Data Processing Agreement

1. Introduction

This Data Processing Agreement (“DPA”), together with any other document referred to within it, is incorporated into and governed by the Terms and Conditions of service (“Customer Terms”) located at: https://www.brightbox.com/legal/terms

2. Definitions

All definitions set out in the Customer Terms shall also apply in this document.

Capitalised terms, unless defined within this document, shall have the meaning given to them in the Customer Terms.

“Applicable Data Protection Legislation” means the UK Data Protection Legislation and (for so long as and to the extent that the law of the European Union has legal effect in the UK), the GDPR and any other directly applicable European Union regulation relating to privacy.

“Customer Personal Data” means any Personal Data which is contained within the Customer Data.

“Data Security Incident” means a breach of data security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Customer Personal Data.

“DPA Effective Date” means either:

  • 25 May 2018 if the Customer agreed to the Customer Terms on or prior to this date; or
  • The date that the Customer agreed to the Customer Terms, if such date is after 25 May 2018

“EEA” means the European Economic Area.

“GDPR” means the EU General Data Protection Regulation 2016/679

“Security Features” means any security related features, functionality or controls which Brightbox may make available to the Customer as part of the Services such as firewalling, access control, public key cryptography, two factor authentication and encryption.

“Sub-processor” means a third party engaged by the Processor to carry out Processing on behalf of the Controller, as described in Applicable Data Protection Legislation.

“Term” the period of time from the DPA Effective Date until the end of the provision of the Services according to clause 8 in the Customer Terms.

“Personal data”, “Data subject”, “Processing”, “Processor”, “Controller”, “Supervisory Authority” where used within this DPA have the meanings given to them in the Applicable Data Protection Legislation.

3. Data Processing General

Both parties agree that, in respect of any Processing of Customer Personal Data through the provision or use of the Services:

(3.1) Each party shall comply with the obligations that apply to it under Applicable Data Protection Legislation.

(3.2) The Customer is either:

  • a Controller of Customer Personal Data, or
  • a Processor when it Processes Customer Personal Data

Accordingly, Brightbox is a Processor when the Customer is Controller, or a Sub-processor when the Customer is Processor.

(3.3) Customer warrants that if the Customer is not the Controller, that the Customer’s instructions to Brightbox with respect to Customer Personal Data have been authorised by the relevant Controller.

(3.4) The subject matter of the Processing is the provision of the Services by Brightbox to the Customer and related support. The duration of Processing is the Term.

(3.5) The nature and purpose of the Processing is the provision of the Services by Brightbox to the Customer and the Customer’s use of the Services according to the Customer Terms.

(3.6) The type of Personal Data to be Processed is any personal data concerning natural persons contained within the Customer Data uploaded, stored, sent or received by, or on behalf of, the Customer or its end-users through the use or provision of the Services.

(3.7) The Categories of data subjects are the natural persons whose personal data is contained in the Customer Data and may include without limitation: staff, contractors, partners of the Customer or its end-users.

4. Brightbox obligations

(4.1) Brightbox shall process Customer Personal Data only on the written instruction of the Customer, unless required to do so by applicable law. In such a case, Brightbox will notify the Customer of the legal requirement to process Customer Personal Data unless the law prevents such disclosure.

(4.2) By entering into this DPA, the Customer instructs Brightbox to process Customer Personal Data:

  • As required to provide the Services;
  • As required to provide support and assistance to the Customer’s use of the Services;
  • As documented in this DPA and the Customer Terms;
  • As documented in any further written instructions provided by the Customer and acknowledged by Brightbox as Data Processing instructions for the purposes of this DPA.

(4.3) Brightbox shall ensure that all staff and subcontractors authorised to process Customer Personal Data are bound by a contractual duty of confidentiality.

(4.4) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing Brightbox shall implement appropriate technical and organisational measures as described in Appendix 1 (“Brightbox Security Measures”) to protect Customer Personal Data against Data Security Incidents.

The measures shall include, where appropriate, the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Brightbox’s systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and processes for assessing and evaluating the effectiveness of the security measures.

(4.5) Brightbox shall, in a manner and to the extent consistent with the functionality of the Services, assist the Customer to respond to requests from Data Subjects to exercise their rights in accordance with Applicable Data Protection Legislation by:

(4.5.1) providing the ability for the Customer itself to access, rectify, delete, restrict or export Customer Personal Data;

(4.5.2) responding to any direct request from a Data Subject to exercise their rights regarding Customer Personal Data, by advising the Data Subject to submit the request to the Customer or by notifying the Customer of the request. The Customer shall be solely responsible for complying with such Data Subject requests and for the costs of such requests;

(4.5.3) providing, at the Customer’s reasonable request and expense, additional assistance to the Customer with any other enquiry, complaint or correspondence from a Data Subject or third party in relation to the Processing of Customer Personal Data.

