Passbolt Cloud Data Processing Agreement

This DPA, as defined below, forms part of the Contract for Services under the Passbolt Cloud Customers Terms and Conditions (the “Principal Agreement”), between a Passbolt Cloud Customer (the “Customer”, or the “Controller”) and Passbolt SA (“Passbolt”, or the “Processor”) (together as the “Parties”).

This DPA is an amendment to the Principal Agreement and this DPA, as well as any modification hereto is effective upon its incorporation to the Principal Agreement, which incorporation may be specified in the Principal Agreement or an executed amendment to the Principal Agreement. Upon its incorporation into the Principal Agreement, this DPA will form a part of the Principal Agreement. The term of this DPA is the same as the term of the Principal Agreement.

WHEREAS

(A) The Customer acts as a Data Controller.

(B) The Customer wishes to subcontract certain Services, which imply the processing of personal data on its behalf, to the Data Processor.

(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(D) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:

1.1.1 “DPA” means this Data Processing Agreement and all Schedules that form an integral part of it;

1.1.2 “Customer Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Customer pursuant to or in connection with the Principal Agreement;

1.1.3 “Contracted Processor” means a Subprocessor;

1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

1.1.5 “EEA” means the European Economic Area;

1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679;

1.1.8 “Data Transfer” means disclosing Customer Personal Data or otherwise making Customer Personal Data, subject to this DPA, available to another Controller, joint controller or Processor;

1.1.9 “Services” means the services Passbolt provides. The data processing performed by the Data Processor on behalf of the Controller relates to the services of credentials and password management. The data processing details and procedure can be found in the Passbolt Privacy Policy at https://www.passbolt.com/privacy;

1.1.10 “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Customer in connection with the Principal Agreement;

1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly;

1.3 This DPA shall be read and interpreted in the light of the provisions of the GDPR. It shall not be interpreted in a way that runs counter to the rights and obligations provided for in the GDPR or in a way that prejudices the fundamental rights or freedoms of the data subjects.

2. Description of the Processing

2.1 The subject matter, duration, nature and purpose of the Processing as well as the type of Personal Data and categories of Data Subjects are set out in Schedule 1 (Details of Processing).

The Processor shall not process sensitive data, as defined in Articles 9 and 10 of the GDPR, unless the Customer gives clear and documented additional instructions. In this case, the Customer shall specify to the Processor which specific limitations and/or additional safeguards are to be applied to the processing of these categories of data and the Processor shall be free to accept them or not and, if applicable, to accept them at an additional cost.

3. Instructions and purpose

3.1 Processor

The Controller confirms that it has assessed, established and documented, based on information exchanged and the Processor's expert knowledge, reliability, resources and reputation, that the Processor provides sufficient guarantees to implement appropriate technical and organisational measures so that the Processing meets the requirements of the GDPR.

3.2. Documented instructions

3.2.1 The Processor shall Process the Personal Data in accordance with the documented instructions of the Controller, including as described in the Principal Agreement and this DPA, and only for the specific purpose(s) of the Processing, as set out in Schedule 1 (Details of Processing), unless it receives further instructions from the Controller. The Controller confirms that the Processor's obligations under the Principal Agreement and this DPA constitute instructions to be followed by the Processor.

3.2.2 Any further instructions to Process Personal Data may be sent by email by the Controller to the authorised representative of the Processor at contact details provided by the Processor or making use of the contact details as set out in Section 13.2 of this DPA.

3.2.3 Notwithstanding 3.2.1 above, the Processor may also Process and/or transfer Personal Data as required by applicable EU or EU Member State law. In case of such requirement of EU or EU Member State law, the Processor shall inform the Controller of that legal requirement before Processing the Personal Data, unless that law prohibits such information to be provided to the Controller on important grounds of public interest.

3.3 Controller's obligations

3.3.1 The Controller warrants and guarantees that (i) it has lawfully obtained the Personal Data, (ii) the Processing of the Personal Data by the Processor is lawful and has specific purpose, (iii) any required notices have been made and (iv) consent has been obtained (where applicable) or there is another appropriate lawful Processing ground enabling (a) the Controller to transfer the Personal Data to the Processor and the Processor to receive the Personal Data from the Controller and (b) the Processor to lawfully Process the Personal Data.

