DATA PROCESSING ADDENDUM

 

The Customer agreeing to these terms (“Customer”) and Invajo International AB, org. nr. 556737-5489, address Grev Turegatan 30, 114 38 Stockholm (“Invajo”) have entered into one or more Agreement(s) about the Invajo System (“The Service”) (each, as amended from time to time, the “Main Agreement(s)”).

 

This Data Processing addendum to the Main Agreement(s) including its appendices (the “Data Processing Addendum”) will, as from the Addendum Effective Date (as defined below), be effective and replace any previously applicable data processing agreement(s).

1.     BACKGROUND

1.1.   The Personal Data Act (1998:204) (Sw: Personuppgiftslagen, hereinafter “PUL”) and the General Data Protection Regulation 2016/679 (hereinafter “GDPR”) require a written agreement when data processors are to process Personal Data on behalf of a data controller. This Data Processing Addendum thus has the purpose of meeting the requirements pursuant to Section 30, second paragraph under PUL and the requirements pursuant to Articles 28-29 under GDPR on data processor agreements between a contractor and a processor. The Data Processing Addendum applies to all Personal Data processing performed by the Processor on behalf of the Controller.

1.2.   The Main Agreement is the agreement that governs what the Processor shall be responsible for and what duties the Processor should perform on behalf of the Controller. This Data Processing Addendum constitutes a supplementary agreement to the Main Agreement.

1.3.   In case of a conflict between the Main Agreement and the Data Processing Addendum, regarding the processing of Personal Data, the provisions of this Addendum shall prevail.

2.     DEFINITIONS

2.1.   The following terms are based on definitions under Article 4 GDPR.

      Addendum Effective Date means, as applicable: (a) 25 May 2018, if Customer clicked to accept or the parties otherwise agreed to this Data Processing Addendum in respect of the applicable Agreement prior to or on such date; or (b) the date on which Customer clicked to accept or the parties otherwise agreed to this Data Processing Amendment in respect of the applicable Agreement, if such date is after 25 May 2018.

      Agreement, refers to the service and/or product agreement(s) between the Customer and Invajo.

      Applicable data protection legislation, refers to Directive 95/46/EC of the European Parliament and of the Council, incorporated in Swedish law by the PUL, the Personal Data Ordinance (1998:1191), (Sw: Personuppgiftsförordning), and the GDPR with its implementing regulations. In the event of a conflict between the above-mentioned regulations, GDPR shall take precedence from 25 May 2018.

      Controller, refers to the one which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

      Data Subject, see the definition of Personal Data below.

      Personal Data, refers to any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

      Personal Data breach, refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed. 

      Processing, refers to any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

      Processor, refers to the one which processes Personal Data on behalf of the Controller.

      Special categories of Personal Data (sensitive data), refers to Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

      Standard data protection clauses, refers to the model clauses adopted by the European Commission or adopted by a supervisory authority and approved by the Commission (Article 46 c) – d) GDPR).

      Supervisory Authority, refers to an independent public authority. At the time of signing this Data Protection Addendum, the Swedish supervisory authority is the Data Protection Authority.

      Sub Processor, refers to the subcontractor employed by the Processor or by one of the Processor’s sub processors, which processes Personal Data on behalf of the Controller in accordance with the Controller’s instructions, terms and the terms of a written sub-processor agreement.

      Technical and Organisational Measures, refers to actions designed to protect Personal Data against accidental or illegal expulsion, accidental loss or change, unauthorised disclosure or unauthorised access, especially when the processing involves the transmission of data over a network and against any other form of illegal treatment.

3.     CONTROLLER’S OBLIGATIONS

3.1.   The Controller shall ensure that the Personal Data is only processed in accordance with applicable data protection legislation and other relevant laws.

3.2.   The Controller shall only provide the Processor with the necessary Personal Data for the purpose of the processing.

