Data Processing Agreement

Template agreement - this needs to be completed with certain details before it has effect.

Between

The data controller:
[Name]
CVR [CVR Number]
[Address]
[ZIP code and city]
[Country]

and

Data processor:

Humio ApS
CVR DK37684236
Dyssen 1
8200 Aarhus N
Denmark

1. Introduction

This agreement is based on the standard template for Data Processing Agreements from the Danish Data Protection Agency. The main body, sections 2-15, is largely unchanged from the original document. Appendices A, B, C and D lay out the specifics of this engagement.

2. Background for the Data Processing Agreement

  1. This agreement sets out the rights and obligations that apply when the data processor handles personal data on behalf of the data controller.

  2. The agreement is designed for the parties to comply with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (the General Data Protection Regulation, “GDPR”, hereinafter the “Data Protection Regulation”), which sets specific requirements for the content of a data processing agreement.

  3. The processing of personal data by the data processor is for the purpose of fulfilling the parties’ “main agreement”: (Professional Humio Hosted Service Agreement) concluded on ** XX date XX **.

  4. The Data Processing Agreement and the “main agreement” are interdependent and cannot be terminated separately. However, the Data Processing Agreement may - without terminating the “main agreement” - be replaced by another valid data processing agreement.

  5. This data processing agreement takes precedence over any similar provisions in other agreements between the parties, including the “main agreement”.

  6. Four appendices act as an integral part of this data processing agreement.

  7. The Data Processing Agreement Appendix A sets out the details of the processing, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.

  8. The Data Processing Agreement Appendix B sets out the data controller’s conditions for the data processor to make use of any sub-processors, as well as a list of any sub-processors that the data controller has approved.

  9. The Data Processing Agreement Appendix C sets out further instructions on the processing by the data processor on behalf of the data controller (subject matter of the processing), and which minimum security measures should be observed and how the data processor and any sub-processors are supervised.

  10. The Data Processing Agreement Appendix D details the parties’ possible regulation of conditions which are not otherwise stated in the data processing agreement or the parties’ “main agreement”.

  11. The data processing agreement and its supporting documents are stored in writing, including electronically, by both parties.

  12. This data processing agreement does not release the data processor from any obligations that are directly imposed on the data processor under the Data Protection Regulation or any other law.

3. The data controller’s obligations and rights

  1. The data controller is responsible for the processing of personal data within the scope of the Data Protection Regulation and the then-current national laws.

  2. The data controller therefore has both the rights and the obligations to make decisions about the purposes and the means for processing.

  3. The data controller is responsible for ensuring that there is a legal basis for the processing that the data processor is instructed to perform.

4. The data processor is acting according to instructions

  1. The data processor may only process personal data according to documented instructions from the data controller, unless required under EU law or national law to which the data processor is subject; in that case, the data processor shall notify the data controller of this legal requirement before processing, unless that law prohibits such notification for reasons of important public interest, cf. Article 28(3)(a).

  2. The data processor shall immediately inform the data controller if an instruction, in the opinion of the data processor, is contrary to the data protection regulation or data protection provisions in other EU law or national law of the Member States.

5. Confidentiality

  1. The data processor ensures that only persons currently authorized to do so have access to the personal data processed on behalf of the data controller. Access to the information must therefore be immediately terminated if the authorization is cancelled or expired.

  2. Only persons authorized to access personal data may be authorized to fulfill the data processor’s obligations to the data controller.

  3. The data processor ensures that the persons authorized to process personal data on behalf of the data controller have committed themselves to confidentiality or are subject to appropriate statutory confidentiality.

  4. At the request of the data controller, the data processor should be able to demonstrate that the relevant employees are subject to the aforementioned confidentiality obligation.

6. Security of processing

  1. The data processor shall implement all measures required by Article 32 of the Data Protection Regulation. Taking into account the implementation costs and the nature, scope, context and purpose of the processing concerned, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, appropriate technical and organizational measures must be implemented to ensure a level of security that fits these risks.

