STANDARD CONTRACTUAL CLAUSES
Last modified 20.12.24
1. INTRODUCTION
This Data Processing Agreement is based on The Danish Data Protection Agency’s standard template for Data Processing Agreements. The Danish Data Protection Agency is the independent authority that supervises compliance with the rules on protection of personal data in Denmark.
Please find the Danish Data Protection Agency’s standard template here.
Following the EDPB opinion (July 2019) on the draft standard contractual clauses (SCCs) for contracts between controller and processor submitted to the Board by the Danish Supervisory Authority (SA), the final text of the Danish SCCs, as adopted by the Danish SA, has been published in the EDPB's Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.
This Data Processing Agreement is based on this standard processor agreement, that has been adopted by the Danish SA pursuant to art. 28(8) GDPR and aims at helping organizations to meet the requirements of art. 28 (3) and (4), given the fact that the contract between controller and processor cannot just restate the provisions of the GDPR but should further specify them, e.g. with regard to the assistance provided by the processor to the controller.
The possibility of using SCCs adopted by a SA does not prevent the parties from adding other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, the adopted clauses or prejudice the fundamental rights or freedoms of the data subjects.
For the purposes of Article 28(3) of Regulation 2016/679 (the GDPR)
the data processor
and
the data controller
each a ‘party’; together ‘the parties’
have agreed on the following Contractual Clauses (the Clauses) in order to meet the requirements of the GDPR and to ensure the protection of the rights of the data subject.
2. PREAMBLE
- These Contractual Clauses (the Clauses) set out the rights and obligations of the data controller and the data processor, when processing personal data on behalf of the data controller.
- The Clauses have been designed to ensure the parties’ compliance with Article 28(3) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
- In the context of the provision of AskCody, a Meeting Management and Resource scheduling Platform and Software Application integrated with Microsoft Exchange and Microsoft Outlook used to manage meeting room and desk booking, meeting services, visitor management and provide workplace analytics, the data processor will process personal data on behalf of the data controller in accordance with the Clauses.
- The Clauses shall take priority over any similar provisions contained in other agreements between the parties.
- Four appendices are attached to the Clauses and form an integral part of the Clauses.
- Appendix A contains details about the processing of personal data, including the purpose and nature of the processing, type of personal data, categories of data subject and duration of the processing.
- Appendix B contains the data controller’s conditions for the data processor’s use of sub-processors and a list of sub-processors authorised by the data controller.
- Appendix C contains the data controller’s instructions with regards to the processing of personal data, the minimum security measures to be implemented by the data processor and how audits of the data processor and any sub-processors are to be performed.
- Appendix D contains provisions for other activities which are not covered by the Clauses.
- The Clauses along with appendices shall be retained in writing, including electronically, by both parties.
- The Clauses shall not exempt the data processor from obligations to which the data processor is subject pursuant to the General Data Protection Regulation (the GDPR) or other legislation.
3. THE RIGHTS AND OBLIGATIONS OF THE DATA CONTROLLER
- The data controller is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR (see Article 24 GDPR), the applicable EU or Member State* data protection provisions and the Clauses.
- The data controller has the right and obligation to make decisions about the purposes and means of the processing of personal data.
- The data controller shall be responsible, among other things, for ensuring that the processing of personal data, which the data processor is instructed to perform, has a legal basis.
4. THE PROCESSOR ACTS ACCORDING TO INSTRUCTIONS
- The data processor shall process personal data only on documented instructions from the data controller, unless required to do so by Union or Member State law to which the processor is subject. Such instructions shall be specified in appendices A and C. Subsequent instructions can also be given by the data controller throughout the duration of the processing of personal data, but such instructions shall always be documented and kept in writing, including electronically, in connection with the Clauses.
- The data processor shall immediately inform the data controller if instructions given by the data controller, in the opinion of the data processor, contravene the GDPR or the applicable EU or Member State data protection provisions.
5. CONFIDENTIALITY
- The data processor shall only grant access to the personal data being processed on behalf of the data controller to persons under the data processor’s authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and only on a need to know basis. The list of persons to whom access has been granted shall be kept under periodic review. On the basis of this review, such access to personal data can be withdrawn, if access is no longer necessary, and personal data shall consequently not be accessible anymore to those persons.
- The data processor shall at the request of the data controller demonstrate that the concerned persons under the data processor’s authority are subject to the abovementioned confidentiality.
6. SECURITY OF PROCESSING
- Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The data controller shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. Depending on their relevance, the measures may include the following:
- Pseudonymisation and encryption of personal data;
- the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.
- According to Article 32 GDPR, the data processor shall also – independently from the data controller – evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the data controller shall provide the data processor with all information necessary to identify and evaluate such risks.
- Furthermore, the data processor shall assist the data controller in ensuring compliance with the data controller’s obligations pursuant to Article 32 GDPR, by inter alia providing the data controller with information concerning the technical and organisational measures already implemented by the data processor pursuant to Article 32 GDPR along with all other information necessary for the data controller to comply with the data controller’s obligation under Article 32 GDPR.
- If subsequently – in the assessment of the data controller – mitigation of the identified risks requires further measures to be implemented by the data processor, than those already implemented by the data processor pursuant to Article 32 GDPR, the data controller shall specify these additional measures to be implemented in Appendix C.
7. USE OF SUB-PROCESSORS
- The data processor shall meet the requirements specified in Article 28(2) and (4) GDPR in order to engage another processor (a sub-processor).
- The data processor shall therefore not engage another processor (sub-processor) for the fulfilment of the Clauses without the prior general written authorisation of the data controller.
