Privacy and Data Protection Supplement
Last updated: September 1st, 2019
This Privacy and Data Protection Supplement (“Supplement”) supplements the hubsell Terms of Service (“hubsell TOS”) and as such is part of the agreement that we have with you for your use of the Services (the “Agreement”).
The contents of the hubsell TOS shall apply to this Supplement.
In addition to the definitions provided in article 1 below, terms used in this Supplement have the same meaning as those used in the hubsell TOS, unless explicitly provided otherwise. If there are any conflicts or inconsistencies between this Supplement and the hubsell TOS, the provisions of this Supplement prevail.
Article 1: DEFINITIONS
“Applicable Data Protection Law” means all laws, regulations and sectoral recommendations containing rules for data protection and privacy which are applicable to the processing of Personal Data under the Agreement (e.g. the General Data Protection Regulation (EU) 2016/679), including without limitation security requirements.
“Approved Measure” means a code of conduct or certification mechanism as meant in article 46 of the General Data Protection Regulation.
“EC Standard Contractual Clauses” means the EC Standard Contractual Clauses for the transfer of personal data to processors established in third countries, as published in the Decision of the European Commission of February 5, 2010 (Decision 2010/87/EU).
“Data Subjects” means any individual whose Personal Data is processed by hubsell in the course of the performance of the Agreement.
“Non-Adequate Country” means a country that is deemed not to provide an adequate level of protection of Personal Data within the meaning of the General Data Protection Regulation (EU) 2016/679.
“Personal Data” means any information relating to a Data Subject.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
“Sub-Processor” means any Third Party that processes Personal Data under the instruction or supervision of hubsell but that does not fall under the direct authority of hubsell.
“Third Party” means any party other than the parties to the Agreement.
1. Description of the processing
1.1 The subject-matter of this Supplement is the processing of Personal Data by hubsell on behalf of you and in accordance with your written instructions as described in the Agreement (which includes this Supplement) or otherwise in writing.
1.2 This Supplement shall be valid for the duration of the Agreement. The nature and purpose of the processing, the types of Personal Data and the Data Subjects concerned are described in the Agreement.
2.1 hubsell shall process Personal Data as described in this Supplement only (i) on behalf and for the benefit of you, (ii) in accordance with the instructions you provide to us through your Member Account and (iii) for the purposes authorised by the Agreement. hubsell shall comply with Applicable Data Protection Law when carrying out the obligations under the Agreement.
2.2 hubsell shall not process the Personal Data other than as instructed in writing and as strictly necessary for the performance of the Agreement, or as required by applicable EU or EU member state law. In case of such a requirement of EU or EU member state law, hubsell shall inform you of that legal requirement before the processing takes place, unless that law prohibits such information on important grounds of public interest.
3. Non-disclosure and confidentiality
3.1 hubsell shall keep Personal Data confidential and shall not disclose Personal Data in any way to any Third Party without your prior written approval, except where, subject to this Supplement, (i) such disclosure is required for the performance of the Agreement or for the processing by a Sub-Processor, (ii) Personal Data need to be disclosed for audit purposes as described in article 9 or (iii) such disclosure is allowed in accordance with article 10 of this Supplement.
3.2 hubsell shall ensure that any employee, agent, contractor or any other person working under the direct authority of hubsell is committed to respect and maintain the confidentiality and security of the Personal Data.
4.1 hubsell applies technical, physical and organisational security measures to its systems and data as described in the Annex to this Supplement. You agree that these security measures ensure an appropriate level of information security as required by article 32 GDPR. Please note that the security measures may be updated in the future if required to enable hubsell to continue to meet the conditions of article 32 GDPR. If that happens we will provide you with an updated Annex.
5.1 hubsell shall only permit Sub-Processors to process Personal Data with your prior written consent. hubsell will remain fully liable to you for the Sub-Processor’s performance of the Agreement and this Supplement.
5.2 hubsell shall ensure that Sub-Processors are contractually bound to the same restrictions and obligations with respect to the processing as those to which hubsell is bound under the Agreement and this Supplement.
5.3 You are deemed to have consented in writing to the processing of Personal Data by our current Sub-Processors. The identity of these current Sub-Processors will be communicated to you by hubsell upon your prior request. hubsell shall inform you of any intended addition or replacement of Sub-Processors, thereby giving you the opportunity to object to such changes.
6. Cooperation obligations
6.1 hubsell shall deal promptly, appropriately and in a commercially reasonable manner with your enquiries or requests for assistance related to the processing under the Agreement.
6.2 hubsell shall cooperate with you and provide assistance in cases where Data Subjects wish to exercise their rights of access, rectification, erasure, restriction or data portability in the following manner. Our cooperation and assistance are provided to you exclusively through the functionality of the Software. The Software will enable you to delete, extract and amend Personal Data or to unsubscribe a particular Data Subject from receiving further communications from you. If a record is deleted at the request of a Data Subject, you must retain a record of such deletion to ensure that the record of that Data Subject remains deleted over time in the database that is connected to the Software.
6.3 hubsell shall cooperate with you in so far as this is reasonably necessary for you to be able to comply with your data protection impact assessment and prior consultation obligations under Applicable Data Protection Law. You agree that we are entitled to (partly) provide this cooperation by sending you a copy of a data protection impact assessment that we have conducted ourselves.
7. Personal Data Breaches
7.1 hubsell shall, without undue delay, inform you if hubsell or a Sub-Processor has become aware of the occurrence of a Personal Data Breach.