(4.6) If Brightbox becomes aware of a confirmed Data Security Incident, Brightbox shall:

(4.6.1) Notify the Customer without undue delay;

(4.6.2) Provide reasonable information (to the extent that such information is known or available to Brightbox) to the Customer to assist the Customer to fulfil any reporting obligations it may have itself; and

(4.6.3) Take commercially reasonable measures to remedy, mitigate or limit the effects of such Data Security Incident and protect Customer Personal Data.

(4.6.4) Brightbox’s remediation and mitigation obligations shall be limited to Data Security Incidents resulting from a failure by Brightbox of its own security obligations under this DPA and the Customer Terms.

(4.6.5) The notification of, or response to, a Data Security Incident by Brightbox shall not be construed as an acknowledgement by Brightbox of any fault or liability with respect to the Data Security Incident.

(4.6.6) Brightbox will not assess the content of Customer Personal Data in order to identify information subject to any specific legal requirements. The Customer is solely responsible for complying with data breach notification laws applicable to the Customer and fulfilling any third party notification obligations related to Data Security Incidents.

(4.6.7) Brightbox shall not be required to notify the Customer of any routine security incidents which is not a Data Security Incident. This includes, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing or other unauthorised access to traffic data that does not result in access beyond IP addresses or headers.

(4.7) Brightbox may provide Security Features as part of the Services. Customer acknowledges that:

(4.7.1) such Security Features are subject to change or removal during the Term

(4.7.2) use of such Security Features by the Customer is at the risk of the Customer and is governed by the Customer Terms

(4.7.2) Brightbox shall use commercially reasonable endeavours to assist the Customer in the use of Security Features by:

  • making available documentation and guides on its website
  • responding to email support requests from the Customer in a timely fashion

(4.8) The Customer acknowledges that Brightbox has no knowledge of Customer Personal Data which is uploaded, stored, sent or received in the course of the Customer’s use of the Services. Brightbox shall not be required to actively monitor Customer Data for compliance with Applicable Data Protection Legislation. If however, Brightbox believes or becomes aware that the Processing of Customer Personal Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, it shall notify the Customer.

(4.9) Brightbox shall, taking into account the nature of the Processing, the information available to Brightbox and in a manner consistent with the functionality of the Services, assist the Customer in ensuring compliance with the Customer’s obligations under Applicable Data Protection Legislation by:

(4.9.1) Providing security features within the functionality of the Services; and

(4.9.2) Providing commercially reasonable assistance, at the Customer’s expense, regarding any data protection impact assessments or prior consultation that may be required under the Applicable Data Protection Legislation

(4.10) Brightbox shall, during the Term, enable the Customer to delete Customer Personal Data in a manner consistent with the functionality of the Services. The Customer acknowledges that:

(4.10.1) It is solely responsible for exporting or retrieving any Customer Personal Data it wishes to, or is required to, retain before the applicable Term expires.

(4.10.2) On expiry of the applicable Term, Brightbox shall delete all Customer Personal Data from its systems. This requirement shall not apply if Brightbox is required by Applicable Data Protection Legislation to retain all or some of the Customer Personal Data.

(4.11) Brightbox shall, at the written request of the Customer, provide information reasonably requested by the Customer to assist in demonstrating compliance with the obligations contained within this DPA.

(4.12) Brightbox shall, subject to reasonable written notice, permit an audit or inspection by the Customer to verify its compliance with the obligations contained within this DPA.

(4.12.1) The Customer acknowledges that any such audit or inspection:

  • Shall not require Brightbox to breach its obligations of confidentiality to any other third party;
  • May be carried out by a third party auditor at the expense of the Customer;
  • Shall be carried out during normal business hours;
  • Shall be carried out in a manner which minimises or avoids disruption to Brightbox’s business;
  • May incur reasonable fees charged by Brightbox; and
  • Shall occur no more frequently than once per year, unless specifically mandated by a Supervisory Authority

(4.12.2) On completion, a copy of the audit or inspection report shall be provided to Brightbox without undue delay. Any such report shall be bound by the Confidentiality provisions contained herein and within the Customer Terms.

5. Customer obligations

Customer acknowledges and agrees that (without prejudice to Brightbox obligations contained within this DPA):

(5.1) Customer is solely responsible for evaluating whether the Services provided by Brightbox and the security measures and obligations described in this DPA will meet the Customer’s needs in respect of the Applicable Data Protection Legislation or any other applicable law.

(5.2) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk to the rights and freedoms of Data Subjects, that the Services provided by Brightbox and the Security Measures described in this DPA provide an appropriate level of security in respect of Customer Personal Data.

