Data Processing Agreement

This Data Processing Agreement and its Annexes (“DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by Alumio in connection with the Services under Alumio’s General terms and conditions (also referred to in this DPA as the “Agreement”). 

This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.

This Data Processing Agreement (the 'Agreement') is effective between Alumio B.V. as “Processor” and the customer as “Controller”, hereinafter referred to collectively as ‘the parties’.


WHEREAS: 

IT IS AGREED AS FOLLOWS: 

Article 1 - Subject of the Data Processing Agreement 

  1. Controller is responsible for the processing of personal data in the context of the implementation of the Agreement. Processor does not have independent control over the Personal Data. 
  2. The Processor processes Personal Data only on instructions from the Controller in the context of the execution of the Agreement, in accordance with the objectives determined by the Controller and resources and the retention periods as agreed in the assignment(s), as well as in accordance with any other instructions provided by the Controller. 
  3. Controller will guarantee that its instructions to the Processor result in processing by the Processor that complies with applicable regulations, including, but not limited to, the GDPR, and will not infringe any third party right(s). 
  4. The processing relates to the categories, nature, and type of Personal Data submitted by the Controller. 
  5. The processing operations are specified by the Processor in Appendix 1 of this Data Processing Agreement. 
  6. Processor only provides access to those Employees for whom this access to Personal Data is necessary for the performance of the Agreement. 
  7. The obligations of the Processor of this Data Processing Agreement also apply to those who process personal data under the authority of the Processor, including but not limited to employees in the broadest sense of the word. 

Article 2 - Technical and Organizational (security facilities) 

  1. Processor has ensured that the required security measures have been taken, which guarantee an adequate level of protection, taking into account the current state of IT development and the costs of implementation, in view of the risks involved in the processing and the nature of the data to be protected. 
  2. In this context, the Processor has implemented the measures mentioned in Appendix 2. 

Article 3 - Liability 

  1. The Processor is liable towards the Controller for direct damage that the Controller suffers as a result of a culpable shortcoming and/or wrongful act attributable to the Processor. The total liability under the Agreement, including this Data Processing Agreement, or for violation by the Processor and/or Sub-processor(s) of the GDPR, will never amount to more than EUR 50.000,- per year. If a Data Subject holds the Processor liable for the damage that he or she has suffered as a result of an infringement of his or her personal data, then the Processor will submit this claim to the Controller so that the Controller can deal with it. 
  2. Processor shall never be liable for consequential damage, including pure financial loss, lost profit, and immaterial damage. In particular, Processor is not liable for any damage in connection with and/or due to: i) termination or modification of the service provided; ii) communication failures in connection with hardware, software, network, or other computer problems; iii) the use of data or data files prescribed by the Controller; iv) loss, mutilation or destruction of data or data files; and/or v) inaccessibility of the Processor's service. 
  3. Insofar as fulfillment is not permanently impossible, the Processor's liability due to a culpable shortcoming in the performance of the Data Processing Agreement only arises if the Controller expressly and in writing gives notice of default in good time, a reasonable period for remedying the shortcoming is granted, and the Processor after that term still falls short in the fulfillment of its obligations. The letter of formal notice must contain as complete and detailed a description of the shortcoming as possible so that the Processor is able to respond adequately. 
  4. A condition for the existence of any right to compensation is always that the Controller reports the damage to the Processor in writing as soon as possible after the occurrence thereof. Any claim for damages towards Processor expires by the mere lapse of twelve (12) months after the claim arose.
  5. An (administrative) fine imposed by the competent Supervisory Authority on the Controller can never be recovered from the Processor if the competent Supervisory Authority has not specified the extent to which the Processor is liable for the imposition of the (administrative) fine. 

Article 4 - Audits in the context of the GDPR 

  1. The Controller has the right to have audits carried out, with the aim of verifying whether the measures and provisions taken by the Processor are in accordance with the provisions of this Data Processing Agreement. 
  2. The Processor will cooperate and provide all information relevant to the audit in a timely manner. 
  3. The persons conducting an audit will conform to the security procedures that apply to and are in force at the Processor, insofar as these security procedures have been made known to the Controller. 
  4. The reasonable costs for the deployment of the auditors and of the own personnel of the Controller and/or a Supervisor and the Processor are at the expense of the Controller.
  5. If substantial irregularities are found during an initial audit, the Controller and/or a supervisor, or a third party engaged by the Controller and/or a supervisor, may carry out a second audit. If during this second audit it appears that the previously observed irregularities still occur, all costs of the second audit and any further audits will be for the account of the Processor. 

