Data Security Standards Schedule

The following are the Data Security Standards in respect of the Cloud Service provided by Alcumus to Customer pursuant to the Alcumus Cloud Service Agreement at https://www.Alcumus.com/legal_documents (the “Agreement”). Capitalized terms shall have the meanings set forth in the Agreement or elsewhere herein.

Alcumus shall implement the following technical and organizational measures (“TOMs”) in its provision of the Cloud Service, including any underlying applications, platforms, and infrastructure components operated and managed by Alcumus in providing the Cloud Service (“Components”).

1. DEFINITIONS

Capitalized terms shall have the meanings set forth in this Schedule or elsewhere in the Agreement. The terms “Data Subjects”, “Processing”, “Personal Data Breach”, “Data Protection Impact Assessment”, “Processor” and “Controller” shall have the meanings given to them in the GDPR. The term “Supervisory Authority” shall mean a regulatory or other governmental body or authority with jurisdiction or oversight over Data Protection Laws. The term “C2P SCCs” shall mean the Standard Contractual Clauses between Controllers and Processors (Module Two) as approved by the European Commission Implementing Decision 2021/914 of June 4, 2021 (“Decision”). The term “P2P SCCs” shall mean the Standard Contractual Clauses between Processors (Module Three) as approved by the Decision. The P2P SCCs together with the C2P SCCs shall be referred to as the “EU SCCs”. The EU Standard Contractual Clauses (2010/87/EU) shall be referred to as the “2010 SCCs”. Unless otherwise indicated, references in this Schedule to Sections or Attachments mean the Sections of, and Attachments to, this Schedule.

2. DATA PROTECTION

2.1. The security and privacy measures for the Cloud Service are designed to protect Customer Data input therein and to maintain the availability of such Customer Data pursuant to the Agreement. Alcumus shall treat all Customer Data as confidential by not using, maintaining, or disclosing Customer Data except for purposes of providing the Cloud Service pursuant to the Agreement or as otherwise required by applicable Law, and specifically shall not disclose Customer Data except to Alcumus Personnel, and only to the extent necessary to deliver the Cloud Service, unless otherwise specified in the Agreement.

2.2. Alcumus shall securely sanitize physical media intended for reuse prior to such reuse and shall destroy physical media not intended for reuse.

2.3. The TOMs set forth in this Schedule shall be subject to audits as set forth in the applicable Software Schedule for the Software ordered by Customer in an Order. Upon request, Alcumus shall provide evidence of stated compliance and accreditation, such as certificates or attestations resulting from accredited independent Third Party audits, and other industry standards as specified in the Agreement.

2.4. Additional security and privacy information specific to the Cloud Service may be available elsewhere in the Agreement or the Documentation to aid in Customer’s initial and ongoing assessment of the Cloud Service’s suitability for use. Alcumus shall direct Customer to available standard Documentation and/or certifications if asked to complete Customer-preferred questionnaires or forms and Customer agrees such Documentation shall be used in lieu of any such request. Alcumus may charge an additional fee to complete any Customer-preferred questionnaires or forms or to provide consultation to Customer for such purposes.

3. SECURITY POLICIES

3.1. Alcumus shall maintain and follow IT security policies and practices that will maintain commercially reasonable administrative, physical and technical safeguards for the protection, confidentiality and integrity of the Services and Client Data. Alcumus’ management shall maintain responsibility and executive oversight for such policies, including formal governance and revision management, employee education, and compliance enforcement.

3.2. Alcumus shall review its IT security policies at least annually and amend such policies as Alcumus deems reasonable to maintain protection of the Cloud Service and Customer Data processed therein.

3.3. Alcumus shall maintain and follow its standard mandatory employment verification requirements for all new hires. In accordance with Alcumus internal processes and procedures, these requirements shall be periodically reviewed and include criminal background checks, proof of identity validation, and additional checks as deemed necessary by Alcumus and permitted under applicable Law.

3.4. Alcumus employees shall complete security and privacy education annually and certify each year that they shall comply with Alcumus security and privacy policies. Additional policy and process training may be provided to individuals depending on their role in supporting the business and as required to maintain compliance and certifications stated in the Agreement.

