Data Processing Policy
This Data Processing Policy and its exhibits apply to the processing of Personal Data by the Company on behalf of a client in order to provide cloud services as agreed in the agreement with the Client.
- Client is the sole controller of the client’s personal information and Client agrees to the processing of Client’s personal data by the Prometheus Ltd (the “Company”) as set out in this policy. Client appoints the Company as Processor for the mean of processing Client’s personal data.
- Categories of Data subjects, type of Client’s personal data and the processing activities are set out in the applicable Exhibit for the company’s applicable service, the duration of the processing of Client’s personal data corresponds with the duration of the service provided by the Company, the purpose of the processing of personal data reflects the provisions of the service provided to the client.
- The Company will process Client’s personal data according to the scope of service provided to the Client by the Company, as set out in the agreement between the Company and client.
- The Client will be the only point of contact for the Company and Client will be regarded as the only Controller of the Client’s personal data.
- The Company will take any measure to comply with the European General Data Protection Regulation (“GDPR”) in respect of the services applicable to the Client. The Company will not be responsible for determining the applicable privacy protection legislation of the Client and Client approves that the Company’s service meets the requirements of such legislation. Client is responsible for the lawfulness of the processing of Client’s personal data. Client undertakes to not use the service if such service violates any applicable data protection legislation.
- Company may engage with subcontractors to execute Company’s undertakings under the agreement with a Client. Company will ensure that all subcontractors are taking the security measures as the Company with regard to Client’s personal data processed, or stored on third parties digital and physical infrastructures. A list of current subcontractors engaged with the Company is annexed to this Data Processing Policy. Company may update the list of subcontractors from time to time and without notice.
- If a Client disapproves the use of a specific subcontractor used by the Company, it may inform the Company with a written notice, and Company will reply within reasonable time if that specific subcontractor may be replaced for the Client’s needs, or that Client may terminate the agreement with the Company effectively from Company’s respond.
Cross-border data transfer and data processing
- Company may use, for the purpose of its’ services, subcontractors and/or Sub-Processors which are established outside of the EU countries, by implementing the EU Standards Contractual Clauses and only to countries considered by the EU commission to have adequate protection of personal data.
Certification – Data Security
- Company takes the required security measures on its platforms and applications. Client is responsible for executing security measures to protect Client’s personal data and to comply with privacy legislation in Client’s territory. The company implemented and maintained ISO 27001 standard.
- The Company will take organizational measures and will conduct technical maintenance actions to ensure a level of security appropriate to the risk of the Company’s scope of service. The Company keeps its right to change and update those measures provided that the security and functionality of the service are not degraded.
- Client confirms that the company’s security measures provide the Client appropriate level of protection for the Client’s personal data, in consideration with risks associated with the Client’s personal data.
Data Subjects Rights
- Company will notify the Client of any requests from data subjects exercising their rights such as amending the data or deletion of the data or any other data subject right according to privacy legislation. Client will be responsible to respond to data subjects requests according to their rights. Client will have reasonable cooperation by the Company to comply with data subjects rights.
- In case a data subject initiate legal proceedings against the Company for breaching its data subject’s rights, Client will indemnify the Company for any damages or expenses which may arise as a result of such legal proceedings only if the Company notified Client for the initiated legal proceedings by the data subject and Company allowed and assisted Client to prepare its defense.
- Client has the right to claim from the Company amounts paid to data subjects for breaching its data subject rights caused due to Company’s breach of its obligation under GDPR.
- The Company will not share Client’s personal data with third parties unless the Company instructed in writing by Client or required by law. Company will notify Client about disclosure requirements received from third parties and authorities, unless company was ordered otherwise.
- Company will notify Client as it become aware of personal data breach with regard to the Client’s personal data, controlled or processed by the Company or with regard to the services provided by the Company to Client.
- Company will act with regard to Breach Notification to the Authorities, as it will be instructed to by the Client, or by any law which will apply on the Company in a specific personal data breach event.
- The Company will investigate any Client’s personal data breach and will notify the Client of such investigation’s results.
- Client will notify the company of any personal data breach, which Client becomes aware of, and the Company will assist the Client to investigate the personal data breach, with regard to the services provided to the Client on the Company’s network infrastructure and platforms.
- The Company will verify that any of the Company’s employees and contractors which have access to Client’s personal data, signed with the Company a confidentiality agreement / undertaking with regard to Client’s personal data.
- Company does not retain personal information other than for the purpose of the services it provides. If for any reason Client wishes to modify or delete Client’s Personal Information request needs to be sent to:firstname.lastname@example.org, and Company will make reasonable efforts to modify or delete any such Personal Information pursuant to any applicable privacy laws within reasonable time.
- Unless instructed otherwise Company may retain Client’s Personal Information for a period of no longer than seven (7) years since Client’s last use of the Company Services.
- Upon Client’s request to delete Personal Information, Company may depersonalize Client’s Personal Information, instead of deleting it, for the purpose of enhancing and improving the Company’s Services,
- Some information may not be deleted in order to keep the integrity of the Company’s system, but the information will be stripped off any Personal Information linked to such information and having such data be anonymized.
- Following a request to the Company from Client to: (i) delete any Personal Information or (ii) delete Personal Information data from the App’s interface or (iii) terminate a Client’s account, an automated process will begin that permanently deletes the Client’s Personal Information in accordance with the timelines set forth in the tables below. Once begun, this process cannot be reversed and data will be permanently deleted, or data will be stripped from any personalized information and shall be kept in an anonymized manner.
|Type of Data||Timeline for Deletion (after deletion process begins) for Cancellation, Termination or Migration|
Annex – A list of current subcontractors engaged with the Company
- Third Parties Platforms used for the Service (updated July 2018)
- Google Analytics
- Microsoft Azure
- Trio Hosting Services