum with OnceHub, it shall to the extent required under applicable Data Protection Law be entitled to exercise the rights and seek remedies under this Addendum.
    4. Except where applicable Data Protection Laws require the Authorized Affiliate to exercise a right or seek any remedy under this Addendum against OnceHub directly by itself, the parties agree that:
      1. Solely the Customer that is the contracting party to the MSA shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate; and
      2. The Customer that is the contracting party to the MSA shall exercise any such rights under this Addendum not separately for each Authorized Affiliate individually but in a combined manner for itself and all of its Affiliates together.
  4. Processing of data
    1. The parties acknowledge and agree that:
      1. With regard to the Processing of Personal Data, Customer is the Controller and OnceHub is the Processor, and OnceHub has no direct control or ownership of the Personal Data that it Processes; and
      2. OnceHub will engage Subprocessors pursuant to the requirements in clauses 11 and 12.
  5. Subject matter of Processing of Personal Data
    1. The subject matter of Processing of Personal Data by OnceHub is the performance of the Services pursuant to the MSA. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this Addendum are further specified in Appendix 1, "Details of the Processing" to this Addendum.
  6. Responsibilities of each party
    1. Customer shall:
      1. At all times, in its use of the Services, Process Personal Data in compliance with applicable Data Protection Law. For the avoidance of doubt:
        1. Customer shall have sole responsibility for complying with Data Protection Law that requires providing notice, disclosure, or obtaining consent prior to transferring Personal Data to OnceHub for processing purposes;
        2. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data that Customer or Customer’s end users submit to OnceHub Services;
        3. Customer specifically acknowledges that its use of the Services will not violate the rights of any Data Subject that has opted out from sales or other disclosures of Personal Data, to the extent applicable under the CCPA; and
        4. Customer shall ensure that OnceHub’s processing of Personal Data in accordance with Customer’s instructions will not cause OnceHub to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Law.
    2. OnceHub shall:
      1. Only Process Personal Data on behalf of, and in accordance with Customer’s documented instructions for the following purposes:
        1. Processing in accordance with the MSA;
        2. Processing initiated by users in their use of OnceHub Services; and
        3. Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the MSA.
      2. Treat Personal Data as Confidential Information;
      3. Not sell, rent, lease, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, Personal Data to another business, person, or third party for monetary or other valuable consideration; and
      4. Inform Customer if it becomes aware or reasonably believes that Customer’s data processing instructions violate applicable Data Protection Law.
  7. Confidentiality
    1. OnceHub shall ensure that its employees who may Process Personal Data are informed of the confidential nature of the data, have received appropriate training on their responsibilities, and are subject to confidentiality undertakings which shall survive the termination of their engagement.
    2. OnceHub shall take commercially reasonable steps to ensure the reliability of any OnceHub personnel engaged in the processing of Personal Data.
  8. Return and deletion of data
    1. OnceHub will, to the extent permitted by applicable law, delete all of Customer’s account and Application Data in accordance with the procedures and timeframes specified in OnceHub’s deletion schedule, as updated from time to time and made available on its website at https://www.oncehub.com/trustcenter/data.
  9. Security
    1. OnceHub shall maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of Application Data, including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss, alteration, damage, unauthorized disclosure of, or access to, Application Data, as detailed in the MSA and in the Trust Center on the OnceHub website.
    2. Customer is responsible for reviewing the information OnceHub makes available regarding its data security, including its audit reports, and making an independent determination as to whether the Services meet the Customer’s requirements and legal obligations, including its obligations under applicable Data Protection Law and this Addendum. Customer is further responsible for properly configuring the Services and using available features and functionalities to maintain appropriate security in light of the nature of the data processed by Customer’s use of the Services.
    3. OnceHub will not materially decrease the overall security of the Services during a subscription term.
  10. Data Incident
    1. OnceHub will notify Customer, via email to the email address of the Administrator as recorded in the Services by the Customer, no later than 48 hours after becoming aware of any accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Application Data, including Personal Data, transmitted, stored or otherwise Processed by OnceHub or its Subprocessors (a "Data Incident").
    2. OnceHub will make reasonable efforts to identify and remediate the cause of such Data Incident, to the extent that remediation is within OnceHub’s reasonable control. OnceHub will provide reasonable assistance to Customer in the event that Customer is required under Data Protection Law to notify a Supervisory Authority or any data subjects of the Data Incident.
    3. Customer agrees that:
      1. An unsuccessful Data Incident will not be subject to this clause 10. An unsuccessful Data Incident is one that results in no unauthorized access to Application Data or to any of OnceHub’s equipment or facilities storing Application Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents; and
      2. OnceHub’s obligation to report or respond to a Data Incident under this clause 10 is not, and will not be construed as, an acknowledgement by OnceHub of any fault or liability of OnceHub with respect to the Data Incident.
    4. The obligations herein shall not apply to Data Incidents that are caused by Customer or Customer’s end users.
  11. Subprocessors
    1. Customer agrees that:
      1. Customer provides a general consent to OnceHub to engage Subprocessors conditional on the requirements of clauses 11 and 12 herein;
      2. OnceHub’s Affiliates may be retained as Subprocessors; and
      3. OnceHub may continue to use those Subprocessors already engaged by OnceHub as at the date of this Addendum as listed on the Subprocessor page on OnceHub’s web site, "the Subprocessor List".
    2. Where OnceHub authorizes any Subprocessor in accordance with clause 11.1, OnceHub agrees:
      1. That before the Subprocessor first Processes Application Data, OnceHub shall carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Application Data required by this Addendum and the MSA;
      2. OnceHub shall enter into a written agreement with each Subprocessor containing data protection obligations not less protective than those in the MSA and this Addendum with respect to the protection of Application Data, to the extent applicable to the nature of the services provided by such Subprocessor; and
