KIRURU SECURITY DATA PROCESSING AND PROTECTION MEASURES
APPLICABLE TO KIRURU SECURITY PRODUCTS & SERVICES
1. Background
These Data Processing and Protection Measures (the “Measures”) are subject to and incorporated by reference into the applicable KIRURU SECURITY Customer Agreement. Use of the Products by a Customer shall be deemed to be acceptance of the KIRURU SECURITY Customer Agreement and, by incorporation, these Measures. In the event of any conflict between the terms of the KIRURU SECURITY Customer Agreement and the terms of these Measures, the relevant terms of these Measures shall prevail, unless otherwise specified below.
These Measures incorporate as Exhibit 1, “KIRURU SECURITY Technical And Organisational Security Measures” regarding KIRURU SECURITY’s data security management practices.
These Measures shall be effective for the Subscription Term or Maintenance Term of any Order placed under the KIRURU SECURITY Customer Agreement.
2. Definitions
Capitalized terms not specifically defined in these Measures shall have the same meaning as provided for in the KIRURU SECURITY Customer Agreement(s) or applicable data protection legislation, such as the CCPA or Article 4 of the GDPR, e.g. for “processing”, “controller”, “processor”, “personal data” and “data subject”. All other capitalized terms have the respective meanings assigned to such terms in the KIRURU SECURITY Customer Agreement.
“Affiliates” means an entity controlling, controlled by, or under common control with KIRURU SECURITY, that may assist in the provisioning of the Product(s) or Services.
“CCPA” means the California Consumer Privacy Act of 2018.
“Customer” means the Subscriber and/or Licensee as those terms are defined in the applicable KIRURU SECURITY Customer Agreements.
“Customer Data” means any data and/or information submitted by Customer to KIRURU SECURITY or accessed by KIRURU SECURITY through the provisioning and use of the Products or Services which may include, but is not limited to, (i) “End User Personal Data” as defined in the KIRURU SECURITY Privacy Policy available at https://kirurusec.com/privacy-policy; and (ii) Personal Data given or made accessible to KIRURU SECURITY by the Customer by virtue of Customer’s subscription or license to or use of the Product(s).
“Data Processing and Protection Measures” means these commitments concerning KIRURU SECURITY’s processing of Customer Data applicable to KIRURU SECURITY’s Products and Services.
“EU Data Protection Law” means the General Data Protection Regulation (“GDPR”) (EU 2016/679) on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data, and any subsequent amending or replacing European legislation governing the Processing of Personal Data by KIRURU SECURITY during the Subscription Term or Maintenance Term.
“KIRURU SECURITY Customer Agreement(s)” means the terms and conditions governing the provision of the applicable Products or Services to Customers, which may consist of the following terms and conditions located at kirurusec.com/product-subscription-agreement, and/or the terms and conditions governing Products and Services provided to Licensees located at: https://kirurusec.com/network-security-products-license-agreement.
“Sub-processor” means any Data Processor engaged by KIRURU SECURITY or an Affiliate.
3. Processing of Data
- Access to and processing of Customer Data by KIRURU SECURITY Products and Services is done in accordance with the terms of the KIRURU SECURITY Customer Agreement and any reasonable and lawful directions received in writing from authorised personnel of Customers that obtained such Products and Services. For the avoidance of doubt, the placing of an Order by Customer shall be deemed to be a general authorization for KIRURU SECURITY to process Customer Data in accordance with these Measures.
- To the extent Customer Data includes Personal Data, the Customer will at all times be deemed to be the Data Controller and KIRURU SECURITY will at all times be deemed to be the Data Processor within the meaning of the applicable data protection laws. Customer is responsible for compliance with its obligations as Data Controller under applicable data protection laws, in particular for justification of and liability for any transmission of Customer Data to KIRURU SECURITY (including providing any required notices and obtaining any required consents), and for its decisions concerning the Processing and use of such Customer Data.
