Data Processing Addendum

 

Last updated: September 2023

 

This Data Processing Addendum including all of its Annexes (“Addendum”) is entered into as of the effective date (the “Effective Date”) of that certain master platform agreement (“MPA”) between SundaySky Parent Inc. (“SundaySky”) and the customer specified thereon (“Customer”). This Addendum amends and forms part of the MPA, which governs the services provided by SundaySky to Customer pursuant to the MPA (“Services”). In the event that any terms and conditions contained herein are in conflict with the terms and conditions set forth in the MPA, the terms and conditions set forth in this Addendum shall be deemed to be the controlling terms and conditions, except as otherwise stated. “Controller”, “processor”, “data subject”, “personal data”, “processing” and “appropriate technical and organisational measures” shall be interpreted in accordance with the applicable Data Protection Legislation. Capitalized terms not otherwise defined herein shall have the meaning given to them in the MPA or in applicable Data Protection Legislation. In the course of providing the Services to Customer pursuant to the MPA, SundaySky may process personal data on behalf of Customer. This Addendum sets out the additional terms, requirements and conditions on which SundaySky will process personal data as far as such processing relates to the performance of the Services.

  1. Roles of the Parties
    This Addendum shall apply where Customer acts as a controller and SundaySky as a processor, or where Customer acts as a processor and SundaySky as a sub-processor.

  2. Compliance with Data Protection Legislation
    Both parties will comply with all applicable requirements of the Data Protection Legislation. As used in this Addendum, “Data Protection Legislation” means all applicable privacy and data protection laws, their implementing regulations, regulatory guidance, and secondary legislation, each as updated or replaced from time to time, including without limitation: (i) the General Data Protection Regulation ((EU) 2016/679) (the “GDPR”) and any applicable national implementing laws; (ii) the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018; (iii) the Privacy and Electronic Communications Directive (2002/58/EC) and any applicable national implementing laws including the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426); (iv) the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA); (v) U.S. legislation (e.g., the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”)); and (vi) any other privacy and data protection laws that may be applicable.

  3. Processing of Personal Data

    3.1. Details of Processing. Annex A sets out the scope, nature and purpose of processing by SundaySky, the duration of the processing and the types of personal data and categories of data subject.

    3.2. Instructions. Customer appoints SundaySky to process such personal data on behalf of Customer, and in accordance with Customer’s documented instructions, as otherwise necessary to provide the Services, or as otherwise agreed in writing by the parties. The scope of such instructions is initially defined by the MPA, but also includes any implied instructions resulting from actions initiated or effected by Customer or its agents through use of the Services. SundaySky shall inform Customer if, in its opinion, an instruction infringes the Data Protection Legislation, or if it cannot comply with Customer’s documented instructions for whatever reason. In any such case, the parties shall work together to find an alternative. If SundaySky notifies Customer that neither the instruction nor an alternative is feasible, Customer may either terminate the affected Services by giving written notice of such termination within thirty (30) days of SundaySky’s notice, or Customer may continue with all Services without SundaySky being required to comply with the problematic instruction. Any termination under this Section shall be deemed to be without fault by either party. Any previously accrued rights and obligations will survive such termination. Customer acknowledges that certain specific instructions may result in additional fees payable by Customer to SundaySky for carrying out those instructions.

    3.3. Customer Responsibilities. Customer will ensure that it has and will maintain all necessary appropriate consents and notices in place to enable lawful transfer of the personal data to SundaySky for the duration and purposes of this Addendum. Customer shall not cause SundaySky to violate any applicable laws in its processing of the personal data in accordance with Customer’s instructions.