  2. The above obligation implies that the data processor must carry out a risk assessment and then take measures to address the identified risks. These measures may include, inter alia, the following:

    • Ability to ensure continued confidentiality, integrity, availability and robustness of processing systems and services.
    • Ability to promptly restore availability of and access to personal data in case of a physical or technical incident.
    • A procedure for periodic testing, assessment and evaluation of the effectiveness of technical and organizational measures to ensure processing security.

  3. In any case, the data processor shall at least implement the level of security and the measures that are specified in detail in Appendix C of this Agreement.

  4. The parties’ agreement on remuneration in connection with further security measures appears in Appendix D of this agreement.

7. Use of sub-processors

  1. The data processor must comply with the conditions set out in Article 28(2) and (4) of the Data Protection Regulation in order to use another data processor (sub-processor).

  2. The data processor must thus not use another data processor (sub-processor) to fulfill the data processing agreement without prior specific or general written approval from the data controller.

  3. In the case of general written approval, the data processor must notify the data controller of any planned changes regarding the addition or replacement of other sub-processors, thereby giving the data controller the opportunity to object to such changes.

  4. The data controller’s terms and conditions for the data processor’s use of any sub-processors are contained in Appendix B of this Agreement.

  5. The data controller’s approval of specific sub-processors is listed in Appendix B of this Agreement.

  6. When the data processor has the data controller’s authorization to use a sub-processor, the data processor shall impose on the sub-processor the same data protection obligations as those set forth in this data processing agreement, through a contract or other legal document under EU law or national law, in particular providing the necessary guarantees that the sub-processor will implement the appropriate technical and organizational measures in such a way that the processing meets the requirements of the Data Protection Regulation. The data processor is thus responsible, through the conclusion of an agreement, for imposing on any sub-processor at least the obligations that the data processor itself is subject to under the Data Protection Regulation and this data processing agreement and its appendices.

  7. The sub-processing agreement and any subsequent changes thereto will be sent to the data controller, upon request by the data controller, in order to ensure that a valid agreement has been entered into between the data processor and the sub-processor. Any commercial terms, such as prices, that do not affect the data protection content of the sub-processing agreement need not be sent to the data controller.

  8. If the sub-processor does not comply with its data protection obligations, the data processor remains fully liable to the data controller for the fulfillment of the sub-processor’s obligations.

8. Transfer of information to third countries or international organizations

  1. The data processor may only process personal data according to documented instructions from the data controller, including transfer (transfer and internal use) of personal data to any third country or international organization, unless the data processor is required to do so under EU law or national law; in that case, the data processor shall notify the data controller of this legal requirement before processing, unless that law prohibits such notification for reasons of important public interest, cf. Article 28(3)(a).

  2. Without the data controller’s instruction or approval, the data processor may not, within the framework of the data processing agreement, among other things:

    • pass personal data to a data controller in a third country or in an international organization,
    • leave the processing of personal data to a sub-processor in a third country,
    • let the information be processed in another of the data processor’s departments located in a third country.

  3. The data controller’s possible instruction or approval of the transfer of personal data to a third country will appear from Appendix C of this Agreement. Such transfer to any third country must be founded on a legal basis, e.g., the EU Commission’s Standard Clauses for the transfer of personal data to third countries.

9. Assistance to the data controller

  1. The data processor, taking into account the nature of the processing, shall assist the data controller through appropriate technical and organizational measures, with the handling of requests for the exercise of the data subjects’ rights as defined in Chapter 3 of the Data Protection Regulation.

    This implies that, as far as possible, the data processor shall assist the data controller in ensuring compliance with the data controller’s obligations regarding:

    • disclosure obligation for collecting personal data from the data subject
    • disclosure obligation, when personal data is not being collected from the data subject
    • right to rectification
    • the right to delete (“the right to be forgotten”)
    • the right to limitation of processing
    • notification obligation in connection with the correction or deletion of personal data or limitation of processing
    • the right to data portability
    • right of objection
    • the right to object to the result of automated individual decisions, including profiling

  2. The data processor assists the data controller in meeting the obligations pursuant to Articles 32-36 of the Data Protection Regulation, taking into account the nature of the processing and the information available to the data processor, cf. Article 28(3)(f).