      3. To restrict the Subprocessor’s access to Application Data to only what is strictly necessary to perform its services, and OnceHub will prohibit the Subprocessor from Processing Application Data for any other purpose.
    3. OnceHub shall be liable for the acts and omissions of its Subprocessors to the same extent OnceHub would be liable if performing the services of each Subprocessor directly under the terms of this Addendum, except as otherwise set forth in the MSA.
  12. Notification of existing and new Subprocessors and the right to object
    1. A list of the current Subprocessors used by OnceHub for the provision of the Services can be found in the Subprocessor List on the OnceHub web site. Customer may subscribe to notifications of new Subprocessors via the mechanisms described on the Subprocessor list web page.
    2. OnceHub shall provide notification to Customer of a new Subprocessor by adding details of the new Subprocessor to the Subprocessor List before authorizing any new Subprocessor to Process Personal Data in connection with the provision of the Services.
    3. Customer may object to OnceHub’s appointment or replacement of a Subprocessor prior to its appointment, provided such objection is in writing and based on reasonable grounds relating to data protection.
    4. OnceHub will use reasonable efforts to make available to Customer a change in the Services, or to recommend a commercially reasonable change to Customer’s configuration or use of the Services, to avoid Processing of Personal Data by the objected-to new Subprocessor without unreasonably burdening Customer.
    5. If OnceHub is unable to make available such change within a reasonable period of time, which shall not exceed thirty days, Customer may terminate the applicable subscription with respect only to those Services which cannot be provided by OnceHub without the use of the objected-to new Subprocessor, by providing written notice to OnceHub.
    6. OnceHub will refund Customer any prepaid fees covering the remainder of the term of the applicable subscription following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.
  13. Customer audit rights
    1. Upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, OnceHub will make available to Customer (provided Customer is not a competitor of OnceHub), or to Customer’s independent third-party auditor that is not a competitor of OnceHub, a copy of OnceHub’s most recent audit reports, or an executive summary thereof.
    2. Customer agrees that any audit rights granted by Data Protection Law (including, where applicable, Article 28(3) of the GDPR or clause 8.9 of the Standard Contractual Clauses) will be satisfied by these audit reports, and will only arise to the extent that OnceHub’s provision of an audit report does not provide sufficient information, or to the extent that Customer must respond to a regulatory or Supervisory Authority audit.
    3. In such event, Customer agrees to enter a mutually agreed upon audit plan that:
      1. Ensures the use of an independent third party, that is not a competitor of OnceHub;
      2. Provides notice to OnceHub in a timely fashion;
      3. Requests access only during agreed business hours;
      4. Accepts billing to Customer at OnceHub’s then current rates;
      5. Occurs no more than once annually;
      6. Restricts its findings to only Personal Data relevant to Customer; and
      7. Obligates Customer, to the extent permitted by law, to keep confidential any information gathered that, by its nature, should be confidential.
  14. Rights of data subjects
    1. OnceHub will provide reasonable and timely assistance to Customer to enable Customer to respond to a request received by Customer from a data subject seeking to exercise their rights under applicable Data Protection Law, to the extent that Customer is unable to respond to such requests through its use of the Services.
    2. OnceHub shall promptly notify Customer if OnceHub or any Subprocessor receives a request from a data subject under Data Protection Law that identifies Customer as the applicable Controller, and shall ensure that OnceHub and the Subprocessor do not respond to that request.
  15. Limitation of liability
    1. Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this Addendum, and all Addendums between Authorized Affiliates and OnceHub, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ clause of the MSA, and any reference in such clause to the liability of a party means the aggregate liability of that party and all of its Affiliates under the MSA and all Addendums together.
    2. For the avoidance of doubt, OnceHub’s total liability for all claims from the Customer and all of its Authorized Affiliates arising out of or related to the MSA and all Addendums shall apply in the aggregate for all claims under both the MSA and all Addendums established under this Agreement, including by Customer and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and to any Authorized Affiliate that is a contractual party to any such Addendum.
  16. Regulatory fines and penalties
    1. Notwithstanding anything to the contrary in this Addendum or in the MSA (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any fines issued or levied against the other party by a regulatory authority or governmental body in connection with such other party’s violation of Data Protection Law.
  17. European specific provisions
    1. OnceHub will Process Personal Data in accordance with the GDPR requirements directly applicable to OnceHub’s provision of its Services.
    2. OnceHub shall provide reasonable assistance to Customer as needed to fulfil Customer’s obligation under the GDPR to carry out any data protection impact assessments related to Customer’s use of the Services, including prior consultations with Supervisory Authorities or other competent data privacy authorities, to the extent that Customer does not otherwise have access to the relevant information and to the extent that such information is available to OnceHub.
    3. Subject to the additional terms in Appendix 2, the transfer mechanism listed below shall apply to any transfers of Personal Data under this Addendum from the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Law of the foregoing territories, to the extent such transfers are subject to such Data Protection Law:
      1. The Module Two Standard Contractual Clauses for data controller to data processor transfers approved by the European Commission in decision C(2021) 3972, which are hereby incorporated by reference, provided that:
        1. Annexes 1 and 2 of the Standard Contractual Clauses are set forth in Appendix 3 to this Addendum;
        2. The optional docking provision in Clause 7 of the Standard Contractual Clauses shall apply;
        3. For the purpose of Clause 9(a) of the Standard Contractual Clauses, option 2 shall apply and the period shall be seven days;
        4. The optional provision in Clause 11 of the Standard Contractual Clauses shall not apply;
        5. For the purpose of Clause 13 of the Standard Contractual Clauses, the competent supervisory authority shall be the supervisory authority with responsibility for ensuring compliance by the Customer with the GDPR as regards the data transfer; and
        6. For the purpose of Clause 17 of the Standard Contractual Clauses, the parties agree that the Standard Contractual Clauses shall be governed by the laws of Ireland.
    4. OnceHub has appointed a data protection officer. The appointed person may be reached at privacyoffice@oncehub.com.