    3.4. Service Provider Requirements. SundaySky acknowledges and agrees that it shall act in the role of a Service Provider as defined under the CCPA and the CPRA. Customer discloses personal data to SundaySky solely for performing the Services, which includes the following limited and specified business purposes: the business purposes set out under section 1798.140(e) of the CPRA (“Business Purposes”). SundaySky is prohibited from: (i) selling or sharing Customer’s personal data; (ii) retaining, using, or disclosing Customer’s personal data for any purpose other than providing the Business Purposes to Customer and as otherwise permitted by the CCPA, the CPRA and their implementing regulations; (iii) retaining, using, or disclosing Customer’s personal data for any commercial purpose other than the Business Purposes, unless expressly permitted by the CCPA, the CPRA and their implementing regulations; (iv) retaining, using, or disclosing Customer’s personal data outside of the direct business relationship between SundaySky and Customer, unless expressly permitted by the CCPA, the CPRA and their implementing regulations; and (v) combining or updating Customer’s personal data with personal data that SundaySky obtains from other sources, unless expressly permitted by the CCPA, the CPRA and their implementing regulations. SundaySky certifies that it understands the prohibitions outlined in this Section 3.4 and will comply with them. Customer understands and agrees that SundaySky may use sub-processors to provide the Services and process personal data on Customer’s behalf in accordance with Section 8 below. The parties agree that any monetary consideration provided by Customer to SundaySky is provided for the provision of the Services and not for the provision of personal data. 
    SundaySky shall notify Customer no later than five (5) business days after it makes a determination that it can no longer meet its obligations under the CCPA, the CPRA and their implementing regulations. SundaySky permits Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate SundaySky’s unauthorized use of Customer’s personal data.

  4. Security

    4.1. Security Measures. SundaySky shall implement appropriate technical and organizational measures for processing Customer’s personal data which shall, at minimum, meet the requirements in Annex B.

    4.2. Breach Notification. SundaySky shall, to the extent permitted by law, notify Customer without undue delay upon discovery of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data processed by SundaySky on behalf of Customer. SundaySky’s notification of or response to a situation described in this Section will not be construed as an acknowledgement by SundaySky of any fault or liability with respect to such situation.

    4.3. Personnel. SundaySky shall ensure that all personnel who process (including having access to) personal data have committed themselves to keep the personal data confidential in accordance with SundaySky’s confidentiality obligations under the MPA.

  5. Assistance

    5.1. Cooperation with Customer. Taking into account the nature of the processing and the information available to SundaySky, SundaySky shall reasonably assist Customer, at Customer’s expense, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, privacy impact assessments, litigation, inquiries or consultations with supervisory authorities or regulators.

    5.2. Third-Party Requests. SundaySky shall inform Customer of any data subject’s request or communications from a regulator, government body, or other supervisory authority relating to personal data that SundaySky or its sub-processors receive, unless applicable law prohibits such notification on important grounds of public interest. SundaySky will not respond to such requests except as instructed by Customer, unless otherwise required by Data Protection Legislation, in which case SundaySky will inform Company of such legal requirement prior to responding to such request.

    5.3. Reimbursement. To the extent that SundaySky’s cooperation and assistance according to this section 5 involve significant costs, the parties agree to negotiate in good faith to reimburse SundaySky for such costs.

  6. Return and Deletion of Personal Data
    Following the termination of the MPA, or upon Customer’s prior written request, SundaySky shall delete or return all personal data and copies thereof to Customer, unless otherwise required under the applicable laws (including any Data Protection Legislation) and in accordance with SundaySky’s data retention policies. Should SundaySky be required under the applicable law to process Customer’s personal data following the termination of the MPA, this Addendum shall stay in full force and effect until the complete deletion or return of all Customer’s personal data.

  7. Audit

    7.1. Audit Requirements. The parties acknowledge that Customer must be able to assess SundaySky’s compliance with its obligations under Data Protection Legislation, to the extent that SundaySky is acting as a processor on behalf of Customer. Customer further agrees that the audits described in Section 7.3 below meet Customer’s audit requirements, and Customer agrees to exercise any right it may have to conduct an inspection or audit (including under the Standard Contractual Clauses, as applicable) by written notice to SundaySky to carry out the audits described in Section 7.3.

    7.2. Certification. Without prejudice to the rights granted in Section 7.3 below, if the requested audit scope is addressed in an ISO certification, SOC report or similar audit report issued by a qualified third party auditor within the prior twelve months and SundaySky provides such report to Customer upon request confirming that there are no known material changes in the controls audited, Customer agrees to accept the findings presented in such third party audit report in lieu of requesting an audit of the same controls covered in the report.