    This implies that, in consideration of the nature of the processing, the data processor must assist the data controller in ensuring compliance with the data controller’s obligations regarding:

    • the obligation to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks associated with the processing
    • the obligation to report breaches of personal data security to the supervisory authority (Data Inspectorate) without undue delay and, if possible, within 72 hours after the data controller has become aware of the breach, unless it is unlikely that the breach of personal data security would endanger the rights and freedoms of natural persons
    • the obligation, without undue delay, to inform the data subject of a personal data breach when such a breach is likely to entail a high risk to the rights and freedoms of natural persons
    • the obligation to carry out a data protection impact assessment if a type of processing is likely to pose a high risk to the rights and freedoms of natural persons
    • the obligation to consult the supervisory authority (Data Inspectorate) before processing if a data protection impact assessment shows that the processing would lead to high risk in the absence of measures taken by the data controller to limit the risk

  3. The parties’ agreement on payment in connection with the data processor’s assistance to the data controller appears in Appendix D of this agreement.

10. Notification of breach of personal data security

  1. The data processor shall inform the data controller without undue delay after becoming aware that there has been a breach of personal data security at the data processor or any sub-processor.

    The data processor’s notification to the data controller should, if possible, take place no later than 48 hours after it has become aware of the breach, so that the data controller is able to comply with its obligation to report the breach to the supervisory authority within 72 hours.

  2. In accordance with paragraph 10 of this agreement, the data processor, in consideration of the nature of the processing and the information available to it, shall assist the data controller in reporting the breach to the supervisory authority.

    This may mean that the data processor shall assist in providing the following information, as provided for in Article 33(3) of the Data Protection Regulation, which shall be stated in the data controller’s notification to the supervisory authority:

    • The nature of the breach of personal data security, including, where possible, the categories and the approximate number of data subjects, as well as the categories and the approximate number of personal data records concerned.
    • The probable consequences of the breach of personal data security.
    • The measures taken or proposed to address the breach of personal data security, including, where appropriate, measures to limit its possible harmful effects.

11. Deleting and returning information

  1. Upon termination of the processing services, the data processor is obliged to delete or return all personal data to the data controller, as well as to delete existing copies, unless EU or national law prescribes the retention of the personal data.

12. Supervision and audit

  1. The data processor shall make available to the data controller all information necessary to demonstrate the data processor’s compliance with Article 28 of the Data Protection Regulation and with this Agreement, and shall allow and contribute to audits, including inspections, carried out by the data controller or another auditor authorized by the data controller.

  2. The detailed procedure for the data controller’s supervision of the data processor is contained in Appendix C of this agreement.

  3. The data controller’s supervision of any sub-processor is via the data processor. The detailed procedure for this is stated in Appendix C of this Agreement.

  4. The data processor is required to provide authorities, or representatives acting on behalf of the authority, access to the physical facilities of the data processor upon presentation of due credentials.

13. Parties’ agreements on other matters

  1. Any agreement on the consequences of the parties’ breach of the Data Processing Agreement will be found in the parties’ “Main Agreement” or in Appendix D of this Agreement.

  2. Any agreement on other relationships between the parties will be apparent from the parties’ “Main Agreement” or from Appendix D of this Agreement.

14. Entry into force and termination

  1. This Agreement shall enter into force upon both parties’ signatures.

  2. The agreement may be renegotiated by both parties if the law changes or inconsistencies in the agreement give rise to this.

  3. Any agreement of the parties regarding remuneration, conditions or the like in connection with changes to this Agreement will appear from the parties’ “Main Agreement” or from Appendix D of this Agreement.

  4. Termination of the data processing agreement may be in accordance with the termination conditions, including termination notice, as stated in the “Main Agreement”.

  5. The agreement is valid for the duration of the processing. Regardless of the termination of the “Main Agreement” and/or the Data Processing Agreement, the Data Processing Agreement will remain in force until termination of the processing and the deletion of the data by the data processor and any sub-processors.

Signature

On behalf of the data controller

Name:
Role:
Date:
Signature:

On behalf of the data processor

Name:
Role:
Date:
Signature:

15. Contact persons / contact points of the data controller and data processor

  1. The parties can contact each other via the following contact persons / contact points:

  2. The parties are required to continuously inform each other of changes regarding the contact persons / contact points.

Data Processor

Name: Geeta Schmidt
Role: CEO
Phone numbers: +45 20215590
E-Mail: geeta@humio.com

Data Controller

Name:
Role:
Phone numbers:
E-Mail:

Appendix A: Information on the processing

The data processor performs processing on customer supplied content (A.1) (the primary processing), and audit log data (A.2).

