Unless otherwise stated, definitions used in this addendum shall have the same meaning as those in the Enbecom Service Agreement.
Purpose and scope of Enbecom Data Processing on behalf of Data Controllers
For the purpose of providing some Services, Enbecom will process Customer Hosted Data. To the extent that Customer Hosted Data is comprised of Personal Data, the parties acknowledge that Enbecom acts as a Data Processor for all Customer Hosted Data supplied to Enbecom by the Customer as well as the Customer’s own customers or agents.
The Services are provided on the basis that either:
- the Customer is the Data Controller for all Customer Hosted Data supplied to Enbecom under the Services and has complied with its obligations under the applicable Data Protection Laws, including but not limited to obtaining the required consents (“Data Protection Consents”); or
- where the Customer is a Data Processor on behalf of a Data Controller, that Enbecom is a sub-Data Processor and that the Customer:
- has ensured that all necessary Data Protection Consents have been obtained or other lawful grounds for Processing have been correctly established;
- has entered into the required contractual arrangements, including arrangements with the relevant Data Controller for Enbecom and any sub-processors it may appoint to act as sub-processors legally;
- has complied with its obligations as Data Processor under the applicable Data Protection Laws; and
- shall be liable to the Data Controller for Enbecom’s acts and omissions and a sub-Data Processor.
By accepting this addendum the Customer indicates their acceptance of the provisions below and warrants that the basis of the Services set out in this Data Processing Addendum is accurate.
Nature of the Processing
Enbecom undertakes a range of Processing as defined by the Services, i.e. the provision of hosting services to the Customer, the choice of which is determined by the Customer. The Customer acknowledges that the scope of the Services explicitly excludes the access to, manipulation, transformation or optimisation of or decision-making based on Customer Hosted Data for the purposes of such Processing by Enbecom. Enbecom and/or its suppliers provide hosting infrastructure to support the Customer’s or Customer’s agents’ processing of data to that end.
Enbecom has no intention to access or manipulate Customer Hosted Data, even in the case where Enbecom maintains technical access for the purposes of management of the infrastructure of the Customer Hosted Solution. This is due to the Customer’s position as the Primary System Administrator. Further, any processing by Enbecom of Customer Hosted Data (which may comprise Processing of Personal Data) is determined by the Customer insofar as it is the Customer that ultimately determines what the Services will be and, therefore, what data processing occurs.
Enbecom classifies all Customer Hosted Data as the same type of data and does not maintain visibility of different types or Customer Hosted Data or categories of Personal Data within this set. Enbecom applies the same level of generic security controls to all Customer Hosted Solutions.
Enbecom provides a service which constitutes among other things the provision of hosting solutions to Customers. Whilst we will try to ensure the compliance of those underlying services with the applicable Data Protection Laws, we do not maintain reliable access to the Operating Systems, applications or data that Customers upload to their Customer Hosted Solution, so the Customer is responsible for all data protection issues not related to the underlying services.
Duration of Processing
The Customer is responsible for the duration of the processing of any Personal Data comprising Customer Hosted Data. While the Agreement is in force, Enbecom will Process all such Personal Data in accordance with the Customer’s written instructions.
Responsibilities of Enbecom, its infrastructure suppliers and third-party service suppliers
Security and compliance of the underlying hosting infrastructure
Enbecom and its infrastructure suppliers will be responsible for maintaining the GDPR compliance of the underlying hosting infrastructure.
Enbecom and its infrastructure suppliers have in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures. A non-exhaustive list of technical and organisational measures are as set out below. By entering into this addendum, the Customer confirms that it has reviewed and approved the following measures:
Security management & Policy
- Maintenance of an overarching information security management system
- Security and Compliance personnel to help ensure operational and policy/audit security matters receive appropriate attention and resourcing.
Physical & Environmental security
- Sufficient physical and environmental security controls at all Enbecom facilities and those of its suppliers
- Appropriate availability, performance and security logging, monitoring and audit controls for the underlying infrastructure
- Vulnerability management systems to help ensure the patch and configuration levels of the underlying infrastructure appropriate to scale and policies
- Hardening of underlying infrastructure devices to levels that are materially in accordance with good industry practice
- Appropriate encryption in transit and at rest for sensitive operational data such as API calls, control panel access, customer credentials and key material managed by Enbecom and Enbecom privileged user access to all infrastructure and Customer Hosted Solution devices, including a commitment to continually manage the strength of associated cryptosystems and ciphers
- Regular third party tests of the security posture of the underlying hosting infrastructure
- Backups and infrastructure redundancy within the underlying hosting infrastructure appropriate to our Terms and Conditions and SLAs
- Appropriate security of all Enbecom end-user devices used by Enbecom to access the underlying hosting infrastructure, Customer Hosted Data and Customer Hosted Solutions
Availability of Customer Hosted Solutions and Services
Temporary loss of Availability or Integrity related to an Emergency Maintenance or Scheduled Maintenance is not considered to be a loss of Availability under the applicable Data Protection Laws.
