Data Processing Addendum

This Data Processing Addendum (“DPA”) between GALOOLI and Customer is incorporated into and forms an integral part of the terms of use pursuant to which Customer will access and use GALOOLI product (the “Terms of Use”). GALOOLI and Customer are sometimes referred to herein individually as a “Party” or collectively as the “Parties”. 


  1. Customer has licensed from GALOOLI the right to use the Product under the Terms of Use;
  2. The Parties acknowledge that the use by Customer of the GALOOLI Product may involve the processing by GALOOLI, on Customer’s behalf, of personal data of certain individuals, including, but not limited to, Customer’s clients, employees and service providers; and 
  3. This DPA is incorporated into and forms part of the Terms of Use to reflect the agreement between GALOOLI and the Customer with regard to the processing of such personal data in accordance with the requirements of the GDPR. 


“GDPR” means the General Data Protection Regulation ((EU) 2016/679), as amended or re-enacted from time to time, and any successor legislation to the GDPR. The terms “controller”, “processor”, “data subject”, “personal data”, “processing” and any other terms used in this DPA that are defined in the GDPR shall have the meaning set out in the GDPR. Capitalized terms not defined hereunder shall have the meaning ascribed to them in the Terms of Use.

1. Application Of This DPA

The Parties acknowledge that for the purposes of the GDPR, with respect to the processing of personal data by GALOOLI, Customer is the controller and GALOOLI is the processor. Each party will comply with all applicable requirements of the GDPR to which such party is subject. The provisions of this DPA are in addition to, and do not relieve, remove or replace, a party’s obligations under the GDPR. 

2. Subject Matter, Purpose, Nature And Duration Of Processing


Where GALOOLI is processing personal data on Customer’s behalf, the parties agree that such processing shall:


 involve only the processing of personal data of Customer’s clients, employees, and service providers and/or any other type of individuals designated or authorized by Customer from time to time;


involve only the processing of personal data that Customer collects from its clients, employees and service providers (e.g., personal contact details), information concerning the driving behavior of said individuals, including the location, speed, direction, fuel consumption, engine readings, and other asset-related information, and/or any other type of personal data designated or authorized by Customer from time to time;


be solely for the purposes of enabling the operation of, and for supporting, maintaining, updating and hosting, the GALOOLI Product and otherwise performing the Terms of Use; and 


take place only during the term of the Terms of Use (or, where and to the extent strictly necessary to perform any post termination obligations, if any, for as long as the processing remains necessary for these purposes). 


Customer shall be responsible to ensure that the categories of data subjects and the types of personal data processed under Sections 2.1.1 and 2.1.2 above comply with the GDPR.

3. The Parties’ Rights And Obligations


Customer will ensure that it has all necessary appropriate lawful basis, consents and notices in place to enable lawful transfer of the personal data to GALOOLI, and for the processing thereof by GALOOLI, for the duration and purposes of the Terms of Use.


GALOOLI shall, in relation to any personal data processed by GALOOLI:


process that personal data only on the written instructions of Customer, unless required to do so by applicable law to which GALOOLI is subject (it being agreed that this DPA is to be considered as a written instruction by Customer to GALOOLI to process personal data); 


ensure that it has in place appropriate technical and organizational measures to protect against unlawful or accidental destruction, loss, alteration or unauthorized disclosure of personal data, appropriate to the harm that might result from the foregoing and taking into account the state of technological development, the costs of implementation and the nature, scope, context and purposes of processing;


ensure that GALOOLI’s personnel who have access to and/or process personal data are obliged to keep the personal data confidential; 


taking into account the nature of processing and the information available to GALOOLI, assist Customer, at Customer’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 


notify Customer without undue delay on becoming aware of any breach of the GDPR in respect of such personal data and/or any other loss, damage to or corruption of such Personal Data; 


at the written direction of Customer, delete or return the personal data and copies thereof to Customer on termination of the Terms of Use unless required by applicable law to maintain records of the personal data; and 


maintain records and information reasonably necessary to demonstrate its compliance with this DPA and allow for the audit of its records by Customer’s designated auditor, reasonably acceptable to GALOOLI. The audit will take place during normal business hours and in a manner that will not interfere with GALOOLI’s business activities. Customer must send GALOOLI a written request for audit at least 30 days in advance. Following receipt by GALOOLI of such request, GALOOLI and Customer will discuss and agree in advance on the reasonable date(s) for the audit, the scope and duration thereof and reasonable security procedures, including the execution by the Customer and the auditor of appropriate confidentiality undertakings towards GALOOLI. 


Customer grants to GALOOLI and its Affiliates a non-exclusive, royalty-free, perpetual, worldwide, license to aggregate, measure and analyze personal data, to create analytics, metrics, metadata, measurements, evaluations, statistics and other derivatives on the basis thereof (collectively “Analytics”), and to use said Analytics in any manner and through any means and technology (including in all sorts of publications), without attribution or compensation to Customer, for purposes of supporting, improving, enhancing and/or optimizing the GALOOLI Product, and for statistical, research and promotional purposes. Such Analytics may be used solely in an anonymized, aggregated form that will not identify the Customer or any data subject.