A.1. Processing of customer supplied content

The purpose of the data processor’s processing of personal data on behalf of the data controller is: The data controller may use the system Humio Hosted Service, owned and administered by the data processor, to store and process log data from the data controller’s systems.

The data processor’s processing of personal data on behalf of the data controller is primarily about (the nature of the processing): The data processor makes the system Humio Hosted Service available to the data controller and hereby stores log data of the data controller’s systems on the company’s servers.

The processing includes the following types of personal data about the data subjects:

Personal data submitted, stored, sent or received via the Humio Hosted Service may concern the following categories of data subjects: End Users including Customer’s employees and contractors; the personnel of Customer’s customers, suppliers and subcontractors; and any other person who transmits data via Humio Hosted Service, including individuals collaborating and communicating with End Users.

It is the data controller’s responsibility to ensure that this does not include sensitive data as described in the GDPR Article 9 (sensitive data).

The data processor’s processing of personal data on behalf of the data controller may commence after the entry into force of this Agreement. The processing has the following duration: The processing is limited to the scope of this contract. Data will be automatically deleted at the end of the retention period as specified in the Humio Hosted Service configuration panel.

A.2. Processing of audit log data

The data processor maintains an extensive audit log of all actions performed by operators of the services offered by the data processor (typically employees of the data controller).

The purpose of the data processor’s processing of personal data on behalf of the data controller is: The purpose of processing audit log data is to

The data processor’s processing of personal data on behalf of the data controller is primarily about (the nature of the processing): The data processor makes the system Humio available to the data controller, and hereby stores personal data about the users and operators of the services on the company’s servers.

The processing includes the following types of personal data about the data subjects: IP address and email address. This data is stored along with the actions performed, such as queries executed, data being deleted, or user-admin operations.

The processing includes the following categories of data subjects: Persons (employees) who operate the services provided by the data processor.

The data processor’s processing of personal data on behalf of the data controller may commence after the entry into force of this Agreement. The processing has the following duration: The processing of audit log data is not limited to the terms of this agreement. Audit log data is maintained for 24 months. Query log data, which may be voluminous, may be deleted earlier due to storage size restrictions.

Appendix B. Conditions for the data processor’s use of sub-processor and list of authorized sub-processors.

Conditions for the data processor’s use of any sub-processors:

The data processor has the data controller’s general authorization to use sub-processors. However, the data processor must notify the data controller of any planned changes regarding the addition or replacement of sub-processors, thereby giving the data controller the opportunity to object to such changes. Notice of one (1) month must be given to the data controller before the addition or amendment is to take effect. If the data controller opposes the changes, the data controller must notify the data processor within two (2) weeks after receiving the notification. The data controller can raise objections only if the data controller has reasonable and substantiated reasons for this.

Approved sub-processors

At the entry into force of this data processing agreement, the data controller has approved the following sub-processors:

Name: Hetzner GmbH
Company ID: DE 812871812
Address: Industriestr. 25, 91710 Gunzenhausen, Germany
Description of processing: Hosting Provider

At the entry into force of this data processing agreement, the data controller has specifically approved the use of the above sub-processors for the processing. The data processor cannot, without the data controller’s specific and written approval, allow the individual sub-processor to engage a “second” sub-processor and/or agree to / allow another sub-processor to complete the described processing.

In addition to using the above sub-processors, Humio Hosted Service supports a number of third-party providers to deliver notifications. At the time of this writing these include PostmarkApp, OpsGenie, PagerDuty, Slack, VictorOps, and other services supporting generic WebHooks. The full list can be found online at humio.github.io/legal/subcontractors. These notification delivery providers are not sub-processors with respect to this agreement, as the use of these is entirely optional. Should the data controller wish to obtain a Data Processing Agreement with these third-party providers, the data controller is encouraged to obtain such an agreement itself.