3.3.2 The Controller shall inform the Processor as to the risk involved in the Processing and as to any other circumstance the Processor should reasonably be informed about in order to comply with this DPA.

3.4 Compliance with Data Protection Laws

In the course of the provision of the Services and the resulting Processing of Personal Data, the Parties shall comply with all Data Protection Laws as applicable to each Party respectively.

4. Security

4.1 The Processor shall take reasonable steps to ensure the reliability of any of its employees, agents or contractors or those of any Contracted Processor, who may have access to Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Personal Data, as strictly necessary for the purposes of implementing, managing and monitoring of the Principal Agreement, and to comply with applicable laws in the context of that individual’s duties, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4.2 The Processor shall at least implement the technical and organisational measures specified in Schedule 2 (Passbolt's TOM), which are deemed to be approved by the Controller, to ensure the security of Customer Personal Data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). The Processor will use reasonable efforts to ensure an appropriate level of security, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects. The measures shall also aim at preventing unnecessary collection and further Processing of Personal Data.

4.3 The Processor shall obtain the Controller's approval before making any material changes to its technical and organisational security measures. The Controller shall not unreasonably withhold approval for such changes.

4.4 In order to maintain an appropriate level of security as described in Section 4.1 above, the Processor shall perform regular security checks and implement updates where required.

Taking into account the nature of the Processing, the Processor shall provide the Controller with reasonable assistance in relation to the Controller's obligation to adopt adequate technical and organisational security measures.

5. Subprocessing

5.1 Controller's authorisation

5.1.1 The Processor has the Controller’s general authorisation for the engagement of Contracted Processors from the list in Schedule 3 (Approved Contracted Processors).

5.1.2 The Controller is deemed to have authorised in writing the Processing of Personal Data by the Contracted Processors as listed in Schedule 3 (Approved Contracted Processors).

5.1.3 The Processor shall notify the Controller in writing of any intended changes of that list through the addition or replacement of other Contracted Processors at least 15 days in advance, thereby giving the Controller the opportunity to object to such changes prior to the engagement of the concerned Contracted Processor. Objections by the Controller must be accompanied by a written justification, e.g. demonstrating that a Contracted Processor cannot ensure adequate protection of the Personal Data. If, within 10 Business Days of receipt of this notice, the Controller has not provided any reasonable objection to the intended change, the Controller is deemed to have authorised the intended change. The Processor shall provide the Controller with the information necessary to enable the Controller to exercise the right to object. In the event of an objection by the Controller, based on legitimate reasons with regard to the protection of the Personal Data, having as a consequence that the Processor is no longer in a position to provide its services, the Processor will have the right to terminate the Principal Agreement, without indemnity, other notice or the prior intervention of a judge.

5.1.4 The Processor shall remain fully and unconditionally liable to the Controller for the performance of the Contracted Processor's obligations in accordance with the latter's contract with the Processor. The Processor shall notify the Controller of any failure by the Contracted Processor to fulfil its contractual obligations.

5.1.5 The Processor shall maintain a list of Contracted Processors including, to the extent reasonably possible, their respective locations, activities and the safeguards implemented by them. Such information is also included in Schedule 3 (Approved Contracted Processors).

5.2 Contract with Contracted Processor

5.2.1 The Processor shall impose on all Contracted Processors written data protection obligations that offer at least the same protection of Personal Data as the data protection obligations to which the Processor is bound on the basis of the Principal Agreement and this DPA. The Processor shall ensure that the Contracted Processor complies with the obligations to which the Processor is subject pursuant to this DPA and the GDPR. At the Controller's request, the Processor shall provide the Controller with a copy of any written agreement entered into by the Processor with a Contracted Processor and any subsequent amendments. To the extent necessary to protect business secret, commercial terms or other confidential information, including Personal Data, Processor may redact the text of the agreement prior to sharing the copy.