3.3.   The Controller is responsible for providing the Processor, without undue delay, with documents containing information regarding the purpose, nature, extent and duration of the processing, the categories of Data Subjects and other relevant instructions in order for the Processor to be able to fulfil its obligations under this Data Processing Addendum and applicable data protection legislation.

3.4.   The Controller is responsible for not providing the Processor with instructions that would entail unlawful processing and for ensuring that Personal Data is not processed for the purpose of promoting illegal activities. The Parties also agree that the Processor shall be held indemnified in the event such unlawful information is processed.

3.5.   The Controller shall, without undue delay, inform the Processor of changes in the processing that affect the Processor’s obligations. This includes changes resulting from third party actions as a result of the processing, such as by the Supervisory Authority or by the Data Subject.

4.     DATA PROCESSING

4.1.   Unless the Processor is required by law to process Personal Data for other purposes or means, the Processor may only process Personal Data in accordance with this Data Processing Addendum, applicable data protection legislation and the documented instructions of the Controller.

4.2.   The Processor may only process the Personal Data as instructed in Appendix 1 – Specification on the Processing of Personal Data.

4.3.   The Processor processes Personal Data as long as is necessary considering the purpose of the processing. The Processor shall enable the Controller to delete Personal Data at the end of the current term of the Main Agreement and the Processor shall delete Personal Data (including copies) on the Controller’s instructions in accordance with applicable data protection legislation. The Processor shall without undue delay follow these instructions from the Controller.

4.4.   The Processor shall take steps to ensure that any person who performs work under the supervision of the Processor and who has access to the Personal Data, only processes the Personal Data in accordance with the Controller’s instructions, unless otherwise required by Union law or member states’ national law.

4.5.   Access to the Personal Data shall be restricted to persons who need it in order to perform their obligations.

4.6.   The Processor shall, at no additional cost for the Controller, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia as appropriate:

a)     The pseudonymisation and encryption of Personal Data,

b)     the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services,

c)     the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident,

d)     a process for regularly testing, assessing and evaluating the effectiveness of the Technical and Organisational Measures for ensuring the security of the Processing.

4.7.   In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

4.8.   The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes on applicable data protection legislation. The Processor understands that the Processor is not required to provide legal advice to the Controller regarding the responsibilities of the Controller.

4.9.   In the event of a Personal Data Incident, or a high risk thereof, the Processor shall immediately inform the Controller, and provide the Controller with all necessary and accessible information that the Controller requires in order to take appropriate measures as well as in order to fulfil his obligations regarding the notification of Personal Data Incidents to the Supervisory Authority. The Processor shall instruct and coordinate any of its sub-processors in accordance with the Controller’s instructions at its own cost.

4.10.        The Processor shall, without undue delay and no later than fifteen (15) business days after the request of the Controller, provide access to the Personal Data it has in its possession and make requested rectifications, erasures, restrictions or transfers of the Personal Data. Necessary measures to prevent recovery of Personal Data shall be taken after the Controller or the Processor has deleted Personal Data.

4.11.        The Processor shall keep a record of all Personal Data processing performed on behalf of the Controller and shall provide a readable transcript of the record upon the Controller’s or competent Supervisory Authority’s request. The record shall at least contain the following information:

a)     the name and contact details of the Controller and, where applicable, the joint controller, the Controller's representative and the data protection officer;

b)     the purposes of the Processing;

c)     a description of the categories of Data Subjects and the categories of Personal Data;

d)     the categories of recipients to whom the Personal Data have been or will be disclosed;

e)     where applicable, transfers of Personal Data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49:1 GDPR, the documentation of suitable safeguards;

f)      where possible, the envisaged time limits for erasure of the different categories of Personal Data;

g)     where possible, a general description of the technical and organisational security measures taken.

