Data processing addendum
Effective September 1, 2022
This Data Processing Addendum (“DPA”) applies whenever it is incorporated by reference into the Master Services Agreement (“Agreement”) between you and Code42. Capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement.
1. Purpose and scope
To provide the Offerings to you under the Agreement, Code42 Processes Customer Data on your behalf and Customer Data may include Personal Data. This DPA reflects the parties’ agreement relating to the Processing of Personal Data in accordance with the requirements of Data Protection Laws. This DPA will control in the event of any conflict with the Agreement.
2. Definitions
2.1 “Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
2.2 “Data Protection Laws” means any applicable data protection laws and regulations applicable to the Processing of Personal Data under the Agreement, including the applicable laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States and its states.
2.3 “Data Subject” means the person to whom Personal Data relates.
2.4 “Personal Data” means any Customer Data that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, to an identified or identifiable person.
2.5 “Processing”, “Processes” or “Process” means any operation or set of operations performed upon Personal Data whether or not by automated means, such as collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
2.6 "Processor" means the entity that Processes Personal Data on behalf of the Data Controller.
2.7 “Standard Contractual Clauses” means the controller to processor standard contractual clauses for transfers of personal data to third countries which do not show an adequate level of data protection as approved by the European Commission decision 2021/914, dated 4 June 2021, incorporated herein by reference.
2.8 “Sub-processor” means Code42’s Affiliates or other third-party service providers that Process Personal Data for Code42.
3. Processing of Personal Data
3.1 Data Processing Roles. As between you and Code42, you are the Controller and Code42 is the Processor. You control the categories of Data Subjects and Personal Data Processed under the Agreement and provide such Personal Data to Code42 for business purposes only. Code42 has no knowledge of, or control over, the Personal Data that you provide for Processing. You are solely responsible for the accuracy, quality, and legality of the Personal Data and the means by which you acquired such Personal Data.
3.2 Data Processing Instructions. This DPA and the Agreement are your complete and final instructions to Code42 for the Processing of Personal Data. You and Code42 must agree on any additional or alternate instructions. Code42 will inform you if, in Code42's opinion, your instructions violate Data Protection Laws. Code42 will process Personal Data in accordance with the Agreement (including all documents incorporated in the Agreement), and to comply with other reasonable instructions you provide to Code42 where your instructions are consistent with the Agreement. Code42 will not sell Personal Data. Code42 will not collect, retain, use, or disclose Personal Data (A) for any purpose other than for the specific purpose set forth in the Agreement, or (B) outside the direct business relationship between you and Code42. Code42 will disclose Personal Data if required to do so by applicable law, in which case Code42 will inform you in advance unless Code42 is prohibited from doing so. Code42 certifies that it understands and will comply with the restrictions in this section 3 (Processing of Personal Data).
4. Rights of Data Subjects
4.1 Correction, Blocking and Deletion. If you do not have the ability to amend, block, or delete Personal Data as required by Data Protections Laws, you can provide written instructions to Code42 to act on your behalf. Code42 will follow your instructions to the extent technically feasible and legally permissible. You will pay Code42’s costs of providing this assistance if the assistance exceeds the services provided under the Agreement.
4.2 Data Subject Requests. If permitted, Code42 will promptly notify you of any request from a Data Subject for access to, correction, amendment or deletion of that Data Subject’s Personal Data. Code42 will not respond to any Data Subject request without your prior written consent, except to confirm that the request relates to you.
4.3 Cooperation and Assistance. Code42 will assist you to address any request, complaint, notice, or communication you receive relating to Code42’s Processing of Personal Data received from a Data Subject or any applicable data protection authority. Code42 will also assist you with your reasonable requests for information to confirm compliance with this DPA or to conduct a privacy impact assessment. You will pay Code42’s costs of providing assistance if the assistance exceeds the services provided under the Agreement.
5. Sub-processors
5.1 Authorization. You expressly authorize Code42 to engage Sub-processors to Process Personal Data to enable Code42 to perform specific services under the Agreement. You authorize Code42's use of the Sub-processors listed at: http://code42.com/r/support/dpa-subprocessors (“Sub-processor List”).