4. International Transfers

Customer acknowledges and agrees that personal data may be exported to, or remotely accessed from, any territory in the world where GALOOLI or any of its Sub-Processors (as defined below) maintain a presence, for purposes of GALOOLI or any of its Sub-Processors supporting, maintaining, updating, hosting or otherwise providing services in respect of the GALOOLI Product from that territory. Such transfer shall be conditioned on one of the following: (i) the adoption of an adequacy decision pursuant to Article 45(3) of the GDPR in respect of the territory to which the personal data is exported to or from which it is accessible (it being agreed that such decision includes, without limitation, in the case of transfer of personal data to Israel, EU Commission decision of 31 January, 2011 (2011/61/EU)), or (ii) provided that enforceable rights and effective legal remedies are available to the data subject, the implementation, at GALOOLI’s reasonable discretion, of appropriate safeguards pursuant to Article 46 of the GDPR.    

5. Sub-Processors


Pursuant to Article 28(3) of the GDPR, Customer specifically authorizes the engagement of GALOOLI’s hosting provider, affiliates and authorized distributors as sub-processors of personal data (“Sub-processor”), and generally authorizes the engagement of other third parties (e.g., third party software providers whose software is embedded in or interacts with the GALOOLI Product) as Sub-processors for the purpose of enabling the operation of, and for supporting, maintaining, updating and hosting, the GALOOLI Product and otherwise performing the Terms of Use.


The initial list of GALOOLI’s Sub-processors will, at GALOOLI’s discretion, be posted on GALOOLI’s website or notified to Customer in writing (email will suffice). GALOOLI will inform Customer of its intent to add or replace a Sub-processor included in the initial list by posting a notice on GALOOLI’s website or by sending Customer a written notice (email will suffice). Customer is advised to periodically visit GALOOLI’s website in order to make itself familiar with any changes to the list of Sub-processors.  


GALOOLI will enter into a written agreement with each Sub-processor incorporating terms which are substantially similar to those set out in this DPA. GALOOLI will be liable for the acts and omissions of its Sub-processor, as if such acts or omissions were undertaken by GALOOLI.  

6. General Provisions


The Parties will discuss in good faith revising this DPA by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme. If agreed to by the parties, such revisions shall apply by the execution of an attachment to this DPA.  


The governing law and jurisdiction provisions governing this DPA shall be those set out in the Terms of Use.


This DPA does not amend the Terms of Use except with respect to specific matters set forth in this DPA. All terms and conditions of the Terms of Use not explicitly amended hereby remain in full force and effect. 

Annex I: Addendum to Data Protection Agreement


Capitalized terms not expressly defined herein shall have the meanings ascribed thereto in the Data Protection Agreement.

Galooli, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing as well as the risk of varying likelihood and severity for the legally protected interests of natural persons, shall implement the necessary technical and organizational measures to ensure a level of security appropriate to the risk when Processing Personal Data, in particular as regards the processing of special categories of Personal Data.

These measures may include pseudonymization and encryption of personal data, if such means are possible in view of the purposes of Processing. 

In particular: 

Galooli takes steps to restrict access to Customer Personal Data to Customer, its users, and authorized Galooli personnel and Sub-processors. In addition to being ISO 27001 certified, Galooli has processes designed to protect its systems containing or accessing the Customer’s Personal Data against Personal Data Breaches. The underlying infrastructure leverages its cloud environment, which is ISO 27001 certified. Network devices, including firewalls and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACLs), and configurations to enforce the flow of information to specific information system services. ACLs, or traffic flow policies, are established on each managed interface, which manage and enforce the flow of traffic.

Data is logically separated across distributed databases with required authentication checks for every application-layer and data-layer access made to any tenant’s data. The logical separation is designed to associate data with exactly one customer and required authentication checks at the application and data layers aim to isolate data by customer and accounts provisioned for that customer.

The Products are protected by IP- and port-based firewalls. Administrative access to Galooli’s infrastructure is restricted and verified by its cloud environment identity and access management. Distributed Denial of Service (DDoS) attacks can, in due course, be mitigated with elastic load balancing and highly available DNS services.

When Customer Personal Data has reached the end of its useful life, procedures include a decommissioning process that is designed to prevent the data from being exposed to unauthorized individuals. All decommissioned data is protected and/or deleted in accordance with industry-standard practices.

Galooli implements measures designed to enhance the physical security of its networks, servers, cloud and other information systems in which Customer Data is stored, processed, transmitted, or accessed and to maintain them in a secure manner that satisfies the requirements of this Appendix.

Galooli reviews information technology security measures annually. On an annual basis, a qualified independent third party conducts penetration tests of Galooli’s system for security vulnerabilities. Galooli maintains suitable processes to identify, isolate and remediate security vulnerabilities.

For further details, please visit the Privacy, Security, Backup and Recovery Page on the Galooli Knowledge Base.