Idera Affiliates Data Processing Terms

(for the Customer-Facing DPA)

Details of Processing of Filestack, Inc.

1. Address: –

   10801 N. Mopac Expressway, Building 1, Suite 100, Austin, TX 78759

2. Type of Services provided by Filestack involving the Processing of Customer Personal Data: –
   1. Filestack powerful APIs enable developers to process content at scale and provide an off-the-shelf tech stack from uploading, transforming, understanding, and delivering content within applications and interfaces. Filestack’s low-code platform enables developers to build automated content processing and analysis that dramatically accelerates the development lifecycle. The company’s infrastructure powers billions of file uploads, transformations, and downloads every month for customers in a wide variety of industries, including ed-tech, e-commerce, crowdsourcing, and printing.
3. Data Protection Officer (DPO) Details: –

   VeraSafe, LLC

   [email protected]

   100 M Street S.E., Suite 600, Washington, D.C . 20003 USA

4. EU Data Protection Representative: –

   VeraSafe Ireland Ltd.

   Unit 3D North Point House North Point Business Park New Mallow Road, Cork T23AT2P Ireland

   Contact form: https://verasafe.com/public-resources/contact-data-protection-representative

5. UK Data Protection Representative: –

   VeraSafe United Kingdom Ltd.

   37 Albert Embankment London SE1 7TL United Kingdom

   Contact form: https://verasafe.com/public-resources/contact-data-protection-representative

6. Subject matter and duration: –

   The subject matter and duration of the Processing of Customer Personal Data are set forth in the Main Agreement and all amendments, exhibits, schedules, task orders, addenda, SOWs, purchase orders and other documents associated therewith and incorporated therein.

7. Nature and Purpose of Processing: –

   The nature and purpose of the Processing of Customer Personal Data are set forth in the Main Agreement and all amendments, exhibits, schedules, task orders, addenda, SOWs, purchase orders and other documents associated therewith and incorporated therein.

8. Further Processing: –

   No further Processing of Customer Personal Data beyond the Processing necessary for the provision of the Services is allowed.

9. Categories of Data Subjects: –

   Data subjects may include Customer’s representatives, such as employees, contractors, collaborators, partners. Data subject may also include individuals attempting to communicate or transfer Customer Personal Data to users of the Services.

10. Categories of Customer Personal Data: –

    The Categories of Customer Personal Data that Customer authorizes and requests that Filestack Processes include but are not limited to: Personal contact information such as full name, address, mobile number, email address; details including employer name, job title and function, identification numbers and business contact details; goods or services provided; IP addresses and interest data.

11. Special Categories of Customer Personal Data to be Processed (if applicable) and the applied restrictions to the Processing of these Special Categories of Customer Personal Data: –

    n/a

12. Categories of third-party recipients to whom the Customer Personal Data may be disclosed or shared by Idera: –

    Subprocessors; and other Idera Affiliates, if applicable.

13. Frequency of the Transfer of Customer Personal Data: –

    The frequency of the transfer of Customer Personal Data is determined by the Customer. Customer Personal Data is transferred each time that the Customer instructs Filestack to Process Customer Personal Data.

14. Maximum data retention periods, if applicable: –

    The retention period of the Customer Personal Data is generally determined by the Customer and is subject to the term of the DPA and the Main Agreement, respectively, in the context of the contractual relationship between Filestack and the Customer.

15. The basic Processing activities to which Customer Personal Data will be subject include, without limitation: –

    Collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services to Customer in accordance with the terms of the Main Agreement.