5.     PURPOSE OF PROCESSING

5.1.   The purposes of the processing are set out in Appendix 1 – Specification on the Processing of Personal Data.

6.     TRANSFER OF PERSONAL DATA

6.1.   With respect to Personal Data that originates from Controllers established in the European Union and is Processed by Processor outside of the European Union, Processor shall ensure that it has taken appropriate steps to ensure Personal Data is Processed in accordance with applicable data protection laws. Controller shall execute such further documents and do any and all such further things as may be necessary to ensure that any international transfers and subsequent Processing of Personal Data by Processor, Processor’s affiliates or their Sub-processors is in compliance with applicable data protection laws. 

6.2.   In cases where the Processor transfers Personal Data to a country outside the European Economic Area ("EEA") and which the European Commission does not consider meets an adequate level of protection in relation to applicable data protection rules, the Parties shall conclude an additional agreement based on Standard Data Protection Clauses which the Processor is mandated to sign on behalf of Controller. Where applicable, the Processor shall, upon request, provide the Controller with a signed copy of such a supplementary agreement as referred to above.

7.     DATA SUBJECT’S RIGHTS

7.1.   The Processor will provide the Controller with electronic access to its technical environment which holds Personal Data to allow the Controller to fulfil its obligations to the Data Subject, such as the Data Subject’s right to information, access, data portability, objection (including objection to automated decision making), erasure, rectification, restriction of processing. If such electronic access is not feasible or practical, the Processor shall instead, to the extent permitted by applicable law, follow the Controller’s documented instructions to fulfil the responsibilities of the Controller under this paragraph.

7.2.   The Processor shall forward to the Controller all requests from a Data Subject to erase, rectify or block Personal Data, or any other requests relating to Personal Data processed under this Data Processing Addendum.

8.     SUB PROCESSOR

8.1.   Processor may engage third party sub-processors to assist in the provision of Services, and Controller authorises Processor to sub-contract Processing of Personal Data under this Data Processing Agreement to a third party provided that Processor shall be responsible for compliance by such Sub-processors with data protection obligations which are no less onerous than the data protection obligations of Processor contained within this Data Processing Agreement. 

8.2.   Upon Controller’s written request, Processor shall make available to Controller a current list of key sub-processors engaged by Processor to process Personal Data in connection with the provision of the Services.

8.3.   Controller may choose to “opt-in” to receiving email notifications of any proposed changes to key sub-processors engaged by Processor by sending an email to privacy@invajo.com requesting the opt-in. If Controller has a reasonable basis to object to Processor’s use of a new Sub-processor, Subscriber may terminate the Main Agreement and this Data Processing Agreement by providing written notice to Processor.

8.4.   For the avoidance of doubt, no refund will be due from Processor in the event of termination by Subscriber pursuant to Section 8.

8.5.   The Controller has the right to request, and receive, a copy of the agreements between the Processor and its Sub Processors. If an agreement contains confidential information, the Processor shall provide the Controller with a version where confidential information is masked.

9.     THE PROCESSOR’S OBLIGATIONS

9.1.   The Processor agrees to comply with applicable privacy laws and regulations. In the event that a Data Subject, Supervisory Authority or other third party requests information from the Processor regarding the Processing of Personal Data, the Processor shall refer them to the Controller. The Processor may only disclose Personal Data, or other information about the processing of Personal Data, on the explicit instruction from the Controller or as a result of mandatory national or union law.

9.2.   The Processor is not entitled to represent the Controller or act on behalf of the Controller to Data Subject, Supervisory Authority or other third party.

9.3.   The Processor is liable for damages that occur for the Controller as a result of this Data Processing Addendum from: (i) breach of, at any point in time, applicable Personal Data law, by the Processor’s own conduct or failure to act; (ii) negligence; and/or (iii) Processing of Personal Data which goes beyond the Controller’s instructions.

9.4.   The total liability of the Processor for damages under this Data Processing Addendum is limited, unless the Processor has demonstrated intent or gross negligence, to a sum amounting to the annual fee for the Service, which is delivered on behalf of the Controller under the Main Agreement.