APPENDIX 1 – DETAILS OF THE PROCESSING
  1. Nature and purpose of Processing
    1. OnceHub will Process Personal Data as necessary to perform the Services pursuant to the MSA, and as further instructed by Customer in its use of the Services.
    2. The purpose of the Processing of data from the Controller is to provide a SaaS subscription Service (which may include the detection, prevention and resolution of security and technical issues) and otherwise to fulfil the obligations under the terms of service as stated in the MSA.
    3. OnceHub Processes data to provide and improve the Services it offers and to perform essential business operations. This includes operating the Services, maintaining and improving the performance of the Services (including developing new features), research, and providing customer support.
    4. OnceHub does not sell Customer end users’ Personal Data and does not share end users’ information with third parties for those third parties’ own business interests.
  2. Duration of Processing
    1. Subject to clause 8 of this Addendum, OnceHub will Process Personal Data for the duration of the MSA, unless otherwise agreed upon in writing.
  3. Categories of data subjects
    1. Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
      1. Prospects, customers, business partners and vendors of Customer (who are natural persons);
      2. Employees or contact persons of Customer prospects, customers, business partners and vendors;
      3. Employees, agents, advisors, freelancers of Customer (who are natural persons); and
      4. Customer’s Users authorized by Customer to use the Services.
  4. Type of Personal Data
    1. Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
      1. First and last name
      2. Title
      3. Position
      4. Employer
      5. Contact information (company, email, phone, physical business address)
      6. ID data
      7. Professional life data
      8. Personal life data
      9. Sensitive personal data, to the extent permitted by the OnceHub Acceptable Use Policy
APPENDIX 2 – ADDITIONAL TERMS FOR EUROPEAN DATA TRANSFERS
ADDITIONAL TERMS FOR STANDARD CONTRACTUAL CLAUSES