- The data processor has the data controller’s general authorisation for the engagement of sub-processors. The data processor shall inform in writing the data controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, thereby giving the data controller the opportunity to object to such changes prior to the engagement of the concerned sub-processor(s). Longer time periods of prior notice for specific sub-processing services can be provided in Appendix B. The list of sub-processors already authorised by the data controller can be found in Appendix B.
- Where the data processor engages a sub-processor for carrying out specific processing activities on behalf of the data controller, the same data protection obligations as set out in the Clauses shall be imposed on that sub-processor by way of a contract or other legal act under EU or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Clauses and the GDPR.
- The data processor shall therefore be responsible for requiring that the sub-processor at least complies with the obligations to which the data processor is subject pursuant to the Clauses and the GDPR.
- A copy of such a sub-processor agreement and subsequent amendments shall – at the data controller’s request – be submitted to the data controller, thereby giving the data controller the opportunity to ensure that the same data protection obligations as set out in the Clauses are imposed on the sub-processor. Clauses on business related issues that do not affect the legal data protection content of the sub-processor agreement, shall not require submission to the data controller.
- The data processor shall agree a third-party beneficiary clause with the sub-processor where – in the event of bankruptcy of the data processor – the data controller shall be a third-party beneficiary to the sub-processor agreement and shall have the right to enforce the agreement against the sub-processor engaged by the data processor, e.g. enabling the data controller to instruct the sub-processor to delete or return the personal data.
- If the sub-processor does not fulfil his data protection obligations, the data processor shall remain fully liable to the data controller as regards the fulfilment of the obligations of the sub-processor. This does not affect the rights of the data subjects under the GDPR – in particular those foreseen in Articles 79 and 82 GDPR – against the data controller and the data processor, including the sub-processor.
8. TRANSFER OF DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS
- Any transfer of personal data to third countries or international organisations by the data processor shall only occur on the basis of documented instructions from the data controller and shall always take place in compliance with Chapter V GDPR.
- In case transfers to third countries or international organisations, which the data processor has not been instructed to perform by the data controller, are required under EU or Member State law to which the data processor is subject, the data processor shall inform the data controller of that legal requirement prior to processing unless that law prohibits such information on important grounds of public interest.
- Without documented instructions from the data controller, the data processor therefore cannot within the framework of the Clauses:
- Transfer personal data to a data controller or a data processor in a third country or in an international organization
- transfer the processing of personal data to a sub-processor in a third country
- have the personal data processed by the data processor in a third country
- The data controller’s instructions regarding the transfer of personal data to a third country including, if applicable, the transfer tool under Chapter V GDPR on which they are based, shall be set out in Appendix C.5.
- The Clauses shall not be confused with standard data protection clauses within the meaning of Article 46(2)(c) and (d) GDPR, and the Clauses cannot be relied upon by the parties as a transfer tool under Chapter V GDPR.
9. ASSISTANCE TO THE DATA CONTROLLER
- Taking into account the nature of the processing, the data processor shall assist the data controller by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the data controller’s obligations to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR. This entails that the data processor shall, insofar as this is possible, assist the data controller in the data controller’s compliance with:
- the right to be informed when collecting personal data from the data subject
- the right to be informed when personal data have not been obtained from the data subject
- the right of access by the data subject
- the right to rectification
- the right to erasure (‘the right to be forgotten’)
- the right to restriction of processing
- notification obligation regarding rectification or erasure of personal data or restriction of processing
- the right to data portability
- the right to object
- the right not to be subject to a decision based solely on automated processing, including profiling
- In addition to the data processor’s obligation to assist the data controller pursuant to Clause 6.3., the data processor shall furthermore, taking into account the nature of the processing and the information available to the data processor, assist the data controller in ensuring compliance with:
- The data controller’s obligation to without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
- the data controller’s obligation to without undue delay communicate the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
- the data controller’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment);
- the data controller’s obligation to consult the competent supervisory authority, The Danish Data Protection Agency, prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.
- The parties shall define in Appendix C the appropriate technical and organisational measures by which the data processor is required to assist the data controller as well as the scope and the extent of the assistance required. This applies to the obligations foreseen in Clause 9.1. and 9.2.
10. NOTIFICATION OF PERSONAL DATA BREACH
- In case of any personal data breach, the data processor shall, without undue delay after having become aware of it, notify the data controller of the personal data breach.
- The data processor’s notification to the data controller shall, if possible, take place within 72 hours after the data processor has become aware of the personal data breach to enable the data controller to comply with the data controller’s obligation to notify the personal data breach to the competent supervisory authority, cf. Article 33 GDPR.
- In accordance with Clause 9(2)(a), the data processor shall assist the data controller in notifying the personal data breach to the competent supervisory authority, meaning that the data processor is required to assist in obtaining the information listed below which, pursuant to Article 33(3) GDPR, shall be stated in the data controller’s notification to the competent supervisory authority:
- The nature of the personal data including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
- the likely consequences of the personal data breach;
- the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- The parties shall define in Appendix C all the elements to be provided by the data processor when assisting the data controller in the notification of a personal data breach to the competent supervisory authority.
11. ERASURE AND RETURN OF DATA
- On termination of the provision of personal data processing services, the data processor shall be under obligation to delete all personal data processed on behalf of the data controller and certify to the data controller that it has done so unless Union or Member State law requires storage of the personal data.
12. AUDIT AND INSPECTION
- The data processor shall make available to the data controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and the Clauses and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller.
