Idera Affiliates Data Processing Terms

(for the Customer-Facing DPA)

Details of Processing of Perspectium Corp.

1. Address: –

   10801 N. Mopac Expressway, Building 1, Suite 100, Austin, TX 78759

2. Type of Services provided by Perspectium involving the Processing of Customer Personal Data: –

   Perspectium is a data integration and synchronization tool offered as a SaaS solution for ServiceNow users. Perspectium Data Sync solutions automatically extract data from ServiceNow to enable analytics, backup/recovery, business intelligence, migrations, machine learning, and more - all without impacting application performance. Perspectium ServiceBond solutions are turn key eBonding applications that extend ServiceNow workflows into other ServiceNow instances, other enterprise applications, and third-parties – enabling true cross-application process execution delivered as a fully managed service.

3. Data Protection Officer (DPO) Details: –

   VeraSafe, LLC

   [email protected]

   100 M Street S.E., Suite 600, Washington, D.C . 20003 USA

4. EU Data Protection Representative: –

   VeraSafe Ireland Ltd.

   Unit 3D North Point House North Point Business Park New Mallow Road, Cork T23AT2P Ireland

   Contact form: https://verasafe.com/public-resources/contact-data-protection-representative

5. UK Data Protection Representative: –

   n/a

6. Subject matter and duration: –

   The subject matter and duration of the Processing of Customer Personal Data are set forth in the Main Agreement and all amendments, exhibits, schedules, task orders, addenda, SOWs, purchase orders and other documents associated therewith and incorporated therein.

7. Nature and Purpose of Processing: –

   The nature and purpose of the Processing of Customer Personal Data are set forth in the Main Agreement and all amendments, exhibits, schedules, task orders, addenda, SOWs, purchase orders and other documents associated therewith and incorporated therein.

8. Further Processing: –

   No further Processing of Customer Personal Data beyond the Processing necessary for the provision of the Services is allowed.

9. Categories of Data Subjects: –

   Data subjects may include Customer’s representatives, such as employees, contractors, collaborators, partners. Data subject may also include individuals attempting to communicate or transfer Customer Personal Data to users of the Services.

10. Categories of Customer Personal Data: –

    The Categories of Customer Personal Data that Customer authorizes and requests that Perspectium Processes include but are not limited to: Personal contact information such as full name, email address; details including employer name, job title, goods or services provided.

    Perspectium Integration Mesh (MBS) server, which is the only component hosted and managed by Perspectium, does not process any customer’s Scoped Data. The other two components (i.e. Perspectium’s ServiceNow app and Perspectium’s Agents/Meshlets) are installed on customer hosting servers, which are configured and managed by the customer.

11. Special Categories of Customer Personal Data to be Processed (if applicable) and the applied restrictions to the Processing of these Special Categories of Customer Personal Data: –

    n/a

12. Categories of third-party recipients to whom the Customer Personal Data may be disclosed or shared by Idera: –

    Subprocessors; and other Idera Affiliates, if applicable.

13. Frequency of the Transfer of Customer Personal Data: –

    The frequency of the transfer of Customer Personal Data is determined by the Customer. Customer Personal Data is transferred each time that the Customer instructs Perspectium to Process Customer Personal Data.

14. Maximum data retention periods, if applicable: –

    The retention period of the Customer Personal Data is generally determined by the Customer and is subject to the term of the DPA and the Main Agreement, respectively, in the context of the contractual relationship between Perspectium and the Customer.

15. The basic Processing activities to which Customer Personal Data will be subject include, without limitation: –

    Collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services to Customer in accordance with the terms of the Main Agreement.

16. The following is deemed an instruction by the Customer to Perspectium to Process Customer Personal Data: –
    1. Processing in accordance with the Main Agreement.
    2. Processing initiated by Data Subjects in their use of the Services.
    3. Processing to comply with other reasonable documented instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Main Agreement.
17. List of Perspectium’s Subcontractors: –

    Available at https://www.ideracorp.com/legal/Perspectium#tabs-2.