10.  CONTROLLER’S INSTRUCTIONS

10.1.        During the terms of this Data Processing Addendum, the Controller may provide instructions to the Processor for the Processing of Personal Data in addition to what is specified in this Data Processing Addendum. The Processor will follow all such instructions in accordance with section 4.

10.2.        If an action requested by the Controller does not appear in the Main Agreement or this Data Processing Addendum (hereinafter "Additional Instructions"), the Processor is entitled to compensation from the Controller to follow his or her written instructions. Cost of Additional Instruction shall be approved by the Controller in advance.

10.3.        If the costs of meeting the Controller’s Additional instruction are unreasonable and disproportionate in relation to the service charge for the service under the Parties' Main Agreement, the Processor is entitled to terminate the Main Agreement and this Data Processing Addendum with thirty (30) days of notice.

11.   CONFIDENTIALITY

11.1.        The Processor agrees to not disclose or transfer any information regarding the processing of the Personal Data or any other information received under this Data Processing Addendum to any third party. The obligations stated in this section do not apply to: (i) information which a Party can show was known to the public at the time of reception; or (ii) information that a Party is issued to submit to an authority based on national or Union law.

11.2.        The Parties shall disclose Confidential information only to employees or subcontract personnel who need to know the Confidential information for their work in relation to the carrying out of the Main Agreement and/or this Data Processing Addendum.

11.3.        The Processor shall ensure that persons authorised to process Personal Data (employees, Sub Processor, consultants, or others) have undertaken to obey confidentiality or that they are subject to an appropriate statutory duty of confidentiality. The non-disclosure agreement with Sub Processors shall be displayed upon request from the Controller.

11.4.        The confidentiality obligation in this section 11 shall survive the Agreement.

12.  AUDIT CAPABILITY

12.1.        At the request of the Controller, the Processor shall provide the Controller with all information required to demonstrate that the Processor has fulfilled its obligations under this Data Processing Addendum, including a certificate of compliance with IT security requirements applicable to the services. The Controller may, by itself or by third party appointed by the Controller, review the Processor’s compliance to the terms of this Data Processing Addendum and the Main Agreement up to once a year. The Controller may carry out more frequent audits to the extent that there are special circumstances causing further control or if required by law. If a third party is to perform the audit, it must enter into a confidentiality agreement with the Processor before the audit is performed.

12.2.        In order to request an audit, the Controller must submit an audit plan at least two weeks before the proposed date of audit to the Processor, which describes the purpose of the audit, start date and expected extent and duration. The Processor shall review the audit plan and provide comments to the Controller in the event of any problems (for example, request for information that may endanger the Processor’s security, privacy or employment policies). The Controller will provide the Processor with a copy of all audit reports generated in connection with auditing carried out in accordance with this section. The Controller may only use the audit reports in order to comply with applicable laws and/or confirm compliance with the obligations under this Data Processing Addendum and the Main Agreement. Audit reports shall be treated as confidential information for the Parties under the terms of this Data Processing Addendum.

12.3.        All audits are made at the expense of the Controller. A request for the Processor to assist in an audit is considered a request for a separate service if such audit assistance requires different or additional resources. Before providing such audit assistance, the Processor must have the written consent of the Controller that the Controller agrees to pay any related charges for assistance provided.

13.  COLLABORATION OF THE PARTIES

13.1.        The Parties shall cooperate to achieve the purpose of this Data Processing Addendum. The Parties undertake to dedicate time and to provide the other Party with information on their development plans, strategies and cooperation to the extent necessary to achieve the purpose of this Data Processing Addendum.

14.  GENERAL DATA PROTECTION REGULATION

14.1.        On 25th May 2018, the GDPR will enter into force and the obligations and rights deriving from the Act shall also apply to this Data Processing Addendum.

