HOME/ DATA PROTECTION ADDENDUM
Data Protection Addendum
Last Updated: September 2019
1.1 For the purposes of this DPA:
“Traxroot” means the company Traxoid Automations Pvt Ltd.
“Traxroot Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with Traxroot. “Control,” for purposes of this definition, means direct or indirect ownership or control “Traxroot” means the company Traxoid Automations Pvt Ltd.of more than 50% of the voting interests of the subject entity;
“Customer Personal Data” means any Personal Data subject to Data Protection Laws contained in Customer Data that the Customer provides or has made available to Traxroot and is Processed by Traxroot on Customer’s behalf pursuant to the Agreement;
“Privacy Laws” or “Data Protection Laws” means the EU General Data Protection Regulation (EU 2016/679) (“GDPR”) and any applicable national legislation which supplements it.
“Security Directives” means all agreed applicable security requirements and security instructions and their updates applicable at each time and described in Appendix 1.
The terms “data controller“, “data processor“, “data subject“, “personal data” “processing” and “appropriate technical and organisational measures” shall have the meanings given to them under applicable Privacy Laws.
2. Role of the Parties
2.1 The Parties understand that for the provision of the Services a distinction is made between two types of processing of personal data: (i) the provision of platform services (i.e. the database of call data records and the logs created and managed by Traxroot on behalf and under the supervision of Customer) for which Traxroot will act as a data processor and agrees to comply with the respective obligations set out in Clause 3 – 11, and (ii) the transmission of messages by Traxroot and other Service Providers for which Traxroot will act as a data controller and agrees to comply with the respective obligations set out in Clause 13.
3. Subject matter, nature and purpose of Traxroot’s processing of personal data
3.1 As between the parties, Traxroot acts as a Processor of the Customer Personal Data on Customer’s behalf. As a Processor, Traxroot will:
3.1.1 Process Customer Personal Data in accordance with this Addendum (including, without limitation, Appendix 1), Documentation and/or Customer’s documented instructions as set forth in the Agreement, or as otherwise required by applicable law to which Traxroot is subject (the “Customer Instructions”). If Traxroot is required by applicable Union and Member State law to Process Customer Personal Data other than in accordance with the Customer Instructions, Traxroot will to the extent permitted by applicable Union and Member State law inform the Customer of that legal requirement before such Processing, unless that law prohibits such information on important grounds of public interest.
3.1.2 Not be responsible for obtaining consent, authorization, approval, agreement as may be required under applicable laws or policies, or for providing notices with regard to Customer Personal Data, in order to enable Traxroot to receive and Process the Customer Personal Data in accordance with the Agreement. It will be the Customer's sole responsibility for the accuracy, quality and legality of the Customer Personal Data, the means by which it acquires and uses the Customer Personal Data, and for the Customer Instructions regarding the Processing of Customer Personal Data. Customer shall ensure that its acts or omissions, including its Customer Instructions, do not put Traxroot in breach of any applicable laws or regulations. Where Traxroot believes that an instruction would be in breach of applicable Union or Member State data protection provisions, Traxroot shall notify Customer of such belief without undue delay. Traxroot shall be entitled to suspending performance on such instruction until Customer confirms or modifies such instruction.
4.1 The term of the Agreement plus the period from the expiry or termination of the Agreement until deletion of all Customer Data by Traxroot in accordance with the Agreement. Specific Customer Personal Data may have specific data retention and deletion policies in place (e.g., data points from wireless devices utilized by the customers located in the EEA, which is uploaded to the Hosted Software have a six months retention policy and deletion schedule in place as a default setting; which the Customer accepts, which can be amended due to Customer requirements).
5. Type of personal data processed
5.1 Personal Data relating to individuals provided to Traxroot via the Products, by (or at the direction of) Customer or by any employee or end user of the Customer which include, without limitation, names, contact information (e.g., company, email, address, telephone number), ID data, connection data, location data, profile pictures, and images and video captured by the Products (e.g., images of individuals inside a vehicle operating a dash cam, and other information capable of identifying individuals from such imagery e.g., vehicle registration and license plates, signposts for buildings, houses and other landmarks).