4. SECURITY INCIDENTS

4.1. Alcumus shall maintain and follow documented incident response policies for computer Security Incident handling and shall comply with the data breach notification terms of the Agreement.

4.2. Alcumus shall investigate unauthorized access and unauthorized use of Customer Data in connection with or through the Cloud Service of which Alcumus becomes aware (a “Security Incident”) and Alcumus shall define and execute an appropriate response plan. Customer may notify Alcumus of a suspected vulnerability or Security Incident by submitting a support ticket.

4.3. Alcumus shall notify Customer without undue delay upon confirmation of a Security Incident that is known or reasonably suspected by Alcumus to affect the Customer Data, as may be required by applicable Law or the terms of the Agreement. Alcumus shall provide Customer with reasonably requested information about such Security Incident and the status of any Alcumus remediation and restoration activities.

4.4. Alcumus shall notify Customer without undue delay after becoming aware of a Personal Data Breach with respect to the Cloud Service. Alcumus shall promptly investigate the Personal Data Breach if it occurred on Alcumus infrastructure or in another area for which Alcumus is responsible and shall assist Customer as set forth in Section 9.

5. ACCESS, INTERVENTION, TRANSFER, AND SEPARATION CONTROL

5.1. Alcumus shall maintain documented security architecture of networks managed by Alcumus in its operation of the Cloud Service, as required by applicable compliance standards. Alcumus shall, from time to time, separately review such network architecture, including measures designed to prevent unauthorized network connections to systems, applications and network devices, for compliance with its secure segmentation, isolation, and defense-in-depth standards prior to implementation.

5.2. Alcumus shall maintain measures for the Cloud Service that are designed to logically separate and prevent Customer Data from being exposed to or accessed by unauthorized Persons. Alcumus shall maintain appropriate isolation of its production and non-production environments, and, if Customer Data is transferred to a non-production environment (for example, in order to reproduce an error at Customer's request), security and privacy protections in the non-production environment shall be equivalent to those in production.

5.3. Alcumus shall encrypt Customer Data in transit using industry accepted cryptographic algorithms when transferring Customer Data over public networks and enable use of a cryptographic protocol, such as, but not limited to HTTPS, SFTP, and FTPS, for Customer’s secure transfer of Customer Data to and from the Cloud Service over public networks.

5.4. Alcumus shall use commercially reasonable encryption, technology and firewalls. Alcumus manages the cryptographic keys and shall maintain documented procedures for secure key generation, issuance, distribution, storage, rotation, revocation, recovery, backup, destruction, access, and use.

5.5. If Alcumus requires access to Customer Data, it shall restrict such access to the minimum level required. Such access, including administrative access to any underlying Components (“Privileged Access”), shall be individual, role-based, and subject to approval and regular validation by authorized Alcumus Personnel following the principles of segregation of duties. Alcumus shall maintain measures to identify and remove redundant and dormant accounts with Privileged Access and shall promptly revoke such access upon the account owner’s separation or the request of authorized Alcumus Personnel, such as the account owner’s manager.

5.6. Consistent with industry standard practices, and to the extent natively supported by each component managed by Alcumus within the Cloud Service, Alcumus shall maintain technical measures enforcing timeout of inactive sessions, lockout of accounts after multiple sequential failed login attempts, strong password or passphrase authentication, and measures requiring secure transfer and storage of such passwords and passphrases.

5.7. Alcumus shall monitor use of Privileged Access and maintain security information and event management measures designed to: (a) identify unauthorized access and activity; (b) facilitate a timely and appropriate response; and (c) enable internal and independent Third Party audits of compliance with documented Alcumus policy.

5.8. Logs in which Privileged Access and activity are recorded shall be retained in compliance with Alcumus’ records management plan. Alcumus shall maintain measures designed to protect against unauthorized access, modification, and accidental or deliberate destruction of such logs.

5.9. To the extent supported by native device or operating system functionality, Alcumus shall maintain computing protections for its end-user systems that include endpoint firewalls, encryption, signature-based malware detection and removal, time-based screen locks, and endpoint management solutions that enforce security configuration and patching requirements.

