Data processing agreement

This Data Processing Agreement (“DPA”), together with the General Terms and Conditions (“GTCs”) and the MSA accepted by the Customer, constitutes a legally binding commitment between Globus AI AS (“Processor”) and its customer (“Controller”), effective from the date the MSA is signed, unless the parties thereto have agreed otherwise in writing.

The latest version of this DPA is available at globus.ai/dpa. Globus AI may amend this DPA and inform the Customer thereof. Such amendments shall apply beginning ten (10) days from the date of posting them on globus.ai/dpa. Notwithstanding anything to the contrary, the Processor will not change the technical or organisational measures in a way that reduces the level of security without informing the Controller.

Purpose

This agreement sets out the rights and obligations of Globus AI AS (the Processor) when processing personal data on behalf of the Controller pursuant to the GTCs. This agreement (“DPA”) shall ensure that the processing meets the standard of the General Data Protection Regulation (GDPR), as well as any supplemental Norwegian data protection regulations.

1. The data Processor’s duties

The Processor shall:

a. Only process personal data in accordance with documented instructions of the Controller. The Processor shall notify the Controller if any of the instructions are in violation of the GDPR or any other applicable data protection regulations. The Processor shall also notify the Controller if the Processor is required by mandatory law to process personal data contrary to the Controller's instructions;

b. Ensure that employees and sub-processors or other third parties authorised to process personal data on behalf of the Processor in accordance with Section 4 are subject to obligations of confidentiality;

c. Implement appropriate technical and organisational measures required pursuant to Article 32 of the GDPR. The data security measures are described in Appendix 2;

d. Ensure that any sub-processors processing personal data on behalf of the Processor have entered into a binding agreement with the Processor pursuant to Article 28(2) and (4) of the GDPR;

e. Notify the Controller if personal data are to be transferred outside the EEA and ensure that the personal data are adequately protected by EU model clauses or another basis for transfer pursuant to the GDPR;

f. At the request of the Controller, and within a reasonable period of time, make available all information necessary to document that the Processor fulfils Article 28 of the GDPR. The Processor shall enable the Controller to perform audits and inspections, either by the Controller or by a third party designated by the Controller and bound by a duty of confidentiality;

g. Keep a record (log) of the processing activities carried out on behalf of the Controller, which shall at least contain the information required pursuant to Article 30 of the GDPR:
the name and contact details of the processor and controller; categories of processing carried out on behalf of each controller; international transfers of data; and a description of the technical and organisational security measures in place. The Controller can request a copy of such record at any time;

h. Immediately notify the Controller if the Processor receives a request from an authority to disclose personal data processed under this DPA. The Processor is not obliged to notify if the law prohibits such notification. Unless required by law, the Processor shall not comply with such a request without prior written notification of the Controller;

i. Assist the Controller in responding to requests from the data subject pursuant to Chapter III of the GDPR (including the right to information, access, correction and erasure);

j. Assist the Controller in fulfilling their duties pursuant to Article 32-36 of the GDPR.

The scope of the Processor's duty to provide assistance to the Controller under i) and j) shall take the nature of the processing and the information available to the Processor into account. The Processor has the right to invoice the Controller for work performed in order to fulfil the duties described in i) and j), pursuant to the hourly rates agreed in the principal agreement. The Processor does not have the right to charge for fulfilling other duties under this agreement.

2. Instructions

The GTCs and this DPA constitute the final instructions of the Controller (with regard to data processing) at the time of the conclusion of this DPA. Further instructions are reserved for the Controller, but if the Controller's instructions are not covered by the scope of services agreed in the GTCs and the Offer, they shall be treated as a request for a change of services. In the event of proposed modifications, the Processor shall inform the Controller about the impact on the agreed services, in particular the possibility of providing the services, deadlines and remuneration.

If the Processor cannot reasonably be expected to implement the instruction, the Processor shall be entitled to reject the instruction. In the event that the Controller nevertheless insists on the instruction, the Processor has a special right of termination and can terminate the processing – and further terminate the DPA and the GTCs – at any time with immediate effect.

3. Notification routines

In the event of a personal data breach, the Processor shall notify the Controller within 48 hours. The notification shall at least describe:

The nature of the breach of personal data, including, if possible, the categories and the approximate number of data subjects affected;

The name and contact information of the data protection officer or other contact where information can be obtained;

The likely consequences of the personal data breach;

The measures taken or proposed to be taken to address the personal data breach, including any measures to mitigate its possible adverse effects.

In the case where all of the information above cannot be given in the first notice, the information shall be provided without undue delay and no later than 72 hours after the occurrence of the personal data breach. The Controller shall ensure that an incident report is sent to the relevant Data Protection Authority in accordance with GDPR art. 33.

4. Use of sub-processors

The Controller hereby grants a general authorisation to use sub-processors.

The list of sub-processors is published on the Processor’s dedicated webpage as follows:
https://globusaioutlook.sharepoint.com/sites/GDPR/StaffingProcessors

The Processor has the right to replace sub-processors or add new sub-processors, and to amend the list of sub-processors published on the website (hereinafter “Changes”), as necessary. In such event, the revised list of sub-processors will be posted on the Processor's website with an indication of its effective date.

The Controller shall be informed of any Changes, and the Controller shall have the right to object to such Changes and inform the Processor thereof no later than 10 (ten) calendar days from the date of publication of the Changes. Failure to receive such objections within the specified period means the acceptance of the Changes.

The Controller may not reject a new sub-processor without legitimate reason. Any rejection based on a well-founded suspicion that the level of data protection may be degraded as a result of the change of sub-processor shall be regarded as a legitimate reason.

If the rejection is based on illegitimate grounds, the Processor is entitled to a fee equivalent to the subscription fee for the last 12 months before the rejection and the parties should discuss possible amicable solutions in order to maintain the agreement and the present DPA in force.

5. Transfer of data to third countries

The transfer of the Controller's data to a third country requires the prior consent of the Controller and may only take place if the special requirements of Art. 44 et seqq. GDPR are fulfilled. If these requirements are met, there must be important data protection related reasons to refuse consent.

The Processor acknowledges that any transfer of the Controller's data to third countries is subject to appropriate safeguards, such as, where necessary, a contract on EU-approved terms known as standard contractual clauses (SCCs) concluded with the respective sub-processor located in the third country. The Processor shall also verify that the level of protection provided to the personal data following the transfer is essentially equivalent to, and does not undermine, the level of protection guaranteed to data subjects under the GDPR. The Controller's approval of the list of sub-processors constitutes agreement to such transfers.

6. Audits

Each party shall cover its own costs related to audits. In the event an audit reveals a material deviation from the obligations of this Agreement, all costs, including the Controller's and external auditors' reasonable costs, shall be covered by the Processor.

7. Liability and compensation

The parties shall cover their own administrative fines and other penalties imposed as a result of violations of data protection laws.

In case a party becomes liable to pay compensation due to circumstances which the other party is responsible for, the responsible party shall make the compensation payment. The liability is limited as described in the GTCs and shall only cover direct loss.

8. Duration of the agreement

The agreement is in force for as long as the Processor processes personal data on behalf of the Controller pursuant to the GTCs and the Offer.

In the event of a breach of this agreement or data protection laws, the Controller may instruct the Processor to stop further processing of the data with immediate effect.

9. Return, deletion and/or destruction at the end of the Agreement

Upon termination of this Agreement, the Processor is obligated to return all personal data received on behalf of the Controller.

The Controller may require that the Processor deletes or destroys all personal data processed under this agreement. The Controller may ask the Processor to confirm in writing that the deletion is completed. The deletion shall be carried out no later than 60 days after the agreement is terminated. Deletion means that the personal data are permanently deleted from all systems, except from the backup system. Only technical personnel shall have access to the backup system.

10. Law and legal venue

The law and legal venue are pursuant to the GTCs.

Date: May 28th, 2021

Appendix 1: The scope of the processing

The purpose of the processing
The Processor will process personal data to provide its virtual staffing assistance service (the “Service”), and to improve the products and services as set out in the GTCs. The Processor has been assured that the Controller has complied with all applicable data protection laws and regulations, and that the Controller is able to lawfully transfer its data to the Processor to be processed as set out in the GTCs.

Types of personal data processed
Personal data: name, telephone number, address, e-mail address, work schedule, educational background, employment information (regular employee/temporarily employed etc.), time reports (hours worked, hours scheduled, overtime, absence etc.), salary information (salary, bank account etc.), personal information including identity number (CPR number, assignment activities, HR activities etc.).

Work-related data: job application information (CV, personal letter, picture, test score, references etc.), work history (which employees have attended which assignments), work schedules and future assignments, assignment information, activities and visits, names, addresses, team, Gerica ID.

Processing activities
Organisation, matching of data sets, data administration, structuring, storage, alteration, retrieval, use, data transfer, erasure or destruction.

The categories of data subjects
Personnel/employees of the Controller - for use of services directed to sales, assignments and candidates; Candidates - for the use of Processor’s services directed to the career opportunities.

The duration of the processing
The Processor will process personal data on behalf of the Controller for the duration of the agreement between the parties, unless otherwise agreed in writing. Data is deleted as soon as possible and no later than sixty (60) days after the agreement has been terminated, or the Controller has requested the personal data to be deleted.

Appendix 2: Security measures

Organizational and technical security measures that are to be implemented by Globus AI (Processor):

  1. Physical access control
  2. System access control
  3. Personal data access control
  4. Transfer access control
  5. Pseudonymization measures
  6. Encryption measures
  7. Access control and password routines
  8. Routines for critical events
  9. Control of entry of personal data
  10. Control of availability
  11. Control of separation
  12. Storage Policy

1. Physical access control
The Processor's office is divided into areas categorised by risk:

  1. A controlled-access area assigned to hosting customers and visitors (corresponding to the office).
  2. A service area assigned to the Service (a delimited area of the office corresponding to the part of the offices where data are processed).
  3. A security area housing the switches for the office internet connections and the computer and telephony equipment not assigned to a specific employee (a delimited, controlled-access area of the office).

The Processor maintains an up-to-date list of individuals (including employees, service providers and temporary staff) who have access to the office and are authorised to enter the office without escort. Individuals needing to access the Processor's service area or the security area are escorted (from the time they arrive, during their visit and until they exit the office) by an authorised member of the organisation. Access rights to the security area are further restricted. The list of persons with access to the security area is regularly reviewed and persons are removed if necessary.

The Processor’s office has an alarm system installed to detect an unauthorized entry.

  1. The main office door is locked and all entries are registered digitally.
  2. Alarm system is automatically activated at night.

2. System access control
Measures to prevent unauthorized use of IT systems:

The Processor has access to the Controller's system through an administrative and support interface, using a personal login combined with a generic user profile. Processor access to the Controller's system through a generic user profile is given only to authorised users where:

  1. Access has been validated from top management and implemented within administrative and support interfaces.
  2. Authorized users have filled out an attendance record before accessing the Controller’s data.
  3. A unique personal login and access time has been registered for the accesses.

Access to administrative and support interfaces is limited to authorised persons within the Processor's organisation and contracting parties. The Processor's elevated privileges to operational aspects of the Service and data are limited to the administrative accounts that require them. Administrators use an account with more limited rights when they perform normal support operations. Access rights of Processor employees and contracting parties are withdrawn or adjusted when they are no longer authorised to access a resource, when their employment contract ends or in the event of a job transfer. An annual review of privileges is conducted to identify and delete unused accounts and to realign the privileges with each user's functions.

3. Personal data access control
Measures to ensure that persons authorized to use the IT system only have access to personal data restricted to the person's established authority:

The Controller manages user profiles through the Controller interface. The Controller interface supports features for defining users' profiles and separating tasks and areas of responsibility, limiting access to personal data exclusively to authorised users by applying need-to-know and least-privilege principles.

  1. User profiles can be designed in centralized fashion (with specific privileges for the use of functions and creation, read access, modification, deletion and transfer of data)
  2. Each person can be assigned one or more of the defined profiles when the employment contract takes effect or upon changing roles or jobs.

4. Transfer access control
Measures to ensure that personal data cannot be read, copied, modified or deleted by electronic transmission or transfer or storage on storage devices without permission, and that recipients can be identified and verified when transfer of personal data is performed via electronic transmission:

All electronic transfers are encrypted with SSL/TLS. Recipients are identified and verified using access tokens.

At Globus AI data transfer access control is implemented through Microsoft Azure Active Directory. Additionally, the Microsoft Azure Cloud encrypts all electronic transfers. The senders and recipients are identified and verified using electronic access tokens.

As a result, no personal data can be read, copied, modified or deleted by electronic transmission or transfer or storage on storage devices without explicit permission. Additionally, all recipients can be identified and verified when transfer of personal data is performed via electronic transmission.

5. Pseudonymization measures

All personal or sensitive data will be kept in a restricted database with separate login access. The rest of the data can be stored in an unrestricted database. The separation enables accountability, as only individuals with restricted access and proper training in handling personal data may work with such data. The data in the unrestricted database will have undergone anonymisation or pseudonymisation and thus cannot be correlated with personal identifiers. The data in the unrestricted database may also be persistent and need not be forgotten. It is enough to remove it from the restricted database, where personal identifiers can be correlated with other data.

When data is collected, each attribute will be inspected to determine whether there is a legitimate reason for collecting it. When data is ingested into the system, it will be tokenised, and a separate lookup file will be created to associate each original entry with its token. The lookup file will be stored in the restricted database.
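The ingest-time tokenisation described above, as an added example that is not Globus AI's code: identifying attributes are replaced by random tokens, the token-to-original mapping is written to a separate lookup (standing in for the restricted database), and the remaining record can live in the unrestricted store. Deleting a subject then only requires removing the lookup entries, which is what makes the unrestricted copy unlinkable. The field names, the allow-list of attributes with a legitimate collection reason, and the sample record are assumptions constructed for this example.

```python
import secrets
from typing import Dict, Optional

# Attributes with a legitimate reason for collection (constructed allow-list; the
# attribute inspection step decides this per attribute in the text above).
ALLOWED_FIELDS = frozenset({"name", "email", "telephone", "hours_worked", "team"})

# Direct identifiers that must not reach the unrestricted database in clear.
IDENTIFYING_FIELDS = frozenset({"name", "email", "telephone"})


def minimise(record: Dict[str, str]) -> Dict[str, str]:
    """Drop every attribute that has no legitimate reason for collection."""
    return {f: v for f, v in record.items() if f in ALLOWED_FIELDS}


def tokenise(record: Dict[str, str], lookup: Dict[str, str]) -> Dict[str, str]:
    """Replace identifying attributes with random tokens.

    `lookup` stands in for the restricted database: it receives token -> original.
    The returned record is safe for the unrestricted database because the tokens are
    random (not derived from the value), so they reveal nothing without the lookup.
    """
    out: Dict[str, str] = {}
    for field, value in minimise(record).items():
        if field in IDENTIFYING_FIELDS:
            token = secrets.token_hex(16)   # 32 hex chars, unpredictable
            lookup[token] = value
            out[field] = token
        else:
            out[field] = value
    return out


def reidentify(row: Dict[str, str], lookup: Dict[str, str]) -> Dict[str, str]:
    """Restore originals. Only a caller with access to the restricted lookup can do this;
    tokens with no lookup entry are left as tokens."""
    return {f: (lookup.get(v, v) if f in IDENTIFYING_FIELDS else v) for f, v in row.items()}


def erase_subject(row: Dict[str, str], lookup: Dict[str, str]) -> int:
    """Erase a data subject by deleting only the restricted lookup entries.
    The unrestricted row may persist; it can no longer be correlated with a person.
    Returns the number of lookup entries removed."""
    removed = 0
    for field in IDENTIFYING_FIELDS:
        token: Optional[str] = row.get(field)
        if token is not None and lookup.pop(token, None) is not None:
            removed += 1
    return removed


def is_linkable(row: Dict[str, str], lookup: Dict[str, str]) -> bool:
    """True while any identifier token in the row can still be resolved."""
    return any(row.get(f) in lookup for f in IDENTIFYING_FIELDS)


if __name__ == "__main__":
    restricted: Dict[str, str] = {}
    # Constructed sample record; "shoe_size" has no collection reason and is dropped.
    raw = {"name": "Kari Nordmann", "email": "kari@example.com",
           "hours_worked": "37.5", "team": "north", "shoe_size": "39"}
    row = tokenise(raw, restricted)
    print("unrestricted row:", row)
    print("restricted view:", reidentify(row, restricted))
    erase_subject(row, restricted)
    print("linkable after erasure:", is_linkable(row, restricted))
```

The design choice worth noting is that tokens are random rather than hashes of the value: a hash of a telephone number or e-mail address can be reversed by brute force over the small input space, so it would not satisfy the requirement that the unrestricted data cannot be correlated with personal identifiers once the lookup is gone.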

6. Encryption measures

Azure Storage Service Encryption helps protect and safeguard data, including personal data, in support of organisational security commitments and compliance requirements defined by frameworks and regulations such as the GDPR. Azure Storage Service Encryption allows us to request that the storage service automatically encrypt the data when writing it to Azure Storage. Microsoft handles all the encryption, decryption, and key management in a fully transparent fashion. All data is encrypted using 256-bit AES (Advanced Encryption Standard) encryption, also known as AES-256, one of the strongest block ciphers available. We can enable this feature on all available redundancy types of Azure File Storage, since both options – LRS (locally redundant storage) and GRS (geo-redundant storage) – are included.

The processor will also use Azure Disk Encryption for virtual machines that are hosted in Azure and have Windows or Linux running as a local operating system. By doing so, all data inside these virtual machines is encrypted automatically as well.

Transparent Data Encryption with Azure SQL Database will help protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest. All of this takes place without requiring changes to the applications.

7. Access control and password routines

We will use Azure Role-Based Access Control (RBAC) to enforce separation of duties. This Azure service enables defining fine-grained access permissions to grant only the amount of access that users need to perform their jobs. Instead of giving everybody unrestricted permissions for Azure resources, we allow only certain actions for accessing personal data.

Azure Key Vault, a cloud-hosted service for managing cryptographic keys and other secrets used in cloud applications, provides capabilities to help with the protection of data and access to data. This Azure service enables us to safeguard cryptographic keys, certificates, and passwords. Azure Key Vault uses specialized hardware security modules (HSMs) for maximum protection and is designed in a way that allows us to maintain control of keys and data.

To minimize the number of people who have access to certain information, such as personal data, we can also use Azure Active Directory Privileged Identity Management. This functionality allows discovering, restricting, and monitoring privileged identities and their access to resources. It is also possible to enforce on-demand, just-in-time administrative access when needed.

8. Routines for critical events

We have adopted Microsoft Azure routines for critical events: https://docs.microsoft.com/en-us/azure/architecture/resiliency/disaster-recovery-azure-applications

9. Control of entry of personal data

Measures to ensure that persons authorized to use the IT system only have access to personal data restricted to the person's established authority:

The Controller manages user profiles through the Controller interface. The Controller's interface supports features for defining users' profiles and separating tasks and areas of responsibility, limiting access to personal data exclusively to authorised users by applying need-to-know and least-privilege principles.

  1. User profiles can be designed in centralized fashion (with specific privileges for the use of functions and creation, read access, modification, deletion and transfer of data)
  2. Each person can be assigned one or more of the defined profiles when the employment contract takes effect or upon changing roles or jobs.

At Globus AI we use Azure Information Protection to automate the process of classifying categories of data, including personal data. The classification is always identifiable, regardless of where the data is stored or with whom it is shared. The persistent labels include visual markings as well as metadata that is added to files and e-mail headers in clear text, so that other services (such as data loss prevention solutions) can identify the classification and take appropriate action.

In addition to tagging personal data in Azure Information Protection, we will use Azure Data Factory and/or Azure HDInsight for this purpose. Azure Data Factory has capabilities to help trace and locate personal data, including visualization and monitoring tools to identify when data arrived and where it came from. There are also capabilities for automating data pipelines with on-demand cloud resource management.

This ensures security and control of access to personal information. Additionally, the foundational customer data protection in Microsoft Azure ensures data segregation, encryption and redundancy.

10. Control of availability

Backup of personal data is done regularly by the Processor:

  1. A complete backup is performed at least weekly
  2. Incremental backup is performed at least daily

Backups are retained for 5 weeks and verified regularly (at least yearly) by performing a full restore and verifying access to and integrity of the restored data. Backups are transmitted to a location separate from the data. Backups have the same level of security as the original data. A disaster recovery plan is held by the Processor to ensure that the organisation, staff, systems and premises necessary to carry out the processing are available within a timeframe that corresponds to the agreed level of service.

At Globus AI we secure data redundancy at 3 different levels through Microsoft Azure:

Locally redundant storage (LRS): Locally redundant storage maintains three copies of data. LRS is replicated three times within a single facility in a single region. LRS protects data from normal hardware failures, but not from a failure of a single facility.

Zone-redundant storage (ZRS): Zone-redundant storage maintains three copies of data. ZRS is replicated three times across two to three facilities to provide higher durability than LRS. Replication occurs within a single region or across two regions. ZRS helps ensure that data is durable within a single region.

Geo-redundant storage (GRS): Geo-redundant storage is enabled for storage accounts by default when they are created. GRS maintains six copies of data. With GRS, data is replicated three times within the primary region. Data is also replicated three times in a secondary region hundreds of miles away from the primary region, providing the highest level of durability. In the event of a failure at the primary region, Azure Storage fails over to the secondary region. GRS helps ensure that data is durable in two separate regions.

11. Control of separation
Measures to ensure that personal data collected for different purposes can be treated separately:

The Processor processes the Controller's data only for providing and improving the Processor's products and services. The Processor does not use the Controller's data for other purposes that would require separate processing.

12. Storage Policy
Measures to ensure that personal data are deleted during and after the term of agreement when use is no longer necessary for the initial purpose:

Data is kept during the term of the agreement and deleted as soon as possible, and no later than sixty (60) days from the date on which the Controller terminates any of the agreements or requests the personal data to be deleted.

Security measures (including those described in the present Agreement) are subject to change at any time by the Processor. The Controller will be informed by the Processor of any significant changes in advance and may obtain up to date information on security measures by sending an email to privacy@globus.ai.

In a case of objections to the changes to these security measures, the Controller informs the Processor about the objections no later than 10 (ten) calendar days. Failure to receive such objections within the specified period means the acceptance of the changes.