5.2 Requirements. Code42 has written agreements with its Sub-processors that contain data protection obligations substantially similar to Code42’s obligations under this DPA. Code42 is liable for any breach of this DPA caused by an act or omission of its Sub-processors.
5.3 Notice and Objection. Code42 will notify you of the engagement of any new Sub-processor, which the parties agree such notice may be given by Code42 updating the Sub-processor List. You can subscribe to receive email notification by emailing privacynotices@code42.com with the email address to which you want notification sent. If you subscribe, Code42 will notify you by email of new Sub-Processors before authorizing such Sub-processor(s) to process Personal Data. You have a right to reasonably object to Code42’s use of a new Sub-processor by notifying Code42 in writing within 10 business days after Code42 publishes notice of a new Sub-processor. If you do so, Code42 will use reasonable efforts to change the affected Software or Cloud Service, or recommend a commercially reasonable change to your configuration or use of the affected Software or Cloud Service, to avoid Processing of Personal Data by the new Sub-processor. If Code42 is unable to make or recommend such a change within a reasonable period of time, not to exceed 60 days, you may terminate only the Subscription Term for the Software and Cloud Service that Code42 cannot provide without using the new Sub-processor. You must provide written notice of termination to Code42 in accordance with the Agreement. Code42 will promptly refund you the fees applicable to the unused portion of the Subscription Term for the terminated Software and Cloud Services offering.
6. Security
6.1 Protection of Personal Data. Code42 maintains appropriate administrative, technical and organizational safeguards to protect Personal Data from unauthorized or unlawful Processing, from accidental loss, destruction, or damage. Code42’s safeguards are described in the Information Security Addendum available at https://support.code42.com/Terms_and_conditions/Legal_terms_and_conditions/Information_security_addendum.
6.2 Incident Management and Breach Notification. Code42 will notify you within 24 hours of becoming aware of a breach of Personal Data. To the extent known, the notice will include (A) a description of the nature of the Personal Data breach, including the categories and approximate number of your Data Subjects concerned and the categories and approximate number of your records concerned; (B) the name and contact details of a Code42 contact point for more information; (C) the measures Code42 is taking to address the breach, including measures to mitigate its possible adverse effects. You can find more information about Code42's incident response procedures in the Information Security Addendum.
6.3 Confidentiality. Code42 personnel engaged in the Processing of Personal Data are informed about the confidential nature of such Personal Data, receive appropriate training on their responsibilities and are subject to written agreements with confidentiality obligations that survive the termination of their relationship with Code42.
6.4 Limitation of Access. Code42 ensures that access to Personal Data is limited to those personnel who require access to perform the services under the Agreement.
6.5 Certifications and Audits. Code42 uses external auditors to verify the adequacy of its security measures. Such audits are performed at least annually by independent third party security professionals and result in the generation of a confidential audit report (“Audit Report”). Code42’s certifications and Audit Report are described in the Information Security Addendum.
6.6 Customer Audits. Code42 will provide you a copy of the Audit Report upon request so that you can reasonably verify Code42’s compliance with its obligations under this DPA. To the extent required by Data Protection Laws, Code42 will provide additional information and will allow and contribute to audits. You will provide written notice to Code42 to request an audit of the procedures relevant to Code42’s Processing of your Personal Data. The audit must be conducted during normal business hours and cannot unreasonably interfere with Code42’s day-to-day operations. You will conduct the audit at your own expense and reimburse Code42 for time spent on an on-site audit at Code42’s then current rates.
7. Return and deletion of Personal Data
Upon termination or expiration of your Subscription Term, or at any time upon your request, Code42 will delete your Personal Data in accordance with the Agreement. Code42 will provide a certificate of deletion upon request. The Software and Cloud Services allow you to retrieve Customer Data at any time prior to the end of a Subscription Term. Providing this functionality through the Software and Cloud Services during the Subscription Term satisfies any obligation of Code42 to return Personal Data.
