Passbolt Cloud Data Processing Agreement

1. Definitions and Interpretation

2. Description of the Processing

3. Instructions and purpose

3.1 Processor

3.2. Documented instructions

3.3 Controller's obligations

3.4 Compliance with Data Protection Laws

4. Security

5. Subprocessing

5.1 Controller's authorisation

5.2 Contract with Contracted Processor

6. Data Subject rights requests

7. Personal Data Breach

8. Other assistance to the Controller

9. Documentation, compliance and audit rights

10. Data Transfer

11. Confidentiality

12. Non-compliance with this DPA and termination

13. Miscellaneous

14. Governing Law and Jurisdiction

Date of Last Update


Schedule 1 – Details of Processing

Subject matter and nature of the Processing

Duration of the Processing

Types of Personal Data

Categories of Data Subjects

Schedule 2 – Technical and Organization Security Measures (TOM)

Organizational Security

Information Security Program

Third-Party Penetration Testing

Roles and Responsibilities

Confidentiality

Background Checks

Product security

Development best practice

Change management

Security whitepaper

Cloud Security

Cloud Infrastructure Security

Data Hosting Security

Encryption at Rest

Encryption in Transit

Vulnerability Scanning

Logging and Monitoring

Business Continuity and Disaster Recovery

Incident Response

Access Security

Permissions and Authentication

Least Privilege Access Control

Quarterly Access Reviews

Endpoint Security

Password Requirements

Password Managers

Physical Security

Vendor and Risk Management

Annual Risk Assessments

Vendor Risk Management

Schedule 3 – Approved Contracted Processors

| Contracted processor | Processor activities | Type of personal data | Headquarters location | Implemented safeguards & data transfer mechanism |
|---|---|---|---|---|
| Amazon Web Services | Email delivery (AWS SES) | Name, email address, location, IP address of customer and authorized users | USA | ISO 27001:2013, 27018, 27701, SOC2 (Ref). Standard Contractual Clauses (Ref). Using services located in Ireland and Germany. |
| Chargebee | Subscription & invoice management | Name, email address, location, IP address of customer. | USA | ISO 27001:2013, SOC 1, SOC 2, PCI DSS certifications. (Ref) Standard Contractual Clauses. Using datacenter located in Europe. |
| Chartmogul | Subscription & invoice management | Name, email address, location, IP address of customer. | Germany | Security best practices. (Ref) Standard Contractual Clauses. |
| CloudFlare | Web Application Firewall and Content Delivery Network | Name, email address, location, IP address of customer and user of service. | USA | ISO 27001:2013, SOC 2 type II, SOC 3, PCI DSS 3.2.1 certifications. (Ref) Standard Contractual Clauses. |
| Google Cloud Platform (GCP) | Hosting of passbolt websites and cloud data | Name, email address, credentials, location including IP address of cloud service users. | USA | ISO 27001, ISO 27017, ISO 27018, ISO 27701, SOC 1, SOC 2, SOC 3, PCI DSS certifications. (Ref) Cloud Site data is hosted in Belgium and Germany. Standard Contractual Clauses. |
| Hubspot | Customer relation management and support | Name, email address, address of customer. | USA | Security best practices & infrastructure providers with SOC 2 Type II and ISO 27001 certifications. (Ref) Standard Contractual Clauses. |
| New relic | Performance and security monitoring | Log information (may contain email, name of customer and service user). | USA | SOC 2 type II certification. (Ref) Standard Contractual Clauses. |
| Slack | Support and alerts | Name, email address, location of customer or service user asking for support. | USA | ISO 27001, ISO 27017, ISO 27018, SOC 2, SOC 3 certifications. (Ref) Standard Contractual Clauses. |
| Stripe | Payment management | Name, email address, location, credit card of customer. | USA | PCI Service Provider Level 1 certification. (Ref) Standard Contractual Clauses. |
| Zoho | Accounting | Name, email address, location of customer. | USA | ISO 27001:2013, ISO 27701, ISO 27017, ISO 27018, ISO 9001, SOC 2 type 2, PCI DSS certifications. (Ref) Standard Contractual Clauses. |
| Excellium Services | Security Operation Center / Computer Security Incident Response | Location including IP address of cloud service users, Log information (can contain email, name of customer and service user). | Luxembourg | ISO 27001:2013 certification |