Passbolt Cloud Data Processing Agreement
This DPA, as defined below, forms part of the Contract for Services under the Passbolt Cloud Customer Terms and Conditions (the “Principal Agreement”), between a Passbolt Cloud Customer (the “Customer”, or the “Data Controller”) and Passbolt SA (“Passbolt”, or the “Data Processor”) (together the “Parties”).
This DPA is an amendment to the Principal Agreement and is effective upon its incorporation to the Principal Agreement, which incorporation may be specified in the Principal Agreement or an executed amendment to the Principal Agreement. Upon its incorporation into the Principal Agreement, this DPA will form a part of the Principal Agreement. The term of this DPA is the same as the term of the Principal Agreement.
(A) The Customer acts as a Data Controller.
(B) The Customer wishes to subcontract certain Services, which imply the processing of personal data on its behalf, to the Data Processor.
(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(D) The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:
1.1.1 “DPA” means this Data Processing Agreement and all Schedules;
1.1.2 “Customer Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Customer pursuant to or in connection with the Principal Agreement;
1.1.3 “Contracted Processor” means a Subprocessor;
1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
1.1.5 “EEA” means the European Economic Area;
1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679;
1.1.8 “Data Transfer” means:
1.1.8.1 a transfer of Customer Personal Data from the Customer to a Contracted Processor; or
1.1.8.2 an onward transfer of Customer Personal Data from a Contracted Processor to a subcontracted processor, or between two establishments of a Contracted Processor;
1.1.9 “Subprocessor” means any person appointed by or on behalf of the Processor to Process Personal Data on behalf of the Controller in connection with the Principal Agreement.
1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. Description of the Processing
2.1 The subject matter, duration, nature and purpose of the Processing as well as the type of Personal Data and categories of Data Subjects are set out in Schedule 1 (Details of Processing).
3. Instructions and purpose
3.1 The Controller confirms that it has assessed, established and documented, based on the information exchanged and on the Processor's expert knowledge, reliability, resources and reputation, that the Processor provides sufficient guarantees to implement appropriate technical and organisational measures so that the Processing meets the requirements of the GDPR.
3.2. Documented instructions
3.2.1 The Processor shall Process the Personal Data in accordance with the documented instructions of the Controller, including as described in the Principal Agreement and this DPA, and this is the sole purpose for which the Processor may Process the Personal Data. The Controller confirms that the Processor's obligations under the Principal Agreement and this DPA constitute instructions to be followed by the Processor.
3.2.2 Any further instructions to Process Personal Data may be sent by email by the Controller to the authorised representative of the Processor at contact details provided by the Processor or making use of the contact details as set out in Section 14.2 of this DPA.
3.2.3 Notwithstanding 3.2.1 above, the Processor may also Process and/or transfer Personal Data as required by applicable EU or EU Member State law. In case of such requirement of EU or EU Member State law, the Processor shall inform the Controller of that legal requirement before Processing the Personal Data, unless that law prohibits such information to be provided to the Controller on important grounds of public interest.
3.2.4 The Processor shall immediately inform the Controller if, in its opinion, any instruction given by the Controller infringes any Data Protection Laws. The Controller shall respond to such notification from the Processor within 10 Business Days. In case of inaction from the Controller or in case the Controller persists with an unlawful instruction, the Processor shall be allowed to terminate this DPA, without indemnity, other notice or the prior intervention of a judge.
3.3 Controller's obligations
3.3.1 The Controller warrants and guarantees that (i) it has lawfully obtained the Personal Data, (ii) the Processing of the Personal Data by the Processor is lawful and has specific purpose, (iii) any required notices have been made and (iv) consent has been obtained (where applicable) or there is another appropriate lawful Processing ground enabling (a) the Controller to transfer the Personal Data to the Processor and the Processor to receive the Personal Data from the Controller and (b) the Processor to lawfully Process the Personal Data.
3.3.2 The Controller shall inform the Processor as to the risk involved in the Processing and as to any other circumstance the Processor should reasonably be informed about in order to comply with this DPA.
3.4 Compliance with Data Protection Laws
In the course of the provision of the Services and the resulting Processing of Personal Data, the Parties shall comply with all Data Protection Laws as applicable to each Party respectively.