- Procedures applicable to the data controller’s audits, including inspections, of the data processor and sub-processors are specified in appendices C.7. and C.8.
- The data processor shall be required to provide the supervisory authorities, which pursuant to applicable legislation have access to the data controller’s and data processor’s facilities, or representatives acting on behalf of such supervisory authorities, with access to the data processor’s physical facilities on presentation of appropriate identification.
13. THE PARTIES' AGREEMENT ON OTHER TERMS
- The parties may agree other clauses concerning the provision of the personal data processing service specifying e.g. liability, as long as they do not contradict directly or indirectly the Clauses or prejudice the fundamental rights or freedoms of the data subject and the protection afforded by the GDPR.
14. COMMENCEMENT AND TERMINATION
- The Clauses shall become effective on the date of both parties’ signature.
- Both parties shall be entitled to require the Clauses renegotiated if changes to the law or inexpediency of the Clauses should give rise to such renegotiation.
- The Clauses shall apply for the duration of the provision of personal data processing services. For the duration of the provision of personal data processing services, the Clauses cannot be terminated unless other Clauses governing the provision of personal data processing services have been agreed between the parties.
- If the provision of personal data processing services is terminated, and the personal data is deleted or returned to the data controller pursuant to Clause 11.1. and Appendix C.4., the Clauses may be terminated by written notice by either party.
- Signature
15. DATA CONTROLLER AND DATA PROCESSOR CONTACT/CONTACT POINTS
- The parties may contact each other using the following contacts/contact points:
- The parties shall be under obligation continuously to inform each other of changes to contacts/contact points.
APPENDIX A: INFORMATION ABOUT THE PROCESSING
A.1. The purpose of the data processor’s processing of personal data on behalf of the data controller is:
The purpose of the processing of personal data from the controller is to provide a Meeting Management and Resource scheduling Platform and Software Application integrated with Microsoft Exchange and Microsoft Outlook used to manage meeting room and desk booking, meeting services, visitor management and provide workplace analytics to the controller, ultimately to fulfill the obligations under the terms of service as stated in the SLA and Terms & Conditions between AskCody, the processor, and the controller.
The Purpose is therefore to deliver and provide one or more modules and components as part of the AskCody Platform. The integrated and connected modules and components of the AskCody Platform are:
- Meeting Room Booking and Meeting Room Management
- Desk Booking and Desk Management
- Workplace Insights and Analytics
- Meeting Room Displays
- Meeting Service and Canteen Management
- Facilities and Hospitality Management
- Visitor Management and Front Desk Management
For these purposes, providing the AskCody Platform consists of:
- Delivering functional capabilities as licensed to the data controller, configured, and used by data controller and its users, including providing personalized user experiences inside the modules and components;
- Making the platform operational and available to the controller;
- Troubleshooting (preventing, detecting, and repairing issues); and
- Ongoing improvements of the modules and components (making improvements to user productivity, reliability, efficacy, and security).
In carrying out these purposes, the data processor combines personal data through the various AskCody modules and components and authorized data sub-processors to provide users a more seamless, consistent and personalized experience. The data processor uses the personal data processed from the listed modules and components to:
Perform essential business operations:
The processor uses personal data to operate the AskCody Platform, maintaining and improving the performance of the Platform.
The processor uses personal data to develop, aggregate, and analyze business intelligence that enables the processor to operate, protect, make informed decisions, and report on the performance of our business.
Personalize the features in the AskCody Platform:
The processor uses personal data to personalize the features and experience in the AskCody Platform; that personalization includes personalized features that enhance users’ productivity and enjoyment, and tailor the AskCody Platform experiences based on users’ activities, engagement and interaction with the AskCody Platform.
Providing Communications:
The processor uses personal data to deliver and personalize our communications with the controller and its users. The processor uses personal data to personalize the modules and components to improve the user experience; to send communications (in-app or by email) about AskCody modules and components, that will help users be onboarded and realize the most value of the AskCody Platform going through an implementation flow. Also, this includes communication by email; for example, the processor may contact the controller or its users by email or other means to inform users when a subscription is ending, provide information when security updates are available, update users or inquire about a service or request, or inform users that they need to take action to keep the AskCody account active. Additionally, you can sign up for email subscriptions and choose whether you wish to receive promotional communications from AskCody by email.
Please see AskCody Privacy Policy for additional information on communication between AskCody and its users.
Providing customer support:
The processor uses personal data to provide support to the controller and its users. The processor uses personal data to diagnose problems and provide other customer care and support services.
A.2. The data processor’s processing of personal data on behalf of the data controller shall pertain to (the nature of the processing):
The nature of the processing of personal data mainly pertains to providing, operating, and improving the AskCody Platform, based on:
- Adding, using, collecting, recording, storing, modifying and editing, structuring, organizing, analyzing, exporting, and deleting
- Meeting and Booking Data already available for data processor in Microsoft Exchange (where Microsoft stores, edits, structures, organizes and analyzes the meeting and booking data made available for AskCody to process on behalf of the controller);
- Attendee information related to meetings and meeting bookings already available for data processor in Microsoft Exchange (where Microsoft stores, edits, structures, organizes and analyzes the attendee information made available for AskCody to process on behalf of the controller);
- Meta data related to meetings and bookings;
- Meeting Service Data and data about service requests for meetings;
- Financial data related to cost centers and cost of services for meetings; and
- Visitor Data
Some of this data is stored, collected, structured or edited directly by interaction with the AskCody Platform by the controller and its users, such as when users create an AskCody account, submit a room search, create a room booking, request meeting room services, use the AskCody modules and components, or contact us for support.