    7.3. Audit Procedures. Upon not less than thirty (30) days’ advance written notice to SundaySky and no more frequently than once annually, with SundaySky’s reasonable costs of complying with any such request to be met by Customer, SundaySky shall (i) make available all information necessary to demonstrate to Customer its compliance with Article 28 of the GDPR, including without limitation, executive summaries of its information security and privacy policies, and (ii) cooperate with and respond promptly to Customer’s reasonable privacy and/or security questionnaire(s). Notwithstanding the above, if Customer’s request for audit occurs during SundaySky’s quarter or year end, or such other time during which SundaySky cannot reasonably accommodate such request, the parties shall mutually agree on an extension to the thirty (30) days’ advance written notification. Customer shall execute a confidentiality agreement in form and substance reasonably satisfactory to SundaySky prior to such audit. For the avoidance of doubt, nothing contained herein will allow Customer to review data pertaining to SundaySky’s other customers or partners. Customer shall bear its own costs and expenses with respect to the audits described in this Section 7.3. The parties shall use all reasonable endeavours when exercising rights under this Section 7 to minimize disruption to SundaySky’s business activities.

  8. Sub-Processors

    8.1. Use of Sub-Processors. Customer provides general written authorization for: (a) SundaySky and/or its Affiliates to engage the sub-processors set out in Annex D or otherwise published on the SundaySky website. For purposes of this Addendum, “Affiliate” means an entity controlling, controlled by, or under common control with a party (an entity will be deemed to have control if it owns over 50% of another entity). SundaySky and its Affiliates may engage such sub-processors to process personal data, provided that SundaySky and its Affiliates have entered into a written agreement with the third-party processor containing data protection terms that require it to protect the personal data to the same standard required under this Addendum.

    8.2. Changes to Sub-Processors. If SundaySky or its Affiliates appoint a new (or remove an existing) sub-processor, it shall update the applicable list accordingly and send an email publicizing the change, to the email address of Customer on file with SundaySky. Customer may object to SundaySky’s appointment or replacement of a sub-processor, provided Customer notifies SundaySky in writing of its specific objection within ten (10) days of receiving such notification from SundaySky. If Customer does not object within such period, the addition of the new sub-processor shall be deemed accepted. If Customer does object to the addition of a new sub-processor and SundaySky, in its reasonable opinion, cannot reasonably accommodate Customer’s objection, Customer may terminate the affected Service(s) upon written notice to SundaySky. If Customer has not given notice of termination within 30 days after SundaySky’s notice of non-accommodation, Customer will be deemed to have accepted the new sub-processor. Any termination under this Section shall be deemed to be without fault by either party. Any previously accrued rights and obligations will survive such termination.

    8.3. General authorization under the Standard Contractual Clauses. If the Standard Contractual Clauses apply, then the Parties agree to select Option 2 (general written authorization) under clause 9(a) of the Standard Contractual Clauses (Module Two). Customer acknowledges and agrees that it will be informed of any intended changes to the list of Sub-Processors and have the ability to exercise the corresponding right to object under Clause 9(a) of the Standard Contractual Clauses (Module Two) in the manner described under Clause 8.2 of this Addendum.

    8.4. Liability. SundaySky remains liable for the acts and omissions of its sub-processors to the same extent SundaySky would be liable if performing the Services of each sub-processor directly under the terms of this Addendum.

    8.5. Copies of Sub-processor Agreements. The parties agree that the copies of the sub-processor agreements that must be provided by SundaySky to Customer pursuant to Clause 9(c) of the Standard Contractual Clauses may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by SundaySky beforehand. SundaySky will provide such copies in a manner to be determined in its sole discretion, upon request by Customer.

  9. International Transfers of Personal Data

    9.1. General Obligation. SundaySky shall comply with all applicable requirements for cross-border transfers of personal data under Data Protection Legislation.