- KIRURU SECURITY will promptly notify the Customer about: (a) any legally binding request for disclosure of the Customer Data by a law enforcement authority (where Customer is identified by name by the law enforcement authority and/or the response provided by KIRURU SECURITY will result in identifying the Customer by name to the law enforcement authority) unless otherwise prohibited from doing so by law; (b) any request received for the Customer Data directly from an individual regarding that individual’s Personal Data (without responding to that request unless it has been otherwise authorised to do so); and (c) a complaint, communication or request relating to Customer’s obligations under applicable data protection laws (including requests from a data protection authority with competent jurisdiction). KIRURU SECURITY will only process Customer Data in compliance with all applicable laws including the EU or Member State law to which KIRURU SECURITY is subject, including the EU Data Protection Law.
- KIRURU SECURITY will verify the legal basis of any government authority data requests and reject those KIRURU SECURITY has reason to believe are not valid.
4. Security of Data
- KIRURU SECURITY agrees that it shall implement appropriate technical and organisational security measures to seek to prevent unauthorised or unlawful processing of, or accidental loss, destruction or damage to, Customer Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing. Technical and organisational security measures employed by KIRURU SECURITY include those described in Exhibit 1 (which may be amended by KIRURU SECURITY from time to time).
- KIRURU SECURITY shall also: (i) ensure that only its employees, agents or sub-processors who may be required by KIRURU SECURITY to assist it in performing any obligations imposed by the KIRURU SECURITY Customer Agreement will have access to the Customer Data; (ii) ensure the reliability of any KIRURU SECURITY employees who have access to the Customer Data; (iii) ensure that all employees involved in the processing of the Customer Data have committed themselves to appropriate obligations of confidentiality and have undergone adequate training in the care, protection and handling of Personal Data; and (iv) notify Customer of any actual or reasonably suspected unauthorised or unlawful processing or any accidental loss, destruction, damage, alteration or disclosure of the Customer Data (to the extent reasonably believed by KIRURU SECURITY to have targeted Customer Data) without undue delay and, where feasible, not later than 72 hours after it becomes aware of such an event, and keep Customer informed of any related developments.
- KIRURU SECURITY shall take reasonable steps to ensure that employees of KIRURU SECURITY contractors or Sub-processors who access Customer Data are obligated to maintain the confidentiality and integrity of Customer Data.
5. Audit
- KIRURU SECURITY shall audit the security of its data processing facilities used to Process the Customer Data. This audit will be performed annually in accordance with ISO 27001 standards (including for purposes in addition to complying with Section 4).
- Upon Customer’s request, KIRURU SECURITY will provide Customer with a copy of the relevant certification(s), such as the KIRURU SECURITY Cloud ISO 27001 Certification, (such certification(s) being KIRURU SECURITY’s confidential information) so that Customer can reasonably verify KIRURU SECURITY’s compliance with its obligation to seek to take appropriate security measures in accordance with Section 4 and Exhibit 1 of these Measures.
- In addition, upon request in writing by Customer and at Customer’s sole expense, KIRURU SECURITY and Customer will appoint a mutually agreed upon auditor who is internationally approved by the ISO 27001 certification auditing body so that Customer can reasonably verify KIRURU SECURITY’s compliance with its obligation to seek to take appropriate security measures in accordance with Section 4 and Exhibit 1 of these Measures.
- Any such audit will take place during regular business hours and no more frequently than once in any consecutive twelve-month period, and on a mutually agreed upon date, time, location and duration. Customer agrees that (i) such audits shall not adversely affect other Customers of KIRURU SECURITY or KIRURU SECURITY’s provision of Products; (ii) any such third party auditor shall comply with KIRURU SECURITY’s policies during such audit; and (iii) Customer shall ensure that any such third party auditor treats all of KIRURU SECURITY’s Confidential Information disclosed to such third party auditor as a result of such audit in the same manner Customer is required to treat such Confidential Information.
- Any audit provided for in this section shall only consist of an audit of the architecture, systems and procedures relevant to the protection of Customer Data at locations where Customer Data is stored and/or the review by such auditor of KIRURU SECURITY’s regularly-prepared records regarding its obligation to implement appropriate security measures, which in the case of Personal Data take into account the guidelines promulgated in Article 32 of the GDPR.
- The parties agree that the audits described in Clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with the specifications set out in this Section.