6. Data Subject rights requests

6.1 Taking into account the nature of the Processing, Processor shall assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer obligations, as reasonably understood by the Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

6.2 In the event where a Data Subject submits a request to exercise any of its Data Subject rights to the Processor, the Processor shall:

6.2.1 promptly notify the Customer; and

6.2.2 ensure that it does not respond to that request except on the documented instructions of the Customer.

7. Personal Data Breach

7.1 The Processor shall notify the Customer without undue delay and in any case within fourty-eight (48) hours after becoming aware thereof of a Personal Data Breach affecting Customer Personal Data. Such notification shall contain, at least:

(a) a description of the nature of the Data Protection Breach (including, where possible, the categories and approximate number of Data Subjects and data records concerned);

(b) the details of a contact point where more information concerning the Personal Data Breach can be obtained;

(c) its likely consequences and the measures taken or proposed to be taken to address the Data Protection Breach, including to mitigate its possible adverse effects.

7.2 Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

7.3 The Processor shall cooperate with the Customer and take commercially reasonable steps as are directed by the Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach as well as notification of the Personal Data Breach to the Supervising Authority and/or the communication of the Personal Data Breach to the Data Subjects concerned.

8. Other assistance to the Controller

8.1 The Processor shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to the Processor and, if applicable, the Contracted Processors.

8.2 The Processor shall furthermore assist the Controller in ensuring compliance with the obligation to ensure that Customer Personal Data is accurate and up to date, by informing the Controller without delay if Processor becomes aware that the Customer Personal Data it is Processing is inaccurate or has become outdated.

9. Documentation, compliance and audit rights

9.1 The Parties shall be able to demonstrate compliance with this DPA.

9.2 The Processor shall make available to the Customer on request all information necessary to demonstrate compliance with the obligations that are set out in this DPA and stem directly from the GDPR, which may include relevant portions of the Processor's record of processing activities, and shall allow for and contribute to audits, including inspections, in relation to the Processing of the Customer Personal Data covered by this DPA, including by the Contracted Processors, at reasonable intervals - within the limit of one audit every two years, or if there are tangible indications of non-compliance.

9.3 Information and audit rights of the Controller only arise under Section 9.2to the extent that the DPA does not otherwise give the information and audit rights meeting the relevant requirements of Data Protection Law. In deciding on a review or an audit, the Controller may take into account relevant certifications held by the Processor.

The Customer may decide to carry out the audit itself or appoint an independent auditor. In the latter case, the Customer shall, prior to the audit request:

a) notify the proposed independent auditor to the Processor, which may within one (1) calendar week object to the appointment on reasonable grounds relating to the auditor's competition with Passbolt or the existence of doubts about the proposed independent auditor's ability to ensure information security and data protection; and

b) upon request of Passbolt, obtain an appropriate confidentiality undertaking from the independent auditor.

9.5 Audits may also include inspections at the Processor's premises, upon reasonable notice of at least (1) month without prejudice to a shorter period imposed by a Regulator. In connection with inspections, the Customer agrees to:

a) respect the confidentiality and security of the Processor's premises and any relevant internal procedures or policies notified by the Processor to the Customer prior to the audit;

b) minimize the risk of any disruption to the Processor and its customers' business and the risk of personal data breach arising from the audit;

c) define with the Processor the scope of the audit prior to the audit.

9.6 The costs of the audits and inspections shall be borne by the Customer except in cases where they reveal the Processor's non-compliance.

9.7 The Parties shall make the information referred to in this Section 9, including the results of any audits, available to the competent supervisory authority/ies on request.

10. Data Transfer

10.1 The Processor may not transfer or authorize the transfer of Customer Personal Data to countries outside the European Economic Area (EEA) unless the Controller has given its prior written approval or in order to fulfil a specific legal requirement and such transfer shall take place in compliance with Chapter V of the GDPR.

10.2 When requesting the approval from the Controller under 10.1 above, the Processor shall provide the Controller with information about the relevant country of destination and the relevant data transfer mechanism.

10.3 The Processor shall ensure that all required measures, commitments, certifications and safeguards necessary to be able to rely on any data transfer mechanism are maintained. If a data transfer mechanism relied upon for a transfer under this Section 10 is no longer maintained, requires adjustment or is invalidated as a result of any change in Data Protection Laws or decision of a Supervisory Authority or other competent authority, the Processor shall immediately inform the Controller thereof and take appropriate action. The latter may include the putting in place of an alternative data transfer mechanism to ensure that the transfer(s) remain to be performed in compliance with Data Protection Laws.

