Data Processing Agreement

This Data Processing Agreement reflects the requirements of the General Data Protection Regulation (“GDPR”), into effect since May 25, 2018. This Data Processing Agreement (“DPA”) is an addendum to the Terms of Service (“Agreement”) between Consortium GARR, (“GARR”) and the User of the GARR Cloud Platform (“User”). All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

The parties agree as follows:

1. Definitions

Controller” means an entity that determines the purposes and means of the processing of Personal Data.

User Data” means any data that GARR processes on behalf of User in the course of providing the Services under the Agreement.

Data Protection Laws” means all data protection and privacy laws and regulations applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law.

EU Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and applicable national implementations of it (in each case, as may be amended, superseded or replaced).

Personal Data” means any User Data relating to an identified or identifiable natural person to the extent that such information is protected as personal data under applicable Data Protection Law.

Processor” means an entity that processes Personal Data on behalf of the Controller.

Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” shall be interpreted accordingly.

Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.

Services” means any service provided by GARR to User pursuant to and as more particularly described in the Agreement.

Sub-processor” means any Processor engaged by GARR to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties.

2. Scope and Applicability of this DPA

2.1 This DPA applies where and only to the extent that GARR processes Personal Data on behalf of the User in the course of providing the Services and such Personal Data is subject to Data Protection Laws of the European Union. The parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.

2.2 Role of the Parties. User is the Controller of Personal Data and GARR shall process Personal Data only as a Processor on behalf of User. Nothing in the Agreement or this DPA shall prevent GARR from using or sharing any data that GARR would otherwise collect and process independently of User’s use of the Services.

2.3 User Obligations. User agrees that (i) it shall comply with its obligations as a Controller under Data Protection Laws in respect of its processing of Personal Data and any processing instructions it issues to GARR; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for GARR to process Personal Data and provide the Services pursuant to the Agreement and this DPA.

2.4 GARR Processing of Personal Data. As a Processor, GARR shall process Personal Data only for the following purposes: (i) processing to perform the Services in accordance with the Agreement; (ii) processing to perform any steps necessary for the performance of the Agreement; and (iii) to comply with other reasonable instructions provided by User to the extent they are consistent with the terms of this Agreement and only in accordance with Use’s documented lawful instructions. The parties agree that this DPA and the Agreement set out the Use’s complete and final instructions to GARR n relation to the processing of Personal Data and processing outside the scope of these instructions (if any) shall require prior written agreement between User and GARR.

2.5 Nature of the Data. GARR handles User Data provided by User. Such User Data may contain special categories of data depending on how the Services are used by User. The User Data may be subject to the following process activities: (i) storage and other processing necessary to provide, maintain and improve the Services provided to User; (ii) to provide User and technical support to User; and (iii) disclosures as required by law or otherwise set forth in the Agreement.

2.6 GARR Data. Notwithstanding anything to the contrary in the Agreement (including this DPA), User acknowledges that GARR shall have a right to use and disclose data relating to and/or obtained in connection with the operation, support and/or use of the Services for its legitimate operational purposes, such as billing, account management, technical support, product development. To the extent any such data is considered personal data under Data Protection Laws, GARR is the Controller of such data and accordingly shall process such data in compliance with Data Protection Laws.

3. Subprocessing

GARR does not currently engage any Sub-processor.

4. Security

4.1 Security Measures. GARR shall implement and maintain appropriate technical and organizational security measures to protect Personal Data from Security Incidents and to preserve the security and confidentiality of the Personal Data, in accordance with GARR’s security standards described in Annex 1 (“Security Measures”).

4.2 Confidentiality of Processing. GARR shall ensure that any person who is authorized by GARR to process Personal Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

4.3 Security Incident Response. Upon becoming aware of a Security Incident, GARR shall notify User without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by User.

4.4 Updates to Security Measures. User acknowledges that the Security Measures are subject to technical progress and development and that GARR may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the User.

5. Security Reports and Audits

5.1 GARR shall maintain records of its security standards. Upon User’s written request, GARR shall provide (on a confidential basis) copies of relevant external ISMS certifications, audit report summaries and/or other documentation reasonably required by User to verify GARR’s compliance with this DPA. GARR shall further provide written responses (on a confidential basis) to all reasonable requests for information made by User, including responses to information security and audit questionnaires, that User (acting reasonably) considers necessary to confirm GARR’s compliance with this DPA, provided that User shall not exercise this right more than once per year.

6. International Transfers

6.1 Processing Locations. GARR stores and processes EU Data (defined below) in data centers located in Italy. GARR shall implement appropriate safeguards to protect the Personal Data, wherever it is processed, in accordance with the requirements of Data Protection Laws.

6.2 Transfer Mechanism. GARR does not processes or transfers (directly or via onward transfer) Personal Data under this DPA from the European Union (“EU Data”) in or to countries which do not ensure an adequate level of data protection within the meaning of applicable Data Protection Laws of the foregoing territories.