Some of this data is recorded based on users’ interaction with the AskCody Platform, modules and components, by using technologies like cookies, application logging tools, or receiving error reports.
Some of this data is made available to processor by integrations with third-party applications like Microsoft Exchange (email and calendar) and Microsoft Active Directory (identity management), where the data is already being processed and stored by Microsoft, and personal data is made available to processor, AskCody, by an integration with such third-party.
A.3. The processing includes the following types of personal data about data subjects:
The data processor processes personal data based on personal data being defined as:
- "Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier of that person.
The controller may submit personal data, directly or by an integration to a third party like Microsoft Exchange, to the data processor, the extent of which is determined and controlled by controller in its sole discretion, and which may include the following types of personal data.
- First and last name of data subjects
- Contact information (company, email, phone, physical business address) of data subjects
- Professional life data (Meeting data) of data subjects
- Localization data (IP address) of data subjects
Meeting data (being made available by integration with Microsoft Exchange) is defined as*:
- Organizer name of meeting
- Organizer email address of meeting
- Meeting Title/Subject
- Location for meeting (e.g. “Meeting Room Charlie”)
- Description of meeting
- Meeting Start Time
- Meeting End Time
- Meeting Attendees (Name and email for attendees)
- Resources (Name and email of Microsoft Exchange resources)
- Microsoft Exchange Meeting ID
- Microsoft Exchange Object ID (Immutable Exchange identifier for the meeting)
* No meeting data can be processed by processor without the required integration to Microsoft Exchange.
A.4. Processing includes the following categories of data subject:
The Data Processor will be processing personal data regarding the following categories of data subjects:
- Employees of data controller (who are natural persons)
- Data controller’s users of the AskCody Platform authorized by data controller to use the AskCody Platform (who are natural persons)
- Meeting attendees of data controller and its users (who are natural persons)
- Service vendors and hospitality teams, authorized by data controller to use the AskCody Platform (Canteen, Facilities Management or other service units managed by the data controller, who are natural persons)
- Visitors of data controller and its users (who are natural persons)
A.5. The data processor’s processing of personal data on behalf of the data controller may be performed when the Clauses commence. Processing has the following duration:
Reference is made to Section 9 in the AskCody Terms & Conditions covering the duration and time of the subscription. Data is only processed when a Subscription is activated and active. When a subscription expires, data is no longer processed. Terms & Conditions can be found here.
Upon termination of the agreement, AskCody will provide customer (Controller) with a notice and the customer's data will be deleted following a retention period going from last active account date. Customer account data for which AskCody is the Data Controller, will be kept as long as applicable bookkeeping laws demand. AskCody will anonymise or delete customer data, when it is no longer required for the purposes set out in Appendix A.1.
APPENDIX B: AUTHORIZED SUB-PROCESSORS
B.1. Approved sub-processors
On commencement of the Clauses, the data controller authorises the engagement of the following sub-processors, available in this document.
The data controller shall on the commencement of the Clauses authorise the use of the sub-processors listed in the document available above for the processing described for that party. The data processor shall not be entitled – without the data controller’s general written authorisation – to engage a sub-processor for a ‘different’ processing than the one which has been agreed upon or have another sub-processor perform the described processing.
APPENDIX C: INSTRUCTION PERTAINING TO THE USE OF PERSONAL DATA
C.1. The subject of/instruction for the processing
The data processor’s processing of personal data on behalf of the data controller shall be carried out by the data processor performing the following. The instruction for the processing, being what the processor is instructed to do with the data types being processed in order to fulfil and achieve the purpose of the processing activities on behalf of the controller and the data subjects, is:
- Managing meetings, rooms and desk bookings being scheduled (add, use, collect, record, store, modify and edit, structure, organize, analyze, export, and delete personal data) by the controller and its employees and authorized users (data subjects) to provide the AskCody Platform, its components and features.
- The data processor processes personal data available in Appendix B and A.1 of controller’s employees and authorized users when meetings are being booked or edited using the AskCody Platform.
- Managing the inviting of attendees to meetings and preregistering guests and visitors for meetings (add, use, collect, record, store, modify and edit, structure, organize, analyze, export, and delete personal data) by the controller and its employees and authorized users (data subjects).
- The data processor processes personal data available in Appendix B and A.1 of controller’s meeting attendees of data controller and its users when meeting invitations and visitor-preregistrations are being managed by the AskCody Platform
- Registering visitors and guests, and managing visitors in the reception (add, use, collect, record, store, modify and edit, structure, organize, analyze, export, and delete personal data) by the controller and visitors of data controller and its employees
- The data processor processes personal data available in Appendix B and A.1 of controller’s visitors when visitors are being registered by the controller in the AskCody Platform
- Managing service requests for meetings and managing meeting and workplace hospitality (add, use, collect, record, store, modify and edit, structure, organize, analyze, export, and delete personal data) for the controller and its employees and authorized users (data subjects).
- The data processor processes personal data available in Appendix B and A.1 of controller’s employees and authorized users when service requests for meetings or hospitality services are being managed by the controller in the AskCody Platform.
C.2. Security of processing
The level of security shall take into account the nature, scope, context and purposes of the processing activity, as well as the risk for the rights and freedoms of natural persons.
Since the processing activities involve the processing of personal data, a ‘high’ level of security is established. The data processor shall hereafter be entitled and under obligation to make decisions about the technical and organisational security measures that are to be applied to create the necessary (and agreed) level of data security.
The data processor shall however – in any event and at a minimum – implement the following measures that have been agreed with the data controller. This sets out the minimum security requirements that the data processor and its sub-processors will adhere to in relation to the processing of personal data.