14.2.        The Processor is obliged to cooperate with the Supervisory Authority on its own and upon request in addition to the terms of this Data Processing Addendum.

15.  COMPENSATION

15.1.        Unless specifically mentioned in this Data Processing Addendum, each Party shall carry their own costs relating to the processing of Personal Data in accordance with this Data Processing Addendum.

16.  TERM

16.1.        This Data Processing Addendum enters into force when the Main Agreement has been signed upon authorised signature of both Parties, and shall remain in force as long as the Processor processes Personal Data on behalf of the Controller based on the Main Agreement.

16.2.        The following Sections shall remain in force after termination of this Data Processing Addendum: Section 9.4 (Processor’s Obligations), 11 (Confidentiality), Section 16 (Term), Section 17 (Obligations after Termination of Agreement) and Section 18 (Applicable Law And Disputes).

17.   OBLIGATIONS AFTER TERMINATION OF AGREEMENT

17.1.        The Parties agree that the Processor and any Sub Processors, after the termination of the Main Agreement and, depending on what the Controller decides, shall within 90 days either return all the transferred Personal Data and copies thereof to the Controller, or permanently destroy all Personal Data, and in writing to the Controller attest to the destruction of all Personal Data.

17.2.        If return or destruction of the Personal Data, as described above, is not technically possible, or if the Processor has legal obligation to preserve the data after the termination of the Main Agreement, the Processor will confirm that he will preserve the confidentiality of the Personal Data, that he will not further process the Personal Data and that, if it is technically possible without unreasonable costs, he will anonymise the Personal Data in ways that render it impossible to recreate, as long as it does not violate any applicable laws.

18.  APPLICABLE LAW AND DISPUTES

18.1.        The Agreement shall be governed and interpreted by Swedish laws, without reference to the choice of law and conflict of law provisions thereof.

18.2.        Any dispute, controversy or claim in connection with this Data Processing Addendum shall be solved by mediation between the Controller and the Processor. The Parties shall be represented by each Party’s CEO or by another qualified and suitable representative as chosen by that Party’s CEO.

18.3.        If one of the Parties objects to Mediation or if the Mediation is terminated, the dispute shall be finally resolved in accordance with the Main Agreement.

18.4.        Any and all information disclosed during or otherwise in connection with the dispute procedure including the content of the award constitutes confidential information.

____________

This agreement is accepted by the Controller by electronic signature.


APPENDIX 1 – SPECIFICATION OF PROCESSING OF PERSONAL DATA

1.     INSTRUCTIONS

1.1.   Brief description of the Service and the purpose of the treatment

Enter all purposes for which personal data are to be processed by Invajo:

Invajo is a digital tool for event-planning with which Event Organisers (Customers) can invite potential Participants (end users) and/or accept their registration.

a)     Invajo Main Agreement – Invajo will process personal data to the extent it is required to provide the Service, as described in the Main Agreement, and to follow the Customer’s instructions, as provided in its use of the Service.

b)     Invajo Main Agreement – Invajo will process personal data to the extent it is required in order to provide the end users of the Service with adequate support functions.

 

1.2.   Categories of personal data

Specify the personal data to be processed by Invajo:

The Customer decides, at its sole convenience, which categories of personal data Invajo is to process, which may include:

    Address

    Birthdate

    Cookies

    Device Information

    Email address

    Employer

    Employment Identification number

    Employment Title

    Event location presence

    IP-address

    Name

    National Identification Number (Social Security Number)

    Nationality

    Passwords

    Phone number

    Pictures

    Sex

    Sound Recordings

    System Usage Data (behaviour)

    System Usage Location Data

    System Usage Timestamps

    User ID

    Vehicle Registration Number

The Customer is also given the option to use a Supplementary Service for ticket-sales through its use of the Service, in which the following categories of personal data are processed from the relevant Customer’s account holder:

    Birth date,

    Valid passport or driver’s license

    OR other as specified: _______________

 

Specify the special categories of personal data to be processed by Invajo (if any):

Invajo does not process special categories of personal data as part of the basic Service. Special categories of personal data are processed only on instruction of the Customer, at its sole convenience, and may include:

    Health information (Allergies, Special Diets)

    Biometrics

    Passport Number

    Political Views

    Race or Ethnic origin

    Religious views

    Sexual Orientation or preference

    Union Affiliation

    OR other as specified: _________________

Customer should notify Invajo when asking Invajo to process special categories of data.