6. Type of data subjects
6.1 The Customer may submit personal data to the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to personal data relating to the following categories of data subject:
Customers, business partners and vendors of the Customer (who are natural persons)
Employees of contact persons of the Customer’s customers, business partners and vendors
Employees, agents, advisers, freelancers of the Customer (who are natural persons)
Customer’s Service user including any user of the Services, which Customer permits using the Services
7. Technical and organisational measures
7.1 Traxroot has implemented and maintains appropriate technical and organizational measures in accordance with Article 28, 3 (c) and Article 32 in particular in relation with Article 5, 1 and 2 GDPR. Such measures include but not limited to physical and IT measures, and organizational measures to protect personal data processed against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. Such measures, as described in the Security Directives, and provide a level of security that is appropriate to the risks of the processing having regard to:
i) the state of the art technology;
ii) the costs of implementation;
iii) the nature, scope, context and purposes of processing, including the type of personal data; and
iv) risk for the rights and freedoms of natural persons that personal data relate to.
7.2 The Technical and Organisational Measures are subject to technical progress and further development. In this respect Traxroot may implement alternative adequate measure, however, the security level of the defined measures must never be reduced. Major changes must be documented.
8. Quality assurances and other duties of Traxroot
8.1 Traxroot shall comply with the mandatory requirements referred to in Articles 28 to 33 GDPR, and ensures in particular compliance with the following requirements:
a) Appoint a data protection officer, who performs his/her duties in compliance with Articles 38 and 39 GDPR. The data protection officers contact details are available at Traxroot web page.
b) Confidentiality in accordance with Article 28, 3 (b), Articles 29 and 32 (4) GDPR. Traxroot entrusts only such employees with the data processing outlined in this contract who have been bound to confidentiality and have previously been familiarized with the data protection provisions relevant to their work. Traxroot and any person acting under its authority who has access to personal data, shall not process that data unless on instructions from the Customer, which includes the powers granted in this Amendment, unless required to do so by Privacy Laws.
c) At the Customer’s cost and expense and taking into account the nature of the processing and the information available to Traxroot, provide such information and assistance as the Customer may reasonably require and within the timescales reasonably specified by the Customer to assist the Customer to comply with its obligations under applicable Privacy Laws which may include assisting the Customer to:
i) notify the Customer of any request Traxroot receives for a data subject relating to personal data processed;
ii) comply with its security obligations;
iii) discharge its obligations to respond to requests relating to the exercise of Data Subject rights including right of access, right to rectification, right to erasure (“right to be forgotten”) right to restriction of processing (to the extent that personal data is not accessible to the Customer through the Services);
iv) carry out Data Protection Impact Assessment and audit Data Protection Impact Assessment compliance and consult with the supervisory authority following Data Protection Impact Assessment.
d) Unless prohibited by applicable law or a legally binding request of law enforcement, Traxroot shall promptly notify the Customer of any request by, any government official, data protection supervisory authority or law enforcement authority in respect of any personal data;
e) Traxroot shall periodically monitor the internal processes and the Security Directives to ensure that processing within Traxroot area of responsibility is in accordance with the requirements of Privacy Laws and the protection of the rights of the data subject.
9.1 Customer authorizes each Traxroot affiliates, as well as such other third parties noted in Documentation, to be sub-processors (each a “Subprocessor”). Traxroot may disclose Customer Personal Data to its Subprocessor for the purposes of providing the Products provided that Traxroot will impose substantially similar obligations on its Subprocessors regarding the security and confidentiality of Customer Personal Data as those set forth in this Addendum to meet the requirements of Data Protection Laws.
9.2 Customer shall be entitled to contradict any change of Subprocessors as notified by Traxroot from time to time within thirty (30) calendar days of such notification, and only for materially important reasons. Where Customer fails to contradict such change within such period of time, Customer shall be deemed to have consented to such change. Where a materially important reason for such contradiction exists and is provided in writing to Traxroot, and failing an amicable resolution of this matter by the parties (each party acting reasonably and in good faith), Customer shall be entitled to terminate the Agreement by providing written notice to Traxroot.
9.3 Traxroot will remain responsible for the acts or omissions of Subprocessors to the same extent required by Data Protection Laws as if the acts or omissions were performed by Traxroot “Subprocessor Liability”), and shall be permitted to re-perform or to procure the re-performance of any such obligations and Customer acknowledges and accepts that such re-performance shall diminish any claim that Customer has against Traxroot in respect of any Subprocessor Liability.
10. Audits and inspections
10.1 In the event that the Customer, a regulator or data protection authority requires additional information or an audit related to the Services, then, Traxroot agrees to submit its data processing facilities, data files and documentation needed for processing personal data to audit by the Customer (or any third party such as inspection agents or auditors, selected by Customer) to ascertain compliance with this DPA, subject to being given reasonable notice and compliance with Traxroot’s Security Directives and the auditor entering into a non-disclosure agreement directly with Traxroot. Traxroot agrees to provide reasonable cooperation to Customer in the course of such operations including providing all relevant information and access to all equipment, software, data, files, information systems, etc. used for the performance of Services, including processing of personal data. Such audits shall be carried out at the Customer’s cost and expense.