As set out in the applicable Service Definitions, Enbecom cannot guarantee the Availability of individual Customer Hosted Solutions in an Available state at an application or data level, as this availability is primarily a result of decisions taken by the Primary System Administrator. Enbecom guarantees the availability of data centre services, e.g. availability of core network connection, power and cooling, and the availability of sufficient hypervisor capacity where Cloud services are procured in line with the provisions of the services’ respective SLAs and Enbecom’s definition of Availability. In accordance with the Services being provided, Enbecom is not able to decide how Personal Data comprising Customer Hosted Data is processed. The Customer Hosted Solutions are inevitably Infrastructure-as-a-Service-based and control of the data thereon is with the Customer.
Customer data protection responsibilities
As the Primary System Administrator and / or Data Controller the Customer has the following responsibilities under GDPR:
- Maintain appropriate technical controls to secure and monitor for security:
- the Operating System
- the Applications
- logical data stores (data bases, or storage structures built by or on behalf of the Customer using Enbecom Storage-as-a-Service products)
- Configuration of network security controls specific to the Customer Hosted Solution (e.g. configuration of any Managed Firewall, security groups and local firewalls)
- Monitoring of the Customer Hosted Solution for signs of security incident or intrusion
- all user access by parties other than Enbecom and suppliers
- Ongoing management of any anti-malware controls residing on Customer virtual machines or dedicated servers
- Undertake any required third party testing or certification of their Customer Hosted Solution
- Where the above is included within the scope of a Customer SLA, Enbecom will undertake the work based on instructions from the Customer in written form, but the Customer remains responsible for the efficacy of the controls implemented.
- Undertaking all organisational measures required to ensure compliance with the basic principles for processing (articles 5, 6, 7 and 9 of the GDPR) and Subject’s rights (Articles 12-22 of the GDPR) at point of collection of data, and be aware of the technical and organisational security controls put in place by Enbecom, maintain additional technical and organisational controls to ensure compliance during processing, storage, any transfer not undertaken solely by Enbecom and at point of destruction, if not reliant on Enbecom’s underlying solution-level data destruction processes. (I.e. deletion of a VM or decommissioning of a dedicated server and associated storage media.)
- Undertake and manage all communication with Data Subjects
- Maintain any required relationship with the Information Commissioner’s Office on behalf of the Data Controller
Enbecom use of Data Sub-Processors
By entering into this Data Protection Addendum, the Customer hereby permits Enbecom to appoint sub-processors of Personal Data and, for the term that the Data Protection Addendum is in force, shall have a general right to appoint sub-processors of Personal Data. Enbecom shall provide the Customer with prior notification before appointing any sub-processors of any Personal Data that are in addition to those noted in this Data Processing Addendum.
Enbecom will maintain written contracts with all Enbecom Sub-Processors including any relevant GDPR-related compliance requirements and will conduct regular audits to confirm their continuing conformance with Data Protection Laws.
Third-party service suppliers
Some services are provided in full or in part by third-party suppliers. Use of these services may involve hosted data and personally identifiable information being transmitted to/from and stored by these providers. Full details are provided within the services.
Processing in accordance with written instructions
Enbecom will only processing Customer Hosted Data (which may or may not include data for which the Customer is the Data Controller) in accordance with the Data Controller’s written instructions, which for the purposes of data protection and this addendum are taken to be in whole contained within the section ‘Purpose and scope of Enbecom Data Processing on behalf of Data Controllers.’ No other written instructions can be accepted as they will fall outside of the scope of our services.
Assistance with Customer data protection obligations
Insofar as Enbecom provides a hosting infrastructure to the Customer and its suppliers may supply services on which the Enbecom services rely, Enbecom will reasonably assist the Data Controller in meeting their data protection obligations on a reasonable time and materials basis, except where provision at no cost is required by law.