4. Processor Personnel
4.1 The Processor shall take reasonable steps to ensure the reliability of any of its employees, agents or contractors, or those of any Contracted Processor, who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Customer Personal Data, as strictly necessary for the purposes of the Principal Agreement and to comply with Data Protection Laws in the context of that individual's duties, and ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
5. Security
5.1 The Processor shall at all times take all appropriate technical and organisational measures to secure the Personal Data which are or will be Processed by the Processor on behalf of the Controller against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. These security measures shall include the measures set out in Schedule 2 (Passbolt's TOM), which are deemed to be approved by the Controller. The Processor will use reasonable efforts to ensure an appropriate level of security, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects. The measures shall also aim at preventing unnecessary collection and further Processing of Personal Data.
5.2 The Processor shall obtain the Controller's approval before making any material changes to its technical and organisational security measures. The Controller shall not unreasonably withhold approval for such changes.
5.3 In order to maintain an appropriate level of security as described in paragraph 5.1 above, the Processor shall perform regular security checks and implement updates where required.
5.4 Taking into account the nature of the Processing, the Processor shall provide the Controller with reasonable assistance in relation to the Controller's obligation to adopt adequate technical and organisational security measures.
6. Contracted Processors
6.1 Controller's authorisation
6.1.1 The Processor may not engage another Contracted Processor without the Controller's prior written authorisation. As a general written authorisation, the Processor is allowed to appoint Contracted Processors to Process Personal Data under this DPA, provided that such Contracted Processors provide sufficient guarantees to implement appropriate technical and organisational measures so that the relevant Processing meets the requirements of the GDPR.
6.1.2 The Controller is deemed to have authorised in writing the Processing of Personal Data by the Contracted Processors as listed in Schedule 3 (Approved Contracted Processors).
6.1.3 The Processor shall notify the Controller in writing of any intended changes concerning the addition or replacement of other Contracted Processors, thereby giving the Controller the opportunity to object to such changes. Objections by the Controller must be accompanied by a written justification, e.g. demonstrating that a Contracted Processor cannot ensure adequate protection of the Personal Data. If, within 10 Business Days of receipt of this notice, the Controller has not provided any reasonable objection to the intended change, the Controller is deemed to have authorised the intended change.
6.1.4 The Processor shall remain fully and unconditionally liable to the Controller for the Contracted Processor's performance of any obligation, or part of it, arising out of the Principal Agreement, this DPA or any other agreement between the Controller and the Processor.
6.1.5 The Processor shall maintain a list of Contracted Processors including, to the extent reasonably possible, their respective locations, activities and the safeguards implemented by them.
6.2 Contract with Contracted Processor
6.2.1 The Processor shall impose on all Contracted Processors written data protection obligations that offer at least the same protection of Personal Data as the data protection obligations to which the Processor is bound on the basis of the Principal Agreement and this DPA. At the Controller's request, the Processor shall provide the Controller with a copy of any written agreement entered into by the Processor with a Contracted Processor. The Processor may redact any agreed commercial terms from such copies.
7. Data Subject Rights
7.1 Taking into account the nature of the Processing, Processor shall assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws. This includes, as appropriate, measures allowing the Processor to access, rectify, erase or restrict Personal Data or providing Personal Data to the Controller in a structured, commonly used and machine-readable format.
7.2 In the event where a Data Subject submits a request to exercise any of its Data Subject rights to the Processor, the Processor shall:
7.2.1 promptly notify the Customer; and
7.2.2 ensure that it does not respond to that request except on the documented instructions of the Customer or as required by Applicable Laws to which the Processor is subject, in which case the Processor shall, to the extent permitted by Applicable Laws, inform the Customer of that legal requirement before the Processor responds to the request.
8. Personal Data Breach
8.1 The Processor shall notify the Customer without undue delay, and in any case within seventy-two (72) hours after becoming aware thereof, of a Personal Data Breach affecting Customer Personal Data, providing the Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
8.2 The Processor shall co-operate with the Customer and take such commercially reasonable steps as are directed by the Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
9. Data Protection Impact Assessment and Prior Consultation
9.1 The Processor shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Customer reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to the Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
10. Deletion or return of Customer Personal Data
10.1 Obligation to delete or return Personal Data
Upon termination of the Principal Agreement, this DPA, or at the written request of the Controller, the Processor shall, at the choice of the Controller, return the Personal Data and all copies thereof to the Controller and/or shall destroy (delete) such Personal Data and all existing copies thereof securely, taking into account its obligations pursuant to Article 32 GDPR. To the extent the Processor cannot comply with the Controller's request to return and/or destroy Personal Data, because applicable EU or EU Member State statutory provisions require longer storage, the Processor shall inform the Controller of such legal obligation, keep the Personal Data confidential and only Process the Personal Data to the extent required by the applicable EU or EU Member State law.
