1. Background and purpose
1.1 As part of the Main Agreement CtrlPrint will be processing personal data on behalf of the Customer.
1.2 The Customer is the data controller and CtrlPrint is the data processor in relation to the personal data processed under this DPA (the “Included Personal Data”). The Included Personal Data is described in the document in Schedule 1 (the “Instruction”).
1.3 This DPA governs the conditions for CtrlPrint’s processing of, and access to, personal data on behalf of the Customer in accordance with the General Data Protection Regulation (EU) 2016/679 (”GDPR”), the United Kingdom Data Protection Act 2018 (“UK GDPR”) and other applicable data protection legislation (all together ”Applicable Data Protection Legislation”).
1.4 The DPA comprises this document and the appendices. In the event of any contradictions between this document and the appendices or the Main Agreement, this document shall take precedence.
1.5 All terms defined in Article 4 of GDPR shall have the same meaning in the DPA, unless expressly stated otherwise.
2. CtrlPrint’s obligations
2.1 Scope of processing. CtrlPrint shall process the Included Personal Data solely in accordance with this DPA, the Main Agreement, and any relevant amendments, as well as the Applicable Data Protection Legislation and instructions provided by the Customer. However, if further processing is necessary under applicable EU or member state law that applies to CtrlPrint, CtrlPrint will notify the Customer of this legal obligation, unless prohibited by law.
2.2 Security. CtrlPrint is responsible for implementing suitable technical and organizational measures to ensure the security of Included Personal Data. These measures aim to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data during transmission, storage, or processing. The security measures are set out in Schedule 2.
2.3 Sub-processors. CtrlPrint may engage sub-processors for processing personal data on behalf of the Customer ("Sub-processors"). If CtrlPrint engages Sub-processors, they must enter into a sub-processing agreement with obligations similar to those in this DPA. The current list of Sub-processors is provided in Schedule 3. CtrlPrint will notify the Customer of any intended addition or replacement of Sub-processors at least 30 days prior to the change, through the Services. If the Customer does not object within 14 days of the notice, it will be assumed that the engagement is approved. CtrlPrint will maintain an updated list of Sub-processors and provide a copy upon request by the Customer. In case a Sub-processor fails to fulfil its obligations, CtrlPrint will be fully liable to the Customer for the Sub-processor's performance, undertakings, and obligations.
2.4 Third country transfers. CtrlPrint is granted general authorization by the Customer to transfer personal data to third countries either independently or through its Sub-processors. However, before initiating any such transfer or granting access, CtrlPrint or the Sub-processor must fulfil the obligations and commitments outlined by the Applicable Data Protection Legislation pertaining to third-country transfers. These obligations may involve the execution of EU Commission Standard Contractual Clauses (“EU SCC”) or the UK International Data Transfer Addendum to the EU SCC (“UK Addendum”), as applicable.
2.5 Requests from data subjects. CtrlPrint shall implement appropriate technical and organisational measures necessary to assist the Customer in fulfilling its obligation to respond to requests by data subjects to exercise their rights under the Applicable Data Protection Legislation, such as the right of access, deletion, correction and data portability.
2.6 Information request. In the event that a data subject, supervisory authority, or any other third party requests information from CtrlPrint regarding the processing of Included Personal Data, CtrlPrint shall promptly inform the Customer about the request. However, CtrlPrint is not authorized to act on behalf of the Customer or represent the Customer in any manner concerning the data subject, authority, or other third party.
2.7 Assistance. CtrlPrint shall provide reasonable assistance to the Customer in fulfilling its obligations under the Applicable Data Protection Legislation, particularly concerning the security of processing and personal data breaches. In the event that CtrlPrint becomes aware of a personal data breach affecting Included Personal Data, CtrlPrint shall promptly notify the Customer without any unnecessary delay, and within twenty-four (24) hours.
2.8 Return of information. Upon termination of the Main Agreement or upon receiving notice from the Customer, CtrlPrint shall, at the Customer’s discretion, either return or delete all Included Personal Data. This action will be taken unless CtrlPrint is obligated to retain the Included Personal Data due to mandatory legislation, establishment, exercise, or defence of legal claims or backup and disaster recovery.
2.9 Audit and inspection. CtrlPrint shall provide the Customer with all the information necessary, upon the Customer’s request, to demonstrate that CtrlPrint is fulfilling its obligations under the DPA and the Applicable Data Protection Legislation. Furthermore, CtrlPrint shall facilitate and assist in audits, including inspections, conducted by the Customer or by a third party authorized by the Customer. These audits and inspections will be carried out at the cost of the Customer.
3. Confidentiality
3.1 In addition to any confidentiality obligations stated in the Main Agreement, CtrlPrint agrees not to disclose Included Personal Data or any other information regarding the processing of Included Personal Data to any third party without explicit instruction from the Customer. However, this undertaking does not apply to information disclosed to Sub-processors for the purpose of fulfilling their obligations under a Sub-processor agreement. It also does not apply to information that is generally known (not due to a breach of the DPA), information that CtrlPrint is obligated to disclose under mandatory legislation, or under a decision or ruling of a court or competent authority. In such cases, CtrlPrint shall promptly inform the Customer and request confidentiality when disclosing the requested information.
3.2 CtrlPrint shall ensure that each Sub-processor, employee or third party that is given access to Included Personal Data is subject to at least the same obligation of confidentiality as outlined in this Section 3.
3.3 The obligation of confidentiality pursuant to this Section 3 shall remain in effect without limitation in time.
4. Term
The DPA shall remain in force for as long as CtrlPrint processes Included Personal Data on behalf of the Customer.