(5.3) Customer is solely responsible for its use of the Services for Processing Customer Personal Data during the Term, including:

(5.3.1) taking all necessary measures to secure Customer Personal Data including, without limitation, the use of available security features provided by Brightbox;

(5.3.2) securing account and authentication credentials to prevent unauthorised access; and

(5.3.3) retaining back-ups of Customer Personal Data where appropriate

(5.4) In respect of any data which the Customer uploads, stores, sends or receives in connection with its use of the Services, the Customer is responsible for the integrity, security, maintenance and appropriate protection of Customer Personal Data and ensuring compliance with any Applicable Data Protection Legislation relating to its own Processing and use of the Services.

(5.5) Customer controls how Customer Personal Data is stored, classified, exchanged or otherwise Processed when using the Services and taking into account the nature, scope, context and purposes of Processing that Brightbox has no knowledge of Customer Personal Data.

(5.6) Customer will not cause Brightbox to infringe any Applicable Data Protection Legislation and will ensure it has all necessary consents, notices and other requirements in place to enable lawful Processing of Customer Personal Data using the Services.

6. Subcontractors

(6.1) Customer agrees that Brightbox may appoint third parties in the course of provision of the Services to the Customer.

(6.2) If subcontractors are appointed by Brightbox to Process Customer Personal Data as Sub-processors, the parties agree:

(6.2.1) Brightbox shall maintain and make available to the customer an up-to-date list of its Sub-processors;

(6.2.2) Brightbox shall give notice to the Customer of the appointment of any new or replacement Sub-processors by updating the list of Sub-processors accordingly;

(6.2.3) Brightbox shall impose appropriate written terms on any Sub-processor it appoints that:

  • limit Processing of Customer Personal Data by the Sub-processor to only what is required to fulfil the purpose for which it has been appointed, and
  • protect Customer Personal Data to at least the standard required by this DPA and Applicable Data Protection Legislation

(6.2.4) Brightbox shall remain liable for any breach of this DPA caused by an act or omission by a Sub-processor

(6.2.5) Customer may object to the appointment or replacement of a Sub-processor by terminating the Customer Terms within 14 days of Brightbox’s notice of appointment. Termination shall be the Customers sole and exclusive remedy if Customer objects to the appointment of a new Sub-processor, without prejudice to to any fees incurred by the Customer by its use of the Services before Termination.

(6.3) Both parties agree that third party data centres used by Brightbox to securely house its Systems, for provision of the Services to the Customer, shall not Process any Customer Personal Data and accordingly shall not be considered Sub-processors under this DPA.

7. Cross border data transfer

(7.1) Brightbox will not transfer Customer Personal Data outside of the EEA, unless withdrawal of the UK from the EU (“Brexit”) results in the withdrawal of the UK from the EEA. In such a case, Customer Personal Data provided by the Customer will be transferred outside of the EEA, to the UK, subject to the following conditions:

(7.1.1) Brightbox shall comply with its obligations under the Applicable Data Protection Legislation and this DPA to ensure an adequate level of protection for any Customer Personal Data transferred; and

(7.1.2) The Data Subjects whose personal data is contained within Customer Personal Data shall have enforceable rights and effective legal remedies;

8. Termination

This DPA shall terminate automatically upon termination or expiry of the Customer Terms.


Appendix 1 - Brightbox Security Measures

Brightbox will implement and maintain the Security Measures described in this Appendix.

Brightbox may update or modify these Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.

1. Data Centre Security

Brightbox uses multiple physically secure and geographically diverse data centres to house infrastructure and systems to deliver services.

Redundancy

Infrastructure and systems are designed to avoid single points of failure by using redundancy. We use multiple (N+1) network devices, circuits, power and environmental control systems and other equipment to provide this. Systems are designed so that we perform routine maintenance without interruption.

Power

Data center power systems are redundant and designed to allow maintenance without interruption to continuous operations. Data centre facilities are connected to the grid using multiple geographically diverse feeds. Equipment in the data centres is connected to multiple feeds from redundant (N+1) UPS systems, which supply power protection during brownouts, blackouts, over- voltage, under-voltage, and out-of-tolerance frequency conditions. In the event of a prolonged interruption to grid power, on-site diesel generators capable of handling the full load are used to provide backup power. Sufficient on-site fuel reserves are maintained to run the generators for several days.

Environmental

Data centre facilities are purpose built in areas at low risk of flooding, water ingress or other natural disasters. The facilities use redundant environmental control systems to manage temperature and humidity.

Fire Suppression

Automatic fire detection and suppression systems with VESDA (Very Early Smoke Detection) are used in all data centre facilities.

