10.1 Upon expiry or termination of the Services Agreement or this Addendum, or upon earlier request by Company, Asap Lab shall, at the choice of Company, return to Company or securely delete or destroy all Customer Data and existing copies (including Personal Data) in a manner appropriate to the sensitivity thereof, unless applicable Data Protection Laws require storage of the Customer Data. Asap Lab shall provide written confirmation to Company that the deletion process has been completed.
10.2 The Addendum is an attachment to and integral part of the Services Agreement. This Addendum is the entire agreement between Asap Lab and Company regarding data protection and privacy issues regarding the Company's use of the Services and supersedes all prior and contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter. Accordingly, any Asap Lab representations, warranties and covenants in the Services Agreement regarding the privacy, security or disaster recovery measures with respect to the Services or any data submitted to or accessed via the Services, are superseded and replaced hereby. This Addendum has been entered into on the date first written above.
Annex 1:
Description of the Technical and Organizational Security Measures taken by Asap Lab
Asap Lab has implemented the following technical and organizational security measures to provide the ongoing confidentiality, integrity, availability and resilience of processing systems and services:
1. Confidentiality
Asap Lab has implemented the following technical and organizational security measures to protect the confidentiality of processing systems and services, in particular:
Asap Lab processes all customer data on remote server sites owned and operated by industry leading cloud service providers that offer highly sophisticated measures to protect against unauthorized persons gaining access to data processing equipment (namely telephones, database and application servers and related hardware). Such measures include:
- a layered security model, including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics, and the data center floor features laser beam intrusion detection;
- data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders;
- access logs, activity records, and camera footage are available in case an incident occurs;
- data centers are also routinely patrolled by experienced security guards who have undergone rigorous background checks and training;
- access to the data center floor is only possible via a security corridor which implements multi-factor access control using security badges and biometrics;
- only approved employees with specific roles may enter.
Asap Lab implements suitable measures to prevent its data processing systems from being used by unauthorized persons. This is accomplished by:
- automatic time-out of user terminal if left idle, identification and password required to reopen;
- issuing and safeguarding identification codes, requiring two-factor authentication for all Authorized Users;
- letting customers define individual user accounts with permissions across Asap Lab resources;
- industry standard encryption and requirements for passwords (minimum length, use of special characters, etc.);
- all access to data content is logged, monitored, and tracked.
Asap Lab's employees entitled to use its data processing systems are only able to access personal data within the scope of and to the extent covered by their respective access permission (authorization). In particular, access rights and levels are based on employee job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. This is accomplished by:
- employee policies and training;
- effective and measured disciplinary action against individuals who access personal data without authorization;
- limited access to personal data to only authorized persons;
- industry standard encryption;
- policies controlling the retention of back-up copies.
Asap Lab has implemented the following technical and organizational security measures to protect the integrity of processing systems and services, in particular:
Asap Lab implements suitable measures to prevent personal data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by:
- use of state-of-the-art firewall and encryption technologies to protect the gateways and pipelines through which the data travels;
- industry standard encryption;
- avoiding the storage of personal data on portable storage media for transportation purposes and on company issued laptops or other mobile devices.
Asap Lab does not access any customer content except as necessary to provide that customer with the Asap Lab products and professional services it has selected. Asap Lab does not access customers' content for any other purposes. Accordingly, Asap Lab does not know what content customers choose to store on its systems and cannot distinguish between personal data and other content, so Asap Lab treats all customer content the same. In this way, all customer content benefits from the same robust Asap Lab security measures, whether this content includes personal data or not.
3. Availability
Asap Lab has implemented the following technical and organizational security measures to protect the availability of processing systems and services, in particular:
Asap Lab implements suitable measures to provide that personal data is protected from accidental destruction or loss. This is accomplished by:
- infrastructure redundancy;
- policies prohibiting permanent local (work station) storage of personal data;
- performing regular data back-ups.
Asap Lab has implemented the following technical and organizational security measures to protect the resilience of processing systems and services, in particular:
Asap Lab designs the components of its platform to be highly resilient. This is accomplished by:
- selection of best-in-class infrastructure providers with data centers that have daily backups with an assured uptime and availability of 99.9999% by the service providers;
- geographically distributed data centers to minimize the effects of regional disruptions, such as natural disasters and local outages, on global products;
- in the event of hardware, software, or network failure, platform services and control planes are automatically and instantly shifted from one facility to another so that platform services can continue without interruption.