5. Liability and indemnification
Subject to mandatory law, the limitations of liability set out in the Main Agreement shall apply to this DPA.
Schedule 1: Instruction
All processing of personal data by CtrlPrint on behalf of the Customer shall be done in accordance with this Instruction.
Nature and purpose of the processing
Personal data will be processed to the extent necessary to provide:
a) The Services in accordance with the Main Agreement and the Customer’s instructions, which includes a cloud service and storage solution for annual reports projects;
b) Technical support, issue analysis and error correction to ensure the efficient and proper use of the Services and to identify, analyse and resolve technical issues. This activity may relate to all aspects of personal data processed but will be limited to anonymised data where possible.
Categories of data subjects
The processing concerns the following categories of individuals:
a) Users of the Services, including employees, consultants and other individuals that the Customer has granted access to the Services in accordance with the Main Agreement.
b) Other individuals identifiable from the Customer Content.
Categories of personal data
CtrlPrint will process the following types of personal data:
a) Contact details, such as name, phone number, and email address;
b) User information such as username, password, IP address, download tokens;
c) Information derived from the Users use of the Services such as records of who have access to and reviewed documents, changes made in the documents, and business intelligence information;
d) Information entered into the Customer Content such as documentation related to annual reports and financial related documents such as business transactions, incoming and outgoing payments and salaries of employees; and
e) Special categories of personal data in the form of data concerning health that is available in salary documentation regarding sick leave.
Retention period or criteria for data retention
CtrlPrint may process and store personal data only for as long as necessary for the purpose of performing its obligations under the Main Agreement and to comply with mandatory legislation.
CtrlPrint shall delete all personal data within a reasonable period, however not later than thirteen months, after termination of all or relevant parts of the Main Agreement.
Schedule 2: Security measures
CtrlPrint applies the following technical and organizational security measures to protect the Included Personal Data.
Organisational measures
a) Methodology. CtrlPrint performs full security audits of its product and infrastructure regularly, including third-party audits. CtrlPrint is ISO27001:2013 certified. CtrlPrint’s security controls are assessed by a third party auditor on an annual basis producing a SOC 1 Type II report.
b) Availability. The CtrlPrint service is hosted by AWS in three different geographically separated data centres (availability zones) to gain redundancy. All service components are constantly monitored by both CtrlPrint and the data centre. Daily snapshots of the replicated and encrypted database are stored in AWS S3 and monitored for completion. Operations KPI are performed monthly. Even if disaster strikes and one of the data centres becomes inaccessible, the Services keep on running.
c) Physical security. The data centres where CtrlPrint’s servers are hosted are compliant with ISO 27001 and the PCI Data Security Standard. The data centres feature 24-hour manned security, biometric access control, video surveillance, and physical locks.
Technical measures
a) Data at rest. All document data is stored in AWS S3 and is automatically encrypted using strong encryption. CtrlPrint uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt document data.
b) Data in transit. All communication with the service is encrypted over TLS 1.2.
Account setup and use
a) Access control. Each User is identified with a unique username and password, and all access to data within the Services is governed by access rights. The Admin of the Customer account can define granular access privileges to certain parts in different levels. The security architecture ensures segregation of customer data.
b) Two-step authentication. With two-step authentication, Users' accounts are protected by both a username and password combination, as well as a time-based one-time password generated by their phone.
c) Application security. CtrlPrint maintains a robust application audit log, to include security events such as user logins and configuration changes. Additionally, CtrlPrint follows secure credential storage best practices by encrypting stored passwords using multiple iteration, one-way, strong algorithm. This means that not even CtrlPrint’s employees can view or recover passwords.
Prevention and detection
a) Vulnerability management. CtrlPrint’s application and its supporting infrastructure are reviewed for potentially harmful vulnerabilities. CtrlPrint maintains a dedicated application security team in-house to test and remediate any discovered issues.
b) Data backup and recovery. CtrlPrint’s platform is built to be resilient – the application servers, the database, the data storage, as well as load balancer and firewalls are all redundant across geographically separate data centres. CtrlPrint maintains complete backups of everything required to restore the complete system at a different data centre, should it prove necessary.
c) Independent audits. CtrlPrint performs annual vulnerability tests on the service as well as regular security reviews on system architecture. Tests are performed by accredited 3rd party security specialists.
Schedule 3: Sub-processors
The Customer approves that CtrlPrint engages the following Sub-processors.
Sub-processor
Zendesk, Inc.
Purpose of processing
Providing customer support ticketing system and related services.
Country of processing
Data is stored on data centers in Ireland, however, data may be transferred to other regions, including the USA.
Lawful ground and additional safeguards for processing outside of EU/EEA
EU SCC and/or UK Addendum, as applicable.
Sub-processor
Amazon Web Services EMEA SARL.
Purpose of processing
Hosting and storage of data, including customer information and support tickets.
Country of processing
Data is stored on data centers in Ireland, however, data may be transferred to other regions, including the USA.
Lawful ground and additional safeguards for processing outside of EU/EEA
EU SCC and/or UK Addendum, as applicable.
Google, Inc.
Purpose of processing
Google Mail is used to route incoming support emails to Zendesk.
Google Groups is used as a backup channel for the Zendesk platform.
Country of processing
Data is stored on data centres in the United States
Lawful ground and additional safeguards for processing outside of EU/EEA
EU SCC and/or UK Addendum, as applicable.
Any intended addition or replacement of Sub-processors will be notified to the Customer through a notice on the CtrlPrint platform available at secure.ctrlprint.net (login required).