10.4 For the avoidance of doubt, any written approval from the Controller to transfer Personal Data to a non-EEA recipient, shall constitute a documented instruction within the meaning of Section 3.2 (Documented Instructions).

10.5 The Controller hereby approves transfers of Personal Data to the Contracted Processors listed in Schedule 3 (Approved Contracted Processors) which are non-EEA -recipients, provided the other terms of 10.1 above are met.

10.6 The Controller hereby agrees that where the Processor engages a Contracted Processor in accordance with Section 5 for carrying out specific Processing activities (on behalf of the Controller) and those Processing activities involve a transfer of Customer Personal Data within the meaning of Chapter V of the GDPR, the Processor and the Contracted Processor can ensure compliance with Chapter V of the GDPR by using standard contractual clauses adopted by the Commission in accordance with of Article 46(2) of the GDPR, provided the conditions for the use of those standard contractual clauses are met.

11. Confidentiality

11.1 Each Party must keep this DPA and information it receives about the other Party and its business in connection with this DPA (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that: (a) disclosure is required by law; (b) the relevant information is already in the public domain.

12. Non-compliance with this DPA and termination

12.1 The Processor shall immediately inform the Controller if, in its opinion, any instruction given by the Controller infringes any Data Protection Laws. The Controller shall respond to such notification from the Processor within 10 Business Days. In case of inaction from the Controller or in case the Controller persists with an unlawful instruction, the Processor shall be allowed to terminate this DPA, without indemnity, other notice or the prior intervention of a judge.

12.2 In the event that the Processor is in breach of its obligations under this DPA, the Controller may instruct the Processor to suspend the Processing of Customer Personal Data until the latter complies with this DPA or the Principal Agreement is terminated.

12.3 The Controller shall be entitled to terminate the Principal Agreement insofar as it concerns Processing of Customer Personal Data in accordance with this DPA if:

(a) the Processing of Customer Personal Data by the Processor has been suspended by the Controller pursuant to 13.2 and if compliance with this DPA is not restored within a reasonable time and in any event within one month following suspension;

(b) the Processor is in substantial or persistent breach of this DPA or its obligations under the GDPR;

(c) the Processor fails to comply with a binding decision of a competent court or the competent Supervisory Authority/ies regarding its obligations pursuant to this DPA or the GDPR.

12.4 Upon termination of the Principal Agreement, this DPA, or at the written request of the Controller, the Processor shall, at the choice of the Controller, return the Customer Personal Data and all copies thereof to the Controller and/or shall destroy (delete) such Customer Personal Data and all existing copies thereof securely, taking into account its obligations pursuant to Article 32 GDPR. To the extent the Processor cannot comply with the Controller's request to return and/or destroy the Customer Personal Data, because applicable EU or EU Member State statutory provisions require longer storage, the Processor shall inform the Controller of such legal obligation, keep the Customer Personal Data confidential and only Process the Customer Personal Data to the extent required by the applicable EU or EU Member State law. Until the Customer Personal Data is deleted or returned, Processor shall continue to ensure compliance with this DPA.

12.5 Any request of deletion or return of Personal Data under this Section 12 shall be performed by the Processor within 30 Business Days after the date of the request from the Controller or termination of the Principal Agreement or this DPA, unless otherwise agreed upon at such time by the Parties. The Processor shall confirm in writing that the Processor has returned or destroyed all Personal Data and copies thereof in accordance with the request of the Controller.

13. Miscellaneous

13.1 The Processor may require the Customer to reimburse Processor's costs and expenses in complying with its obligations pursuant to Sections 6 (Data Subject rights requests), 4.4 (Security), 7 (Personal Data Breach), 8 (Other assistance to the Controller) and 9 (Documentation, compliance and audit rights) subject to these costs and expenses being reasonable.

13.2 Any notices, information and communications under this DPA may be sent by email using the following email addresses:

For the Processor: [email protected]

For the Controller: the email used to send an invoice to the Customer.