AskCody, as the data processor, shall ensure by itself, and on behalf of all its sub-processors, that AskCody, as the data processor, always complies with the following minimum security requirements:
Availability
AskCody leverages the Microsoft Azure platform, and all implemented security features available on Microsoft Azure.
As such, AskCody has security features in place including, but not limited to, firewall, DDoS protection, anti-malware protection, anomaly detection on server behaviour and anti-virus.
Further, AskCody has access restrictions implemented throughout the platform in terms of authenticating both users and applications access to services which interact with data.
AskCody monitors every service and has alarm systems in place if anything out of the ordinary occurs, and continuously evaluates the measures in place based on the implemented Information Security Policy.
Integrity
Every application in AskCody's services has logging services implemented, which record all operations on the data.
Services have both audit logs and application logs, logging historical events.
Further, access to manipulate data is restricted to specific user roles and hence governed by managed access in the form of both implemented systems and organizational structures, preventing unintended and/or malicious or accidental access to data.
Being a multi-tenant environment and SaaS application, AskCody's data architecture ensures the integrity and isolation of Customer's data by separating data logically based on UUIDs, so customer data is separated logically and secured from other customers. Each customer therefore shares the cloud platform and application, but each tenant’s data is isolated and remains invisible to other tenants.
Confidentiality
AskCody leverages different technologies in terms of securing data, depending on the nature of the data. All databases are encrypted. Data stored in the database is further encrypted using industry-standard encryption algorithms.
Extremely sensitive data such as Exchange Credentials for Basic Auth are secured by an encryption service, using Microsoft Key Vault and Hardware Secured Modules.
AskCody has confidentiality agreements with all employees and all AskCody employees are required to use two-factor authentication and strong passwords that are unique from other services.
Furthermore, AskCody maintains automatic access and security logs in multiple locations.
Personal data access is governed by our documented security policies and limited to a small set of employees as required for support and maintenance. Access is further limited to a small whitelist of IP addresses via VPN and requires public key authentication.
Individual employee access follows a principle of least access, and access rights are reviewed quarterly.
Encryption
At rest:
All data at rest are encrypted using best practice encryption algorithms or AES 256.
Public Key: AES-256
Private Key: RSA2048
All backup data is encrypted using AES-256.
In motion:
All data in motion is encrypted using TLS 1.2+ and encrypted at rest using best practice encryption algorithms (AES-256).
Transparency
AskCody has a DPA in place for all Sub-processors. Controllers may request that AskCody audit third-party providers / sub-processors, or provide confirmation that such an audit has occurred, or, where available, obtain or assist the customers in obtaining a third-party audit report concerning the sub-processors' operations, to ensure compliance with applicable data protection laws. Controllers will also be entitled, upon written request, to receive copies of the relevant terms of AskCody's agreement with sub-processors that may process personal data.
Isolation (purpose limitation)
AskCody has implemented user roles granting access to individual parts of the system. This includes employees managing the product, and employees at AskCody maintaining the product. Authorization to any given data is granted only if the user has access to said data; as such, personal data can only be accessed by either a person with adequate roles (Customer Owner, Administrator etc.) or AskCody employees with special work tasks. This includes employees in Support, in order to give meaningful support, and some developers for advanced support or development.
To administrate this privileged access, organizational structures are in place to govern who is granted access to what in accordance with our Information Security Policy.
Intervenability
All personal data in the AskCody platform is based on the integration with either Microsoft Exchange or Active Directory. Both are systems and platforms that controllers fully manage themselves, and controllers therefore have the full ability to access, rectify, delete, block and manage the processing of personal data. Full access to all data types and data subjects is therefore controlled by the controller.
Portability
AskCody supports export of data in CSV.
Accountability
AskCody has audit logs on all applications as well as application logs detailing what the application has done. Further, access to any services, such as specific Microsoft Azure Services or AskCody administration features, has been granted based on organizational investigations. As such only the relevant and required amount of people have access to any given service.
Data retention and deletion
AskCody stores all data with redundancy on Microsoft Azure. Our databases support point-in-time backups to the minute, with 31-day retention. All data is stored digitally and as such can easily be deleted or moved.
Resilience of systems
All AskCody services operate on a redundant server setup on Microsoft Azure. For European customers (controllers and users in Europe), the primary server cluster is Europe NORTH and our secondary backup is Europe WEST. For customers (controllers and users in Europe), in North and South America, the primary server cluster is East US and our secondary backup is West US.
The availability of this system is guaranteed through the Microsoft Azure Cloud.
An Information Security Policy has been implemented and regularly tested and performed throughout the organisation. Each employee is instructed in how to act in the event of a physical or technical incident, following the practices set forth in the Information Security Policy. A clear document for guidance along with controls aid in running a reliable operation.
Incident Management
AskCody has established a contingency plan in case of emergency.
AskCody has a status page, where the required information is available to relevant controllers following the occurrence of an incident.
Procedure is to identify required changes that have come to attention since last quarterly check.
Procedure is to enforce and audit knowledge of incident management procedures for all relevant employees through ongoing training and periodical spot checks.
Communicating status with both internal stakeholders and customers through StatusPage helps keep everyone in the loop.
The AskCody Statuspage is the main communication channel for all issues affecting the operational status of AskCody Products. This includes both our infrastructure and services, referred to as components on StatusPage. These are divided into Europe (onaskcody.com) and North America (goaskcody.com) based on the two cloud platforms.
Current status and ongoing incidents can be found on https://status.askcody.com.