10.2 Deletion or return term
Any request of deletion or return of Personal Data under this section 10 shall be performed by the Processor within 30 Business Days after the date of the request from the Controller or termination of the Principal Agreement or this DPA, unless otherwise agreed upon at such time by the Parties. The Processor shall confirm in writing that the Processor has returned or destroyed all Personal Data and copies thereof in accordance with the request of the Controller.
11. Audit rights
11.1 The Processor shall make available to the Customer on request all information necessary to demonstrate compliance with this DPA, which may include relevant portions of the Processor's record of processing activities, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Customer in relation to the Processing of the Customer Personal Data, including by the Contracted Processors.
11.2 Information and audit rights of the Controller only arise under section 11.1 to the extent that the DPA does not otherwise give it information and audit rights meeting the relevant requirements of Data Protection Laws.
11.3 The Controller shall:
a. give the Processor reasonable notice of the intention to perform (or have performed) an audit or inspection pursuant to this Section;
b. ensure that the audit or inspection is performed in compliance with the Processor's reasonable confidentiality provisions, as notified by the Processor to the Controller, and
c. ensure that reasonable efforts are used to minimise any disruption to the business of the Processor caused by the performance of the audit or inspection.
12. Data Transfer
12.1 The Processor may not transfer or authorise the transfer of Personal Data to countries outside the European Economic Area (EEA) unless the Controller has given its prior written approval and:
a. an adequacy decision exists in relation to the non-EEA recipient;
b. the transfer of Personal Data is governed by the terms of appropriate EC standard contractual clauses. The Controller hereby mandates the Processor to enter into the EC standard contractual clauses with non-EEA recipients on its behalf;
c. the protection of the Personal Data is ensured through application of another appropriate safeguard within the meaning of Article 46 GDPR; or
d. in the absence of an adequacy decision or appropriate safeguard, the conditions set forth in Article 49 GDPR, regarding derogations for specific situations, are met.
12.2 When requesting the approval from the Controller under 12.1 above, the Processor shall provide the Controller with information about the relevant country of destination and the relevant data transfer mechanism.
12.3 The Processor shall ensure that all measures, commitments, certifications and safeguards necessary to rely on any data transfer mechanism are maintained. If a data transfer mechanism relied upon for a transfer under this Section 12 is no longer maintained, requires adjustment or is invalidated as a result of any change in Data Protection Laws or a decision of a Supervisory Authority or other competent authority, the Processor shall immediately inform the Controller thereof and take appropriate action. The latter may include putting in place an alternative data transfer mechanism to ensure that the transfer(s) continue to be performed in compliance with Data Protection Laws.
12.4 For the avoidance of doubt, any written approval from the Controller to transfer Personal Data to a non-EEA recipient, including the mandate provided under 12.1.b. above, shall constitute a documented instruction within the meaning of Section 3.2 (Documented Instructions).
12.5 The Controller hereby approves transfers of Personal Data to the Contracted Processors listed in Schedule 3 (Approved Contracted Processors) which are non-EEA recipients, provided the other terms of 12.1 above are met.
13. Confidentiality
13.1 Each Party must keep this DPA and the information it receives about the other Party and its business in connection with this DPA (“Confidential Information”) confidential, and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that: (a) disclosure is required by law; or (b) the relevant information is already in the public domain.
14. General Provisions
14.1 The Processor may require the Customer to reimburse the Processor's costs and expenses incurred in complying with its obligations pursuant to Sections 5.4 (Security), 7 (Data Subject Rights), 8 (Personal Data Breach), 9 (DPIA and Prior Consultation) and 11 (Audit Rights), subject to these costs and expenses being reasonable.
14.2 Any notices, information and communications under this DPA may be sent by email using the following email addresses:
For the Processor: [email protected]
For the Controller: the email address to which the Customer's invoices are sent.
Such contact details may change from time to time and shall be notified by the relevant Party.
14.3 Nothing in this DPA reduces the Processor's obligations under any other agreement between the Parties in relation to the protection of Personal Data or permits the Processor to Process (or permit the Processing of) Personal Data in a manner which is prohibited by any other agreement between the Parties. In the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.
14.4 Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
14.5 The Parties agree that they will amend this DPA if reasonably required to comply with Data Protection Laws.
15. Governing Law and Jurisdiction
15.1 This DPA is governed by the laws of the Grand Duchy of Luxembourg.
15.2 Any dispute arising in connection with this DPA, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of the city of Luxembourg.