6.3 Return or Deletion of Data. Upon deactivation of the Services, all Personal Data shall be deleted, save that this requirement shall not apply to the extent GARR is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which such Personal Data GARR shall securely isolate and protect from any further processing, except to the extent required by applicable law.

8. Cooperation

8.1 To the extent that User is unable to independently access the relevant Personal Data within the Services, GARR shall (at User’s expense) taking into account the nature of the processing, provide reasonable cooperation to assist User by appropriate technical and organizational measures, in so far as is possible, to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement.

In the event that any such request is made directly to GARR, GARR shall not respond to such communication directly without User’s prior authorization, unless legally compelled to do so. If GARR is required to respond to such a request, GARR shall promptly notify User and provide it with a copy of the request unless legally prohibited from doing so.

8.2 To the extent GARR is required under Data Protection Law, GARR shall (at User’s expense) provide reasonably requested information regarding GARR’s processing of Personal Data under the Agreement to enable the User to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

9. Miscellaneous

9.1 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.

9.2 This DPA is a part of and incorporated into the Agreement so references to “Agreement” in the Agreement shall include this DPA.

9.3 In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.

9.4 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.

Annex 1 – Security Measures

GARR implements and maintains the Security Measures set out in this Appendix 1.

1. Data Center Security

Infrastructure. GARR uses distributed data centers, all located in Italy, either within its own premises or the premises of research organizations associated with GARR.

Redundancy. Infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. Dual circuits, switches, networks or other necessary devices help provide this redundancy. The Services are designed to allow GARR to perform certain types of preventative and corrective maintenance without interruption. Preventative and corrective maintenance of the data center equipment is scheduled through a standard change process according to documented procedures.

Power. The data center electrical power systems are designed to be redundant and maintainable without impact to continuous operations, 24 hours a day, 7 days a week. In most cases, a primary as well as an alternate power source, each with equal capacity, is provided for critical infrastructure components in the data center. Backup power is provided by various mechanisms such as uninterruptible power supplies (UPS) batteries, which supply consistently reliable power protection during utility brownouts, blackouts, over voltage, under voltage, and out-of-tolerance frequency conditions. If utility power is interrupted, backup power is designed to provide transitory power to the data center, at full capacity, for up to 10 minutes until the diesel generator systems take over. The diesel generators are capable of automatically starting up within seconds to provide enough emergency electrical power to run the data center at full capacity, typically for over one day.

Server Operating Systems. GARR servers use a Linux based implementation suitable for the application environment. Data is stored using Open Source algorithms that provide data security and redundancy.

Businesses Continuity. GARR replicates data over multiple systems to help to protect against accidental destruction or loss.

2. Networking

Data Transmission. Data centers are typically connected via high-speed private links to provide secure and fast data transfer between data centers. This is designed to prevent data from being read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media. GARR transfers data via Internet standard protocols.

Intrusion Detection. Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents.

Incident Response. GARR monitors a variety of communication channels for security incidents through its CERT team, who will react promptly to known incidents.

3. Access Control

Infrastructure Security Policy. GARR maintains a security policy for its personnel.

Access Control and Privilege Management. User’s administrators must authenticate themselves via a federated authentication system in order to administer the Services.

3.1 Site Control

Data Center Access Procedures. The data centers are housed in facilities that require electronic card key access, with alarms that are linked to the on-site security operation. Only authorized employees, contractors and visitors are allowed entry to the data centers.

3.2 Internal Data Access Policy

GARR’s internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. GARR designs its systems to (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording. The systems are designed to detect any inappropriate access. GARR employs a centralized access management system to control personnel access to production servers, and only provides access to a limited number of authorized personnel. SSH certificates are thoroughly used to provide a secure and flexible access mechanisms. These mechanisms are designed to grant only approved access rights to site hosts, logs, data and configuration information. GARR requires the use of unique user IDs, strong passwords to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; and a need to know basis.

Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies that follow at least industry standard practices are implemented. These standards include restrictions on password reuse and sufficient password strength.

4. Data

Data Storage, Isolation and Logging. GARR stores data in a multi-tenant environment on GARR-owned servers. The data and file system architecture are replicated between multiple geographically dispersed data centers. GARR also logically isolates the User’s data. User will be given control over specific data sharing policies. Those policies, in accordance with the functionality of the Services, will enable User to determine the product sharing settings applicable to User End Users for specific purposes. User may choose to make use of certain logging capability that GARR may make available via the Services.

Decommissioned Disks and Disk Erase Policy. Disks containing data may experience performance issues, errors or hardware failure that lead them to be decommissioned (“Decommissioned Disk”). Every Decommissioned Disk is subject to a series of data destruction processes (the “Disk Erase Policy”) before leaving GARR’s premises either for reuse or destruction.

5. Personnel Security

GARR personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. GARR conducts reasonably appropriate backgrounds checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations. Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, GARR’s confidentiality and privacy policies. Personnel are provided with security training. Personnel handling User Data are required to complete additional requirements appropriate to their role (eg., certifications). GARR’s personnel will not process User Data without authorization.