11. Notification of a data breach
11.1 In the event of Traxroot aware of any breach of security that results in the accidental, unauthorised or unlawful destruction or unauthorised disclosure of or access to personal data Traxroot shall, among other things:
a) Notify the Customer in writing immediately but not later than 24 hours after becoming aware of the breach of security
b) Assist the Customer with regard to the Customers obligation to provide information to the data subject and to provide the Customer with relevant information in this regard
c) Support the Customer in consultations with data protection authority.
11.2 To the extent legally possible, Traxroot may claim compensation for support services under this clause 10 which are not attributable to failures on the part of Traxroot.
11.3 Customer shall retain all rights, copyright or other intellectual property rights, title and interest to any and all personal data, including all rights relating to databases. Traxroot understands and agrees that such personal data constitutes Customer proprietary and Confidential Information.
11.4 Traxroot understands and agrees that such personal data constitutes Customer proprietary and Confidential information.
12. Deletion and return of personal data
12.1 Upon expiration of the Agreement or in the event of early termination for any reason whatsoever, Traxroot and its subcontractors shall promptly provide to Customer all personal data held by them for the duration of the Agreement for the performance of the Services. Upon Customer’s request, Traxroot will destroy copies of personal data held in its systems and confirm this to Customer in writing unless required to keep certain personal data in order to comply with applicable laws.
13. Traxroot’s obligations as Data Controller
14. Customer’s obligations
14.1 The Customer shall comply at all times with applicable Privacy Laws in relation to the processing of personal data in connection with the Agreement and the Services.
15. Limitation of liability
15.1 Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA whether in contract, tort or under any other theory of liability, is subject to the Limitation of Liability section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and this DPA.
Appendix 1 to the data protection addendum
Description of the technical and organizational measures implemented by Traxroot:
Traxroot shall implement the measures described in this appendix, provided that the measures directly or indirectly contribute or can contribute to the protection of personal data under the agreement concluded between the Parties for the processing of data. If Traxroot believes that a measure is not necessary for the respective Service or part thereof, Traxroot will justify this and come to an agreement with the Customer.
The technical and organisational measures are subject to technical progress and development. In this respect Traxroot is permitted to implement alternative adequate measures. The level of security must align with industry security best practice and not less than, the measures set forth herein. All major changes are to be agreed with the Customer and documented.
1. Risk management
1.1 Security risk management
a. Traxroot shall identify and evaluate security risks related to confidentiality, integrity and availability and based on such evaluation implement appropriate technical and organizational measures to ensure a level of security which is appropriate to the risk.
b. Traxroot shall have documented processes and routines for handling risks within its operations.
c. Traxroot shall periodically assess the risks related to information systems and processing, storing and transmitting information.
1.2 Security risk management for personal data
a. Traxroot shall identify and evaluate security risks related to confidentiality, integrity and availability and based on such evaluation implement appropriate technical and organizational measures to ensure a level of security which is appropriate to the risk of the specific personal data types and purposes being processed by Traxroot, including inter alia as appropriate:
(i) The pseudonymisation and encryption of personal data
(ii) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
(iii) The ability to restore the availability and access to the Customer’s Data in a timely manner in the event of a physical or technical incident
(iv) A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
b. Traxroot shall have documented processes and routines for handling risks when processing personal data on behalf of the Customer.
c. Traxroot shall periodically assess the risks related to information systems and processing, storing and transmitting personal data.
2. Information security policies
2.1 Traxroot shall have a defined and documented information security management system (ISMS) including an information security policy and procedures in place, which shall be approved by Traxroot’s management. They shall be published internally within Traxroot´s organization and communicated to relevant Traxroot Personnel.
2.2 Traxroot shall periodically review Traxroot’s security policies and procedures and update them if required to ensure their compliance with the Security Directives.
3. Organization of information security
3.1 Traxroot shall have defined and documented security roles and responsibilities within its organization.
3.2 Traxroot shall appoint at least one data protection officer who has appropriate security competence and who has an overall responsibility for implementing the security measures under the Security Directives and who will be the contact person for the Customer’s security staff. .
4. Human resource security
4.1 Traxroot shall ensure that Traxroot personnel handles information in accordance with the level of confidentiality required under the Agreement.