Article 5 - Notification Requirement 

  1. In the event of an actual breach or threatened or suspected breach of security, leading to (or likely to lead to) the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, the data which is likely to result (a) in a risk for the rights and freedoms of a data subject (such as discrimination, identity theft or fraud) or (b) in financial loss, damage to reputation, loss of confidentiality of data or (c) in any other significant economic or social disadvantage ("Security Breach"), Processor shall: 
     i.   without delay, but at the latest within 48 hours after having become aware of it, notify the Security Breach to Controller, including all information indicating the facts and circumstances of the Security Breach; and
     ii.  provide Controller with all information it may need or require in order to be able to understand and limit the (possible) consequences of such Security Breach as much as possible; and 
     iii. act in accordance with Controller's instructions and its obligations resulting from the applicable law regarding such data breach; and
     iv.  make sure that any evidence relating to the Security Breach is contained and stored for the duration of this Processing Agreement (e.g. log files, network analysis data, access control data).
  2. Processor will provide Controller with information on:
     i.   the nature of the Security Breach and the most up-to-date facts as far as known or suspected; and 
     ii.  the (possibly) affected Personal Data; and
     iii. the ascertained and anticipated consequences of the Security Breach for the processing of the Personal Data and the persons involved therein; and
     iv.  the measures that the Processor has taken and will take to mitigate or undo the negative consequences of the Security Breach.
  3. Processor will, at the request of Controller, render the assistance that Controller deems necessary in order to notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or any other competent supervisory authority and/or the data subjects of a Security Breach. Processor may not submit such a notification without the explicit prior permission of Controller. 
  4. Processor will continuously inform Controller of possible new developments regarding a Security Breach as well as the measures taken to prevent repetition in the future.
  5. Possible costs linked to Processor's duties under clauses 1, 2, and 3 will be borne by Processor.


Article 6 - Confidentiality 

  1. The Processor is bound to secrecy of all Personal Data and information that it processes as a result of this Data Processing Agreement, except to the extent that such Personal Data or information apparently has no secret or confidential character or is already generally known. 
  2. Parties will contractually oblige persons working for them (including employees) involved in the Processing of confidential (Personal) data (for example, by means of a clause in the employment contract) to maintain the confidentiality of said confidential (Personal) data and other information. 
  3. If the Processor is required to provide data on the basis of a statutory obligation, the Processor shall verify the basis of the request and the identity of the applicant and inform the Controller immediately, if possible and/or allowed, prior to the provision. 

Article 7 - Engaging Subprocessor(s) 

  1. The Processor is permitted to make use of Subprocessor(s) within the framework of this Data Processing Agreement. The Subprocessors that are engaged in performing services within the scope of the Agreement are listed in Appendix 3.
  2. The Processor will always inform the Controller of any changes in the Subprocessors in writing, giving reasonable notice of the proposed change (the “Sub-processor Notification”). The Controller has the possibility to object to such changes. If the Controller has reasonable grounds for objecting to the use of new or additional Sub-processors, it should notify the Processor of this in writing within 14 days of receipt of the Sub-processor Notification. Should the Controller object to a new or additional Sub-processor and this objection is not unreasonable, the Processor will make reasonable efforts to make changes in the Services available to the Controller or to recommend a commercially reasonable alteration in the Controller’s configuration or the Controller’s use of the Services in order to avoid Personal Data being processed by the new or different Sub-processor to whom/which an objection has been made, without thereby placing an unreasonable burden on the Controller. If the Processor is unable to make this alteration available within a reasonable period, namely not exceeding sixty (60) days, the Controller may terminate the affected part of the Agreement by means of a written notification sent to the Processor, albeit solely in respect of those Services that cannot be provided by the Processor without the use of the new or different Sub-processor against whom/which an objection has been made.
  3. The Processor contractually lays down the same data protection obligation as that stated in this DPA on all Sub-processors. In particular, the agreement between Processor and Sub-processor provides adequate guarantees for the implementation of the technical and organizational security measures as referred to in Appendix 2, insofar as these security measures are important for the services provided by the Sub-processor.

Article 8 - Transfer of Personal Data 

  1. Personal Data may be transferred to third countries or international organizations only if there is an appropriate level of protection and the Controller has given specific consent for this in writing. 
  2. The Controller may attach further conditions to the consent in writing as referred to in Clause 8.1, including but not limited to demonstrating that the requirements included in Clause 8.3 have been satisfied. 
  3. The Controller may only give the Processor consent for a transfer of Personal Data to third countries or international organizations if either: 
     i.   An adequacy decision in accordance with Article 45(3) GDPR has been taken in respect of the third country involved or the international organization involved; or 
     ii.  Appropriate safeguards in accordance with Article 46 GDPR, including binding corporate rules as referred to in Article 47 GDPR, have been taken in respect of the third country involved or the international organization involved; or 
     iii. One of the specific conditions from Article 49(1) GDPR has been met in respect of the third country involved or the international organization involved.