    9.2. Transfers to third countries. To the extent that SundaySky processes any personal data under this Addendum that originates from the European Economic Area (“EEA”) or Switzerland in a country that has not been designated by the European Commission or the Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for personal data, or from one jurisdiction to another jurisdiction not recognized as adequate by the authorities of the exporter’s jurisdiction, the parties agree to enter into the Standard Contractual Clauses for the transfer of personal data to third countries as set out in the Annex to Commission Decision (EU) 2021/914 adopted on June 4, 2021 (“Standard Contractual Clauses”) which are hereby incorporated into and form part of this Addendum. The Parties agree to include the optional Clause 7 (Docking clause) to the Standard Contractual Clauses incorporated into this Addendum. With regards to clauses 8 to 18 of the Standard Contractual Clauses, the different modules will apply as follows:

    9.2.1. Where Customer acts as a processor and SundaySky as a sub-processor (as applicable), both parties agree that Module Three will apply;

    9.2.2. Where Customer acts as a controller and SundaySky as processor (as applicable), both parties agree that Module Two will apply;

    9.2.3. In both of the cases set out in clauses 9.2.1. and 9.2.2. above, the option at Clause 11(a) (Redress) shall not apply, option 2 (General Written Authorisation) at Clause 9(a) shall apply and the period shall be 30 days;

    9.2.4. Where Standard Contractual Clauses apply to transfers of personal data from Switzerland, the term ‘member state’ in the Standard Contractual Clauses must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Standard Contractual Clauses; and

    9.2.5. Where the Standard Contractual Clauses apply to the transfer of personal data from one jurisdiction (not being the EEA, the UK or Switzerland) to another jurisdiction not recognized as adequate by the authorities of the exporter’s jurisdiction, the competent supervisory authority and the governing law shall be those of the exporter’s jurisdiction. The term ‘member state’ in the Standard Contractual Clauses shall refer to the jurisdiction of the exporter.

    9.3. Transfers from the UK by Customer to SundaySky. To the extent that SundaySky processes under this Addendum any personal data that originates from the UK in a country that has not been designated by the UK Government as providing an adequate level of protection for personal data, the parties agree (i) that the UK International Data Transfer Addendum (“UK Addendum”) to the EU Commission Standard Contractual Clauses as in force from 21 March 2022 as issued by the Information Commissioner’s Office under s.119A (1) of the UK Data Protection Act 2018 shall apply and is hereby incorporated by reference and (ii) that:

    9.3.1. Table 2 of the UK Addendum shall be read by reference to clause 9.2;

    9.3.2. Table 3 of the UK Addendum shall be read by reference to clause 9.4;

    9.3.3. For the purposes of Table 4, both parties shall have the ability to terminate the UK Addendum.

    9.4. Annexes. The parties hereby agree that data processing details set out in Annex A of this Addendum shall apply for the purposes of Annex 1 of the Standard Contractual Clauses and the technical and organizational security measures set out in Annex B of this Addendum shall apply for the purpose of Annex 2 to the Standard Contractual Clauses. SundaySky shall be deemed the “data importer” and Customer the “data exporter” under the Standard Contractual Clauses, and the parties will comply with their respective obligations under the Standard Contractual Clauses. Customer grants SundaySky a mandate to execute the Standard Contractual Clauses (Module 3) with any relevant sub-processor (including SundaySky Affiliates). Unless SundaySky notifies Customer to the contrary, if the European Commission subsequently amends the Standard Contractual Clauses at a later date, such amended terms will supersede and replace any Standard Contractual Clauses executed between the parties. Annex C shall apply to the use of the Standard Contractual Clauses.

    9.5. Alternative Data Export Solution. The parties agree that the data export solution identified in Section 9.2 and 9.3 will not apply if and to the extent that Customer adopts an alternative data export solution for the lawful transfer of personal data (as recognized under the Data Protection Legislation), in which event, Customer shall reasonably cooperate with SundaySky to implement such solution and such alternative data export solution will apply instead (but solely to the extent such alternative data export solution extends to the territories to which personal data is transferred under this Addendum).

  10. Miscellaneous

    10.1. Interpretation. Any words following the terms “including” and similar expressions shall not limit the sense of the words preceding those terms.