6. SERVICE INTEGRITY AND AVAILABILITY CONTROL

6.1. To the extent required by applicable compliance standards, Alcumus shall: (a) perform security and privacy risk assessments of the Cloud Service at least annually; (b) perform penetration testing and vulnerability assessments, including automated system and application security scanning and manual ethical hacking, annually; (c) enlist a qualified independent Third Party to perform penetration testing at least annually; (d) perform automated management and routine verification of underlying Components’ compliance with security configuration requirements; and (e) remediate identified vulnerabilities or noncompliance with its security configuration requirements based on associated risk, exploitability, and impact. Alcumus shall take reasonable steps to avoid Cloud Service disruption when performing its tests, assessments, scans, and execution of remediation activities.

6.2. Alcumus shall maintain policies and procedures reasonably designed to manage risks associated with the application of changes to the Cloud Service. Prior to implementation, changes to the Cloud Service, including its systems, networks, and underlying Components, shall be documented in a registered change request that includes a description and reason for the change, implementation details and schedule, and documented approval by authorized Alcumus Personnel.

6.3. Alcumus shall maintain a reasonably up to date inventory of all information technology assets used in its operation of the Cloud Service. Alcumus shall monitor and manage the health, including capacity, and availability of the Cloud Service and its underlying Components.

Alcumus shall implement, test, and maintain business continuity and disaster recovery plans consistent with applicable compliance standards and in line with documented Alcumus policy.

6.4. Alcumus shall maintain measures, as required by applicable laws and regulations, designed to assess, test, and apply security advisory patches to the Cloud Service and its associated systems, networks, applications, and underlying Components. Upon determining that a security advisory patch is commercially reasonable, applicable and appropriate, Alcumus shall implement the patch pursuant to documented severity and risk assessment guidelines. Implementation of security advisory patches shall be subject to Alcumus change management policy.

7. PROCESSING OF CUSTOMER PERSONAL DATA

7.1. Processing.

7.1.1. Customer is (a) a Controller and exporter of any Personal Data that Alcumus Processes on behalf of Customer (“Customer Personal Data”) or (b) acting as a Processor and exporter on behalf of other Controllers and has been instructed by and obtained the authorization of the relevant Controller(s) to agree to the Processing of Customer Personal Data by Alcumus as importer and Customer’s Subprocessor as set out in the Agreement. Customer appoints Alcumus as a Processor to Process Customer Personal Data. If there are other Controllers, Customer shall identify and inform Alcumus of any such other Controllers prior to providing their Personal Data, in accordance with this Schedule.

7.1.2. Customer shall comply with all applicable requirements of the Data Protection Laws and Customer will ensure that it has a lawful basis and all necessary appropriate consents and notice in place to enable the lawful transfer of Personal Data to Alcumus for the duration and purposes of the Agreement.

7.1.3. A list of categories of Data Subjects, types of Customer Personal Data, Special Categories of Personal Data and the Processing activities is set out in Attachment A (Personal Data Processing Attachment). The duration of the Processing corresponds to the applicable Subscription Term, unless otherwise stated in Attachment A. The purpose and subject matter of the Processing is the provision of the Cloud Service as described in the Agreement.

7.1.4. Alcumus shall Process Customer Personal Data according to Customer’s instructions set forth in the Agreement, and, if applicable, Customer’s and its Authorized Users’ use and configuration of the features of the Cloud Service. Customer may provide further legally required instructions regarding the Processing of Customer Personal Data (“Additional Instructions”) as described in Section 9.2. If Alcumus notifies Customer that an Additional Instruction is not feasible, the Parties shall work together to find an alternative. If Alcumus notifies Customer that neither the Additional Instruction nor an alternative is feasible, Customer may terminate its use of the Cloud Service which cannot be accommodated by Alcumus within 14 days of Alcumus’ notification to the Customer. If Alcumus believes an instruction violates the Data Protection Laws, Alcumus shall immediately inform Customer, and may suspend the performance of such instruction until Customer has modified or confirmed its lawfulness in documented form. As of the Effective Date, Alcumus does not believe that the laws and practices in any third country of destination applicable to its Processing of the Customer Personal Data prevent Alcumus from fulfilling its obligations herein.

7.1.5. Customer shall serve as a single point of contact for Alcumus. As other Controllers may have certain direct rights against Alcumus, Customer undertakes to exercise all such rights on their behalf and to obtain all necessary permissions from the other Controllers. Alcumus shall be discharged of its obligation to inform or notify another Controller when Alcumus has provided such information or notice to Customer. Similarly, Alcumus shall serve as a single point of contact for Customer with respect to its obligations as a Processor under the Agreement.