16. The following is deemed an instruction by the Customer to Filestack to Process Customer Personal Data: –
    1. Processing in accordance with the Main Agreement.
    2. Processing initiated by Data Subjects in their use of the Services.
    3. Processing to comply with other reasonable documented instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Main Agreement.
17. List of Filestack’s Subprocessors available at https://www.ideracorp.com/legal/filestack/subprocessors
18. Description of technical and organizational security measures implemented by the Filestack: –
    1. Measures of pseudonymization and encryption of Customer Personal Data:
       1. Customer creates and manages encryption keys. The AWS platform enforces the customer to maintain an encrytped password.
       2. Customer encrypts data before transmission.
       3. Data transmissions to Filestack hosts are through secure HTTP with TLS 1.2 (only strong cipher suites accepted)
       4. Data transmissions within Filestack infrastructure are through secure protocols.
       5. Customer Scoped Data stays encrypted throughout Filestack infrastructure.
       6. Customer Scoped Data stays encrypted at rest.
       7. No Filestack employee has customer’s encryption keys.
    2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and services:
       1. Restriction of logical access to IT systems that Process transferred Customer Personal Data to those officially authorized persons with an identified need for such access;
       2. Active monitoring and logging of network and database activity for potential security events, including intrusion;
       3. Regular scanning and monitoring of any unauthorized software applications and IT systems for vulnerabilities of Filestack;
       4. Firewall protection of external points of connectivity in Data Importer’s network architecture; and
       5. Expedited patching of known exploitable vulnerabilities in the software applications and IT systems used by Filestack.
    3. Measures for ensuring the ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident:
       1. RTO: 24 hours
       2. RPO: 12 hours
    4. Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the Processing
       1. Software development security test performed daily (using OWASP Orizon)
       2. Software build vulnerability scans are performed regularly.
       3. SOC 2 audit performed yearly (independent party)
       4. Application Penetration Tests are performed yearly (independent party)
       5. Internal security audit is performed yearly
    5. Measures for user identification and authorization:
       1. User Access Policy established
       2. User Access are reviewed when one of the following events occurs:
          1. Major change in organization structure
          2. Major change in security architecture
          3. Major attrition
          4. Security incident
          5. Twice a year
    6. Measures for the protection of data during transmission:
       1. Customer creates and manages encryption keys
       2. Customer encrypts data before transmission
       3. Data transmissions to Filestack hosts are through secure HTTP with TLS 1.2 (only strong cipher suites accepted)
       4. Data transmissions within Filestack infrastructure are through secure protocols.
       5. Customer Scoped Data stays encrypted throughout Filestack infrastructure.
    7. Measures for the protection of data during storage:
       1. Customer Scoped Data stays encrypted at rest.
       2. No Filestack employee has customer’s encryption keys
       3. Access to network assets is restricted to a small Operations Team’s members
    8. Measures for ensuring physical security of locations at which Customer Personal Data are processed:
       1. Filestack does not have data centers; all servers are hosted via AWS.
    9. Measures for ensuring events logging:
       1. All systems and network assets are monitored 24x7. Alert rules are configured to create alert events for any anomaly or unauthorized activities. IDS/IPS service is setup for all critical network assets.
    10. Measures for ensuring system configuration, including default configuration:
        1. All systems and network assets are built by codes. Baseline default configurations are embedded in deployment codes.
        2. Code modifications must go through Filestack standard Change Management Process.
    11. Measures for internal IT and IT security governance and management:
        1. IT/IS Security Policy and Procedure established.
        2. All IT personnel are required to complete yearly security and compliance training.
    12. Measures for certification/assurance of processes and products:
        1. Software build vulnerability scans are performed regularly.
        2. Application Penetration Tests are performed yearly (independent party).
        3. SOC 2 audit performed yearly (independent party)
        4. Internal security audit is performed yearly.
    13. Measures for ensuring data minimization:
        1. N/A. Filestack does not collect, retain, or use any of Customer Scoped Data.
    14. Measures for ensuring data quality:
        1. N/A. Filestack does not collect, retain, or use any of Customer Scoped Data.
    15. Measures for ensuring limited data retention:
        1. N/A. Filestack does not collect, retain, or use any of Customer Scoped Data.
    16. Measures for ensuring accountability:
        1. Each authorized access is unique and traceable.
        2. Authorized access is reviewed quarterly
        3. System audit logs are retained for 180 days.
    17. Measures for allowing data portability and ensuring erasure:
        1. Customer data is stored on AWS.
        2. Customers have the option of storing their data (documents, images, etc.) on the Filestack AWS servers. The contents of the data are determined by the customer (Filestack has no control over the contents of the files). The customer controls when data is deleted).
    18. Other:
        1. Internal policies establishing that
           1. Where Filestack is prohibited by law from notifying Data Exporter of an order from a public authority for transferred Customer Personal Data, Filestack shall take into account the laws of other jurisdictions and use best efforts to request that any confidentiality requirements be waived to enable it to notify the competent Supervisory Authorities;
           2. Filestack must require an official, signed document issued pursuant to the applicable laws of the requesting third party before it will consider a request for access to transferred Customer Personal Data;
           3. Filestack shall scrutinize every request for legal validity and, as part of that procedure, will reject any request Data Importer considers to be invalid; and
           4. If Filestack is legally required to comply with an order, it will respond as narrowly as possible to the specific request.