Such contact details may change from time to time and shall be notified by the relevant Party.

13.3 Nothing in this DPA reduces the Processor's obligations under any other agreement between the Parties in relation to the protection of Personal Data or permits the Processor to Process (or permit the Processing of) Personal Data in a manner which is prohibited by any other agreement between the Parties. In the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.

13.4 Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

13.5 The Parties agree that they will amend this DPA if reasonably required to comply with Data Protection Laws.

14. Governing Law and Jurisdiction

14.1 This DPA is governed by the laws of the Grand Duchy of Luxembourg.

14.2 Any dispute arising in connection with this DPA, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of the city of Luxembourg.

Date of Last Update

This agreement was last updated on 16th of January 2024.


Schedule 1 – Details of Processing

Subject matter and nature of the Processing

The Data Processing performed by the Data Processor on behalf of the Controller relates to the services of credentials and password management.

The Personal Data will be collected, received, used, stored and otherwise Processed as necessary to operate and support the Services, as further described in the Principal Agreement, to the extent determined and controlled by the Customer in its sole discretion. Further, Passbolt and service providers it uses shall Process and enrich the Personal Data its systems to improve the availability, reliability and security of the Services.

The Data Processing details and procedure can be found in the Passbolt Privacy Policy at https://www.passbolt.com/privacy.

Duration of the Processing

The Processing shall continue until the later of:

(i) the DPA being terminated;

(ii) the Processor no longer being subject to an applicable legal or regulatory requirement to continue to store the Personal Data.

Types of Personal Data

Name, email address, job title, contact details, passwords and credentials, files and documents, location, IP address, browser user agent.

Categories of Data Subjects

Employees, agents, advisors, freelancers of Customer (who are natural persons);

Users authorized by Customer to use the Services;


Schedule 2 – Technical and Organization Security Measures (TOM)

Organizational Security

Information Security Program

We have an Information Security Program in place that is communicated throughout the organization. Our Information Security Program follows the criteria set forth by the SOC 2 Framework.

We define and regularly review our organization’s security objectives as well as associated risks and mitigations. Our policies and their associated procedures are designed to protect personal data. Third-Party Audits.

Our organization undergoes independent third-party assessments to test our security and compliance controls.

Third-Party Penetration Testing

We perform an independent third-party penetration test at least annually to assess the security posture of our services. You can read more about our latest test results on the dedicated incident pages.

We run a bug bounty program to recognise and reward the work of independent security researchers. We offer a clear and secure way to contact us to report a security vulnerability as well as a clear process defining how we respond to such a report, both of which are outlined on the help site and products' readme file.

Roles and Responsibilities

Roles and responsibilities related to our Information Security Program and the protection of personal and sensitive data are well defined and documented. Our team members are required to review and accept all of the security policies.

We have dedicated staff responsible to implement and manage our security procedures. Through the associated supporting systems they regularly monitor for suspicious activity. They organise dedicated workshops to train and evaluate other staff members' response to security incidents. Security Awareness Training

All of our team members are required to go through employee security awareness training covering industry standard practices and information security topics such as phishing and password management. They also undergo one-on-one dedicated security training, which covers the specific security requirements needed on the basis of their role. We educate and encourage collaborators to raise awareness, draft proposals in order to improve and innovate in the field of security and privacy.

Confidentiality

All team members are required to sign and adhere to an industry standard confidentiality agreement prior to their first day of work.

Background Checks

Each employee or contractor undergoes a background check and is requested to disclose any criminal record, previous employer details and education diploma, if any.

Product security

Development best practice

All the code produced for the core products and associated services must adhere to the OWASP guidelines and recommendation, to prevent common security issues such as cross site scripting (XSS) or SQL injections.

Change management

Every code change is signed, tracked in a versioning system and covered by a change management policy, which requires code review by a maintainer. Similarly publishing rights is reserved to a small list of maintainers.

Security whitepaper

We publish and maintain a security white paper for the product distributed to our customers, to help them evaluate the residual risks as per their threat model.