Procedure for notification of breach
In the event of a breach, i.e. a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, AskCody will, without undue delay but no later than 24 hours after becoming aware of it, notify the Data Controller in writing and additionally in any other reasonable and prompt manner (e.g. by phone).
In the event of a security breach, our team will promptly notify you of unauthorized access to your data. Service availability incidents are published to our status page at https://status.askcody.com with additional information.
Should your security team need additional logs for their investigation of an incident determined to affect your organization, our security team will coordinate and responsibly provide access as needed.
The breach notification will contain at least the following:
- A description of the nature of the Breach, including the categories and approximate number of Data Subjects concerned, and the categories and approximate number of data records concerned.
- The name and contact details of the person responsible for AskCody’s data protection matters.
- A description of likely consequences and/or realized consequences of the Breach.
- A description of the measures taken to address the Breach and to mitigate its possible adverse effects.
Where, and in so far as, it is not possible to provide the information listed at the same time, the information may be provided in phases without undue further delay.
AskCody takes all the necessary steps to protect the data after having become aware of the Breach. After having notified the controller in accordance with the above, AskCody will, in consultation with the controller, take appropriate measures to secure the data and limit any possible detrimental effect to the data subjects. AskCody will cooperate with the controller, and with any third parties designated by the controller, to respond to the breach. The objective of the breach response will be to restore the confidentiality, integrity, and availability of the AskCody Platform, to establish root causes and remediation steps, to preserve evidence and to mitigate any damage caused to data subjects or the customer.
Pseudonymization
Throughout our platform, we pseudonymize personal data. We do not keep personal data outside of production environments, nor in our logs, but are instead reliant on pseudonymized data in order to obtain and keep confidentiality and integrity of our services. This is a requirement for all processing internally. Every type of processing consists of steps enforced in AskCody’s Secure Software Development policy, which requires written approval for all developers, and feedback is given to developers.
At AskCody, we only transfer personal data in such a manner that the personal data can no longer be attributed to a specific data subject, while additional information is held exclusively by the Data Processor (us) and stored separately.
Additionally, the Data Processor (AskCody) must ensure that the Data Processor retains sole control of the algorithm that enables re-identification using the additional information kept separately, while ensuring that pseudonymized personal data cannot be attributed to an identifiable person if cross-referenced with the additional information.
Physical security of locations at which personal data is processed
AskCody’s Information Security Policy contains specific controls, rules and guidelines regarding the locations at which personal data is processed, such as Password Policy, rules of the Password Manager and enforcement of 2-Factor Authentication.
Servers used by AskCody belong to Microsoft, where main access to the data center facilities is typically restricted to a single point of entry that is manned by security personnel. The main interior or reception areas have electronic card access control devices on the perimeter door(s), which restrict access to the interior facilities. Rooms within the Microsoft data centers that contain critical systems (servers, generators, electrical panels, network equipment, etc.) are restricted through various security mechanisms, such as electronic card access control, keyed lock on each individual door, man traps, and / or biometric devices.
Requirements for the use of home/remote working
AskCody employees are instructed in appropriate technical and organizational measures in order to uphold CIA principles at the AskCody office, and when remote working.
Requirements for logging
AskCody uses Azure Application Insights and Azure Monitor Cloud Services to automate logging of relevant data. Procedure is to assert that Azure logs relevant data by performing spot checks of log data contained in the logs on Azure.
AskCody uses Azure Application Insights and Azure Monitor Cloud Services to automate logging of relevant data. Procedure is to assert that Azure continues to log data for 90 days by printing their official documentation on the matter.
AskCody uses Azure Application Insights and Azure Monitor and Microsoft Office 365 Cloud Services to automate logging and alerting of relevant data. Procedure is to perform spot checks on the automated alerts implemented in the relevant services.
AskCody notifies data controllers and stakeholders through Atlassian StatusPage. AskCody uses Azure Application Insights and Azure Monitor Cloud Services to automate notifications and alerting of service interruptions, whether internal or external. Procedure is to perform spot checks of the implemented automation.
C.3. Assistance to the data controller
The data processor shall insofar as this is possible – within the scope and the extent of the assistance specified below – assist the data controller in accordance with Clause 9.1. and 9.2. by implementing the following technical and organizational measures:
Assistance to the data controller is provided by implementing a suitable set of standards and controls, including policies, processes, communication channels, procedures, organizational structures, software, and hardware systems, that enable the data processor to provide the right level of assistance to the controller. These controls and standards are established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and compliance objectives, as well as the purposes of the data protection law GDPR, are met.