    10.2. Entire Agreement. This Addendum shall replace and supersede any existing data processing addendum (including any privacy addendums), attachment or exhibit (including any standard contractual clauses) between the parties, except as provided for in section 9.4, if applicable. Any addenda, attachments, or exhibits related to security shall remain in place and supplement any security measures set out in Annex B. In the event of a conflict between Annex B and any other agreement that Customer has entered into with SundaySky governing information security, including administrative, physical, or technical safeguards regarding the protection of data, the provisions more protective of the data shall prevail.

    10.3. Liability. Notwithstanding anything to the contrary in the MPA or this Addendum, the liability of each party and each party’s Affiliates under this Addendum shall be subject to the exclusions and limitations of liability set out in the MPA or, in the absence of such a provision in the MPA, the following will apply: (a) in no event will either party’s maximum aggregate liability arising out of or related to this Addendum exceed the total amount paid or payable to SundaySky under the MPA during the twelve (12) month period preceding the date of initial claim, and (b) neither party will have any liability to the other party for any loss of profits or revenues, loss of goodwill, loss or corruption of data or for any indirect, special, incidental, consequential or punitive damages arising out of, or in connection with the MPA or this Addendum.

    10.4. Governing Law and Jurisdiction. This Addendum will be governed by and construed in accordance with governing law and jurisdiction provisions in the MPA, unless required otherwise by applicable Data Protection Legislation.

    10.5. Termination of Addendum. This Addendum will terminate on the later of the following events: (1) upon termination or expiry of the MPA; and (2) the complete deletion and/or return of Customer’s personal data.

 

IN WITNESS WHEREOF, this Addendum is entered into and becomes a binding part of the MPA upon the due execution of the MPA by both SundaySky and Customer with effect as of the Effective Date.

ANNEX A
PERSONAL DATA PROCESSING PURPOSES AND DETAILS


A. LIST OF PARTIES

Data exporter(s): Customer

Legal entity(ies) and date of signature: See preamble of the MPA

Address: See preamble of the MPA

Role (controller/processor): Controller

Contact person for data protection matters position and contact details of the data protection officer and/or representative in the European Union (if different): data exporter shall provide these details by email to privacy@SundaySky.com upon signature of the MPA.

Activities relevant to the data transferred under these SCCs: The data importer will provide services to the data exporter involving the transfer of personal data as detailed under the MPA.

Data importer(s): SundaySky

Legal entity(ies) and date of signature: See preamble of the MPA

Address: See preamble of the MPA

Contact details for data protection matters: privacy@SundaySky.com

Role (controller/processor): Processor

Activities relevant to the data transferred under these SCCs: The data importer will provide services to the data exporter involving the transfer of personal data as detailed under the MPA.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Customer may submit personal data to SundaySky to enable SundaySky to perform the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to personal data relating to the following categories of data subjects:

  • Customers, business partners, and vendors of Customer (who are natural persons)
  • Employees or contact persons (both of whom are natural persons) of Customer’s customers, business partners, and vendors
  • Employees, agents, advisors, contractors, or any user authorized by Customer to use the Services (who are natural persons)

Categories of personal data transferred

Customer may submit personal data to SundaySky to enable SundaySky to perform the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include (depending on the nature of the Services):

  • First and last name and title;
  • Employer and position;
  • Contact information (email, username, cell / mobile phone number, physical business address);
  • Device identification data (Device ID);
  • Electronic identification data (IP address; MAC address);
  • Technical data (operating system information; software logs; crash reports);
  • Username and password to SundaySky Services; and
  • In relation to certain SundaySky Services, including the SundaySky Identity services, the geolocation of the device using such Services.


Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.


Sensitive data is limited by the terms of the MPA; however, in the specific circumstances where sensitive data is permitted to be transferred by Customer to SundaySky, Customer will do so solely where and to the minimal extent Customer needs to transfer such data to SundaySky for the provision of the Services as described pursuant to the MPA.


The safeguards applying to the processing of such data are as described under Annex B.


The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).

Customer may submit personal data to SundaySky on a frequency it may determine, including without limitation, on a continuous basis or on a regular or irregular cadence via batch delivery.