Customer parties to the Standard Contractual Clauses

Module Two of the Standard Contractual Clauses and the additional terms specified in this section “Additional Terms for Standard Contractual Clauses” apply to Customer, including Authorized Affiliates, which are subject to the data protection laws and regulations of the European Union, the European Economic Area and their member states, Switzerland or the United Kingdom.

For the purpose of the Standard Contractual Clauses and this section “Additional Terms for Standard Contractual Clauses” Customer, and each Authorized Affiliate, shall be deemed “data exporters”.

Instructions

This Addendum and the MSA are the Customer’s complete and final documented instructions at the time of signature of the MSA to OnceHub for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately between the parties.

For the purposes of clause 8.1 of the Standard Contractual Clauses, the following is deemed an instruction by the Customer to process Personal Data:

  1. Processing in accordance with the MSA;
  2. Processing initiated by users in their use of OnceHub Services; and
  3. Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the MSA.

Appointment of new Subprocessors and list of current Subprocessors

Pursuant to clause 9 of the Standard Contractual Clauses, Customer acknowledges and expressly agrees that:

  1. OnceHub’s Affiliates may be retained as Subprocessors; and
  2. OnceHub and OnceHub’s Affiliates respectively may engage third-party Subprocessors in connection with the provision of the OnceHub Services. OnceHub shall make available to Customer the current list of Subprocessors in accordance with clause 12 of this Addendum.

Notification of new Subprocessors and objection right for new Subprocessors

Pursuant to clause 9(a) of the Standard Contractual Clauses, Customer acknowledges and expressly agrees that OnceHub may engage new Subprocessors as described in clauses 11 and 12 of this Addendum.

Copies of Subprocessor agreements

The parties agree that the copies of the Subprocessor agreements that must be provided by OnceHub to Customer pursuant to clause 9(c) of the Standard Contractual Clauses may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by OnceHub beforehand, and that such copies will be provided by OnceHub, in a manner to be determined in its discretion, only upon request by Customer.

Audits and certifications

The parties agree that the audits described in clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with clause 13 of this Addendum.

Certification of deletion

The parties agree that the certification of deletion of Personal Data that is described in clause 16(d) of the Standard Contractual Clauses shall be provided by OnceHub to Customer only upon Customer’s request.

Conflict

In the event of any conflict or inconsistency between the body of this Addendum and any of its Appendices (not including the Standard Contractual Clauses) and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

Signatories to the Standard Contractual Clauses

DATA EXPORTER
Signed by Customer executing the MSA or an agreement into which this Addendum is incorporated by reference, on behalf of itself and each Authorized Affiliate

DATA IMPORTER
Signed by OnceHub executing the MSA or an agreement into which this Addendum is incorporated by reference, on behalf of itself and each of its Affiliates

APPENDIX 3 – APPENDICES TO STANDARD CONTRACTUAL CLAUSES

ANNEX 1 TO THE STANDARD CONTRACTUAL CLAUSES

  1. List of Parties

    Data exporter

    The data exporter is (please specify briefly your activities relevant to the transfer):

    The data exporter is the Customer as defined above and the user of OnceHub’s Services

    Data importer

    The data importer is (please specify briefly activities relevant to the transfer):

    The data importer for the OnceHub Services is OnceHub Inc.

  2. Description of Transfer

    Categories of data subjects

    The personal data transferred concern the following categories of data subjects (please specify):

    Data exporter’s customers and end-users. The data importer will receive any personal data in the form of Application Data that the data exporter instructs OnceHub to process through its cloud communications products and services. The precise personal data that the data exporter will transfer to the data importer is necessarily determined and controlled solely by the data exporter.