The data processor has implemented an Information Security Policy and will maintain for personal data the following technical and organizational measures to assist the data controller:
Scope |
Assistance practices |
Organization of Information Security, risk assessment and treatment |
Appointed responsible for Information Security and Assistance to controller. The processor, AskCody, has appointed a responsible for delegating, coordinating and monitoring the security rules and procedures. Information Security Policy. An Information Security policy governing how data processing, protection and privacy of personal data is ensured in compliance with relevant legislation, regulations and as required in the AskCody Information Security Policy[1], and to ensure assistance of the controller with compliance for exercising the data subject’s rights, assistance of the controller in relation to audits and inspections, and assistance of the controller in relation to ensuring compliance with the obligations pursuant to Articles 32 – 36 are implemented. Security Roles and Responsibilities. AskCody personnel with access to personal data are subject to confidentiality obligations. Risk Management. AskCody performs a risk assessment on processing activities before processing the personal data or launching new modules, components and features as part of the AskCody Platform. AskCody retains its security documents pursuant to its retention requirements after they are no longer in effect. Information Security Policy may be sent via request. |
Asset Management |
Asset Inventory. All critical assets required for running the business are identified, have an owner and are documented in a register that is kept up-to-date by the pointed-out employer. Asset Handling. AskCody classifies personal data to help identify it and to allow for access to it to be appropriately restricted. AskCody personnel must obtain authorization prior to storing personal data on portable devices or remotely accessing personal data. |
Human Resources security |
Security Training, Education and Awareness. AskCody informs its personnel about relevant security procedures and their respective roles. AskCody also informs its personnel of possible consequences of breaching the security rules and procedures. AskCody will only use anonymous data in training. |
Physical and Environmental Security |
Access to processing physical processing activities. AskCody personnel and authorized and approved third party users protect assets from unauthorized access, disclosure, modification, destruction or interference. Physical Access to Components. AskCody personnel have no physical access to physical components nor data centers for processing activities since the AskCody Platform is a hosted Cloud Platform. Component Disposal. AskCody controls that vendors use industry standard processes to delete personal data when it is no longer needed. |
Communications and Operations Management |
Operational Policy. AskCody maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to personal data. Data Recovery Procedures. Backups are made continuously of all critical data and software, and everything is stored in the cloud by approved cloud vendors (sub-processors). - On an ongoing basis, to a specific point in time within 31 days, AskCody maintains a full backup of personal data from which personal data can be recovered. - Monitoring of data recovery procedures is in place to timely detect and correct errors in the backup process. - In case of a disruption, recovery procedures are defined in the Incident Management Process. - AskCody has specific procedures in place governing access to copies of personal data. AskCody ensures backups are not corrupt and can be used to restore data. - AskCody reviews data recovery procedures at least every six months, except for data recovery procedures for Azure Government Services, which are reviewed every twelve months. - AskCody logs data restoration efforts, including the person responsible, the description of the restored data and where applicable, the person responsible and which data (if any) had to be input manually in the data recovery process. Malicious Software. AskCody has anti-malware controls to help avoid malicious software gaining unauthorized access to personal data, including malicious software originating from public networks. Encryption. All personal data is to be encrypted and protected against physical or digital theft of the raw data. This implies all data is encrypted from the outside. Further, some data is to be encrypted and/or inaccessible by unauthorized access such as AskCody personnel who are not required to see the data in its raw format. Application and Event Logging. All applications and/or services are required to log their internal behavior with respect to understanding failures and daily operation.
Any application and/or service that deals with sensitive information is required to keep an audit log which allows for complete auditing of the service. The log format is required to be viewable in a way which does not compromise data security in terms of sensitive information. Data deletion. Data is continuously deleted after respective retention period has ended or upon request by the data controller. |
Access Control |
Access Policy. AskCody maintains a record of security privileges of individuals having access to personal data. Access Authorization - AskCody maintains and updates a record of personnel authorized to access AskCody systems that contain personal data. - AskCody deactivates authentication credentials that have not been used for a period of time not to exceed six months. - AskCody identifies those personnel who may grant, alter or cancel authorized access to personal data and resources. - AskCody ensures that where more than one individual has access to systems containing personal data, the individuals have separate identifiers/log-ins. Least Privilege - Technical support personnel are only permitted to have access to personal data when needed. - AskCody restricts access to personal data to only those individuals who require such access to perform their job function. Integrity and Confidentiality - AskCody instructs AskCody personnel to disable administrative sessions when computers are otherwise left unattended. - AskCody stores passwords in a way that makes them unintelligible while they are in force. Authentication - AskCody uses industry standard practices to identify and authenticate users who attempt to access information systems with personal data. - Where authentication mechanisms are based on passwords, AskCody requires that the passwords are renewed regularly in accordance with our password policy. - Where authentication mechanisms are based on passwords, AskCody requires the password to be at least eight characters long in accordance with our password policy. - AskCody ensures that de-activated or expired identifiers are not granted to other individuals. - AskCody uses industry standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage. |
Information Security Incident Management |
Incident Response Process - AskCody maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and the procedure for recovering data. - In the event of a breach, i.e. a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, AskCody will, without undue delay but no later than 24 hours after becoming aware of it, notify the data controller in writing and additionally in any other reasonable and prompt manner (e.g. by phone). - AskCody tracks, or enables controller to track, disclosures of personal data, including what data has been disclosed, to whom, and at what time. Additional logs for investigation of an incident determined to affect their organization, we must responsibly provide access as needed. Service Monitoring. AskCody personnel verify logs at least every six months to propose remediation efforts if necessary, in accordance with the Information Security Policy. Incident Management. AskCody takes all necessary steps to protect the personal data after having become aware of an incident. After having notified the controller in accordance with the above, AskCody will, in consultation with the controller, take appropriate measures to secure the personal data and limit any possible detrimental effect to the data subjects. AskCody will cooperate with the controller, and with any third parties designated by the controller, to respond to the incident. The objective of the incident response will be to restore the confidentiality, integrity, and availability of the AskCody Platform and personal data affected, to establish root causes and remediation steps, to preserve evidence and to mitigate any damage caused to data subjects or the controller. |
Business Continuity Management |
AskCody maintains emergency and contingency plans for the facilities and the devices in which AskCody accesses and processes personal data. AskCody’s redundant storage and its procedures for recovering personal data are designed to attempt to reconstruct personal data in its original or last-replicated state from before the time it was lost or destroyed. |
C.4. Storage period/erasure procedures
Personal data processed from meeting invitations and meeting bookings in Microsoft Outlook and Microsoft Exchange is processed as long as the AskCody Platform is active and integrated with the data controller’s Microsoft Exchange tenant as documented in the AskCody Help Center.
