
Idera Affiliates Data Processing Terms

(for the Customer-Facing DPA)

Details of Processing of Kiuwan Software, S.L.

  1. Address: –

    Calle de Velázquez, nº 157 - 1ª Plta, 28002 - Madrid Spain

  2. Type of Services provided by the Idera Affiliate involving the Processing of Customer Personal Data: –
    1. Kiuwan provides an end-to-end application security platform to bring objective data and facilitate informed decisions regarding the cost, effort, activity, quality, maintainability, efficiency, and dependencies of the company’s applications
  3. Data Protection Officer (DPO) Details: –

    VeraSafe, LLC, a Delaware limited liability company.

    [email protected]

  4. EU Data Protection Representative: –

    n/a

  5. UK Data Protection Representative: –

    VeraSafe United Kingdom Ltd.

    37 Albert Embankment London SE1 7TL United Kingdom

    Contact form: https://verasafe.com/public-resources/contact-data-protection-representative

  6. Subject matter and duration: –

    The subject matter and duration of the Processing of Customer Personal Data are set forth in the Main Agreement and all amendments, exhibits, schedules, task orders, addenda, SOWs, purchase orders and other documents associated therewith and incorporated therein.

  7. Nature and Purpose of Processing: –

    The nature and purpose of the Processing of Customer Personal Data are set forth in the Main Agreement and all amendments, exhibits, schedules, task orders, addenda, SOWs, purchase orders and other documents associated therewith and incorporated therein.

  8. Further Processing: –

    No further Processing of Customer Personal Data beyond the Processing necessary for the provision of the Services is allowed.

  9. Categories of Data Subjects: –

    Data subjects may include Customer’s representatives, such as employees, contractors, collaborators, partners. Data subjects may also include individuals attempting to communicate or transfer Customer Personal Data to users of the Services.

  10. Categories of Customer Personal Data: –

    The Categories of Customer Personal Data that Customer authorizes and requests that Kiuwan Processes include but are not limited to: Professional contact data of customer employees, temporary staff, trainees, apprentices (professional telephone number/email address, department affiliation).

  11. Special Categories of Customer Personal Data to be Processed (if applicable) and the applied restrictions to the Processing of these Special Categories of Customer Personal Data: –

    n/a

  12. Categories of third-party recipients to whom the Customer Personal Data may be disclosed or shared by Kiuwan: –

    Subprocessors; and other Idera Affiliates, if applicable.

  13. Frequency of the Transfer of Customer Personal Data: –

    The frequency of the transfer of Customer Personal Data is determined by the Customer. Customer Personal Data is transferred each time that the Customer instructs Kiuwan to Process Customer Personal Data.

  14. Maximum data retention periods, if applicable: –

    The retention period of the Customer Personal Data is generally determined by the Customer and is subject to the term of the DPA and the Main Agreement, respectively, in the context of the contractual relationship between Kiuwan and the Customer.

  15. The basic Processing activities to which Customer Personal Data will be subject include, without limitation: –

    Collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services to Customer in accordance with the terms of the Main Agreement.