4.2 Traxroot shall ensure that relevant Traxroot personnel is aware of the approved use (including use restrictions as the case may be) of information, facilities and systems under the Agreement.
4.3 Traxroot shall ensure that any Traxroot personnel performing assignments under the Agreement is trustworthy, meets established security criteria and has been, and during the term of the assignment will continue to be, subject to appropriate screening and background verification.
4.4 Traxroot shall ensure that Traxroot personnel with security responsibilities is adequately trained to carry out security related duties.
4.5 Traxroot shall provide or ensure periodical security awareness training to relevant Traxroot personnel. Such Traxroot training shall include, without limitation:
a. How to handle customer information security (i.e. the protection of the confidentiality, integrity and availability of information);
b. Why information security is needed to protect customers information and systems;
c. The common types of security threats (such as identity theft, malware, hacking, information leakage and insider threat);
d. The importance of complying with information security policies and applying associated standards/procedures;
e. Personal responsibility for information security (such as protecting customer’s privacy-related information and reporting actual and suspected data breaches).
5. Access control
5.1 Traxroot shall have a defined and documented access control policy for facilities, sites, network, system, application and information/data access (including physical, logical and remote access controls), an authorization process for user access and privileges, procedures for revoking access rights and an acceptable use of access privileges for Traxroot personnel in place.
5.2 Traxroot shall have a formal and documented user registration and de-registration process implemented to enable assignment of access rights.
5.3 Traxroot shall assign all access privileges based on the principle of need-to-know and principle of least privilege.
5.4 Traxroot shall use strong authentication multi-factor) for remote access and users connecting from an untrusting network.
5.5 Traxroot shall ensure that Traxroot Personnel has a personal and unique identifier (user ID), and use an appropriate authentication technique, which confirms and ensures the identity of users.
6.1 Traxroot shall ensure proper and effective use of cryptography on information classified as confidential and secret (such as personal data).
6.2 Traxroot shall protect cryptographic keys.
7. Physical and environmental security
7.1 Traxroot shall protect information processing facilities against external and environmental threats and hazards, including power/cabling failures and other disruptions caused by failures in supporting utilities. This includes physical perimeter and access protection.
7.2 Traxroot shall protect goods received or sent on behalf of the Customer from theft, manipulation and destruction.
8. Admissing to the Customer’s premises and the Customer’s leased premises
8.1 Traxroot’s admission to the Customer’s premises and property (such as datacenter buildings, office buildings, technical sites) is subject to the following:
(i) Traxroot shall follow local regulations (such as regulations for “restricted areas”) for the Customer’s premises when performing the assignments under the Agreement;
(ii) Traxroot personnel shall carry ID card or a visitor’s badge visible at all times when working within the Customer’s premises;
(iii) After completing the assignment, or when Traxroot personnel is transferred to other tasks, Traxroot shall without delay inform the Customer of the change and return any keys, key cards, certificates, visitor’s badges and similar items.
(iv) Keys or key cards shall be personally signed for by Traxroot personnel and shall be handled accordingly to the written rules given upon receipt.
(v) Loss of the Customer’s key or key card shall be reported without delay to the Customer.
(vi) Photographing in or at the Customer’s premises without permission is prohibited.
(vii) The Customer’s goods shall not be removed from the Customer’s premises without permission.
(viii) Traxroot personnel shall not allow unauthorized persons access to the premises.
9. Operations security
9.1 Traxroot shall have an established change management system in place for making changes to business processes, information processing facilities and systems. The change management system shall include tests and reviews before changes are implemented, such as procedures to handle urgent changes, roll back procedures to recover from failed changes, logs that show, what has been changed, when and by whom.
9.2 Traxroot shall implement malware protection to ensure that any software used for Traxroot’s provision of the Services to the Customer is protected from malware.
9.3 Traxroot shall make backup copies of critical information and test back-up copies to ensure that the information can be restored as agreed with the Customer.
9.4 Traxroot shall log and regularly review activities towards processed data. Anomalies / incidents / indicators of compromise shall be reported according to the data breach management requirements as set out in clause 13, below.
9.5 Traxroot shall manage vulnerabilities of all relevant technologies such as operating systems, databases, applications proactively and in a timely manner.
9.6 Traxroot shall ensure development is segregated from test and production environment.
10. Communications security
10.1 Traxroot shall implement network security controls such as service level, fire-walling and segregation to protect information systems.
11. System acquisition, development and maintenance (when software development or system development is provided to the Customer by Traxroot)
11.1 Traxroot shall implement rules for development life-cycle of software and systems including change and review procedures.