Personal data not based on data types made available for AskCody to process by third parties (example: Microsoft Exchange or Microsoft AD) is stored and processed for the duration of the agreement or until such data is being deleted by the controller.
Upon termination of the provision of personal data processing services, the data processor shall either delete or return the personal data in accordance with Clause 11.1., unless the data controller – after the signature of the contract – has modified the data controller’s original choice. Such modification shall be documented and kept in writing, including electronically, in connection with the Clauses.
C.5. Processing location
Processing of the personal data under the Clauses cannot be performed at other locations than the following without the data controller’s prior written authorisation:
Please see table in Appendix B1, locations of data processing.
C.6. Instruction on the transfer of personal data to third countries
If the data controller does not in the Clauses or subsequently provide documented instructions pertaining to the transfer of personal data to a third country, the data processor shall not be entitled within the framework of the Clauses to perform such transfer.
C.7. Procedures for the data controller’s audits, including inspections, of the processing of personal data being performed by the data processor
The data processor shall once a year at the data processor’s expense obtain an Auditor’s Report from an independent third party concerning the data processor's compliance with the GDPR, the applicable EU or Member State data protection provisions and the Clauses.
The parties have agreed that the following types of Auditor’s Report may be used in compliance with the Clauses:
- Independent Auditor’s ISAE 3000 type II assurance Report
The Auditor’s Report shall without undue delay be submitted to the data controller for information. The data controller may contest the scope and/or methodology of the report and may in such cases request a new audit/inspection under a revised scope and/or different methodology.
Based on the results of such an audit/inspection, the data controller may request further measures to be taken to ensure compliance with the GDPR, the applicable EU or Member State data protection provisions and the Clauses.
The Controller can at all times request and download the currently available ISAE 3000 report by third party Auditor here: AskCody ISAE 3000 Documentation
Further, at any time during the term of the DPA, the Data Controller and/or a recognized, independent third party auditor appointed by the Data Controller with proven experience and procedures shall have the right (exercisable by giving prior written notice to the Data Processor, such notice to be given at least fourteen (14) calendar days prior to any audit) to perform audits and inspections of the Data Processor in order to verify compliance of the Data Processor with the DPA and especially with the technical and organizational security measures required to be implemented.
The Data Processor shall ensure that the Data Controller is able to conduct an audit in accordance with Section 4.3 and undertakes to assist the Data Controller in the execution of such inspections and audits. In the event of an audit request directly from a relevant supervisory authority, the Data Processor shall assist the Data Controller in answering the request and organizing the audit.
If the data processor does not provide the agreed Independent Auditor’s ISAE 3000 report within the agreed deadline, the data controller or the data controller’s representative shall be entitled to perform a physical inspection of the places, where the processing of personal data is carried out by the data processor, including physical facilities as well as systems used for and related to the processing to ascertain the data processor’s compliance with the GDPR, the applicable EU or Member State data protection provisions and the Clauses.
The data controller’s costs, if applicable, relating to physical inspection shall be defrayed by the data processor, if the data processor does not provide the agreed Independent Auditor’s ISAE 3000 report within the agreed deadline.
Each Party shall bear its own costs in connection with an audit. However, if there is more than one (1) audit per year, the Data Controller shall bear the costs starting from the second (2nd) audit.
C.8. Procedures for audits, including inspections, of the processing of personal data being performed by sub processors
The data processor shall once a year at the Data Processor’s expense obtain an Auditor’s Report from an independent third party concerning the data processor's compliance with the GDPR, the applicable EU or Member State data protection provisions and the Clauses.
The parties have agreed that the following types of Auditor’s Report may be used in compliance with the Clauses:
- Independent Auditor’s ISAE 3000 Report type II assurance Report and SOC 2
The Auditor’s Report shall without undue delay be submitted to the data controller for information. The data controller may contest the scope and/or methodology of the report and may in such cases request a new audit/inspection under a revised scope and/or different methodology.
The Controller may request that the Processor audit the Sub-Processor or provide confirmation that such an audit has occurred, or, where available, obtain or assist the Controller in obtaining a third-party audit report concerning Sub-Processor’s operations to ensure compliance with Applicable Data Protection Laws. The Controller will also be entitled, upon written request, to receive copies of the relevant terms of the Processor’s agreement with Sub-Processors that may Process Personal Data.
If the data processor does not provide the agreed Independent Auditor’s ISAE 3000 (or SOC 2) report within the agreed deadline, the data controller or the data controller’s representative shall be entitled to perform a physical inspection of the places, where the processing of personal data is carried out by the sub-data processor, including physical facilities as well as systems used for and related to the processing to ascertain the sub-data processor’s compliance with the GDPR, the applicable EU or Member State data protection provisions and the Clauses.
The data controller’s costs, if applicable, relating to physical inspection of the sub-data processor, shall be defrayed by the data processor, if the data processor does not provide the agreed Independent Auditor’s ISAE 3000 report within the agreed deadline.
The Data Processor’s and the Sub-Processor’s costs related to audit of the Sub-Processor’s facilities shall not concern the Data Controller – irrespective of whether the Data Controller has initiated and participated in such inspection.
APPENDIX D: THE PARTIES' TERMS OF AGREEMENT ON OTHER SUBJECTS
*References to “Member States” made throughout the Clauses shall be understood as references to “EEA Member States”.
*Information Security Policy can be sent on request