OwnBackup Data Processing Addendum
Product Information
The product is a Data Processing Addendum (DPA) provided by OwnBackup. It is designed to facilitate the processing of personal data on behalf of the customer. The DPA consists of a main body and several schedules that outline the terms and conditions of the data processing agreement.
The DPA is applicable for the year 2023 and has been pre-signed by OwnBackup. It requires completion and signature by the customer to become legally binding. The DPA includes provisions for the protection of personal data in accordance with relevant data protection laws and regulations, such as the General Data Protection Regulation (GDPR).
Product Usage Instructions
- Review the DPA and its associated schedules to understand the terms and conditions.
- Complete the Customer Name and Customer Address sections on page 2 of the DPA.
- Provide your signature in the signature box on page 6.
- Verify that the information on Schedule 3 accurately reflects the subjects and categories of data to be processed.
- Send the completed and signed DPA to OwnBackup at privasi@ownbackup.com.
- Upon receipt of the validly completed DPA, OwnBackup will consider it legally binding.
HOW TO EXECUTE THIS DPA
- This DPA consists of two parts: the main body of the DPA, and Schedules 1, 2, 3, 4, and 5.
- This DPA has been pre-signed on behalf of OwnBackup.
- To complete this DPA, the Customer must:
- Complete the Customer Name and Customer Address sections on page 2.
- Complete the information in the signature box and sign on page 6.
- Verify that the information in Schedule 3 (“Details of the Processing”) accurately reflects the subjects and categories of data to be processed.
- Send the completed and signed DPA to OwnBackup at privasi@ownbackup.com.
Upon OwnBackup’s receipt of the validly completed DPA at this email address, this DPA will become legally binding.
The signature of this DPA on page 6 shall be deemed to constitute the signature and acceptance of the Standard Contractual Clauses (including their Appendices) and the UK Addendum, both incorporated herein by reference.
HOW THIS DPA APPLIES
- If the Customer entity signing this DPA is a party to the Agreement, this DPA is an addendum to and forms part of the Agreement. In such case, the OwnBackup entity that is a party to the Agreement is a party to this DPA.
- If the Customer entity signing this DPA has executed an Order Form with OwnBackup or its Affiliate pursuant to the Agreement, but is not itself a party to the Agreement, this DPA is an addendum to that Order Form and applicable renewal Order Forms, and the OwnBackup entity that is a party to such Order Form is a party to this DPA.
- If the Customer entity signing this DPA is neither a party to an Order Form nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Customer entity that is a party to the Agreement execute this DPA.
- If the Customer entity signing the DPA is not a party to an Order Form nor a Master Subscription Agreement directly with OwnBackup but is instead a customer indirectly via an authorized reseller of OwnBackup services, this DPA is not valid and is not legally binding. Such an entity should contact the authorized reseller to discuss whether an amendment to its agreement with that reseller is required.
- In the event of any conflict or inconsistency between this DPA and any other agreement between Customer and OwnBackup (including, without limitation, the Agreement or any data processing addendum to the Agreement), the terms of this DPA shall control and prevail.
This Data Processing Addendum, including its Schedules and Appendices, (“DPA”) forms part of the Master Subscription Agreement or other written or electronic agreement between OwnBackup Inc. (“OwnBackup”) and the Customer entity named above for the purchase of online services from OwnBackup (the “Agreement”) to document the parties’ agreement regarding the Processing of Personal Data. If such Customer entity and OwnBackup have not entered into an Agreement, then this DPA is void and of no legal effect.
The Customer entity named above enters into this DPA for itself and, if any of its Affiliates act as Controllers of Personal Data, on behalf of those Authorized Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
In the course of providing the SaaS Services to Customer under the Agreement, OwnBackup may Process Personal Data on behalf of Customer. The parties agree to the following terms with respect to such Processing.
DEFINITIONS
- “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 and together with any implementing regulations. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data and is deemed to also refer to a “business” as defined in the CCPA.
- “Customer” means the entity named above and its Affiliates.
- “Data Protection Laws and Regulations” means all laws and regulations of the European Union and its member states, the European Economic Area and its member states, the United Kingdom, Switzerland, the United States, Canada, New Zealand, and Australia, and their respective political subdivisions, applicable to the Processing of Personal Data. These include, but are not limited to, the following, to the extent applicable: the GDPR, UK Data Protection Law, the CCPA, the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act and related regulations (“CPA”), the Utah Consumer Privacy Act (“UCPA”), and the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (the “CPDPA”). “Data Subject” means the identified or identifiable person to whom Personal Data relates and includes “consumer” as defined in Data Protection Laws and Regulations. “Europe” means the European Union, the European Economic Area, Switzerland, and the United Kingdom.
- Additional provisions applicable to transfers of Personal Data from Europe are contained in Schedule 5. In the event that Schedule 5 is removed, Customer warrants that it shall not process Personal Data subject to the Data Protection Laws and Regulations of Europe.
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “OwnBackup Group” means OwnBackup and its Affiliates engaged in the Processing of Personal Data.
- “Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data, personal information, or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data.
- “Personal Data Processing Services” means the SaaS Services listed in Schedule 2 in which OwnBackup may Process Personal Data.
- “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
- “Standard Contractual Clauses” means the Annex to the European Commission’s implementing decision (EU) 2021/914 (https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj) of 4 June 2021 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of the European Union and subject to required amendments for Switzerland further described in Schedule 5.
- “Sub-processor” means any Processor engaged by OwnBackup, by a member of the OwnBackup Group or by another Sub-processor.
- “Supervisory Authority” means a governmental or government-chartered regulatory body having binding legal authority over Customer.
- “UK Addendum” means the United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of 21 March 2022 at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/), completed as described in Schedule 5.
- “UK Data Protection Law” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as may be amended from time to time by the Data Protection Laws and Regulations of the United Kingdom.
PROCESSING OF PERSONAL DATA
- Scope. The parties agree that this DPA shall apply solely to the Processing of Personal Data within the Personal Data Processing Services.
- Roles of the Parties. The parties agree that with regard to the Processing of Personal Data, Customer is the Controller and OwnBackup is the Processor.
- OwnBackup’s Processing of Personal Data. OwnBackup shall treat Personal Data as Confidential Information and shall Process Personal Data on behalf of and only in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Orders; (ii) Processing initiated by Customer personnel in their use of the SaaS Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
- Processing Restrictions. OwnBackup shall not: (i) “sell” or “share” Personal Data, as such terms are defined in Data Protection Laws and Regulations; (ii) retain, use, disclose or Process Personal Data for any commercial or other purpose other than to perform the SaaS Services; or (iii) retain, use, or disclose Personal Data outside of the direct business relationship between Customer and OwnBackup. OwnBackup shall comply with applicable restrictions under Data Protection Laws and Regulations on combining Personal Data with personal data that OwnBackup receives from, or on behalf of, another person or persons, or that OwnBackup collects from any interaction between it and any individual.
- Notification of Unlawful Instructions; Unauthorized Processing. OwnBackup shall immediately inform Customer if, in its opinion, an instruction by Customer infringes any Data Protection Law or Regulation. Customer retains the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data, including uses of Personal Data not authorized in this DPA.
- Details of the Processing. The subject matter of the Processing of Personal Data by OwnBackup is the performance of the SaaS Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 3 (Details of the Processing).
- Data Protection Impact Assessment. Upon Customer’s request, OwnBackup shall reasonably assist Customer in fulfilling Customer’s obligation under Data Protection Laws and Regulations to carry out a data protection impact assessment related to Customer’s use of the SaaS Services, to the extent Customer does not otherwise have access to the relevant information and such information is available to OwnBackup. OwnBackup shall reasonably assist Customer in its cooperation or prior consultation with a Supervisory Authority regarding any such data protection impact assessment to the extent required under applicable Data Protection Laws and Regulations.
- Customer Obligations Regarding Personal Data. In its use of the SaaS Services, Customer will comply with the Data Protection Laws and Regulations, including any applicable requirements to provide notice to and/or obtain consent from Data Subjects for Processing by OwnBackup. Customer shall ensure that its instructions for the Processing of Personal Data comply with Data Protection Laws and Regulations.
- Customer shall be solely responsible for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer shall ensure that its use of the SaaS Services will not violate the rights of any Data Subject that has opted out from sales, sharing, or other disclosures of Personal Data, to the extent applicable. Customer shall ensure that Customer Data does not contain any data which qualifies as personal health data protected under Article L.1111-8 of the French Public Health Code.
REQUESTS FOR CUSTOMER DATA
- Requests from Data Subjects. OwnBackup shall, to the extent legally permitted, promptly notify Customer if OwnBackup receives a request from a Data Subject to exercise the Data Subject’s right of access, right of rectification, right to restrict Processing, right of erasure (“right to be forgotten”), right of data portability, right to object to the Processing, or right not to be subject to automated individual decision making, each such request being a “Data Subject Request.” Taking into account the nature of the Processing, OwnBackup shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Customer, in its use of the SaaS Services, does not have the ability to address a Data Subject Request, OwnBackup shall upon Customer’s request use commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent OwnBackup is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. Where such assistance exceeds the scope of the contracted SaaS Services, and to the extent legally permitted, Customer will be responsible for any additional costs arising from the assistance.
- Requests from Other Third Parties. If OwnBackup receives a request from a third party other than a Data Subject (including, without limitation, a government agency) for Customer Data, OwnBackup shall where permitted by law direct the requesting party to the Customer and promptly notify the Customer of the request. Where OwnBackup is not permitted by law to notify the Customer of the request, OwnBackup shall only respond to the requesting party if required by law to do so and will make reasonable efforts to work with the requesting party to narrow the scope of the Customer Data request.
OWNBACKUP PERSONNEL
- Confidentiality. OwnBackup shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. OwnBackup shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
- Reliability. OwnBackup shall take commercially reasonable steps to ensure the reliability of any OwnBackup personnel engaged in the Processing of Personal Data.
- Limitation of Access. OwnBackup shall ensure that OwnBackup’s access to Personal Data is limited to those personnel who require such access to perform the SaaS Services in accordance with the Agreement.
- Data Protection Officer. Members of the OwnBackup Group will appoint a data protection officer where such appointment is required by Data Protection Laws and Regulations. The appointed person may be reached at privasi@ownbackup.com.
SUB-PROCESSORS
- Appointment of Sub-processors. Customer grants OwnBackup a general authorization to appoint third-party Sub-processors in connection with the SaaS Services, in accordance with the procedures outlined in this DPA. OwnBackup or an OwnBackup Affiliate has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA with respect to the protection of Customer Data, to the extent applicable to the services provided by such Sub-processor.
- Current Sub-processors and Notification of New Sub-processors. A list of Sub-processors for the SaaS Services, as of the date this DPA is executed, is attached in Schedule 1. OwnBackup shall notify Customer in writing of any new Sub-processor before authorizing such new Sub-processor to Process Personal Data.
- Objection Right for New Sub-processors. Customer may object to OwnBackup’s use of a new Sub-processor by notifying OwnBackup in writing within 30 days after receipt of a notice described in the preceding paragraph. If Customer objects to a new Sub-processor as permitted in the preceding sentence, OwnBackup will use commercially reasonable efforts to make available to Customer a change in the SaaS Services or recommend a change to Customer’s configuration or use of the SaaS Services, to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If OwnBackup is unable to make available such change in the SaaS Services, or to recommend such a change to Customer’s configuration or use of the SaaS Services that is satisfactory to Customer, within a reasonable period of time (which shall in no event exceed 30 days), Customer may terminate the applicable Order Form(s) by providing written notice to OwnBackup. In such event, OwnBackup will refund to Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination, without imposing a penalty for such termination on Customer.
- Liability for Sub-Processors. OwnBackup shall be liable for the acts and omissions of its Sub-processors to the same extent OwnBackup would be liable if performing the services of each Sub-processor directly under the terms of this DPA.
SECURITY
- Controls for the Protection of Customer Data. OwnBackup shall maintain appropriate physical, technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data, including Personal Data, in accordance with Schedule 4 (OwnBackup Security Controls). OwnBackup will not materially decrease the overall security of the SaaS Services during a subscription term.
- Third-Party Audit Reports and Certifications. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations in the Agreement, OwnBackup shall make available to Customer a copy of OwnBackup’s then most recent third-party SOC 2 audit report, and of any other audit reports and certifications that OwnBackup makes available to customers, provided Customer is not a competitor of OwnBackup.
CUSTOMER DATA INCIDENT MANAGEMENT AND NOTIFICATION
OwnBackup maintains security incident management policies and procedures and shall notify Customer without undue delay after becoming aware of an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by OwnBackup or its Sub-processors of which OwnBackup becomes aware (a “Customer Data Incident”). OwnBackup shall make reasonable endeavours to identify the cause of such Customer Data Incident and take steps as OwnBackup deems necessary and reasonable to remediate the cause of such Customer Data Incident to the extent the remediation is within OwnBackup’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or its personnel.
RETURN AND DELETION OF CUSTOMER DATA
OwnBackup shall return Customer Data to Customer and, to the extent allowed by applicable law, delete Customer Data in accordance with the procedures and timeframes specified in the Agreement.
AUDITS
Upon Customer’s request, and subject to the confidentiality obligations in the Agreement, OwnBackup shall make available to Customer (or Customer’s third-party auditor that has signed a nondisclosure agreement reasonably acceptable to OwnBackup) information necessary to demonstrate the OwnBackup Group’s compliance with the obligations set forth in this DPA and its obligations as a Processor under Data Protection Laws and Regulations in the form of OwnBackup’s completed standardized security questionnaires, third-party certifications and audit reports (e.g., its completed Standardized Information Gathering (SIG) and Cloud Security Alliance Consensus Assessments Initiative (CSA CAIQ) questionnaires, SOC 2 report and summary penetration test reports) and, for its Sub-processors, the third-party certifications and audit reports made available by them. Following any notice by OwnBackup to Customer of an actual or reasonably suspected unauthorized disclosure of Personal Data, upon Customer’s reasonable belief that OwnBackup is in breach of its Personal Data protection obligations under this DPA, or if such audit is required by Customer’s Supervisory Authority, Customer may contact OwnBackup to request an audit of the procedures relevant to the protection of Personal Data. Any such audit shall be conducted remotely, except that Customer and/or its Supervisory Authority may conduct an onsite audit at OwnBackup’s premises if so required by the Data Protection Laws and Regulations. Any such request shall occur no more than once annually, except in the event of an actual or reasonably suspected unauthorized access to Personal Data. Before the commencement of any audit, Customer and OwnBackup shall mutually agree upon the scope, timing, and duration of the audit. In no event will any audit of a Sub-processor, beyond a review of reports, certifications and documentation made available by the Sub-processor, be permitted without the Sub-processor’s consent.
AFFILIATES
- Contractual Relationship. The Customer entity signing this DPA does so for itself and, as applicable, in the name and on behalf of its Affiliates, thereby establishing a separate DPA between OwnBackup and each such Affiliate subject to the provisions of the Agreement, this Clause 10, and Clause 11 below. Each such Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, such Affiliates are not and do not become parties to the Agreement, and are only parties to this DPA. All access to and use of the SaaS Services by such Affiliates must comply with the Agreement, and any breach of the Agreement by an Affiliate shall be deemed a breach by Customer.
- Communication. The Customer entity signing this DPA shall remain responsible for coordinating all communication with OwnBackup under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Affiliates.
- Rights of Customer Affiliates. Where a Customer Affiliate becomes a party to this DPA with OwnBackup, it shall to the extent required under applicable Data Protection Laws and Regulations be entitled to exercise the rights and seek remedies under this DPA, subject to the following:
  - Except where applicable Data Protection Laws and Regulations require the Customer Affiliate to exercise a right or seek any remedy under this DPA against OwnBackup directly, the parties agree that (i) solely the Customer entity that signed this DPA shall exercise any such right or seek any such remedy on behalf of the Customer Affiliate, and (ii) the Customer entity signing this DPA shall exercise any such rights under this DPA not separately for each Affiliate individually but in a combined manner for itself and all of its Affiliates together (as set forth, for example, in Clause 10.3.2 below).
  - The Customer entity signing this DPA shall, when carrying out a permitted audit of the procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on OwnBackup and its Sub-processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of itself and all of its Affiliates in one single audit.
LIMITATION OF LIABILITY
- To the extent permitted by Data Protection Laws and Regulations, each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the “Liability Limit” clauses, and such other clauses that exclude or limit liability, of the Agreement, and any reference in such clauses to the liability of a party means the aggregate liability of that party and all of its Affiliates.
CHANGES IN TRANSFER MECHANISM
- In the event that any current transfer mechanism relied on by the parties to facilitate the transfer of Personal Data to one or more countries that do not ensure an adequate level of data protection within the meaning of the Data Protection Laws and Regulations is invalidated, amended, or replaced, the parties will work in good faith to implement an alternative transfer mechanism to permit the continued Processing of Personal Data as contemplated in the Agreement. Use of such alternative transfer mechanism shall be subject to the satisfaction of all legal requirements for use of such transfer mechanism by each party.
The parties’ authorized signatories have duly executed this Agreement, including all applicable Schedules, Annexes, and Appendices incorporated herein.
CUSTOMER
- Signed:
- Name:
- Title:
- Date:
List of Schedules
- Schedule 1: List of Current Sub-processors
- Schedule 2: SaaS Services Applicable to Personal Data Processing
- Schedule 3: Details of the Processing
- Schedule 4: OwnBackup Security Controls
- Schedule 5: European Provisions
List of Current Sub-processors
Customer may select Amazon Web Services or Microsoft (Azure) and the desired Processing Location during Customer’s initial setup of the SaaS Services.
Applies only to OwnBackup Archive customers that choose to deploy in the Microsoft (Azure) Cloud.
SaaS Services Applicable to Personal Data Processing
- OwnBackup Enterprise for Salesforce
- OwnBackup Unlimited for Salesforce
- OwnBackup Governance Plus for Salesforce
- OwnBackup Archive
- Bring Your Own Key Management
- Sandbox Seeding
Details of the Processing
Data Exporter
- Full Legal Name: Customer Name as specified above
- Main Address: Customer Address as specified above
- Contact: Unless otherwise specified, this will be the primary contact on the Customer’s account.
- Contact Email: Unless otherwise specified, this will be the email address of the primary contact on the Customer’s account.
Data Importer
- Full Legal Name: OwnBackup Inc.
- Main Address: 940 Sylvan Ave, Englewood Cliffs, NJ 07632, USA
- Contact: Privacy Officer
- Contact Email: privasi@ownbackup.com
Nature and Purpose of the Processing
OwnBackup will Process Personal Data as necessary to perform the SaaS Services pursuant to the Agreement and Orders, and as further instructed by Customer in its use of the SaaS Services.
Duration of the Processing
OwnBackup will Process Personal Data for the term of the Agreement, unless otherwise agreed in writing.
Retention
OwnBackup will retain Personal Data within the SaaS Services for the term of the Agreement, unless otherwise agreed in writing, subject to the maximum retention periods specified in the Documentation.
Frequency of Transfer
As determined by Customer through its use of the SaaS Services.
Transfers to Sub-processors
As necessary to perform the SaaS Services pursuant to the Agreement and Orders, and as further described in Schedule 1.
Categories of Data Subjects
Customer may submit Personal Data to the SaaS Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include but is not limited to Personal Data relating to the following categories of data subjects:
- Prospects, customers, business partners and vendors of Customer (who are natural persons)
- Employees or contact persons of Customer’s prospects, customers, business partners and vendors
- Employees, agents, advisors, freelancers of Customer (who are natural persons)
- Customer’s users authorized by Customer to use the SaaS Services
Types of Personal Data
Customer may submit Personal Data to the SaaS Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include but is not limited to the following categories of Personal Data:
- First and last name
- Title
- Position
- Employer
- Identity data
- Professional life data
- Contact information (company, email, phone, physical business address)
- Personal life data
- Localization data
Special categories of data (if appropriate)
Customer may submit special categories of Personal Data to the SaaS Services, the extent of which is determined and controlled by Customer in its sole discretion, and which for the sake of clarity could include the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person or data concerning health. See the measures in Schedule 4 for how OwnBackup protects special categories of data and other personal data.
Introduction
- OwnBackup’s software-as-a-service application (the SaaS Services) was designed from the ground up with security in mind. The SaaS Services are designed with multiple security controls at various levels to address a range of security risks. These security controls may change from time to time; however, any change will maintain or improve the overall security posture.
- The control descriptions below apply to implementations of the SaaS Services on both the Amazon Web Services (AWS) and Microsoft Azure (Azure) platforms (collectively referred to as our Cloud Service Providers, or CSPs), except as specified in the Encryption section below. These control descriptions do not apply to RevCult software except as specified in “Secure Software Development” below.
Web Application Security Controls
- Customer access to the SaaS Services is only via HTTPS (TLS 1.2+), which establishes encryption of data in transit between end users and the application and between OwnBackup and third-party data sources (e.g., Salesforce).
- Customer SaaS Services administrators can provision and deprovision SaaS Services users and related access as needed.
- The SaaS Services provide role-based access control to allow customers to manage multi-organization permissions.
- Customer SaaS Services administrators can access an audit trail including username, action, timestamp, and source IP address fields. Audit logs can be viewed and exported by customer SaaS Services administrators logged into the SaaS Services, as well as via the SaaS Services API.
- Access to the SaaS Services can be restricted by source IP address.
- The SaaS Services allow customers to enable multi-factor authentication for access to SaaS Services accounts using time-based one-time passwords.
- The SaaS Services allow customers to enable single sign-on via a SAML 2.0 identity provider.
- The SaaS Services allow customers to enable customizable password policies to help align SaaS Services passwords with corporate policy.
Enkripsi
- OwnBackup menawarkan opsi Layanan SaaS berikut untuk enkripsi data saat istirahat:
- Penawaran standar.
- Data dienkripsi menggunakan enkripsi sisi server AES-256 melalui sistem manajemen kunci yang divalidasi berdasarkan FIPS 140-2.
- Enkripsi amplop digunakan sedemikian rupa sehingga kunci utama tidak pernah meninggalkan Modul Keamanan Perangkat Keras (HSM).
- ncryption keys are rotated no less than every two years.
- Opsi Manajemen Kunci Tingkat Lanjut (AKM).
- Data dienkripsi dalam wadah penyimpanan objek khusus dengan kunci enkripsi master (CMK) yang disediakan pelanggan.
- AKM memungkinkan pengarsipan kunci di masa mendatang dan memutarnya dengan kunci enkripsi master lainnya.
- Pelanggan dapat mencabut kunci enkripsi utama, sehingga data tidak dapat diakses secara langsung.
- Opsi Bawa Sistem Manajemen Kunci Anda Sendiri (KMS) (hanya tersedia di AWS).
- Kunci enkripsi dibuat di akun milik pelanggan yang dibeli secara terpisah menggunakan AWS KMS.
- Pelanggan menentukan kebijakan kunci enkripsi yang mengizinkan akun Layanan SaaS pelanggan di AWS untuk mengakses kunci dari AWS KMS milik pelanggan.
- Data dienkripsi dalam wadah penyimpanan objek khusus yang dikelola oleh OwnBackup, dan dikonfigurasi untuk menggunakan kunci enkripsi pelanggan.
- The customer may instantly revoke access to the encrypted data by revoking OwnBackup’saccess to the encryption key, without interacting with OwnBackup.
- Karyawan OwnBackup tidak memiliki akses ke kunci enkripsi kapan pun dan tidak mengakses KMS secara langsung.
- Semua aktivitas penggunaan kunci dicatat di KMS pelanggan, termasuk pengambilan kunci oleh penyimpanan objek khusus.
- Penawaran standar.
- Enkripsi saat transit antara Layanan SaaS dan sumber data pihak ketiga (misalnya, Salesforce) menggunakan HTTPS dengan TLS 1.2+ dan OAuth 2.0.
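As an added illustration (not OwnBackup's code and not AWS KMS itself), the following Python models the envelope-encryption and key-revocation behaviour described above: per-object data keys wrapped by a master key that never leaves the key service, a key policy listing which principals may use it, every use logged, and revocation of the SaaS account's access leaving the stored objects unreadable while the objects themselves are untouched. The principal name, the HMAC-based stand-in for AES-256 and the sample record are all constructed for this example.

```python
import hashlib
import hmac
import secrets

class AccessDenied(Exception):
    """The key policy does not allow this principal to use the master key."""

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed stand-in for AES-256: XOR with an HMAC-SHA256 keystream (toy, unauthenticated)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)

class CustomerKMS:
    """Models the customer-owned KMS: the master key never leaves this object."""

    def __init__(self, allowed_principals):
        self._master_key = secrets.token_bytes(32)   # CMK, held only here
        self.key_policy = set(allowed_principals)     # principals allowed to use it
        self.usage_log = []                           # every use is recorded

    def _authorize(self, principal, op):
        self.usage_log.append((principal, op))        # logged even when denied
        if principal not in self.key_policy:
            raise AccessDenied(f"{principal} may not {op}")

    def generate_data_key(self, principal):
        """Return (plaintext data key, wrapped data key); the caller discards the plaintext after use."""
        self._authorize(principal, "GenerateDataKey")
        data_key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        return data_key, nonce + _keystream_xor(self._master_key, nonce, data_key)

    def unwrap(self, principal, wrapped):
        self._authorize(principal, "Decrypt")         # only while the key policy still allows it
        return _keystream_xor(self._master_key, wrapped[:16], wrapped[16:])

def store_object(kms, principal, plaintext):
    """Encrypt one object under a fresh data key; keep ciphertext and the wrapped key together."""
    data_key, wrapped = kms.generate_data_key(principal)
    nonce = secrets.token_bytes(16)
    return {"wrapped_key": wrapped, "nonce": nonce, "ciphertext": _keystream_xor(data_key, nonce, plaintext)}

def read_object(kms, principal, obj):
    data_key = kms.unwrap(principal, obj["wrapped_key"])   # unwrap through the KMS, then decrypt
    return _keystream_xor(data_key, obj["nonce"], obj["ciphertext"])

def demo_revocation():
    """Round-trip a record, revoke the SaaS account in the key policy, show the read now fails."""
    kms = CustomerKMS({"saas-account"})
    obj = store_object(kms, "saas-account", b"customer record")
    before = read_object(kms, "saas-account", obj)
    kms.key_policy.discard("saas-account")            # customer acts alone; stored objects untouched
    try:
        read_object(kms, "saas-account", obj)
        after = "readable"
    except AccessDenied:
        after = "denied"
    return before, after, len(kms.usage_log)
```

The usage log records the denied attempt as well as the successful uses, which is the audit property the KMS option relies on.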
Network
- The SaaS Services use CSP network controls to restrict network ingress and egress.
- Stateful security groups are used to restrict network ingress and egress to authorized endpoints.
- The SaaS Services use a multi-tier network architecture, including multiple logically separated Amazon Virtual Private Clouds (VPCs) or Azure Virtual Networks (VNets), using private, DMZ and untrusted zones within the CSP infrastructure.
- On AWS, VPC S3 Endpoint restrictions are used in each region to allow access only from authorized VPCs.
Monitoring and Auditing
- SaaS Services systems and networks are monitored for security incidents, system health, network anomalies and availability.
- The SaaS Services use an intrusion detection system (IDS) to monitor network activity and alert OwnBackup to suspicious behavior.
- The SaaS Services use a web application firewall (WAF) for all public web services.
- OwnBackup logs application, network, user and operating system events to local syslog servers and a region-specific SIEM. These logs are automatically analyzed and reviewed for suspicious activity and threats. Any anomalies are escalated as appropriate.
- OwnBackup uses a security information and event management (SIEM) system that provides continuous security analysis of the SaaS Services network and security environment, user anomaly alerting, command-and-control (C&C) attack reconnaissance, automated threat detection and indicator of compromise (IOC) reporting. All of these capabilities are managed by OwnBackup's security and operations staff.
- The OwnBackup incident response team monitors the security@ownbackup.com alias and responds in accordance with the company's Incident Response Plan (IRP) as required.
Cross-Account Isolation
- The SaaS Services use Linux sandboxes to isolate customer account data during processing. This helps ensure that any anomaly (for example, due to a security issue or software bug) remains confined to a single OwnBackup account.
- Tenant data access is controlled via unique IAM users with data tagging that prohibits unauthorized users from accessing tenant data.
Disaster Recovery
- OwnBackup uses CSP object storage to store encrypted customer data across multiple availability zones.
- For customer data held in object storage, OwnBackup uses object versioning with automatic aging to support compliance with OwnBackup's backup and disaster recovery policies. For these objects, OwnBackup's systems are designed to support a recovery point objective (RPO) of 0 hours (i.e., the ability to restore to any object version as it existed within the preceding 14-day period).
- Recovery of any required compute instances can be performed by rebuilding those instances from OwnBackup's configuration management automation.
- OwnBackup's Disaster Recovery Plan is designed to support a recovery time objective (RTO) of 4 hours.
Vulnerability Management
- OwnBackup periodically performs web application vulnerability assessments, static code analysis and external dynamic assessments as part of a continuous monitoring program to help ensure that application security controls are correctly implemented and operating effectively.
- Semi-annually, OwnBackup engages independent third-party penetration testers to perform network testing and web vulnerability assessments. The scope of these external audits includes coverage of the Open Web Application Security Project (OWASP) Top 10 Web Vulnerabilities (www.owasp.org).
- Vulnerability assessment results are fed into OwnBackup's software development lifecycle (SDLC) to remediate identified vulnerabilities. Specific vulnerabilities are prioritized and entered into OwnBackup's internal ticketing system to be tracked to resolution.
Incident Response
In the event of a potential security breach, the OwnBackup Incident Response Team will perform an assessment of the situation and develop appropriate mitigation strategies. If a potential breach is confirmed, OwnBackup will immediately act to mitigate the breach and preserve forensic evidence, and will notify impacted customers’ primary points of contact without undue delay to brief them on the situation and provide resolution status updates.
Secure Software Development
OwnBackup applies secure development practices for the OwnBackup and RevCult software applications throughout the software development lifecycle. These practices include static code analysis, Salesforce security review for the RevCult applications and for OwnBackup applications installed in customers' Salesforce instances, peer review of code changes, restricting source code repository access on the principle of least privilege, and logging source code repository access and changes.
Dedicated Security Team
OwnBackup has a dedicated security team with more than 100 years of combined, multi-faceted information security experience. In addition, team members hold a number of industry-recognized certifications, including but not limited to CISM, CISSP and ISO 27001 Lead Auditor.
Privacy and Data Protection
OwnBackup provides native support for data subject access requests, such as the right to erasure (right to be forgotten) and anonymization, to support compliance with data privacy regulations, including the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA) and the California Consumer Privacy Act (CCPA). OwnBackup also provides a Data Processing Addendum to meet privacy and data protection laws, including legal requirements for international data transfers.
Background Checks
OwnBackup performs a panel of background checks, including criminal background checks, on its personnel who may have access to customer data, based on the jurisdictions in which the employee has resided during the preceding seven years, subject to applicable law.
Insurance
OwnBackup maintains, at a minimum, the following insurance coverage: (a) workers' compensation insurance in accordance with applicable law; (b) automobile liability insurance for non-owned and hired vehicles, with a combined single limit of $1,000,000; (c) commercial general liability (public liability) insurance with a single limit of $1,000,000 per occurrence and a general aggregate of $2,000,000; (d) errors and omissions (professional indemnity) insurance with a limit of $20,000,000 per event and $20,000,000 in aggregate, including primary and excess layers, and covering cyber liability, technology and professional services, technology products, network and data security, breach response, regulatory defense and penalties, cyber extortion and data recovery liability; and (e) employee dishonesty/crime insurance with coverage of $5,000,000. OwnBackup will provide evidence of such insurance to Customer upon request.
European Provisions
This Schedule applies only to transfers of Personal Data (including onward transfers) from Europe that, if these provisions were not applied, would cause Customer or OwnBackup to be in breach of applicable Data Protection Laws and Regulations.
Transfer Mechanism for Data Transfers.
The Standard Contractual Clauses apply to any transfers of Personal Data under this DPA from Europe to countries which do not ensure an adequate level of data protection within the meaning of the Data Protection Laws and Regulations of such territories, to the extent such transfers are subject to such Data Protection Laws and Regulations. OwnBackup enters into the Standard Contractual Clauses as data importer. The additional terms in this Schedule also apply to such data transfers.
Transfers Subject to the Standard Contractual Clauses.
- Customers Covered by the Standard Contractual Clauses. The Standard Contractual Clauses and the additional terms specified in this Schedule apply to (i) Customer, to the extent Customer is subject to the Data Protection Laws and Regulations of Europe and, (ii) its Authorized Affiliates. For the purpose of the Standard Contractual Clauses and this Schedule, such entities are “data exporters”.
- Module. The Parties agree that where optional modules may be applied under the Standard Contractual Clauses, only the module labelled “MODULE TWO: Transfer controller to processor” shall apply.
- Instructions. The instructions described in Clause 2 above are deemed to be instructions by Customer to process Personal Data for the purposes of Clause 8.1 of the Standard Contractual Clauses.
- Appointment of New Sub-processors and List of Current Sub-processors. Pursuant to OPTION 2 to Clause 9(a) of the Standard Contractual Clauses, Customer agrees that OwnBackup may engage new Sub-processors as described in Clauses 5.1, 5.b, and 5.c above and that OwnBackup’s Affiliates may be retained as Sub-processors, and OwnBackup and OwnBackup’s Affiliates may engage third-party Sub-processors in connection with the provision of the Data Processing Services. The current list of Sub-processors is attached as Schedule 1.
- Sub-processor Agreements. The parties agree that transfers of data to Sub-processors may rely on transfer mechanisms other than the Standard Contractual Clauses (for example, binding corporate rules), and that OwnBackup’s agreements with such Sub-processors may therefore not incorporate or mirror the Standard Contractual Clauses, notwithstanding anything to the contrary in Clause 9(b) of the Standard Contractual Clauses. However, any such agreement with a Sub-processor shall contain data protection obligations not less protective than those in this DPA regarding protection of Customer Data, to the extent applicable to the services provided by such Sub-processor. Copies of the Sub-processor agreements that must be provided by OwnBackup to Customer pursuant to Clause 9(c) of the Standard Contractual Clauses will be provided by OwnBackup only upon the written request of Customer and may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by OwnBackup beforehand.
- Audits and Certifications. The parties agree that the audits described in Clause 8.9 and Clause 13(b) of the Standard Contractual Clauses shall be carried out in accordance with Clause 9 above.
- Erasure of Data. The parties agree that the erasure or return of data contemplated by Clause 8.5 or Clause 16(d) of the Standard Contractual Clauses shall be done in accordance with Clause 8 above and any certification of deletion shall be provided by OwnBackup only upon Customer’s request.
- Third-Party Beneficiaries. The parties agree that based on the nature of the SaaS Services, Customer shall provide all assistance required to allow OwnBackup to meet its obligations to data subjects under Clause 3 of the Standard Contractual Clauses.
- Impact Assessment. In accordance with Clause 14 of the Standard Contractual Clauses the parties have conducted an analysis, in the context of the specific circumstances of the transfer, of the laws and practices of the destination country, as well as the specific supplemental contractual, organizational, and technical safeguards that apply, and, based on information reasonably known to them at the time, have determined that the laws and practices of the destination country do not prevent the parties from fulfilling each party’s obligations under the Standard Contractual Clauses.
- Governing Law and Forum. The parties agree, with respect to OPTION 2 of Clause 17, that if the EU Member State in which the data exporter is established does not allow for third-party beneficiary rights, the Standard Contractual Clauses shall be governed by the laws of Ireland. Pursuant to Clause 18, disputes relating to the Standard Contractual Clauses shall be resolved by the courts specified in the Agreement, unless such courts are not located in an EU Member State, in which case the forum for such disputes shall be the courts of Ireland.
- Annexes. For purposes of execution of the Standard Contractual Clauses, Schedule 3: Details of the Processing shall be incorporated as ANNEX IA and IB, Schedule 4: OwnBackup Security Controls (which may be updated from time to time at https://www.ownbackup.com/trust/) shall be incorporated as ANNEX II, and Schedule 1: List of Current Sub-processors (as may be updated from time to time at https://www.ownbackup.com/legal/sub-p/) shall be incorporated as ANNEX III.
- Interpretation. The provisions in this Schedule are intended to clarify and not to modify the Standard Contractual Clauses. In the event of a conflict or inconsistency between the contents of this Schedule and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
Provisions Applicable to Transfers from Switzerland
The parties agree that for the purposes of applying the Standard Contractual Clauses to facilitate transfers of Personal Data from Switzerland, the following additional provisions shall apply: (i) any reference to Regulation (EU) 2016/679 shall be interpreted as a reference to the corresponding provisions of the Swiss Federal Act on Data Protection and other Swiss data protection legislation (“Swiss Data Protection Laws”), (ii) any reference to “Member State”, “EU Member State” or “EU” shall be interpreted as a reference to Switzerland, and (iii) any reference to the Supervisory Authority shall be interpreted as a reference to the Swiss Federal Data Protection and Information Commissioner.
Provisions Applicable to Transfers from the United Kingdom
The parties agree that the UK Addendum applies to transfers of Personal Data governed by UK Data Protection Laws and shall be deemed completed as follows (with capitalized terms not otherwise defined having the meanings set out in the UK Addendum):
- Table 1: The parties, their details and their contacts are set out in Schedule 3.
- Table 2: The “Approved EU SCCs” are the Standard Contractual Clauses as set out in this Schedule 5.
- Table 3: Annexes I(A), I(B) and II are completed as set out in section 2(k) of this Schedule 5.
- Table 4: OwnBackup may exercise the optional early termination right described in Section 19 of the UK Addendum.