    Categories of personal data transferred

    The personal data transferred concern the following categories of data (please specify):

    Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

    (a) First and last name
    (b) Title
    (c) Position
    (d) Employer
    (e) Contact information (company, email, phone, physical business address)
    (f) ID data
    (g) Professional life data
    (h) Personal life data
    (i) Sensitive personal data, to the extent permitted by the OnceHub Acceptable Use Policy

    Special categories of data (if appropriate)

    Data exporter may submit special categories of data to the OnceHub Services in accordance with the terms of the OnceHub Acceptable Use Policy, the extent of which is determined and controlled by the data exporter in its sole discretion, and which is for the sake of clarity Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data,

    The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

    Continuous basis

    Nature of the processing:

    Data collection, saving, organisation, hosting and deletion.

    Purpose(s) of the data transfer and further processing:

    Provision of Services to data exporter as further detailed in MSA.

    The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

    Data will be retained for as long as the data exporter requires the Services.

    For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

    Same as above

  3. Competent Supervisory Authority

    The Supervisory Authority with responsibility for ensuring compliance by the Customer with the GDPR as regards the data transfer.

ANNEX 2 TO THE STANDARD CONTRACTUAL CLAUSES

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons

1. Measures of pseudonymisation and encryption of personal data

All data and backups are encrypted at rest using the Transparent Data Encryption service (TDE) provided by Microsoft Azure. TDE uses strong ciphers (AES 256) and securely managed encryption keys to ensure that in the unlikely event that data is compromised, it still cannot be deciphered. Where data is classified as particularly sensitive, for example sign-in credentials such as passwords, additional column-level encryption is applied to further protect the data.

All personal data is pseudonymised in internal systems, where technically feasible.

2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Contractual measures

Security, Availability, Confidentiality, Processing Integrity and Privacy related obligations are communicated to OnceHub's employees through:

  • Confidentiality and non-disclosure provisions in contracts of employment;
  • OnceHub’s ISPP; and
  • Annual security and privacy awareness training and policy acknowledgement for OnceHub employees.

Data processing addendums, service agreements and non-disclosure agreements are in place with subservice organizations.

Technical measures

The availability and resilience of processing systems and services are built into the architectural design and implementation of OnceHub production systems hosted by Microsoft Azure and Amazon AWS.

Traffic to the network is managed using secure load balancing services. There are multiple virtual IP endpoints terminated on managed load balancers, which provide automated high availability and load balancing capabilities.

The database is a cluster of database nodes with one primary database that is accessible for customer workload, and three secondary nodes containing copies of the data. The primary node constantly pushes changes to the secondary nodes so that the data remains available on the secondary replicas if the primary node crashes for any reason.

Regular automated scans of the OnceHub platform and the environment are performed by Quality Assurance to ensure that application releases maintain the integrity of the platform.

3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

OnceHub databases are configured with real-time replication to a geographically redundant location. Backups are maintained for 14 days and are saved off-site. Procedures are in place to detect backup failures and to initiate corrective action when such failures occur.

Backup data is restored on demand through the Azure administration portal. The backup data is restored into a separate environment in order to determine the integrity of data and potential data recovery issues.

OnceHub has developed disaster recovery and business continuity plans to enable the company to continue to provide critical services in case of a disaster or business interruption. OnceHub documents and approves on an annual basis a restore document describing the required steps in order to perform a restore. Plans are reviewed and tested on an annual basis.

4. Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Risk Management

OnceHub systematically identifies and addresses emerging risks. Risks are recorded in a backlog and reviewed on a quarterly basis with executive management. If and when deemed necessary, risk-mitigation strategies are formalized in the form of policies and procedures. Risk management meetings are held on a quarterly basis in order to review and evaluate risks and to approve mitigation measures.

Monitoring

Management uses automated reports created through various applications and processes to monitor the efficiency of certain processes and the effectiveness of certain key controls. Metrics produced from these systems are used to identify the strengths and achievements as well as the weaknesses, inefficiencies or potential performance issues with respect to a particular process.

Managers are given the responsibility to inform the individuals who report to them about these items at the appropriate time. Deficiencies are communicated to parties responsible for taking corrective action. The OnceHub Management Team monitors the progress with respect to OnceHub Service processes on a regular basis. The Management Team tracks whether deficiencies are remedied on a timely basis.

Detected security events are evaluated to determine whether they could or did result in the unauthorized disclosure or use of personal information and whether there has been a failure to comply with applicable laws or regulations.