7.2 In the event of a Personal Data Breach, hubsell shall promptly take adequate remedial measures. Furthermore, hubsell shall promptly provide you with all relevant information as requested by you regarding the Personal Data Breach, cooperate with you to investigate the nature and scope of the Personal Data Breach and provide any other assistance as reasonably required by you to allow you to comply with any legal obligations, including notification obligations to regulators and Data Subjects, in this respect.
8. Return and destruction of Personal Data
8.1 Upon termination of the Agreement you may delete the Personal Data from your Member Account. If you fail to do so, we will delete all data in your Member Account within thirty (30) days of the termination of the Agreement. If we are required by applicable EU or EU member state law to continue storing your Personal Data, hubsell shall inform you of such legal obligation, shall keep the Personal Data confidential and shall only process the Personal Data to the extent required by the applicable EU or EU member state law.
8.2 You accept that when you delete Personal Data from your Member Account, hubsell will remove your label from the record of the deleted Personal Data in its database. Deleted Personal Data may continue to be available to other customers that process the same Personal Data. The Personal Data will be finally deleted from the hubsell database if no other customers process the Personal Data or, if other customers do process the Personal Data, once those other customers have also deleted the Personal Data from their member accounts.
9. Compliance and right of audit
9.1 hubsell shall make available to you all information necessary to demonstrate compliance with the provisions of this Supplement. Such information will in any case include information on (i) the security measures, (ii) Sub-Processor agreements (including copies thereof with commercial elements blacked-out), (iii) Personal Data Breaches, (iv) deletion of Personal Data, (v) international data transfers and the safeguards taken to address transfer restrictions and (vi) measures in place to allow you to comply with your obligations in relation to Data Subject’s rights.
9.2 You shall have the right to inspect hubsell’s and Sub-Processors’ compliance with the obligations under this Supplement. Any such inspection shall be conducted on your behalf by an independent professional auditor subject to professional secrecy rules, such as an EDP auditor or an accountant.
You shall: 1) give hubsell reasonable notice of the intention to have an audit performed pursuant to Clause 9.2; 2) procure that the audit is performed in compliance with hubsell’s and Sub-Processors’ reasonable confidentiality provisions, as notified by hubsell to you; and 3) procure that reasonable efforts are used to minimise any disruption to hubsell’s or Sub-Processors’ business caused by the performance of the audit.
10. International data transfer
10.1 hubsell may transfer Personal Data to, or make Personal Data accessible to, approved Sub-Processor(s) established in Non-Adequate Country/Countries, including but not limited to India.
10.2 You hereby provide hubsell with a mandate to enter into EC Standard Contractual Clauses (Processor-Processor) with a Sub-Processor that is located in a Non-Adequate Country on your behalf.
10.3 Article 10.2 does not apply to transfers covered by an Approved Measure. In such case, hubsell shall ensure that all measures, commitments, certifications and safeguards necessary to rely on such Approved Measure are maintained. If hubsell no longer maintains the Approved Measure, hubsell will immediately inform you thereof and ensure that the necessary EC Standard Contractual Clauses are concluded in the absence of the Approved Measure.
10.4 Where any of the EC Standard Contractual Clauses or Approved Measures applying to a transfer under this article 10 requires adjustment or is invalidated as a result of any change in, or decision of a competent authority under, Applicable Data Protection Law, hubsell will ensure that the necessary adjustments to the EC Standard Contractual Clauses or Approved Measure are made, or that the necessary alternative EC Standard Contractual Clauses or Approved Measure are implemented, so that the transfer(s) continue to be performed in compliance with Applicable Data Protection Law.
Annex to Privacy and Data Protection Supplement: Technical and Organisational security measures (TOMs):
Introduction: This Annex describes the current technical and organisational security measures applied by hubsell for its systems and data.
1. Technical measures:
1.1 The system is hosted on Amazon Web Services servers behind strict firewall rules. You may review the AWS security processes at the following link: https://aws.amazon.com/whitepapers/overview-of-security-processes/
1.2 Access from the web is only possible via HTTPS, using certificates signed with SHA-256 and RSA keys (sha256WithRSAEncryption).
1.3 Full database backups are taken daily and retained on a rolling weekly basis.
2. Organisational measures:
2.1 The registration and activation of a new account is only possible by contacting our personnel.
2.2 Password choice is enforced by hubsell to require a long, secure format.
2.3 SSH access to the servers and data is only possible from specific IP addresses and only by a limited number of staff (only the CTO at the moment).
2.4 The research team can only access the data they are assigned to find and enrich, and only through a segregated web application with the same security level as the main web application.
2.5 The Sub-Processor (research team) has signed an NDA.
3. Confidentiality, integrity, availability and resilience of processing systems and services:
3.1 The registration and activation of a new account is only possible by contacting our personnel.
3.2 Password choice is enforced by hubsell to require a long, secure format.
3.3 SSH access to the servers and data is only possible from specific IP addresses and only by a limited number of staff (only the CTO at the moment).
3.4 Full database backups are taken daily and retained on a rolling weekly basis.
3.5 The system is hosted on Amazon Web Services servers physically located in Frankfurt (Germany), with 99.99% uptime.
4. The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident:
4.1 In case of partial or complete data loss we can, depending on the event, restore the entire database or part of the data from the latest available backup. See point 3.4.
5. Process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing:
5.1 We continuously assess that the security policies are respected: 1) during the development of new features, 2) while executing unit tests, integration tests and system tests, and 3) while processing data to be delivered to customers.