6. Sub-Processing
- By placing its Order(s), Customer provides KIRURU SECURITY a general authorisation to engage third party sub-processors as KIRURU SECURITY determines is necessary to assist with respect to the provisioning and use of Products and Services. KIRURU SECURITY will ensure such Sub-processors are required to comply with data protection obligations that are no less onerous than the data protection obligations of KIRURU SECURITY contained within these Measures.
- If Customer has a reasonable basis to object to KIRURU SECURITY’s use of a Sub-processor, Customer may terminate the KIRURU SECURITY Customer Agreement by providing written notice to KIRURU SECURITY.
- For the avoidance of doubt, no refund will be due from KIRURU SECURITY in the event of termination by Customer pursuant to Section 6.3.
7. Consequences of termination of the KIRURU SECURITY Customer Agreement
On termination of the KIRURU SECURITY Customer Agreement, KIRURU SECURITY shall: (i) cease all Processing of Customer Data on behalf of Customer; and (ii) upon request by Customer, either (a) return to Customer (in a format accessible by Customer) all such Customer Data, or (b) destroy or otherwise render inaccessible all Customer Data (as far as technically possible and except as may be required by law).
8. Disputes and liability
For the avoidance of doubt, the relevant provisions of the KIRURU SECURITY Customer Agreement specify the applicable law, jurisdiction, and liability of the parties in relation to any disputes or claims arising in connection with the subject matter of these Measures.
9. International Transfers and the Application of Standard Contractual Clauses
- With respect to Customer Personal Data that originates from Customers established in the European Union, and is Processed by KIRURU SECURITY outside of the European Union, KIRURU SECURITY shall take appropriate steps to ensure such Personal Data is Processed in accordance with applicable data protection laws. Customer shall execute such further documents and do any and all such further things as may be necessary to ensure that any international transfers and subsequent Processing of Personal Data by KIRURU SECURITY, Affiliates or their Sub-processors is in compliance with applicable data protection laws.
- KIRURU SECURITY and its Sub-Processors will comply with the Standard Contractual Clauses when transferring Customer Personal Data to a third country that has not received an adequacy decision from the EU in accordance with GDPR.
- For the purpose of the Standard Contractual Clauses and this Section 9, the Data Exporter shall be (i) Customer and (ii) all Customer’s affiliates (as defined in the KIRURU SECURITY Customer Agreement) established within the European Economic Area and Switzerland using the Products or Services in accordance with the KIRURU SECURITY Customer Agreement, and the Data Importer shall be KIRURU SECURITY.
- Subject to Section 6 of these Measures and pursuant to Clause 9 of the Standard Contractual Clauses, Customer acknowledges and expressly agrees that KIRURU SECURITY and its Affiliates may be retained as Sub-processors and may engage third-party Sub-processors in connection with the provision or use of the Products or Services.
10. Assistance
To the extent technically feasible and consistent with its responsibilities related to the sale of its Products and Services to Customers, KIRURU SECURITY will assist customers through appropriate technical and organizational measures to comply with the Customer’s Data Controller responsibilities as set forth in Chapter III of GDPR Reg EU 2016/679.
EXHIBIT 1
KIRURU SECURITY TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
KIRURU SECURITY implements various technical and organizational measures designed to ensure a level of security appropriate to the risks posed to Customer Data. Such measures seek to protect Customer Data against unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and all other unlawful forms of access. Consistent with industry standards and the guidelines set forth in applicable data protection laws, such measures include:
Access Control of Processing Areas
KIRURU SECURITY implements suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment (namely telephones, database and application servers, and related hardware) where the Customer Data is accessed, processed, or used. This is accomplished by:
- establishing security areas;
- protection and restriction of access paths;
- securing the decentralized telephones, data processing equipment and personal computers;
- establishing access authorizations for employees and third parties, including the respective documentation;
- regulations on access card-keys;
- restriction on access card-keys;
- all access to the data center where personal data are hosted is logged, monitored, and tracked; and
- the data center where personal data are hosted is secured by a security alarm system, and other appropriate security measures.