7.1.6. Alcumus shall comply with all Data Protection Laws in respect of the Cloud Service applicable to Alcumus as Processor. Alcumus is not responsible for determining the requirements of Laws applicable to Customer’s business or that the Cloud Service meets the requirements of any such applicable Laws. As between the Parties, Customer is responsible for the lawfulness of the Processing of Customer Personal Data. Customer shall not use the Cloud Service in a manner that would violate applicable Data Protection Laws.

7.2. Data Subject Rights and Requests.

7.2.1. Alcumus shall inform Customer of requests from Data Subjects exercising their Data Subject rights (including access, rectification, deletion, and blocking of data) addressed directly to Alcumus regarding Customer Personal Data. Customer shall be responsible for handling such requests of Data Subjects. Alcumus shall reasonably assist Customer in handling such Data Subject requests in accordance with Section 9.2.

7.2.2. If a Data Subject brings a claim directly against Alcumus for a violation of their Data Subject rights, Customer shall reimburse Alcumus for any cost, charge, damages, expenses, or loss arising from such claim, to the extent that Alcumus has notified Customer about the claim and given Customer the opportunity to cooperate with Alcumus in the defense and settlement of the claim. Subject to the terms of the Agreement, Customer may claim from Alcumus damages resulting from Data Subject claims for a violation of their Data Subject rights caused by Alcumus’ breach of its obligations under Section 7.1 of the Agreement or this Schedule.

7.3. Third Party Requests and Confidentiality.

7.3.1. Alcumus shall not disclose Customer Personal Data to any Third Party unless authorized by Customer or required by applicable Law. If a government or Supervisory Authority demands access to Customer Personal Data, Alcumus shall notify Customer prior to disclosure, unless such notification is prohibited by applicable Law.

7.3.2. Alcumus requires all of its Personnel authorized to Process Customer Personal Data to commit themselves to confidentiality and not Process such Customer Personal Data for any other purposes, except on instructions from Customer or unless required by applicable Law.

7.4. Return or Deletion of Customer Personal Data. Upon termination or expiration of the Agreement, Alcumus shall delete Customer Personal Data in its possession as set out in the Agreement, unless otherwise required by applicable Law.

7.5. Subprocessors.

7.5.1. Customer authorizes the engagement of other Processors to Process Customer Personal Data (“Subprocessors”), including Alcumus entities in Canada, the United States, and the United Kingdom (as identified in Section 13.4 of the Agreement) who may provide Professional and Support Services. A list of the current third party Subprocessors is set out in the applicable Software Schedule for the Software ordered by Customer in an Order. Alcumus shall notify Customer in advance of any addition or replacement of such Subprocessors. Within thirty (30) days after Alcumus’ notification of the intended change, Customer can object to the addition of a Subprocessor on the basis that such addition would cause Customer to violate applicable Law. Customer’s objection shall be in writing and include Customer's specific reasons for its objection and options to mitigate, if any. If Customer does not object within such period, the respective Subprocessor may be commissioned to Process Customer Personal Data. Alcumus shall impose substantially similar but no less protective data protection obligations as set out in this Schedule on any approved Subprocessor prior to the Subprocessor initiating any Processing of Customer Personal Data, as deemed appropriate by Alcumus taking into account factors such as the nature, scope, context, purposes.

7.5.2. If Customer legitimately objects to the addition of a Subprocessor and Alcumus cannot reasonably accommodate Customer’s objection, Alcumus shall notify Customer and Customer may terminate the Cloud Service within 14 days of Alcumus’ notification to the Customer; otherwise, the Parties shall cooperate to find a feasible solution.

7.6. Transborder Data Processing.

7.6.1. In the case of a transfer of Customer Personal Data to a country not providing an adequate level of protection pursuant to the Data Protection Laws (a “Non-Adequate Country”), the Parties shall cooperate to ensure compliance with the applicable Data Protection Laws as set out in this Section 7.6. If either Party believes the measures set out below are not sufficient to satisfy applicable Law, they shall notify the other Party and the Parties shall work together to find an alternative.