Article 9 - Informing Data Subject(s) 

  1. The Processor will fully cooperate in order for the Controller to fulfill its legal obligations in the event that a Data Subject exercises his rights under the terms of the GDPR or other applicable regulations regarding the Processing of Personal Data. 
  2. If a Data Subject directly contacts the Processor with regard to the execution of his / her rights under the GDPR, then the Processor will not - in the first instance - answer this (unless explicitly instructed otherwise by the Controller), but the Processor will immediately inform the Controller of this with a request for further instructions. 

Article 10 - Term and termination 

  1. This Data Processing Agreement has a term equal to that of the Agreement. Articles that, given their nature, govern the settlement of the Data Processing Agreement, are intended to be performed after the end of the Data Processing Agreement, or are otherwise intended to survive it, remain in force after termination of the Data Processing Agreement. 
  2. Within one month after the Agreement ends, the Processor - for a limited fee that does not exceed the costs reasonably incurred by Processor for this purpose - shall destroy and/or return all Personal Data, and/or the Processor shall transfer the same Personal Data to another party to be designated by the Controller, at the Controller's discretion. All existing (other) copies of Personal Data, whether or not held by (legal) persons engaged by the Processor, including but not limited to Employees and/or Sub-processors, will also be permanently deleted. 

Article 11 - Other provisions 

  1. In case of conflict of (one or more provisions from) the Data Processing Agreement with (one or more provisions from) other agreements between the Controller and the Processor, the Data Processing Agreement prevails. 
  2. Dutch law applies to this Data Processing Agreement. 
  3. Any and all disputes or claims arising out of this Agreement or the execution thereof will be settled exclusively by the competent court in Rotterdam, the Netherlands.

Appendix 1 - Subject matter of the Agreement

Categories of Data Subjects whose Personal Data is Transferred

Alumio delivers a cloud-based integration platform for data exchange between third-party software. This part is also described in the Alumio license agreement and relating documentation. Controller may submit Personal Data in the course of using the Services of Alumio, the extent of which is determined and controlled by the Controller.

Purpose of the processing

The processing activities carried out by Alumio as Processor via its provision of the Services are described in the Alumio license agreement and relating documentation. 

As a Processor, Alumio processes personal data at the request of the Controller for the following purpose(s): 



Appendix 2 - Technical and organizational measures of the Processor

The Processor shall undertake the following technical and organizational measures for data security in accordance with Art. 32 GDPR.

1. Confidentiality

1.1. Access Control

Employee access
A person can access the main office of Alumio with an assigned key fob provided by a security officer, or by manual access given by an office manager. 

Surveillance
The entrances of the office are monitored and recorded by video surveillance systems. 

Alarm system
An alarm system is in place to secure the building outside of working hours. 

Visitor access
A visitor access policy is in place to ensure visitors are being tracked and documented and visitors are given access to the office after they have been verified by the inviter.

1.2. System Access Control

The access explained:

Role-Based Access Control (RBAC)
Our employees have access based on user roles with the concept of least privilege, so no access is granted to a level that is not described as needed in the ‘role’.

Remote access security
Logging in to the Alumio application can only be achieved by a two-factor authentication login procedure. 

IP whitelisting
Access to Alumio’s codebase and infrastructure is only possible after logging in to the company’s VPN. These IP addresses are static and are whitelisted by our system administrators.

User tracking
All user login actions are logged, like login IDs (username Fan ID), date/time of the last login, location of login (example: IP address), and the device identifier (example: MAC address). The logs are pushed to a location with a special access requirement for a period of 4 weeks.

Regular access reviews
Alumio has a process in place, so that regular access reviews are held. These will notify managers of issues in offboarding, enabling Alumio to update its processes and remediate any changes necessary.

Storing login credentials
Software with two-factor authentication is being used to store and generate all credentials used to perform job functions. The software is provisioned to the employee with the least required access to fulfill a certain job function.

Security training
Engineering employees with access to production systems are required to undergo varying levels of security training on a regular basis. 

Local development
In no case is it allowed to have customer data on a local machine, for development or testing purposes. It is mandatory to follow standard procedures to remove or scramble sensitive data for local purposes.

Hard drive encryption
Alumio employees are obligated to apply hard drive encryption on their local machines, as stated in the onboarding policies for employees.

Firewall configuration
Alumio employees are obligated to apply firewall configuration on their local machines, as stated in the onboarding policies for employees.

Data Access Control
Alumio follows the ISO27001 guidelines to ensure general security and authorization checks are in place. Application access is checked every month, general security checks are done every three months. 
Accounts are being provisioned from Microsoft 365 and where possible, single sign-on and Azure Active Directory are being used. User credentials are stored in specialized software, and provisioning access is determined at the group level. There are standard protocols in place to ensure the removal or blocking of users who are no longer allowed to access certain systems, data, or credentials.