11.2 Traxroot shall test security functionality during development in a controlled environment.
12. Traxroot relationship with sub-suppliers
12.1 Traxroot shall reflect the content of these Security Directives in its agreements with Subprocessors that perform tasks assigned under the Agreement.
12.2 Traxroot shall regularly monitor, review and audit Subprocessor’s compliance with the Security Directives.
12.3 Traxroot shall, at the request of the Customer, provide the Customer with evidence regarding Subprocessor’s compliance with the Security Directives.
13. Data breach management
13.1 Traxroot shall have established procedures for data breach management.
13.2 Traxroot shall inform the Customer about any data breach (including but not limited to incidents in relation to the processing of personal data) as soon as possible but no later than within 24 hours after the data breach has been identified.
13.3 All reporting of security related incidents shall be treated as confidential information and be encrypted, using industry standard encryption methods.
13.4 The data breach report shall contain at least the following information:
a. The nature of the data breach,
b. The nature of the personal data affected,
c. The categories and number of data subjects concerned,
d. The number of personal data records concerned,
e. Measures taken to address the data breach,
f. The possible consequences and adverse effect of the data breach, and
g. Any other information the Customer is required to report to the relevant regulator or data subject.
13.5 To the extent legally possible, Traxroot may claim compensation for support services under this clause 13 which are not attributable to failures on the part of Traxroot.
13.6 In the event of a security breach, Traxroot engineering may cut off some or all access to Traxroot services in order to mitigate any possible intrusion damage. Once the threat has been contained or neutralized, a thorough and immediate investigation by high-level Traxroot staff will be conducted, specifically to determine names and / or location of attacker(s), method(s) of breach, what kind of data was exposed (if any), and customers who may be affected.
13.6.1 If Traxroot determines that customer data has been accessed by unauthorized persons, Traxroot will inform affected customers immediately (within 24 hours), as required by applicable law, and work with them to ensure that the data is secured, moved, removed or changed.
13.6.2 Traxroot is committed to continually improving and updating our Incident Response capabilities by incorporating lessons learned from previous responses that occur both internally and in the greater security community.
13.6.3 Any information or knowledge of any suspected security weakness, security breach, attempted security breach or any other information that may be related to Traxroot and its services can be forwarded to firstname.lastname@example.org.
14. Business continuity management
14.1 Traxroot shall identify business continuity risks and take necessary actions to control and mitigate such risks.
14.2 Traxroot shall have documented processes and routines for handling business continuity.
14.3 Traxroot shall ensure that information security is embedded into the business continuity plans
14.4 Traxroot shall periodically assess the efficiency of its business continuity management, and compliance with availability requirements (if any).
Appendix 2 to the data protection addendum
In particular: Traxroot takes steps to restrict access to Customer Personal Data to Customer, its users, and authorized Traxroot personnel and Subprocessors. In addition, Traxroot has processes designed to protect its systems containing or accessing the Customer's Personal Data against Personal Data Breaches. The underlying infrastructure leverages Amazon AWS, which is ISO 27001 and SOC 1 Type II certified. Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACL), and configurations to enforce the flow of information to specific information system services. ACLs, or traffic flow policies, are established on each managed interface, which manage and enforce the flow of traffic.
Data is logically separated across distributed databases with required authentication checks for every application-layer and data-layer access made to any tenant's data. The logical separation is designed to associate data with exactly one customer, and required authentication checks at the application and data layers aim to isolate data by customer and accounts provisioned for that customer.
The Services employ a Virtual Private Cloud to provide resource isolation and minimize attack surface area. The Services are protected by IP- and port-based firewalls. Administrative access to Traxroot’s infrastructure is restricted and verified by AWS Identity and Access Management. Distributed Denial of Service (DDoS) attacks can be mitigated with elastic load balancing and highly available DNS services.
When a storage device containing Customer Personal Data has reached the end of its useful life, procedures include a decommissioning process that is designed to prevent the data from being exposed to unauthorized individuals. Techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual “) or NIST 800-88 (“Guidelines for Media Sanitization”) are used to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.
Traxroot implements measures designed to enhance the physical security of its networks, servers, cloud and other information systems in which Customer Data is stored, processed, transmitted, or accessed and to maintain them in a secure manner that satisfies the requirements of this Appendix.
Traxroot reviews information technology security measures annually. On an annual basis a qualified independent third-party conducts penetration tests of Traxroot’s system for security vulnerabilities. Traxroot maintains suitable processes to identify, isolate and re-mediate security vulnerabilities.