Versions Compared

Old Version 4

changes.mady.by.user Monica Rüegg

Saved on

compared with

New Version Current

changes.mady.by.user Monica Rüegg

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

g) The provisions of this Addendum shall be governed by and construed in accordance with the substantive laws of Switzerland. All disputes arising out of or in connection with this Addendum shall be submitted to the jurisdiction of Zürich.

...

ANNEX A:

...

DESCRIPTION OF THE PROCESSING

Subject matter/purpose of the Processing:

Processing any Personal Data, entered by Controller and/or his End Users for the use of the SaaS-Services.

Categories of data subjects:

  • People who use the SaaS-Services (End Users).

  • People whose Personal Data is processed using the SaaS-Services by Controller and/or his End Users.

  • People whose data is transmitted via the SaaS-Services by Controller and/or his End Users.

  • Other possible data subject categories whose Personal Data is processed using the SaaS-Services.

Categories of personal data:

Any data that Controller or its End Users enter into the SaaS-Services (may contain special categories of personal data).

Nature of the Processing:

Hosting, transmitting and backup of personal data.

Duration of the Processing:

Processing of personal data as long as the controller uses the SaaS-services. Deletion of personal data upon request.

...

ANNEX B: TECHNICAL AND ORGANIZATIONAL MEASURES

Others:

Logische Trennung der als Auftragsbearbeiter bearbeiteten Daten von anderen Daten

Physical security and access control

Access controls (key, badge)

Keys/badges are assigned to individuals

User and access control (identity and access management)

All access require authentication

Rules for password complexity and renewal

Role-based identity and access management

Tools are locked when not in use

Multi-factor authentication for external access

Least privilege principle

Privileged Access Management (PAM);

Access logging

Use of admin accounts only when necessary

Authorization concept (need-to-know principle)

Confidentiality, integrity, availability and traceability

Encryption of data "at rest"

Backup concept

Encryption of end devices

BCM concept, emergency plan

Encryption of data "in transit"

Regular review of the backup

State-of-the-art encryption

Inventory of hardware and software

Penetration tests, external security audits

Hardware and software continuously checked/updated

Staff signs non-disclosure agreement (clause in the employment contract)

Technical redundancy (e.g. RAID, two systems)

Logged changes of data/systems

Logical separation of the data processed as an processor from other data

Measures to comply with data protection principles and data subject rights

Privacy Policy for all applications

Responsibility for data subject rights established

Separation of productive data/test data

List of processing activities

Responsibility for edits defined

Organisation, monitoring and certifications

TOMS are regularly checked/adjusted

Internal or external data protection representative

Instructions and training

Information security training

Training on data protection

Awareness measures data protection

...

ANNEX C:

...

APPROVED SUB-

...

PROCESSORS

The Parties agree to the commissioning of the following Sub-Processors:

...