8. Cross-border data transfers
8.1 Restricted Transfers. To the extent Code42’s Processing requires the transfer of Personal Data from the European Economic Area (“EEA”), Switzerland and/or the United Kingdom (“UK”) to a third country that does not ensure an adequate level of protection under Data Protection Laws (“Restricted Transfer”), the parties agree that the Standard Contractual Clauses are incorporated into this DPA and apply to the transfer as set forth in Sections 8.2, 8.3 and 8.4 below.
8.2 Transfers from the EEA. Where the Restricted Transfer is made from the EEA, the Standard Contractual Clauses apply as follows:
(A) Module Two applies where you are the Controller and Code42 is the Processor, and Module Three applies where both you and Code42 are Processors.
(B) Clause 7: The optional docking clause does not apply.
(C) Clause 8.9: The audit described in Clause 8.9 shall be carried out in accordance with Section 6.6 of this DPA.
(D) Clause 9(a): Option 2 (General written authorization) applies and the period for prior notice of changes to our sub-processors is set forth Section 5 of this DPA.
(E) Clause 11(a): The optional language does not apply.
(F) Clause 17: The Parties agree that the governing law shall be the law of Germany.
(G) Annex I of the Standard Contractual Clauses is completed with the information in Schedules A to this DPA. Annex II is completed with the information in Schedule 2 to this DPA, and Annex III is completed with the information in Section 5.1 of this DPA.
8.3 Transfers from Switzerland. Where the Restricted Transfer is made from Switzerland, the Standard Contractual Clauses apply as modified in Section 8.2 above, except:
(A) Clause 13: The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner if the Restricted Transfer is governed by the Swiss Federal Act on Data Protection (FDAP).
(B) References to ‘Member State’ refer to Switzerland and Data Subjects located in Switzerland may exercise and enforce their rights under the Standard Contractual Clauses in Switzerland.
(C) References to the General Data Protection Regulation (GDPR) refer to the FDAP, as amended or replaced.
8.4 Transfers from the UK. Where the Restricted Transfer is made from the UK, the Standard Contractual Clauses apply as modified in Section 8.2 above, subject to the following:
(A) The International Data Transfer Addendum to the Standard Contractual Clauses (“UK Addendum”) applies and is hereby incorporated by reference.
(B) Clauses 17 and 18: The laws and courts of England and Wales shall govern.
(C) The information provided in this Section 8, Schedule 1 and Schedule 2 provide the information required for completing the UK Addendum.
8.5 APEC Privacy Recognition for Processors. Code42 has obtained APEC Privacy Recognition for Processors (“PRP”) certification. Code42 will process Personal Data transferred from the APEC region in accordance with its PRP certification.
Schedule 1
A. List of Parties
Data exporter:
Name: The data exporter is the customer that is party to the Agreement with Code42 Software, Inc.
Address: The address associate with data exporter’s Code42 account or as otherwise specified in the DPA or Agreement.
Contact details: The contact details associated with the data exporter’s account, or as otherwise specified in the DPA or Agreement.
Activities relevant to the data transferred under the clauses: The activities specified in Section 3 of the DPA
Role (controller/processor): Controller
Data importer:
Name: The data importer is Code42 Software, Inc., a global provider of data security services.
Address: 100 Washington Avenue S, Suite 2000, Minneapolis, MN 55401, United States.
Contact details: privacy@code42.com.
Activities relevant to the data transferred under the clauses: The activities specified in Section 3 of the DPA.
Role (controller/processor): Processor
B. Description of the transfer
Categories of Data subjects
The categories of data subjects whose personal data may be processed include: data exporter’s employees, consultants, contractors, agents, prospects, customers, vendors, business partners and users authorized to use the Services; employees or contacts of third parties data exporter conducts business with.
Categories of personal data transferred
The personal data transferred may include the following categories of data: first and last name, employer, professional title, contact information (email, phone number, physical address), username, identification data (IP address, device ID) and any other personal data provided through the services; depending on the data exporter’s endpoint environment and naming conventions, data transferred may include personal data, such as that possibly found in a computer name, user name or file name.