1.3.   Categories of registered data subjects

Specify the categories of registered data subjects whose personal data the Supplier will process, and the scope.

The Customer decides, at its sole convenience, which categories of registered data subjects will be subject to processing, which may include:

    Event Organizers (System Users)

    Event Visitors (Attendees)

    Organizers Customer Leads (Invited Persons)

    Organizer Customers (Attendees)

    Organizers Employees or Contractors (Event Admins)

    System Users

 

1.4.   Processing activities (storage, administration, datasets that have been matched or combined, etc.)

Specify which processing activities will be performed by Invajo:

Invajo is the provider of the Service and processes personal information in accordance with the Customer’s instructions in the Main Agreement and this Specification, which includes the following activities:

    Adaptation

    Alignment

    Alteration

    Collection

    Combination

    Consultation (Troubleshooting, Support)

    Destruction

    Disclosure by Transmission

    Erasure

    Retrieval

    Storage

    Structuring

 

1.5.    Site for processing of personal data

Enter all countries where personal data may be stored and / or processed by the Supplier:

Personal data is processed by Invajo and its sub-processors in Sweden, The United Kingdom, Ukraine, The Netherlands, Germany and USA.

 

1.6.   Use in order to improve the Service

If the Supplier has the right to process personal data "For the purpose of developing and improving the Service", this shall be explicitly stated in the table below:

Personal data may be processed for the following activities for the purpose of developing and improving the Service (if any):

    Adaptation

    Alignment

    Collection

    Combination

    Consultation (Troubleshooting, Support)

    Destruction

    Disclosure by Transmission

    Erasure

    Retrieval

    Storage

    Structuring

 

Specification of the categories of personal data that may be used to improve services ordered by the Customer (e.g.: name, address):

    Cookies

    Device Information

    Email Address

    Employer

    Employment Title

    Event Location Presence

    IP-address

    Name

    Nationality

    Passwords

    Phone number

    Pictures

    System Usage Data (behaviour)

    System Usage Location Data

    System Usage Timestamp

    User ID

These personal data should be retrieved from the following treatments performed by the Supplier on behalf of the Customer (e.g.: backup, storage, troubleshooting)

    Collection

    Consultation (Troubleshooting, Support)

    Storage

And may only be used by the Supplier for the purpose of improving and / or developing the following types of services or categories of services ordered by the Customer (e.g.: Supplier's error handling process):

 

    Billing

    Compliance

    Consultation (Troubleshooting, Support)

    Customer Satisfaction

    Error handling

    Statistics

 

 

2.     SECURITY

Enter all organizational and technical security measures that are to be implemented by Invajo. Customer has a right to request specific documentation by contacting Invajo at privacy@invajo.com:

 

    Physical access control

    System Access Control

    Personal Data access Control

    Transfer Access Control

    Control of Entry of Personal Data

    Control of Availability

    Control of Separation

    Storage Policy

    Safety Policy

 

Invajo keeps the following policies for compliance:

      Acceptable Use Policy

      Backup and Retention Policy

      Change Management Policy

      Data Breach Response Policy

      Data Classification Policy

      Email and Electronic Use Policy

      Information Security Policy

      Privacy Policy

      Logging, Monitoring and Audit Policy

      Mobile Device Policy

      Password Policy

      Patch Management Policy

      Risk Assessment Policy

      Logical and Physical Separation of Production and Development areas.