Date of Last Update
This agreement was last updated on 15th of October 2020.
Schedule 1 – Details of Processing
Subject matter and nature of the Processing
The Processing performed by the Data Processor on behalf of the Controller relates to the credential and password management services.
The Personal Data will be Processed as necessary to operate and support the Services, as further described in the Principal Agreement, to the extent determined and controlled by the Customer in its sole discretion. Further, Passbolt and the service providers it uses shall Process and enrich the Personal Data in their systems to improve the availability, reliability and security of the Services.
Duration of the Processing
The Processing shall continue until the later of:
(i) the DPA being terminated;
(ii) the Processor no longer being subject to an applicable legal or regulatory requirement to continue to store the Personal Data.
Types of Personal Data
Name, email address, job title, contact details, passwords and credentials, files and documents, location, IP address, browser user agent.
Categories of Data Subjects
Employees, agents, advisors, freelancers of Customer (who are natural persons);
Users authorized by Customer to use the Services;
Schedule 2 – Technical and Organization Security Measures (TOM)
Passbolt SA implements an Information Security Management System (ISMS) aligned with industry standards. We define and regularly review our organisation's security objectives as well as the associated risks and mitigations. Our policies and their associated procedures are designed to protect personal data.
Each employee or contractor at Passbolt undergoes a background check and is requested to disclose any criminal record, previous employer details and education diplomas, if any. They are requested to sign a confidentiality agreement as well as the acceptable use policy. They also undergo a dedicated one-on-one security training, which covers the specific security requirements of their role. We regularly review security policy knowledge and compliance as part of the individual performance evaluation. We educate and encourage collaborators to raise awareness and to draft proposals to improve and innovate in the field of security and privacy.
We have dedicated site reliability and software engineers who are responsible for implementing and managing our security procedures. Through the associated supporting systems they regularly monitor for suspicious activity. They organise dedicated workshops to train and evaluate other staff members' response to security incidents.
Our site reliability team uses an extensive set of systems in order to provide defence in depth. All the components of our infrastructure are designed to be redundant, with multiple layers of failover. We rely on trustworthy security service providers to prevent DDoS attacks on our servers. We use several layers of firewalls, including a web application firewall (WAF) to detect and restrict suspicious or undesirable traffic, as well as regular firewalls to further restrict access. Users can check service availability through the status page.
All customer data transmitted to our servers is protected using strong encryption protocols such as TLS. We ensure encryption of communication not only between the customer and our servers but also internally between all parts of our systems. We maintain a list of acceptable TLS protocol versions and cipher suites and review it using automated tools.
We use an intrusion detection system (IDS) to detect and notify us of unauthorised access to servers. We use redundant monitoring tools with real-time notifications to report downtime, performance issues and abnormal activity. We regularly review the alerts from these systems, as well as application logs, to detect abnormal or suspicious activity. We regularly perform disaster recovery tests with unique scenarios.
All our development, test and production environments are segmented on several isolated networks and, where applicable, into different projects. Default passwords are removed and all unnecessary services are removed or disabled. All our infrastructure is automated and defined as code. We have hardened, consistent, tested and reproducible builds for all our servers. Server secrets and credentials are encrypted using keys stored in a secure storage service and can be rotated on demand.
Access control & identity
We employ technical access controls and internal policies to prohibit employees from arbitrarily accessing user data. We adhere to the principles of least privilege and role-based permissions to reduce the risk of data exposure.
For email, our DMARC policy relies on SPF and DKIM to verify that messages sent from our domains are authentic.
All the code produced for the core products and associated services must adhere to the OWASP guidelines and recommendations, to prevent common security issues such as cross-site scripting (XSS) or SQL injection. Every code change is signed, tracked in a version control system and covered by a change management policy which requires code review by a maintainer. Similarly, publishing rights are reserved to a small list of maintainers. Where possible we use code analysers and scanners to detect issues and vulnerabilities. We perform regular third-party code reviews.
We run a bug bounty program to recognise and reward the work of independent security researchers. We offer a clear and secure way to contact us to report a security vulnerability, as well as a clear process defining how we respond to such a report; both are outlined on the help site and in the product readme.
We publish and maintain a security white paper for the product, distributed to our customers, to help them evaluate the residual risks as per their threat model. We have a transparent process for disclosing vulnerabilities reported to us and incidents affecting the services. We publish reports on security incidents on our website.