  16. The following is deemed an instruction by the Customer to Kiuwan to Process Customer Personal Data: –
    1. Processing in accordance with the Main Agreement.
    2. Processing initiated by Data Subjects in their use of the Services.
    3. Processing to comply with other reasonable documented instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Main Agreement.
  17. List of Kiuwan’s Subprocessors available at https://www.ideracorp.com/Legal/Kiuwan/Subprocessors
  18. Description of technical and organizational security measures implemented by Kiuwan: –
    1. Measures of pseudonymization and encryption of Customer Personal Data:
      1. Encryption at rest within Kiuwan’s software applications using a minimum of AES-256.
    2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and services:
      1. Restriction of logical access to IT systems that Process transferred Customer Personal Data to those officially authorized persons with an identified need for such access;
      2. Active monitoring and logging of network and database activity for potential security events, including intrusion;
      3. Regular scanning and monitoring of any unauthorized software applications and IT systems for vulnerabilities of Kiuwan;
      4. Firewall protection of external points of connectivity in Data Importer’s network architecture;
      5. Expedited patching of known exploitable vulnerabilities in the software applications and IT systems used by Kiuwan;
      6. Key management/documentation of key issuance.
      7. Security Zones Concept
      8. Physical access control system, e.g. badge reader (magnetic/chip cards).
      9. Factory security / gatekeeper
      10. Security doors / security windows
      11. Door protection (electrical door opener, combination lock, etc.)
      12. Alarm system
      13. Video surveillance
      14. Special server room protection measures
      15. Locked filing cabinets
      16. Guideline for a tidy working environment
    3. Measures for ensuring the ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident:
      1. Backup procedures.
      2. Secured storage of backups.
    4. Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the Processing
      1. Management process for security incidents;
      2. Management process for incidents relevant to data protection;
      3. Definition of security requirements in crisis situations / emergencies;
      4. Comprehensive emergency plan incl. regular updating; and
      5. Regular execution and documentation of emergency tests.
    5. Measures for user identification and authorization:
      1. Appropriate authorization concepts:
        i. Responsibilities;
        ii. Task-related profiles and roles; and
        iii. Target role concept.
      2. User management process incl. approval procedure;
    6. Measures for the protection of data during transmission:
      1. Encryption of the transferred Customer Personal Data in transit using the Transport Layer Security (TLS) protocol version 1.2 or higher with a minimum of 128-bit encryption;
      2. Tunnelled remote data transfer connections (VPN = Virtual Private Network);
      3. SSL/TLS encryption;
    7. Measures for the protection of data during storage:
      1. Data is stored using a leading service that ensures high performance, scalability, availability and security by default; and
      2. Access is role based and reviewed regularly.
    8. Measures for ensuring physical security of locations at which Customer Personal Data are processed:
      1. Restriction of physical access to IT systems that Process transferred Customer Personal Data to those officially authorized persons with an identified need for such access;
      2. Users have a unique personal identifier;
      3. Separate user IDs for privileged authorizations;
      4. Passwords are generally not stored in plain text or transmitted unencrypted;
      5. Secure password procedures;
      6. Secure generation and transmission of initial and reset passwords;
      7. Automatic locking of the clients after time lapse without user activity (e.g. password-protected screen saver);
      8. Continuous software updates / patching (patch Management);
      9. Continuous vulnerability scans;
      10. Firewall, IDS/IPS; and
      11. Monitoring of remote maintenance access by service providers.
    9. Measures for ensuring events logging:
      1. Active monitoring and logging of network and database activity for potential security events, including intrusion.
      2. Usage of security/logging software;
      3. Processing of data in accordance with applicable legal requirements for information security;
      4. Logs are protected against unauthorized access (confidentiality);
      5. Logs are protected against unauthorized modification (integrity); and
      6. Logs are protected against loss (availability).
    10. Measures for ensuring system configuration, including default configuration:
      1. Applications use standard configurations and they are scanned against best practices and vulnerabilities.
    11. Measures for internal IT and IT security governance and management:
      1. Users are created with only required permissions and access roles;
      2. Permissions are reviewed and removed regularly.
    12. Measures for certification/assurance of processes and products:
      1. Kiuwan is SOC-2 Type 2 certified.
    13. Measures for ensuring data minimization:
      1. Data minimization is guaranteed during the design and implementation processes.
    14. Measures for ensuring data quality:
      1. Customer is responsible for data quality and accuracy since the data is provided by the Customer; and
      2. Form validations are made to validate some fields.
    15. Measures for ensuring limited data retention:
      1. Different policies can apply depending on the type of data.
    16. Measures for ensuring accountability:
      1. Documentation about how personal data is processed.
    17. Measures for allowing data portability and ensuring erasure:
      1. In-product feature to allow data portability that securely transmits the data structured in a readable format; and
      2. A formal Compliance process for deleting Customer Personal Data by making a support request.
    18. Other:
      1. Internal policies establishing that
        1. Where Kiuwan is prohibited by law from notifying Data Exporter of an order from a public authority for transferred Customer Personal Data, Kiuwan shall take into account the laws of other jurisdictions and use best efforts to request that any confidentiality requirements be waived to enable it to notify the competent Supervisory Authorities;
        2. Kiuwan must require an official, signed document issued pursuant to the applicable laws of the requesting third party before it will consider a request for access to transferred Customer Personal Data;
        3. Kiuwan shall scrutinize every request for legal validity and, as part of that procedure, will reject any request Data Importer considers to be invalid; and
        4. If Kiuwan is legally required to comply with an order, it will respond as narrowly as possible to the specific request.