 

 

2.1.   Physical access control

Measures that prevent unauthorized persons access to IT systems where processing of personal data occurs:

Invajo uses Digital Ocean as sub-processor and sole provider of services that store Customer collected Personal Data.

Digital Ocean has the following physical access controls in place:

      24/7 Physical security guard services

      Physical entry restrictions to the property and the facility

      Physical entry restrictions to our co-located data center within the facility

      Full CCTV coverage externally and internally for the facility

      Biometric readers with two-factor authentication

      Facilities are unmarked so as not to draw attention from the outside

      Battery and generator backup

      Generator fuel carrier redundancy

      Secure loading zones for delivery of equipment

 

2.2.   System access control

Measures to prevent unauthorized use of IT systems:

Invajo has access to the Customer’s data through an Admin interface that implements:

a)     Different levels of access to the system for every user, controlled and approved by management and implemented in our employees’ admin interfaces.

b)     Secure passwords are registered in accordance with our safety- and IT-policy, in which routines for following up on said policies are set.

Access to Customer’s data is based on the employee’s role and needs on a user level. This is achieved by logical safeguards in the system by which the user only has access to the data that is necessary in order to perform the work as required by their Role and as required in order to Deliver the Service as defined in the Main Agreement. When Customer’s collected Personal Data is accessed, full system logging demonstrating access to this data is applied, as well as logging of all changes made to personal data. This information is available to the Customer. These logs will follow Invajo’s Logging, Monitoring and Audit Policy and contain the following information:

      What activity was performed?

      Who or what performed the activity, including where or on what system the activity was performed from (subject)?

      What the activity was performed on (object)?

      When was the activity performed?

      What tool(s) was the activity performed with?

      What was the status (such as success vs. failure), outcome, or result of the activity?

Invajo staff need to actively log into the Customer’s environment, which is only done at the request of the Customer and per their strict instructions.

 

Invajo’s IT-operations and IT-security departments have access to Customer collected Personal data in order to reliably deliver the service in accordance with the Main agreement and this agreement and to comply with policies and regulations. Access is implemented with:

      Secure passwords, two-factor authentication and secure passphrases through secure encrypted SSH tunnels, registered in accordance with our safety- and IT-policy, in which routines for following up on said policies are set.

Customer may give access to their own environment by “inviting” Users to their account. No access is given unless a System User account is created for this User. Access can be revoked at any time.

 

2.3.   Personal data access control

Measures to ensure that persons authorized to use the IT system only have access to personal data restricted to the person's established authority:

Invajo has access to the Customer’s data through an Admin interface that implements:

c)     Different levels of access to the system for every user, controlled and approved by management and implemented in our employees’ admin interfaces.

d)     Secure passwords are registered in accordance with our safety- and IT-policy, in which routines for following up on said policies are set.

Access to Customer’s data is based on the employee’s role and needs on a user level. This is achieved by logical safeguards in the system by which the user only has access to the data that is necessary in order to perform the work as required by their Role and as required in order to Deliver the Service as defined in the Main Agreement. When Customer collected Personal Data is accessed, full system logging demonstrating access to this data is applied, as well as logging of all changes made to personal data. This information is available to the Customer. These logs will follow Invajo’s Logging, Monitoring and Audit Policy and contain the following information:

      What activity was performed?

      Who or what performed the activity, including where or on what system the activity was performed from (subject)?

      What the activity was performed on (object)?

      When was the activity performed?

      What tool(s) was the activity performed with?

      What was the status (such as success vs. failure), outcome, or result of the activity?

Invajo staff need to actively log into the Customer’s environment, which is only done at the request of the Customer and per their strict instructions.

 

Invajo’s IT-operations and IT-security departments have access to Customer collected Personal data in order to reliably deliver the service in accordance with the Main agreement and this agreement and to comply with policies and regulations. Access is implemented with:

      Secure passwords, two-factor authentication and secure passphrases through secure encrypted SSH tunnels, registered in accordance with our safety- and IT-policy, in which routines for following up on said policies are set.