Analysis of root cause is performed through various tools and meetings, and corrective measures are communicated to relevant groups through emails, meetings, and a project portal tool in order to prevent future occurrences. This includes daily reporting, access to shared systems with audit trails, and customer feedback. If and when deemed necessary, corrective measures are communicated to employees via email, ongoing training, a review of key cases and weekly meetings.

Penetration and Vulnerability Testing

Penetration tests are performed by a third party on at least an annual basis. High-risk issues are followed up during the weekly management meetings, and appropriate changes are acted upon following review of the penetration test report. Penetration tests include, but are not limited to, tests verifying that customers, groups of individuals, or other entities cannot access confidential information other than their own, as well as procedures and tests that simulate external hacking attempts.

Vulnerability tests are performed on OnceHub databases on a weekly basis, using an external tool, in order to detect potential security breaches.

5. Measures for user identification and authorisation

OnceHub platform controls for Controllers

Controllers can manage system access by setting bespoke password policies, by implementing Single Sign-On integration and by enforcing two-factor authentication.

OnceHub internal access controls

OnceHub manages and delivers its services using a variety of systems and environments. Authorizations to the different environments are based on roles according to job responsibilities, upon approval from management, e.g.:

  1. Access to production environment servers is restricted to authorized personnel who have been approved by the Head of IT Security.
  2. Developers do not have access to the production environment.
  3. Access to the Azure and AWS admin portals within the production environment requires two-factor authentication.
  4. A review of users and permissions within the different environments (web servers, database servers and administration application) is performed on a quarterly basis.

Access to system resources is protected through a combination of firewalls, VPNs, native operating system security, database management system security, application controls and intrusion detection monitoring software.

Where possible, strong password configuration settings are enforced, using operating system local policies. Enforced policies include forced password update, password history, minimum password character length, account lockout policy, and password complexity requirements.

New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed, and access is disabled when access is no longer required, or the infrastructure and software are no longer in use.

6. Measures for the protection of data during transmission

OnceHub is a “HTTPS only” platform. All data in transit is encrypted using TLS 1.2 and higher (depending on the client browser). In cases where HTTP is used, visitors are automatically redirected to a secure connection. These safeguards ensure that customer data is always encrypted in transit.

7. Measures for the protection of data during storage

See section 1 “Measures of pseudonymisation and encryption of personal data” and section 8 “Measures for ensuring physical security of locations at which personal data are processed”.

8. Measures for ensuring physical security of locations at which personal data are processed

OnceHub production systems are hosted in a cloud infrastructure provided by Microsoft Azure and Amazon AWS.

Physical access to data centers is strictly controlled by Microsoft and Amazon who comply with multiple security and privacy frameworks. Further details can be found on their respective Trust and Security web site pages.

Cloud infrastructure providers implement protection measures against environmental risks or disasters, with redundant internet uplinks, routing infrastructure, firewalls and network intrusion detection services. Performance is continually measured to ensure sufficient resources, and redundancy is built into the architecture of the environment.

9. Measures for ensuring event logging

OnceHub has implemented and configured monitoring tools and alert thresholds triggering notifications to appropriate personnel on production servers.

All machines are audited and logged for security and system events. Logs are automatically analysed and flagged using advanced threat analytics in the Azure Security Center. Audited events include, but are not limited to:

  1. User access;
  2. Changes to user permissions;
  3. Modification of sensitive files;
  4. System events;
  5. Windows policy changes.

A full audit of all database events is kept for the previous three months and monitored using the Azure advanced threat analytics system. Identified issues trigger notifications to the DevOps team, who then handle and escalate the issue appropriately. Logs are also manually cross-referenced periodically to ensure they are consistent with the expected behaviour of authorized users, processes and applications.

OnceHub uses a monitoring tool to check file integrity on its virtual machines. The monitoring dashboard is reviewed on a regular basis by the Information Security department.

OnceHub platform availability is continuously monitored, tracked and published on a public status page.

10. Measures for ensuring system configuration, including default configuration

Virtual machines are updated according to the OnceHub patching policy and hardened according to recommendations provided by Microsoft and Amazon.

OnceHub changes its production environment in response to evolving client and market needs. These changes include adding, removing or changing the configuration policies of existing servers and performing routine maintenance activities, software updates, and other infrastructure-related changes.

Infrastructure changes are documented within the issue tracking tool. Each request is reviewed and approved by the Director of Engineering and the Head of IT Security.