Cloud Security

Cloud Infrastructure Security

Our cloud services are hosted in Europe with Google Cloud Platform (GCP). They employ a robust security program with multiple certifications including ISO 27001, ISO 27017, ISO 27018, ISO 27701, SOC 1, SOC 2, SOC 3, PCI DSS. (Ref.).

Our site reliability team uses an extensive set of systems in order to provide security in depth. All the components of our infrastructure are designed to be redundant with multiple layers of failover. All our development, test or production environments are segmented on several isolated networks and where applicable different projects. Default passwords are removed and all non necessary services are removed or disabled. All our infrastructure is automated and defined as code. We have hardened, consistent, tested, reproducible builds for our all servers. Server secrets and credentials are encrypted using keys stored in a secure storage service and can be rotated on demand.

We use several layers of firewalls, including a web application firewall (WAF) to detect and restrict suspicious or undesirable traffics, as well as regular firewalls to further restrict access.

Data Hosting Security

All of our data is hosted on Google Cloud Platform (GCP) databases. These databases are all located in the Europe. For the cloud product, each of the customers workspace data is logically separated in individual databases.

We hold the data for as long as a customer chooses to use the service. Once they terminate their Passbolt cloud account the data are automatically deleted from our backups within 6 weeks.

Encryption at Rest

All the cloud data, including the backups, is encrypted at rest using 256-bit Advanced Encryption Standard (AES) with keys stored in a secure storage system.

Encryption in Transit

All customer data transmitted to our servers is protected using strong encryption protocols such as TLS. We ensure encryption of communication not only between the customer and our servers but also internally between all parts of our systems. We maintain and review using automated tools a list of acceptable TLS encryption algorithms.

Vulnerability Scanning

We perform vulnerability scanning and actively monitor for new threats. We use static code analyser tools and software dependencies scanners to detect issues and vulnerabilities.

Logging and Monitoring

We actively monitor and log various cloud services. We use an intrusion detection system (IDS) to detect and notify in case of unauthorised access to servers. We regularly review alerts from these systems as well as application logs monitor abnormal or suspicious activities.

Business Continuity and Disaster Recovery

We use redundant monitoring tools with real time notifications to alert the team in the event of any failures affecting users, to notify downtime, performance issues and abnormal activities. We rely on trustworthy security service providers to prevent DDoS attacks on our servers.

We use our data hosting provider’s backup services to reduce any risk of data loss in the event of a hardware failure. Additionally we run incremental backups everyday. All backups are scheduled, encrypted, tracked and tested regularly. We regularly perform disaster recovery tests with unique scenarios.

We also recommend our customers to schedule regular backups of their data using export features.

Incident Response

We have a process for handling information security events which includes escalation procedures, rapid mitigation and communication. The users can check service availability through a dedicated status page. The users can check for incident response on dedicated incident pages.

Access Security

Permissions and Authentication

Where available we have Single Sign-on (SSO), 2-factor authentication (2FA) and strong password policies to ensure access to cloud services are protected.

Access to cloud infrastructure and other sensitive tools are limited to authorized employees who require it for their role. Access to test, staging and production environments is maintained by a central directory and authenticated using a combination of strong passwords, two-factor authentication, and passphrase-protected SSH keys. Only a minimal number of individuals have access to the production environments.

For email, Our DMARC policy uses SPF and DKIM to verify that messages are authentic.

Least Privilege Access Control

We employ technical access controls and internal policies to prohibit employees from arbitrarily accessing user data. We adhere to the principles of least privilege and role-based permissions to reduce the risk of data exposure.

Quarterly Access Reviews

We perform quarterly access reviews of all team members with access to sensitive systems.

Endpoint Security

We require every employee's workstations and mobile devices to be selected from a short list of respectable and officially supported devices and operating systems. They must be set up to be automatically kept up to date and with data encryption at rest. Workstation must have an up to date firewall and anti-virus software installed. Employees' workstations must be set to automatically lock when they are idle. Mobile devices used for business purposes are individually reviewed to ensure they meet our security standards.

Password Requirements

All employees must use a password manager and use it to generate strong unique passwords. They must have a strong master passphrase. Employees are provided with a physical security token to be used for second factor authentication.