Nature of the processing

SundaySky will process personal data as necessary to perform the Services pursuant to the MPA, as further instructed by Customer (as expressly set forth in this Addendum) in its use of the Services.

Purpose(s) of the data transfer and further processing

SundaySky will process personal data for the purposes necessary to perform the Services pursuant to the MPA, as further instructed by Customer (as expressly set forth in this Addendum) in its use of the Services.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The personal data will be retained as long as needed for the provision of Services by SundaySky under the MPA.

For transfers to (sub)processors, also specify subject matter, nature and duration of the processing

Matter and nature of the processing, as set out at SundaySky.com/sub-processors, for the duration required for the data importer to provide the Services to the data exporter.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13 of the Standard Contractual Clauses
Data exporter shall provide this information by email to privacy@SundaySky.com upon signature of the MPA.


ANNEX B
TECHNICAL AND ORGANIZATIONAL MEASURES


This Annex B sets forth the security measures that SundaySky shall maintain in connection with the personal data submitted by Customer to SundaySky to enable it to provide the services under the MPA.


1. Measures of pseudonymisation and encryption of personal data:


SundaySky encrypts Customer personal data it processes while in transit over corporate networks and from and to SundaySky’s SaaS products.


2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

SundaySky maintains documented business continuity and disaster recovery plans that are designed to ensure that business functions can respond quickly and continue with minimum disruption in case of an unexpected interruption that may materially impact Customer personal data or SundaySky’s ability to provide products and services under the MPA.

3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

SundaySky performs ongoing data replication and backup as necessary, designed to prevent data loss and to facilitate service recovery for the Customer.

4. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

SundaySky utilizes various tools designed to continuously track and monitor security vulnerabilities to identify, report, and remediate network vulnerabilities. As part of the ongoing information security activities, the security vulnerabilities are prioritized and assigned an appropriate remediation process according to the type of vulnerability, its severity and its potential impact.
SundaySky also frequently performs penetration testing on its networks, infrastructure and products, including to identify security vulnerabilities. SundaySky further leverages automated penetration testing tools for a wide and comprehensive view over existing vulnerabilities and attack vectors to mitigate the risk of cyberattacks.

5. Measures for user identification and authorization

SundaySky controls, monitors and protects the credentials and secrets related to users’ access by utilizing industry standard tools, including its own security products. SundaySky also secures physical access to its equipment used to store Customer personal data by using industry standard processes to limit access to authorized personnel.


SundaySky’s policies governing internal access to Customer personal data are designed on a least privilege and need-to-know basis, based on individual roles and responsibilities. SundaySky maintains methods and procedures designed to prevent unauthorized access to the Customer personal data and the systems that host it. Appropriate authentication methods are used to control access to the network applications and systems that contain Customer personal data (which may include Virtual Private Network (VPN) and Multi-Factor Authentication (MFA) and more).

6. Measures for the protection of data during transmission

SundaySky encrypts all Customer personal data it processes while in transit over corporate networks and from and to SundaySky’s SaaS products.

7. Measures for the protection of data during storage

Where possible, in light of the Services being provided to Customer, SundaySky encrypts Customer personal data it processes while at rest.

8. Measures for ensuring physical security of locations at which personal data are processed

SundaySky applies security measures to its offices and facilities that host servers that contain sensitive or critical information, including Customer personal data (“Facilities”), and limits access to these Facilities only to authorized personnel. These measures include:
• 24/7 monitoring and access control of these Facilities;
• CCTV cameras;
• Procedure to promptly disable any (1) lost access cards; and (2) identifiable badges no longer needed in case of employee termination;
• Policies and training of employees to secure workstations and prevent unauthorized disclosure of Customer personal data (e.g., screen locks and least privilege access).

9. Measures for ensuring events logging

SundaySky uses processes and policies to ensure that incidents are dealt with and logged in accordance with the following process:
• Identification,
• Classification,
• Reporting to appropriate internal (and where required external) stakeholders,
• Mitigation and remediation throughout incident response stages, including post-incident assessments.