Fixes are applied as part of regular weekly maintenance slots (patches). Emergency changes are performed as hot fixes. Hot fixes follow the same process as described above but with a shorter timeframe.

Metric reports are regularly issued to the management team in order to provide them with key indicators regarding the change management process. Changes that may affect system security, availability, processing integrity or confidentiality related issues are reviewed on a regular basis.

11. Measures for internal IT and IT security governance and management

OnceHub Information Security and Privacy Program (ISPP)

OnceHub has appointed a Chief Information Officer with responsibility for maintaining and extending the OnceHub ISPP that outlines OnceHub’s approach to implementing and managing information and information technology security and privacy.

The Chief Information Officer is granted appropriate authority and backing from executive management to perform their role. The Chief Information Officer is suitably qualified and experienced and granted access to appropriate resources to ensure the integrity of the OnceHub ISPP.

The ISPP is reviewed and approved on an annual basis. The program ensures that security is managed competently and is reviewed periodically to ensure ongoing program improvement. Significant components of the ISPP include:

  1. Security, availability, and confidentiality requirements of users;
  2. Access rights, access restrictions, retention and destruction;
  3. Risk assessment;
  4. Preventing unauthorised access;
  5. Adding new users, modifying access levels, and removing users;
  6. Assigning responsibility for system availability, system changes & maintenance (including patch management), and confidentiality;
  7. Testing, evaluating and authorising system components before implementation;
  8. Secure Development Lifecycle;
  9. Complaint management and resolution;
  10. Identifying, responding to and mitigating security, availability and confidentiality breaches and other incidents;
  11. Employee training and resources to support system security policies;
  12. Identification of and consistency with applicable laws and regulations, defined commitments, and other contractual requirements;
  13. Third party vendor management;
  14. Recovering and continuing service in accordance with customer commitments or other agreements; and
  15. Monitoring system capacity.

Weekly management meetings are held to discuss operational and managerial matters and to announce new policies, procedures, controls and other strategic initiatives. Management retrospective meetings are performed on an as needed basis, in order to review incidents. In addition, policies and procedures are documented, reviewed and approved on an annual basis by the management team and available to OnceHub's employees.

12. Measures for certification/assurance of processes and products

OnceHub is audited annually for SOC 2 Type 2 compliance. The SOC 2 report outlines how OnceHub controls and processes uphold the trust service principles of security, confidentiality, privacy, availability, and processing integrity. Auditing of this report is conducted over a one year monitoring period for both suitability and effectiveness.

OnceHub is a PCI DSS level 1 service provider and is validated annually by an independent PCI Qualified Security Assessor.

13. Measures for ensuring data minimisation

The Controller has the sole and exclusive control over the adequacy, relevance and amount of personal data entered into OnceHub systems and managed by OnceHub as a Processor. No personal data other than that entered by the Controller is processed by OnceHub in its capacity as a Processor.

14. Measures for ensuring data quality

The Controller has the sole and exclusive control over the quality of data entered into OnceHub systems and managed by OnceHub as a Processor. The Controller has the ability to correct, update and delete all personal data entered into OnceHub software products.

OnceHub software uses data input rules to ensure that data is entered into OnceHub systems in an appropriate format where technically feasible.

15. Measures for ensuring limited data retention

The Controller has sole and exclusive control over the retention of personal data of data subjects entered into OnceHub systems. The Controller can manage the retention and deletion of personal data in OnceHub systems through administrative controls within OnceHub’s software applications.

16. Measures for ensuring accountability

OnceHub has appointed a Data Protection Officer who is responsible for managing and overseeing OnceHub’s privacy obligations.

The Data Protection Addendum and supporting processes and controls outlined in this Appendix enable the Controller to demonstrate compliance with the principles as set out in Article 5 of the GDPR.

17. Measures for allowing data portability and ensuring erasure

OnceHub manages customer’s personal information in accordance with the company’s data retention and destruction policies as documented in the Master Services Agreement.

Personal data of a data subject entered into OnceHub systems can be exported by the Controller through the application interface in a structured, commonly used and machine-readable format.

Personal data of a data subject can be deleted by the Controller through the OnceHub software application interface.

Upon the termination of a contract between the Controller and OnceHub, all data is deleted from OnceHub systems in accordance with the data retention and destruction provisions of the Master Services Agreement between the Controller and OnceHub.