Separation
Alumio offers the ability to create routes that are responsible for delivering a specific task regarding the transfer of data. Implementation partners are trained to configure these routes according to best practices. By configuring these routes, it is guaranteed that, for example, customer data is being processed separately from inventory data.
When following the best practices of Alumio, every object of data that is being processed by Alumio is isolated into a Task. That Task contains data of only one customer.
Alumio offers a separate user acceptance testing (UAT) version of Alumio, and a separate production version.  


1.3. Pseudonymization & Encryption

Alumio offers the ability to create environment variables to encrypt sensitive data. Incoming data (for example customer data) is not pseudonymized or encrypted by default, as Alumio’s purpose is to restructure data as soon as possible and send it out via an Outgoing to a third-party system.

2. Integrity

2.1. Data Entry Control 

It is not possible to manually edit, update or delete data in Alumio, as it is not a data management platform. Changes in configurations are tracked by Alumio’s Audit trail. By default, Alumio stores data for 4 weeks. This can be adjusted and tailored to the requirements of Alumio’s Customer. The SysOps of Alumio have access to the logs.

Alumio’s iPaaS has three ways of storing data:

2.2. Transmission Control

Alumio offers a cloud-based platform to process data, which may include personal data. The configuration of the actual data that will be processed between systems is done by Alumio’s Customer and/or Alumio’s Customer’s system integrator. Personal data is not actively transferred between the Processor and the Controller, as Alumio offers the software to configure connections between third-party systems. 

All communication from and to the data center of Amazon Web Services, Elastic Stack, and Alumio uses a minimum of 256-bit SSL/TLS encryption and runs via HTTPS, port 443. 

Default settings:

Data at rest:

No encryption is applied, and access to data at rest is limited to authorized users.

Data in transit:

Secured depending on the situation, usually by HTTPS, SSH tunneling, VPN, etc.

3. Availability and resilience

Backups

To prevent data loss, it is necessary to make regular backups. Unlike many providers, Alumio opts for file-based backup technology. This gives Alumio the ability to also restore a single file. This can significantly reduce the restore time and offers more comfort to developers looking for specific files.

Alumio uses R1Soft, which is the market leader in the high-end backup software market. By default, the backup assumes 1 restore point, which is supplemented with the 'changes' from the restoring moment. These backups are made outside your cloud environment and are primarily intended to quickly access a complete copy of your environment in the event of a calamity. The backup is a full backup and will be written every night to a NAS (Network Attached Storage) server in the network, but outside your cloud environment. This backup can be used if your server unexpectedly breaks down. Within Alumio’s standard service levels, the backup is made 1 time per day and stored for 7 days.

Alumio can restore every day within this period. Additionally, it is possible to extend and intensify the backup schedule, to send the backups to your physical location, and to create multiple restore points.

Disaster recovery

Alumio ensures that recovery can always take place in the event of serious malfunctions. Disaster recovery takes time. As a result, the time planned in advance differs per SLA variant. The default SLA states that Alumio requires between 1 - 2 hours during office hours to start recovering your data. The time required to recover the application in its entirety depends on the size of your application (number of GB) but is +/- 1 hour per 10 GB of data to be recovered. Alumio infrastructure management also relies on the Amazon Disaster Recovery and Elastic Disaster Recovery policy and procedures.

Deployment regions and strategy

When Alumio deploys your iPaaS instance, Alumio chooses a primary deployment region for your business. Your primary deployment region holds all of your Alumio data and is where your main organization processes take place. This regards the hosting infrastructure, delivered upon Amazon Web Services and Elastic Stack.

4. Procedure for the regular review, assessment, and evaluation

Alumio regularly reviews its information security policies and measures and, where necessary, improves them.

Alumio regularly tests and reviews its measures to ensure they remain effective and act on the results of those tests where they highlight areas for improvement.

Appendix 3 - Subcontractors

For the processing of data on behalf of the Controller, Alumio uses the services of Third Parties who process data on behalf of Alumio ("subcontractors").

These companies are:

Cloud hosting provider: Amazon Web Services
Amazon Web Services is a Cloud hosting provider that supplies hardware and software to its customers. The sub-processors and affiliated operational entities of AWS can be found here: https://aws.amazon.com/compliance/sub-processors/

Hosting supplier: Youwe Hosting
Youwe Hosting is an ISO 27001 certified company that specializes in delivering services (SysOps, DevOps, IT management) for setting up, maintaining, and monitoring the AWS Cloud hosting provider.

Data service provider: Elastic Stack
Elastic Stack provides Elastic Kibana to store data for logging purposes and Elastic Search for analyzing purposes. Alumio offloads its logging information to store and analyze data and loads it into the graphical user interface for end-user purposes.