Sub-processors’ processing of personal data pertaining to Humio’s prospects, customers, partners, service providers and suppliers as part of Humio’s general operations can also be found at humio.github.io/legal/subcontractors.

Appendix C. Instructions for processing personal data

C.1. The subject of the processing

The data processor’s processing of personal data on behalf of the data controller is done by the data processor performing the following:

The data processor facilitates storage and retrieval of log data provided by the data controller, according to the provisions set forth in the main agreement.

C.2. Security of processing

The security level is defined in consideration of processing personal data outside the scope of Article 9 of the GDPR (special categories of personal data that require a high level of security).

The data processor is entitled and obliged to make decisions about the technical and organizational security measures to be used to create the required (and agreed) security level around the information. However, the data processor must, in all cases and at least, implement the following measures agreed with the data controller (based on the risk assessment performed by the data controller):

At least once per year, the data processor will perform security training of staff, and review and assess security procedures.

The data processor is not obliged to perform pseudonymization of personal data delivered by the data controller. Such processing must be performed by the data controller before delivery of personal data to the Humio Hosted Service.

The data processor should make reasonable efforts to ensure the continued confidentiality, integrity, availability and robustness of processing systems and services.

Data must be stored in an environment with appropriate physical security. This is enforced through the data processor’s internal policies as well as the appropriate physical security requirements set forth in agreements with sub-processors.

The data processor should make reasonable efforts to ensure the ability to timely restore the availability and access to personal data in case of a physical or technical event.

The data processor should define procedures for regular testing, assessment and evaluation of the effectiveness of technical and organizational measures to ensure processing security.

Access to the Humio Hosted Service system via the internet must be protected using industry-standard TLS or similar measures. The data processor must employ firewalls, DDoS protection services and other industry best practices.

When the data processor’s employees perform operations and support, it must be done from a protected computer, and only from a “Safe Jurisdiction” (see C.5 below).

The data processor must keep an audit log of all operations performed by users of the Humio Hosted Service system. This includes operations performed by operators designated by the data controller (users) and operations performed by the data controller’s employees acting as Humio Hosted Service operators. These audit logs should be kept for up to 24 months.

C.3. Storage Period / erase routine

The personal data is stored with the data processor until the data controller requests the data to be deleted or returned. For some deletion procedures this can be done directly from the product. Entirely deleting account information requires contacting the data processor directly.

As described above, audit logs are kept for 24 months.

C.4. Location of processing

The processing of the personal data covered by the agreement cannot be done, without the data controller’s prior written consent, at locations other than the following:

For the purposes of performing operations on the servers used to run Humio Hosted Service, operations management can be performed in the countries set forth in section C.5.

Humio operations are designated to be carried out by a Humio employee with EU citizenship, using a secured personal computer as set forth in section C.2 of this agreement.

C.5. Instructions or approvals regarding the transfer of personal data to third countries.

The data processor cannot transfer personal data to third countries, except to the US if the destination facility is covered by the EU-US Privacy Shield programme and a contract is drawn up in accordance with the EU Commission’s Standard Clauses for the transfer of personal data to third countries.

The data processor’s employees can bring their mobile computers and other devices to a “Safe Jurisdiction”, and perform operations as per the customer’s instructions from such locations. Such countries are determined at any time by Humio management.

C.6. Further procedures for the data controller’s supervision of the processing performed by the data processor.

The data controller can appoint an independent representative of the data controller to carry out annual physical supervision regarding compliance with this data processing agreement. In addition to the planned supervision, the data processor may be supervised when the data controller assesses a need for this. In any case, such supervision must be planned and agreed before taking place.

Supervision of sub-processors is done via the data processor, and on-site supervision of these cannot be performed by the data controller. The data processor relies on third-party certification of sub-processors.

Any costs incurred by the data processor and/or sub-processor in connection with being physically supervised / inspected are covered by the data controller according to Appendix D.

Appendix D. Parties’ agreement on other matters

For services rendered by the data processor in assistance with the work mentioned in this agreement’s section 6.4 (specific security enhancements), section 9 (assistance to the data controller) and C.7 (supervision), the data controller will pay an hourly rate for the relevant personnel plus documented expenses.