Cloud data security
For the cloud product, each customer's workspace data is logically separated in an individual database. All cloud data, including backups, is encrypted at rest using 256-bit Advanced Encryption Standard (AES) with keys stored in a secure storage system. We run incremental backups every day and full backups weekly. All backups are scheduled, tracked and tested regularly. We also recommend that our customers schedule regular backups of their data using the export features.
We hold the data for as long as a customer chooses to use the service. Once they terminate their Passbolt cloud account the data are automatically deleted from our backups within 6 weeks.
Access to test, staging and production environments is maintained by a central directory and authenticated using a combination of strong passwords, two-factor authentication, and passphrase-protected SSH keys. Only a minimal number of individuals have access to the production environments.
We require every employee's workstations and mobile devices to be selected from a short list of acceptable and officially supported devices and operating systems. They must be set up to be automatically kept up to date and to encrypt data at rest. Workstations must have an up-to-date firewall and anti-virus software installed. Employees' workstations must be set to lock automatically when idle. Mobile devices used for business purposes are individually reviewed to ensure they meet our security standards.
All employees must use a password manager and use it to generate strong unique passwords. They must have a strong master passphrase. Employees are provided with a physical security token to be used for second factor authentication. Additionally our email provider implements prevention mechanisms for malware and spam protection.
Access to the building and facilities is controlled and limited via access cards. Dedicated staff are available at the reception to orient visitors and control their access during work hours. Access is monitored using CCTV cameras. Each collaborator is provided with an access card to access the office space. Each visitor to the office space must be accompanied by an employee at all times. Further, sensitive documentation such as employee files is stored in a secure storage space requiring a separate set of keys, provided only to selected C-level executives.
We perform background checks and a risk assessment of our consultants and service providers as part of our procurement process. Where applicable we request that they agree to our General Terms and Conditions of Purchase and Contracting, or alternatively make sure that their general terms and conditions, or our contract with them, require them to maintain the highest possible level of confidentiality and privacy when it comes to sensitive and personal data protection.
We make sure our service providers are certified according to industry security standards and compliance instruments such as ISO 27001, PCI DSS and SOC 2, which enforce strict procedures for both physical and digital security.
Schedule 3 – Approved Contracted Processors
The Processor currently uses the following Contracted Processors:
| Contracted processor | Processor activities | Type of personal data | Location | Implemented safeguards & data transfer mechanism |
|---|---|---|---|---|
| Chargebee | Subscription & invoice management | Name, email address, location, IP address of customer. | USA | ISO 27001:2013, SOC 1, SOC 2, PCI DSS certifications. Standard Contractual Clauses. |
| Chartmogul | Subscription & invoice management | Name, email address, location, IP address of customer. | Germany | Security best practices. Standard Contractual Clauses. |
| CloudFlare | Web Application Firewall and Content Delivery Network | Name, email address, location, IP address of customer and user of service. | USA | ISO 27001:2013, SOC 2 Type II, SOC 3, PCI DSS 3.2.1 certifications. Standard Contractual Clauses. |
| Google Cloud Platform (GCP) | Hosting of passbolt websites and cloud data | Name, email address, credentials, location including IP address of cloud service users. | USA (Cloud Site data is hosted in Belgium) | ISO 27001, ISO 27017, ISO 27018, ISO 27701, SOC 1, SOC 2, SOC 3, PCI DSS certifications. Standard Contractual Clauses. |
| Hubspot | Customer relationship management and support | Name, email address, address of customer. | USA | Security best practices; infrastructure providers with SOC 2 Type II and ISO 27001 certifications. Standard Contractual Clauses. |
| Mailchimp | Email newsletter and notifications | Name, email address, IP address of customer or user who opted in. | USA | Security best practices; SOC 2, PCI DSS certifications. Standard Contractual Clauses. |
| New Relic | Performance and security monitoring | Log information (can contain email, name of customer and service user). | USA | SOC 2 Type II certification. Standard Contractual Clauses. |
| Slack | Support and alerts | Name, email address, location of customer or service user asking for support. | USA | ISO 27001, ISO 27017, ISO 27018, SOC 2, SOC 3 certifications. Standard Contractual Clauses. |
| Stripe | Payment management | Name, email address, location, credit card of customer. | USA | PCI Service Provider Level 1 certification. Standard Contractual Clauses. |
| Zoho | Accounting | Name, email address, location of customer. | USA | ISO 27001:2013, ISO 27701, ISO 27017, ISO 27018, ISO 9001, SOC 2 Type 2, PCI DSS certifications. Standard Contractual Clauses. |