Sensitive data transferred (if appropriate)
The personal data transferred may include sensitive personal data, the extent of which is determined and controlled solely by the data exporter, and which may include: racial or ethnic origin; political opinions, religious or philosophical beliefs; trade-union membership; genetic or biometric data; health data; and data concerning sex-life or sexual orientation.
Frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis)
Personal data is transferred in accordance with the data exporter’s instructions as described in Section 3 of the DPA.
Nature of the Processing
The personal data will be processed for purposes of providing the services as described in the Agreement.The personal data transferred may be subject to the following basic processing activities: cloud based storage, retrieval, erasure or destruction, disclosure by transmission, analysis and any other processing necessary to provide and improve the services pursuant to the Agreement; to provide technical support; and otherwise in accordance with the data exporter’s instructions or to comply with law.
Purpose(s) of the data transfer and further processing
To provide the Services under the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
The duration of processing will be as specified and in accordance with the published data retention policies under the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The personal data transferred may be disclosed to sub-processors of data importer solely as permitted by data importer to provide the services to data exporter under the Agreement, a current list of which is available at: https://support.code42.com/Terms_and_conditions/Compliance_resources/Code42_authorized_subprocessors
C. Competent supervisory authority
The data exporter’s competent supervisory authority will be determined in accordance with the General Data Protection Regulation.
Schedule 2
A description of the technical and organizational security measures implemented by the data importer to ensure the security of Customer Data. Any capitalized term not otherwise defined herein will have the meaning given in the Agreement.
1. Information Security Program
Code42 maintains a written security program appropriate to the nature, size and complexity of Code42’s business operations. The program complies with industry recognized information security frameworks, and includes administrative, technical and physical safeguards reasonably designed to protect the confidentiality, integrity and availability of Customer Data. The Code42 Chief Information Security Officer and security governance group continually review and update the security program policies, standards and operating procedures to ensure it retains relevancy and accuracy.
2. System and Network Security
a. Networks are logically segmented by Virtual Local Area Networks (VLANs) and firewalls monitor traffic to restrict access to authorized users, systems and services.
b. Firewall changes follow established processes and must be reviewed and approved.
c. Personnel access to Code42 systems and networks is based on job responsibility. Access is promptly disabled when no longer required.
d. Network perimeter defense solutions including an Intrusion Detection System (IDS) and firewalls are in place to monitor, detect, and prevent malicious network activity. Security personnel monitor items detected and take action as appropriate.
3. Server and Endpoint Security
a. An endpoint management solution tool is used to deploy end user devices and monitor software installed on endpoints.
b. Technology on Code42 workstations monitor for virus and malware infections. Endpoint devices are scanned in real-time. Virus definition updates are pushed to endpoint devices automatically.
c. Cloud servers are built using industry standard security configuration management tools to set and enforce server security configurations based on industry leading practices. Servers check in hourly for configuration updates.
d. Virtual servers are configured using a solution and adhere to the Code42 server security configuration requirements. Access to the solution is restricted to authorized individuals. Creation, modification, and removal of virtual servers requires appropriate authorizations.
4. User Access Controls
a. Code42 personnel are required to identify and authenticate to the network with their unique user ID and password. Access to the Code42 network is secured through VPN with two-factor authentication. Password requirements are defined and enforced via a password tool.
b. Access to cloud systems is restricted to authorized individuals. Baseline password requirements for these systems are that passwords must:
i. Be at least 14 characters in length
ii. Complexity rule – contain 3 of the 4 (uppercase, lowercase, numbers, non-alphabetic characters)
iii. Expire every 60 days
c. Code42 enforces the rule of least privilege by requiring application, database, network and system administrators to restrict user access to only that needed to perform authorized functions. Successful and unsuccessful login attempts are logged.
d. Code42 performs audits of administrator access to confidential and restricted systems, including the cloud production environment, on a regular basis. Any access by personnel who no longer require access based on job role is removed promptly.
e. Customers are required to enter a unique account user ID and a password to access the Code42 System. The Code42 system includes additional security configuration settings within the application, including MFA for administrator console access and integration with customer-specified authentication solutions.