10. Measures for ensuring system configuration, including default configuration

SundaySky develops, documents, and maintains under configuration control, a current baseline configuration for systems, and reviews these configurations at least annually. Default configurations of technical controls are removed prior to operational use.

11. Measures for internal IT and IT security governance and management

SundaySky has implemented policies and processes to ensure that roles and responsibilities regarding the management and monitoring of SundaySky’s security requirements and procedures are clearly determined. For example, SundaySky’s organizational roles and responsibilities include the following roles:
• Chief Information Technology Officer;
• Director of Information Security;
• Product security managers and production services security managers.

12. Measures for certification/assurance of processes and products

SundaySky currently adopts industry practices to develop its products and services such as (but not limited to) Open Web Application Security Project (OWASP), Application Security Verification Standard (ASVS) and CSA Consensus Assessments Initiative Questionnaire (CAIQ).


In addition, SundaySky undergoes security audits on an annual basis and adheres to industry recognized security practices, such as SOC 2 Type II as applicable, or other certificates or standards in line with industry practice.


13. Measures for ensuring data minimization

All of SundaySky’s personnel are required to undergo onboarding and refresher training courses on information security and GDPR compliance. This includes specific modules about data minimization.

SundaySky handles the data which the Customer provides to SundaySky. The extent of the processed data is determined and controlled by Customer in its sole discretion.

14. Measures for ensuring data quality

SundaySky handles the data which the Customer provides to SundaySky. SundaySky isn’t responsible for the accuracy and quality of the data provided by Customers. The quality of the data generated by SundaySky’s products is ensured by the implementation of secure development practices.

15. Measures for ensuring limited data retention

SundaySky retains Customer personal data only for as long as specified within the MPA or Documentation, except to the extent that a longer retention period is required by applicable law or regulations or by SundaySky’s data retention policies. SundaySky securely disposes of Customer personal data in accordance with applicable law and the MPA, in a manner that Customer personal data cannot be read or reconstructed.

16. Measures for ensuring accountability

SundaySky’s information security framework includes practices and procedures such as asset management, access management, physical security, people security, network security, third-party security, product security, vulnerability management, security monitoring and incident response. Information security policies and standards are approved by management and available to all SundaySky employees.

17. For transfers to (sub) processors, also describe the specific technical and organisational measures to be taken by the (sub) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.

Prior to engaging with a new third party that may have access to Customer personal data, SundaySky evaluates such third party’s data security standards using a qualification risk assessment and, if necessary at SundaySky’s reasonable determination, maintains ongoing oversight of such third party in order to meet its information security standards. This includes measures replicating SundaySky’s own assistance obligations towards Customer as indicated under the Data Processing Addendum.


ANNEX C
STANDARD CONTRACTUAL CLAUSES – SUPPLEMENTARY TERMS TO PROVIDE ADDITIONAL SAFEGUARDS


1. This Annex is supplemental to, and should be read in conjunction with, the Standard Contractual Clauses. Any references to the ‘Clauses’ in this Annex should be read as references to the Standard Contractual Clauses.


2. The data subject can enforce, as third-party beneficiary, this Paragraph 2 and Paragraph 4 of this Annex against the data importer in accordance with Clause 3 of the Clauses.


3. The data importer shall reasonably assist the data exporter with the data exporter’s continuing assessment of the adequacy of the protection of the personal data in accordance with the requirements of the applicable data protection law.


4. Upon receipt of any legally binding order or request for disclosure of the personal data by a law enforcement authority or other competent government authority, the data importer will, in accordance with and supplementing Clause 15 of the Clauses:


4.1. use reasonable efforts to re-direct the relevant authority to request or obtain the personal data directly from the data exporter;
4.2. in addition to promptly notifying the data exporter of the request or order pursuant to Clause 15.1(a) of the Clauses, use reasonable efforts to assist the data exporter in its efforts to oppose the request or order, if applicable; and
4.3. in the event it is prohibited by applicable laws from notifying the data exporter of the request or order, use reasonable efforts to challenge such request or order.


ANNEX D
SUB-PROCESSORS

For a current list of Sub-Processors, see this page.