Business Continuity and Disaster Recovery

Critical systems and data are replicated across multiple, geographically diverse data centres to provide fault tolerance, disaster recovery and protection against accidental destruction or loss of data.

2. Network Security

Data centres are connected via high-speed private interconnects with a minimum of two (N+1) geographically diverse and resilient paths between any two sites. Data is transferred across our network using widely-adopted industry standard protocols.

Encryption

Where appropriate, encryption is used to protect Customer Personal Data during transmission across networks operated by Brightbox. Protocols and ciphers used to encrypt data during transmission are based on widely accepted industry standards.

Firewalling

Access to Brightbox networks is controlled using multiple layers of firewalling to protect both external and internal attack surfaces. Incoming connections from untrusted networks are denied by default and permitted services are limited in scope as tightly as possible.

Incident Identification and Response

Monitoring systems are used to collect network performance and security data to ensure the network is performing within expected parameters, allowing us to identify and respond to any abnormal conditions.

3. Access Controls

Brightbox maintains strict access control and security procedures to protect access to physical equipment, networks, systems and data.

Data Centre Physical Security

Data centre environments are protected by 24/7 on-site security operations. Security personnel monitor CCTV surveillance and conduct regular patrols. CCTV cameras are recorded on-site and recordings are retained for at least 30 days. External and internal access is controlled using Access Controlled locks (key locks, digital locks, biometrics or access tokens) linked to alarm and logging systems. All activity is recorded so unauthorised or failed access attempts can be investigated.

Data Centre Access

Data centre access is restricted to authorised personnel and is controlled by formal access procedures. Personnel without access authorisation must be accompanied all times when accessing secure environments. Access is granted only when necessary and to the minimum level necessary for authorised personnel to perform the tasks required.

Access requests must be made in advance by authorised personnel. All visitors are required to provide either biometric or government-issued photographic proof of identification to security staff before entering. Visitors are issued with an electronic keycard which permits access only to the areas required.

Systems Access

Brightbox maintains formal procedures to control access to networks, systems, applications and data. Procedures are designed to prevent unauthorised use of systems and to ensure that Customer Personal Data cannot be read, copied, altered or removed without authorisation during storage, transmission, processing or use.

Access is restricted to the minimum level necessary for authorised personnel to perform their function and granted on a “need to know” basis. Authentication is performed using encrypted methods (key-based or strong, single-use passwords) and remote administrative access is via encrypted channels (VPN, SSH2) utilising strong ciphers. Administration access logs are recorded to separate logging servers to provide an audit trail. Where passwords are employed for authentication, password policies that follow industry standard practices are implemented.

Documentation and Configuration Management

All systems processing or storing Customer Personal Data are registered in our internal documentation system. Configuration changes to all systems follow the appropriate change management procedures and are recorded in the documentation system. Unused services and applications are disabled or removed from all systems. All systems are kept up to date with the latest security updates as soon as practical.

4. Data Security

Customer Personal Data is stored in a multi-tenant environment running on systems owned by Brightbox and located in secure data centres. Data is logically isolated while being stored (at rest), held in memory and processed.

Data Isolation

Hardware assisted virtualisation technology is used to logically isolate the processing and storage of data in memory between tenants. Stored data (at rest) is logically isolated using virtualisation and access controls.

Encryption

Where appropriate, encryption is used to protect Customer Personal Data while at rest. Ciphers used to encrypt data at rest are based on widely accepted industry standards.

Secure Storage

Physical media containing Customer Personal Data is only stored in secure environments protected by the physical security measures and access controls described in this appendix. Removable media (e.g. USB keys) is not used for storing or transporting any Customer Personal Data.

Secure Disposal

Brightbox maintains a formal data disposal procedure which specifies the required standards for destruction of sensitive data. All media containing sensitive data is disposed of securely.

Brightbox tracks and records the use, decommissioning and destruction of all media by serial number across the device lifecycle.

5. Personnel Security

All Brightbox personnel and subcontractors are bound by contracts which include confidentiality clauses and enforce adherence to our Information Security policies and procedures. Staff and contractors are vetted according to BS7858. All personnel are provided with suitable security training appropriate to their role.

Brightbox maintains formal onboarding and exit procedures for all personnel to ensure access to systems processing Customer Personal Data is granted according to our policies and revoked in a timely manner.

6. Incident Handling

Brightbox maintains a formal incident management procedure. In the event of a confirmed Data Security Incident Brightbox will notify all affected customers without delay, provide reasonable information (to the extent that such information is known or available to Brightbox) to assist the customer in fulfilling any legal obligations it may have and will take commercially reasonable measures to remedy, mitigate or limit the effects of such Data Security Incident and protect Customer Personal Data.

Last updated: 24 May 2018 at 12:32 UTC