Password Managers

All company members use our flagship product, passbolt, a password manager for team members to manage passwords and maintain password complexity.

Physical Security

Access to building and facilities are controlled and limited via the use of access cards. Dedicated staff is available at the reception to orient and control access of visitors during work hours. Access is monitored using CCTV cameras. Each collaborator is provided with an access card to access the office space. Each visitor of the office space must be accompanied by an employee at all times.

Further sensitive documentation, such as employee files are stored in secure storage space requiring a separate set of keys and only provided to selected C-level executives.

Vendor and Risk Management

Annual Risk Assessments

We undergo at least annual risk assessments to identify any potential threats, including considerations for fraud. We do background checks and a risk assessment of our consultants and service providers as part of our procurement processes.

Vendor Risk Management

Vendor risk is determined and the appropriate vendor reviews are performed prior to authorizing a new vendor. Where applicable we request them to agree to our General Terms and Conditions of Purchase and Contracting, or alternatively make sure that their general terms and conditions / our contract with them, enforce them to maintain the highest possible level of confidentiality and privacy when it comes to sensitive and personal data protection.

We make sure all of our service providers that have access to personal data are certified according to industry security standards and compliance instruments such as ISO27001, PCI-DSS, SOC 2 that enforce strict procedures for both physical and digital security.

As part of our Data Protection Agreement we maintain the list of approved data processors with the processors activities, type of personal data, location, implemented safeguards and data transfer mechanism.


Schedule 3 – Approved Contracted Processors

The Service Provider currently uses the following Contracted Processors:

Contracted processorProcessor activitiesType of personal dataHeadquarters locationImplemented safeguards & data transfer mechanism
Amazon Web ServicesEmail delivery (AWS SES)Name, email address, location, IP address of customer and authorized usersUSAISO 27001:2013, 27018, 27701, SOC2 (Ref)
Standard Contractual Clauses (Ref)
Using services located in Ireland and Germany.
ChargebeeSubscription & invoice managementName, email address, location, IP address of customer.USAISO 27001:2013, SOC 1, SOC 2, PCI DSS certifications. (Ref)
Standard Contractual Clauses.
Using datacenter located in Europe.
ChartmogulSubscription & invoice managementName, email address, location, IP address of customer.GermanySecurity best practices. (Ref)
Standard Contractual Clauses.
CloudFlareWeb Application Firewall and Content Delivery NetworkName, email address, location, IP address of customer and user of service.USAISO 27001:2013, SOC 2 type II, SOC 3, PCI DSS 3.2.1 certifications. (Ref)
Standard Contractual Clauses.
Google Cloud Platform (GCP)Hosting of passbolt websites and cloud dataName, email address, credentials, location including IP address of cloud service users.USAISO 27001, ISO 27017, ISO 27018, ISO 27701, SOC 1, SOC 2, SOC 3, PCI DSS certifications. (Ref.)
Cloud Site data is hosted in Belgium and Germany.
Standard Contractual Clauses.
HubspotCustomer relation management and supportName, email address, address of customer.USASecurity best practices & infrastructure providers with SOC 2 Type II and ISO 27001 certifications. (Ref) Standard Contractual Clauses.
New relicPerformance and security monitoringLog information (may contain email, name of customer and service user).USASOC 2 type II certification. (Ref)
Standard Contractual Clauses.
SlackSupport and alertsName, email address, location of customer or service user asking for support.USAISO 27001, ISO 27017, ISO 27018, SOC 2, SOC 3 certifications. (Ref)
Standard Contractual Clauses.
StripePayment managementName, email address, location, credit card of customer.USAPCI Service Provider Level 1 certification. (Ref)
Standard Contractual Clauses.
ZohoAccountingName, email address, location of customer.USAISO 27001:2013, ISO 27701, ISO 27017, ISO 27018, ISO 9001, SOC 2 type 2, PCI DSS certifications. (Ref)
Standard Contractual Clauses.
Excellium ServicesSecurity Operation Center / Computer Security Incident ResponseLocation including IP address of cloud service users, Log information (can contain email, name of customer and service user).LuxembourgISO 27001:2013 certification
h
b
f
c
j
g
i
l
k
h
b