5. Physical Security
Access to data centers is granted by job responsibilities and is removed or changed as part of the separation and internal job transfer processes. Code42 evaluates the physical security controls and assurance reports of data centers at least annually. The impact of any issues identified is assessed and remediated by the security team.
6. Storage and Transmission Security
a. Industry-standard encryption technologies are used for data contained within, accessed by, or transmitted through the Code42 system. Customer data is encrypted using AES 256-bit encryption.
b. Encryption keys are stored and transferred securely during the sign-in process using industry standard encryption technology.
c. Customer file data transmitted to Code42 is MD5 check-summed at multiple points after encryption at the source to provide destinations the ability to detect tampering or corruption.
d. Code42 has implemented a secure web-based data transfer tool used to encrypt and send data between customers and Code42 during customer support.
7. Monitoring and Logging
a. Code42 monitors server, storage, and network devices on a real-time basis for operational performance, capacity, and availability metrics. System dashboards are configured to alert when pre-defined thresholds are exceeded.
b. Incident management and escalation procedures exist to address system issues, problems and security-related events, in a timely manner. Incidents are logged, prioritized, and resolved based on established criteria and severity levels.
c. Code42 utilizes a security information event monitoring (SIEM) system to pull real-time security log information from servers, firewalls, routers, intrusion detection system devices, end users, and administrator activity. The SIEM is configured for alerts and monitored on an ongoing basis. Logs contain details on the date, time, source, and type of events and are reviewed by the security team.
8. Software and Application Security
a. Code42 has established a Software Development Life Cycle (SDLC) process to govern the acquisition, development, implementation, configuration, maintenance, modification, and management of infrastructure and software components.
b. Code42 utilizes a code versioning control system to maintain the integrity and security of the application source code.
c. Product releases undergo various levels of review and testing based on change type, including security and code reviews, regression, and user acceptance testing prior to approval for deployment.
d. Monthly internal and external vulnerability scans are conducted using industry-recognized vulnerability scanning tools. Identified vulnerabilities are evaluated and remediated to address the associated risk(s).
e. External application penetration tests are conducted by an independent third party at least annually. Critical findings from these tests are evaluated, documented and remediated.
9. Instructions to Personnel
a. All personnel sign a confidentiality agreement as part of their employment contract.
b. All personnel are required to complete security training upon hire and on an annual basis. Security training includes, at a minimum:
i. Security education and communications.
ii. General and role-specific security training.
iii. Ongoing phishing tests.
iv. Instructions on how to report security incidents.
v. Responsibilities regarding data privacy and security.
c. Upon hire and annually thereafter, all personnel must review and acknowledge the security program policies, standards, and operating procedures related to security, availability, processing integrity and confidentiality.
10. Ensuring Availability
a. To meet customer availability commitments, future processing demand is forecasted, compared to projected capacity demand and reviewed weekly and evaluated by the Cloud Operations department for corrective actions, if needed.
b. Weekly maintenance windows exist for both system maintenance (Code42 cloud infrastructure) and release maintenance (new features, enhancements, and fixed to Code42 products). Details for scheduled maintenance and any disruption of service are posted on the Code42 status page.
c. A customer critical response meeting is conducted daily to monitor and review any critical or system performance issues that may impact customers.
d. Code42 maintains a business continuity plan and a disaster recovery plan to manage significant disruptions to Code42 operations and infrastructure. The plans are updated as needed, but at least annually, and approved by the Chief Information Security Officer.
11. Certifications and Assessments
Code42 conducts third party audits to attest to various frameworks including ISO 27001, SOC2 Type 2, and application penetration testing.
12. Data Storage and Erasure
During your subscription, Customer Data is retained for the period described in the Documentation. All Customer Data is permanently deleted within 90 days of termination or expiration of a subscription in accordance with industry recognized standards for data destruction.
13. Sub-processor Compliance
Code42 has an established process to assess and manage third party sub-processors. All sub-processors are contractually obligated to comply with the security requirements established in this Annex, or in any event, requirements that are substantially similar or equivalent. The security team performs a security review of sub-processors during an onboarding process and at least annually thereafter.