Customer may give access to their own environment by “inviting” Users to their account. No access is given unless a System User account is created for this User. Access can be revoked at any time.

 

2.4.   Transfer access control

Measures to ensure that personal data cannot be read, copied, modified or deleted by electronic transmission or transfer or storage on storage devices without permission, and that recipients can be identified and verified when transfer of personal data is performed via electronic transmission:

All electronic transmissions are encrypted with SSL/TLS. No data is transferred unless the System User has logged into the Invajo system. All changes to personal data are logged, as well as extractions from the system in machine-readable formats, as defined in Invajo’s Logging, Monitoring and Audit Policy.

 

2.5.   Control of entry of personal data

Measures to ensure that it is possible to review and determine retroactively whether personal data has been entered, changed or deleted in the IT system and who has performed the activity:

All additions, changes or erasures of personal data are logged and monitored as per Invajo’s Logging, Monitoring and Audit Policy, and the log is provided to the Customer. The log will contain the following information:

      What activity was performed?

      Who or what performed the activity, including where or on what system the activity was performed from (subject)?

      What the activity was performed on (object)?

      When was the activity performed?

      What tool(s) was the activity performed with?

      What was the status (such as success vs. failure), outcome, or result of the activity?

 

2.6.   Control of availability

Measures to ensure that personal data are protected from accidental destruction or loss:

Backups of personal data are performed on a regular basis as defined in Invajo’s Backup and Retention Policy.

a)     A full system backup will be performed weekly. Weekly backups will be saved for a full month.

b)     The last full backup of the month will be saved as a monthly backup. The other weekly backup media will be recycled by the backup system.

c)     Monthly backups will be saved for one year, at which time the media will be reused.

d)     Yearly backups will be retained for five years and will only be run once a year at a predetermined date and time.

e)     Differential or Incremental backups will be performed daily. Daily backups will be retained for two weeks. Daily backup media will be reused once this period ends.

Backups are saved as defined above and verified (at least yearly) through the performance of a complete data restoration and by verifying the access and integrity of restored data. Backups are transmitted to a place separate from current data. Backups have the same safety levels as the original data. Invajo undertakes regular emergency planning to ensure that Invajo’s organization, personnel and systems are readily available for processing within a timeframe that corresponds to the agreed level of service.

 

2.7.   Control of separation

Measures to ensure that personal data collected for different purposes can be treated separately:

Personal data is categorized and stored according to the purpose of the processing and logically separated by “Event”. Access to the different personal data is logically separated at a System User Account level. To access Customer collected Personal Data, a User needs to actively log into that Customer’s environment. Access can be given to a System User Account to either the entire Customer environment or to a specific “Event”. Access can be revoked at any time.

 

2.8.   Storage Policy

Measures to ensure that personal data are deleted during and after the term of agreement when use is no longer necessary for the initial purpose:

Customers may specify the retention schedule for the data Invajo Processes on behalf of the Controller. If Controller fails to specify retention time, Invajo will erase or anonymise Personal Data six (6) months after it is deemed as inactive and no longer necessary to provide the service, unless hindered from doing so by law or technical limitations.

 

2.9.   Safety Policy

Provide the Supplier's internal security policy that applies to personal data processing, alternatively refer to website or other accessible platform, where the policy is available:

Invajo’s applicable security policies are provided to the Customer upon request sent to privacy@invajo.com

 

3.     PRE-APPROVED SUB-PROCESSORS

      Name              Location of processing (country)

      Sendgrid          USA
      Stripe            The United Kingdom
      Digital Ocean     Germany, The Netherlands, The United Kingdom
      CLX               USA
      Skrill            The United Kingdom
      Svea Ekonomi      Sweden
      Fort Knox         Sweden
      UAB Silnera       Latvia
      Beetroot          Ukraine