7.6.2. By entering into the Agreement, Customer is entering into the following with (i) each Subprocessor (referenced in Section 7.5.1 above or listed in the applicable Software Schedule for the Software ordered by Customer in an Order) that is an Alcumus Affiliate located in a Non-Adequate Country (“Alcumus Data Importers”) and (ii) Alcumus, if located in a Non-Adequate Country:

a. if Customer is a Controller of all or part of the Customer Personal Data, Customer is entering into the C2P SCC in respect to such Customer Personal Data; and

b. if Customer is acting as Processor on behalf of other Controllers of all or part of the Customer Personal Data, then Customer is entering into the P2P SCCs, provided that, Customer has entered into separate EU Standard Contractual Clauses with the Controllers; or (ii) on behalf of the other Controller(s).

Customer agrees in advance that any new Alcumus Data Importer engaged by Alcumus in accordance with Section 7.5 shall become an additional data importer under the applicable SCCs.

7.6.3. If a Subprocessor located in a Non-Adequate Country is not an Alcumus Data Importer (a “Third Party Data Importer”) then, Alcumus or an Alcumus Data Importer shall enter into P2P SCCs with such Third Party Data Importer.

7.6.4. The following specifications shall also apply to C2P and P2P SCC clauses between Customer and Alcumus:

a. Docking Clause. The option under clause 7 shall not apply;

b. Instructions. For the purposes of clause 8.1(a), the instructions by Customer to Process Personal Data are set out in Section 7.1 of this Schedule;

c. Certification of Deletion. The certification of deletion of Personal Data described in clauses 8.5 and 16(d) shall be provided by Alcumus only upon Customer's written request;

d. Security of Processing. For the purpose of clause 8.6(a), Customer agrees that the TOMs set forth in this Schedule provide a level of security appropriate to the risk with respect to its Personal Data. For the purpose of clause 8.6(c), Personal Data breaches will be handled in accordance with Section 4 of this Schedule; with respect to P2P SCC clauses 8.6(c) and (d), Alcumus shall provide breach notifications only to Customer;

e. Audits. The audits described in clause 8.9 shall be carried out in accordance with Section 8 of this Schedule; with respect to P2P SCCs, all inquiries from other Controllers shall be provided to Alcumus by Customer;

f. Use of Sub-processors. Option 2 under clause 9 shall apply; Alcumus shall be entitled to engage Subprocessors in accordance with Section 7.5 of this Schedule;

g. Data Subject Rights. For the purpose of clause 10, Data Subject requests and related assistance shall be handled in accordance with Sections 7.2 and 9 of this Schedule, respectively; with respect to P2P SCCs, Alcumus shall be required to communicate requests only to Customer;

h. Liability. For the avoidance of doubt, Alcumus’ liability under clause 12(b) shall be limited as specified in Article 82 of the GDPR;

i. Supervision. For the purpose of clause 13, data exporter’s competent supervisory authority will be determined in accordance with the GDPR;

j. Notification of Government Access Requests. For the purpose of clause 15(1), Alcumus shall provide notification to Customer only and not individual Data Subjects;

k. Governing Law and Choice of Forum. For the purpose of clauses 17 and 18, governing law and jurisdiction shall be that which is outlined in Section 13.4 of the Agreement. If the Agreement is not governed by EU law, the SCCs will be governed by the laws and courts of Ireland; or (ii) where the Agreement is governed by the laws and courts of the United Kingdom, the laws of England and Wales.

l. Appendices. With respect to the SCC Annexes, the contents of Attachment A to this Schedule shall form Annex 1B; the contents of Annex 1C shall be determined in accordance with the GDPR; the TOMs herein shall form Annex 2.