18. Description of technical and organizational security measures implemented by the Perspectium: –
    1. Measures of pseudonymization and encryption of Customer Personal Data:
       1. Encryption of the transferred Customer Personal Data in transit using the Transport Layer Security (TLS) protocol version 1.2 or higher with a minimum of 128-bit encryption;
       2. Encryption at rest within Perspectium’s software applications using a minimum of AES-128. Perspectium supports both AES-128 and AES-256 based on the customer requirements.
    2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and services:
       1. Restriction of logical access to IT systems that Process transferred Customer Personal Data to those officially authorized persons with an identified need for such access;
       2. Active monitoring and logging of network and database activity for potential security events, including intrusion;
       3. Regular scanning and monitoring of any unauthorized software applications and IT systems for vulnerabilities of Perspectium;
       4. Firewall protection of external points of connectivity in Data Importer’s network architecture; and
       5. Expedited patching of known exploitable vulnerabilities in the software applications and IT systems used by Perspectium.
    3. Measures for ensuring the ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident:
       1. RTO: 4 hours
       2. RPO: 12 hours
    4. Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of the Processing
       1. Software development security test performed daily.
       2. Software build vulnerability scans are performed daily.
       3. Application Penetration Tests are performed yearly.
       4. Internal security audit is performed yearly
       5. SOC 2 Type 2 Audit is performed yearly.
    5. Measures for user identification and authorization:
       1. Use IAM services from AWS and GCP
       2. User Access Policy established
       3. User Access are reviewed when one of the following events occurs:
          • Major change in organization structure
          • Major change in security architecture
          • Major attrition
          • Security incident
          • Twice a year
    6. Measures for the protection of data during transmission:
       1. Customer creates and manages encryption keys
       2. Customer encrypts data before transmission
       3. Data transmissions to Perspectium hosts are through secure HTTP with TLS 1.2 (only strong cipher suites accepted)
       4. Data transmissions within Perspectium infrastructure are through secure protocols.
       5. Customer Scoped Data stays encrypted throughout Perspectium infrastructure.
    7. Measures for the protection of data during storage:
       1. Customer Scoped Data stays encrypted at rest.
       2. No Perspectium employee has customer’s encryption keys.
       3. Access to network assets is restricted to a small Operations Team’s members.
    8. Measures for ensuring physical security of locations at which Customer Personal Data are processed:
       1. Restriction of physical to IT systems that Process transferred Customer Personal Data to those officially authorized persons with an identified need for such access.
    9. Measures for ensuring events logging:
       1. All systems and network assets are monitored 24x7. Alert rules are configured to create alert events for any anomaly or unauthorized activities. IDS/IPS service is setup for all critical network assets.
    10. Measures for ensuring system configuration, including default configuration:
        1. All systems and network assets are built by codes. Baseline default configurations are embedded in deployment codes.
        2. Code modifications must go through Perspectium standard Change Management Process.
    11. Measures for internal IT and IT security governance and management:
        1. IT/IS Security Policy and Procedure established.
        2. All IT personnel are required to complete yearly security and compliance training.
    12. Measures for certification/assurance of processes and products:
        1. SOC 2 type 2 Audit is performed yearly.
    13. Measures for ensuring data minimization:
        1. N/A. Perspectium does not collect, retain, or use any of Customer Scoped Data.
    14. Measures for ensuring data quality:
        1. N/A. Perspectium does not collect, retain, or use any of Customer Scoped Data.
    15. Measures for ensuring limited data retention:
        1. N/A. Perspectium does not collect, retain, or use any of Customer Scoped Data
    16. Measures for ensuring accountability:
        1. Each authorized access is unique and traceable.
        2. Authorized access is reviewed quarterly.
        3. System audit logs are retained for 4 months.
    17. Measures for allowing data portability and ensuring erasure:
        1. Customer Scoped Data is kept in encrypted universal text format.
        2. Once a transaction is completed (the data is processed and delivered to intended destinations) the Customer Scoped Data is deleted from Perspectium ephemeral storage (cloud storage).
    18. Other:
        1. Internal policies establishing that
           • Where Perspectium is prohibited by law from notifying Data Exporter of an order from a public authority for transferred Customer Personal Data, Perspectium shall take into account the laws of other jurisdictions and use best efforts to request that any confidentiality requirements be waived to enable it to notify the competent Supervisory Authorities;
           • Perspectium must require an official, signed document issued pursuant to the applicable laws of the requesting third party before it will consider a request for access to transferred Customer Personal Data;
           • Perspectium shall scrutinize every request for legal validity and, as part of that procedure, will reject any request Data Importer considers to be invalid; and
           • If Perspectium is legally required to comply with an order, it will respond as narrowly as possible to the specific request.