Access Control to Data Processing Systems
KIRURU SECURITY implements suitable measures to prevent its data processing systems from being used by unauthorized persons. This is accomplished by:
- identification of the terminal and/or the terminal user to the KIRURU SECURITY systems;
- automatic time-out of user terminals left idle, with identification and password required to reopen the session;
- monitoring of User IDs, with access revoked when several erroneous passwords are entered, and an event log file (monitoring of break-in attempts);
- issuing and safeguarding of identification codes and secure tokens;
- strong password requirements (minimum length, use of special characters, restrictions on re-use, etc.);
- protection against external access by means of a state-of-the-art industrial standard firewall whose connection to the intranet [if applicable] shall in addition be safeguarded by a VPN connection;
- dedication of individual terminals and/or terminal users, identification characteristics exclusive to specific functions; and
- all access to data content on machines or computer systems is logged, monitored, and tracked.
Access Control to Use Specific Areas of Data Processing Systems
KIRURU SECURITY commits that the persons entitled to use its data processing systems are only able to access the data within the scope and to the extent covered by their respective access permission (authorization) and that Customer Data cannot be read, copied, modified or removed without authorization. This shall be accomplished by:
- employee policies and training in respect of each employee’s access rights to the Personal Data;
- allocation of individual terminals and/or terminal users, and identification characteristics exclusive to specific functions;
- monitoring capability in respect of individuals who delete, add or modify the Personal Data;
- effective and measured disciplinary action against individuals who access Personal Data without authorization;
- release of data to only authorized persons;
- control of files, controlled and documented destruction of data; and
- policies controlling the retention of back-up copies.
Transmission Control
KIRURU SECURITY implements suitable measures to prevent Customer Data from being read, copied, altered, or deleted by unauthorized parties during the transmission thereof or during the transport of the data media and to ensure that it is possible to check and establish to which bodies the transfer of Customer Data by means of data transmission facilities is envisaged. This is accomplished by:
- use of state-of-the-art firewall and encryption technologies to protect the gateways and pipelines through which the data travels;
- use of 128-bit SSL encryption for all HTTP connections;
- implementation of secure two-factor VPN connections to safeguard the connection to the internet, if applicable;
- encryption of Customer Data by state-of-the-art encryption technology;
- constant monitoring of infrastructure (i.e. ICMP ping at the network level, disk-space checks at the system level, successful delivery of specified test pages at the application level); and
- monitoring of the completeness and correctness of the transfer of data (end-to-end integrity check).
Input Control
KIRURU SECURITY implements suitable measures to ensure that it is possible to check and establish whether and by whom personal data have been input into data processing systems or removed. This is accomplished by:
- an authorization policy for the input of data into hosted service, as well as for the reading, alteration and deletion of stored data;
- authentication of the authorized personnel;
- protective measures for the data input into memory, as well as for the reading, alteration and deletion of stored data;
- utilization of user codes (passwords and tokens);
- providing that entries to data processing facilities (the rooms housing the computer hardware and related equipment) are capable of being locked;
- automatic log-off of user IDs that have not been used for a substantial period of time;
- logging or otherwise evidencing input authorization; and
- electronic recording of entries.
Instructional Control of Personal Data
KIRURU SECURITY ensures that Customer’s Personal Data may only be processed in accordance with the KIRURU SECURITY Customer Agreement, together with any reasonable and relevant instructions received in writing from authorized personnel of the Customer from time to time. Such instructions may be specific instructions or instructions of a general nature, as set out in the KIRURU SECURITY Customer Agreement or as otherwise agreed between the Customer and KIRURU SECURITY during the term of the KIRURU SECURITY Customer Agreement. This is accomplished by binding policies and procedures for KIRURU SECURITY’s employees.
Availability Control
KIRURU SECURITY implements suitable measures to ensure that Customer Data are protected from accidental destruction or loss. This is accomplished by:
- infrastructure redundancy: reporting data is stored on hardware with a redundant disk subsystem, backed up in real time with off-site replication backups.
Separation of Processing for different Purposes
KIRURU SECURITY implements suitable measures to ensure that data collected for different purposes can be processed separately. This is accomplished by:
- access to data is separated through multiple distinct applications, each available to the appropriate users; and
- interfaces, batch processes and reports are designed for only specific purposes and functions, so data collected for specific purposes is Processed separately.
Subprocessors
KIRURU SECURITY engages various sub-processors in connection with its cloud infrastructure. KIRURU SECURITY ensures that it has robust contractual provisions in place to ensure compliance by such sub-processors with the organizational security measures outlined herein.