7.6.5. To the extent Personal Data subject to the GDPR as implemented under United Kingdom (“UK”) laws (“UK GDPR”), data protection laws of Switzerland (“Swiss Data Protection Laws”), is transferred to a Non-Adequate Country: (A) Sections 7.6.2-7.6.4 shall apply if the EU SCCs are a legally valid data protection mechanism; or (B) where the 2010 SCCs are a legally valid data protection mechanism, Customer and Alcumus Data Importers are deemed to enter into the 2010 SCCs, with Appendix 1 of the 2010 SCCs being populated with Customer details outlined in the applicable Order and the contents of Attachment A to this Schedule, and Appendix 2 of the 2010 SCCs being populated with the TOMs herein; Alcumus will enter into back-to-back SCCs with Third Party Data Importers as legally required and applicable to their Services. The following shall apply to the foregoing options: (i) references and obligations in the EU SCCs and 2010 SCCs shall have the same meaning as the equivalent reference and obligation in the UK GDPR or Swiss Data Protection Laws, as applicable; (ii) references to the EU or member states in the EU SCCs and 2010 SCCs shall be amended to refer to the United Kingdom and Switzerland, as applicable; and (iii) references to supervisory authorities in the EU SCCs and 2010 SCCs shall be amended to refer to the UK Information Commissioner's Office and the Swiss Federal Data Protection and Information Commissioner, respectively.

7.6.6. If Customer is unable to agree to C2P SCCs or the 2010 SCCs on behalf of another Controller, as set out in Section 7.6, Customer shall procure the agreement of such other Controller to enter into those agreements directly with the applicable Alcumus Data Importer. Customer agrees on behalf of itself and all other Controllers that the EU SCCs and 2010 SCCs, including any claims arising from them, are subject to the terms set forth in the Agreement including the exclusions and limitations of liability. In case of conflict with the Agreement, the EU SCCs and 2010 SCCs, as applicable, shall prevail.

8. AUDIT

8.1. Alcumus shall allow for, and contribute to, audits, including inspections, conducted by Customer or another auditor mandated by Customer solely in order for Customer to determine that Alcumus is processing Personal Data in accordance with the Agreement, in accordance with the following procedures:

8.1.1. Upon Customer's written request, Alcumus shall provide Customer or its mandated auditor with the most recent certifications which Alcumus has procured to regularly test, assess, and evaluate the effectiveness of Alcumus’ TOMs.

8.1.2. Alcumus shall reasonably cooperate with Customer by providing available additional information concerning the TOMs reasonably required by Customer to help Customer better understand them.

8.1.3. If further information is needed by Customer (acting reasonably) to comply with its own or other Controllers’ audit obligations or a competent Supervisory Authority’s request, Customer shall inform Alcumus in writing to enable Alcumus to provide such information or to grant access to it. For the avoidance of doubt, Alcumus shall be under no obligation to disclose confidential or commercially sensitive information as part of such audits.

8.1.4. To the extent it is not possible to otherwise satisfy an audit right mandated by applicable Law or expressly agreed by the Parties in writing, only legally mandated entities (such as a governmental regulatory agency having oversight of Customer’s operations), Customer, or its mandated auditor may (on no less than 14 days prior written notice to Alcumus) conduct an onsite visit of the Alcumus facilities used to provide the Cloud Service, during normal business hours and only in a manner that causes minimal disruption to Alcumus’ business.

8.2. All such audits shall be subject to the auditing party’s execution of a confidentiality agreement acceptable to Alcumus and shall be conducted at Customer’s expense.

8.3. Any auditor mandated by the Customer shall not be a direct competitor of Alcumus and shall be bound to an obligation of confidentiality.

8.4. Each Party shall bear its own costs in respect of Section 8.1.1 and Section 8.1.2; otherwise, Section 9.2 applies.

9. ASSISTANCE

9.1. Alcumus shall assist Customer by TOMs for the fulfillment of Customer’s obligation to comply with the rights of Data Subjects and in ensuring compliance with Customer’s obligations relating to the security of Processing, the notification and communication of a Personal Data Breach, and the Data Protection Impact Assessment, including prior consultation with the responsible Supervisory Authority, if required, taking into account the nature of the Processing and the information available to Alcumus.

9.2. Customer shall make a written request for any assistance referred to in this Schedule. Alcumus may charge Customer no more than a reasonable charge to perform such assistance or an Additional Instruction, such charges to be set forth in a Change Order and agreed in writing by the Parties. If Customer does not agree to the Change Order, the Parties agree to reasonably cooperate to find a feasible solution.

ATTACHMENT A: PERSONAL DATA PROCESSING ATTACHMENT

1. CATEGORIES OF DATA SUBJECTS

Data Subjects of any Customer Personal Data that generally can be processed in the Cloud Service may include Customer’s and its Affiliates’ employees, contractors, business partners, or customers, and, to the extent required by applicable Law, any other Persons whose Personal Data is processed by the Cloud Service. Alcumus shall process Personal Data of all Data Subjects listed above in accordance with the Agreement. Given the nature of the Cloud Service, Customer acknowledges that Alcumus is not able to verify or maintain the above list of categories of Data Subjects. Therefore, if Customer shall not use the Cloud Service with all the Data Subjects set out above, Customer is responsible for providing complete, accurate, and up-to-date information to Alcumus on the actual Data Subjects from within the above list that Customer shall process in the Cloud Service via Additional Instructions to Alcumus as set forth in the Data Security Standards.

2. PERSONAL DATA

The lists as set out below are the Types of Personal Data and Special Categories of Personal Data that generally can be processed within the Cloud Service. Alcumus shall process all Types of Personal Data and Special Categories of Personal Data listed below in accordance with the Agreement. Given the nature of the Cloud Service, Customer acknowledges that Alcumus is not able to verify or maintain the below lists of Types of Personal Data and Special Categories of Personal Data. Therefore, if Customer shall not use the Cloud Service for all the Types of Personal Data and Special Categories of Personal Data set out below, then Customer is responsible for providing complete, accurate, and up-to-date information to Alcumus on the actual Types of Personal Data and Special Categories of Personal Data from within the below list that Customer shall process in the Cloud Service via Additional Instructions to Alcumus as set forth in the Data Security Standards.

2.1. Types of Personal Data.

  1. Basic Personal Information (such as name, email, etc.); and
  2. Technically Identifiable Personal Information (such as device IDs, usage based identifiers, static IP address, etc. - when linked to an individual).

Customer should not include Personal Data in text fields that are not intended for or do not request Personal Data.

2.2. Special Categories of Personal Data. The Cloud Service was not designed to process any Special Categories of Personal Data.

3. PROCESSING ACTIVITIES

The Processing activities with regard to Customer Data (including Customer Personal Data) within the Cloud Service include:

  1. Receipt of Customer Data from Data Subjects and/or third parties;
  2. Computer processing of Customer Data, including data transmission, data retrieval, data access, and network access to allow data transfer if required;
  3. Technical customer support involving Customer Data at Customer request, including monitoring, problem determination, and problem resolution;
  4. Transformation and transition of Customer Data as necessary to deliver the Cloud Service;
  5. Storage and associated deletion of Customer Data; and
  6. Backup of Customer Data.

4. DURATION OF PROCESSING

The duration of Processing within the Cloud Service corresponds to the duration of the applicable Subscription Term. Alcumus shall remove Customer Data (including any Customer Personal Data) that is stored or persisted within the Cloud Service at the time of termination or expiration of the applicable Subscription Term.

5. TECHNICAL AND ORGANIZATIONAL MEASURES

The TOMs set forth in the Data Security Standards apply to all Customer Data processed by Alcumus within the Cloud Service, including Customer Personal Data.

6. DELETION AND RETURN OF DATA

6.1. During the term of the Agreement, so long as Customer’s access to the Cloud Service is not suspended pursuant to Section 2.5 of the Agreement, Customer may download from the Cloud Service a copy of the Customer Data.

6.2. Customer may also request removal of Customer Data (including Customer Personal Data) at any time prior to termination or expiration of the Agreement.

7. ALCUMUS HOSTING AND PROCESSING LOCATIONS

The Alcumus data hosting and processing locations used for the Cloud Service are set forth in the Software Schedule for the Software ordered by Customer in an Order. Customer may be able to request that Alcumus use a subset of these locations. Alcumus may add additional hosting and processing locations in accordance with the Data Security Standards.

8. THIRD PARTY SUBPROCESSORS

The Cloud Service involves third party Subprocessors in the Processing of Customer Data, including Customer Personal Data, as set forth in the Software Schedule for the Software ordered by Customer in an Order.

9. PRIVACY CONTACT AND CUSTOMER NOTIFICATIONS

The general privacy contact for the Cloud Service is [email protected].

10. DATA PRIVACY OFFICER AND OTHER CONTROLLERS

Customer is responsible for providing to Alcumus complete, accurate, and up-to-date information about its data privacy officer and any other Controllers (including their data privacy officer).