Please read the Data Processing Addendum (“DPA”) carefully as they form a contract between You (“Customer”) and Us (“ReportGarden”). As referenced in the ReportGarden Terms of Service (“Terms”), this DPA will apply where We and Our Group Companies are processors of EU personal data. The capitalized terms used in this DPA but not defined herein shall have the same meaning as defined in the Terms. In the event of a conflict between this DPA and the Terms, this DPA shall prevail.
THIS DPA INCLUDES:
Standard Contractual Clauses, attached hereto as EXHIBIT 1.
In this DPA, the following terms shall have the following meanings:
a) “controller”, “processor”, “data subject”, “personal data”, “processing” (and “process”), and “special categories of personal data” shall have the meanings given in Applicable Data Protection Law;
b) “Applicable Data Protection Law” shall mean: (i) prior to 25 May 2018,the EU Data Protection Directive (Directive 95/46/EC); and (ii) on and after 25 May 2018, the EU General Data Protection Regulation (Regulation 2016/679)
c) “ReportGarden” means REPORT GARDEN, Inc.; and
d) “Standard Contractual Clauses” means the clauses attached hereto as Exhibit 1 pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
2. Relationship of the parties.
Customer (the controller) appoints ReportGarden as a processor to process the personal data forming part of the Service Data (the “Data”) for the purposes described in the Terms (or as otherwise agreed in writing by the parties) (the “Permitted Purpose”). Each party shall comply with the obligations that apply to it under GDPR.
3. Prohibited data.
Customer shall not disclose (and shall not permit any data subject to disclose) any special categories of personal data to ReportGarden for processing.
4. International transfers.
ReportGarden will transfer the Data outside of the European Economic Area (“EEA”) in compliance with the Standard Contractual Clauses (Exhibit 1).
5. Confidentiality of processing.
ReportGarden shall ensure that any person it authorizes to process the Data (an “Authorised Person”) shall protect the Data in accordance with ReportGarden’s confidentiality obligations under the Terms.
Customer consents to ReportGarden engaging third-party subprocessors to process the Data for the Permitted Purpose provided that:
Customer may object to ReportGarden’s appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, ReportGarden will either not appoint or replace the subprocessor or, if this is not possible, Customer may suspend or terminate the Terms (without prejudice to any fees incurred by Customer prior to suspension or termination).
7. Cooperation and data subjects’ rights.
ReportGarden shall provide reasonable and timely assistance to Customer (at Customer’s expense) to enable Customer to respond to:
In the event that any such request, correspondence, enquiry or complaint is made directly to ReportGarden, ReportGarden shall promptly inform Customer providing full details of the same.
8. Data Protection Impact Assessment.
If ReportGarden believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall inform Customer and provide reasonable cooperation to Customer (at Customer’s expense) in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
The processor shall implement technical and organizational measures to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the Data (a “Security Incident”).
10. Security incidents and Data Breach.
If ReportGarden becomes aware of a confirmed Security Incident, it shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can fulfill any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. ReportGarden shall further take reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all material developments in connection with the Security Incident.
11. Disposal of Customer Data.
Upon the termination of Customers’ access to and use of the Service, ReportGarden will up to fifteen (15) days following such termination permit the customer to export its Service Data, at customers’ expense, in accordance with the capabilities of the Service. Following such period, Data Processor shall destroy all Service Data stored or processed by ReportGarden on behalf of the customer. In case the customer requires ReportGarden to delete the Personal Data, this will be done in accordance with ReportGarden’s data retention and disposal policies and procedures. Customer expressly consents to such deletion.
This requirement shall not apply to the extent that ReportGarden is required by applicable law to retain some or all of the Data, or to Data it has archived on backup systems, which Data ReportGarden shall securely protect from any further processing except to the extent required by such law.
Customer acknowledges that ReportGarden may be audited for technical, legal or taxation purposes. This may require ReportGarden to share some personal data with the auditor, which will be bound by confidentiality clauses.
EU MODEL CONTRACT CLAUSES
Date Effective: May 25, 2018
Standard Contractual Clauses (Processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
Name of the data exporting organisation: __________________
Tel. __________________ ; fax __________________ ; e-mail: __________________
Other information needed to identify the organisation
(the data exporter)
Name of the data importing organisation: REPORT GARDEN, INC
Address: ReportGarden Inc355 Bryant Street, Suite 403San Francisco, CA 94107
Tel. +1 855-777-8436 e-mail: email@example.com
Other information needed to identify the organisation:
(the data importer)
each a ‘party’; together ‘the parties’,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
Obligations of the data exporter
The data exporter agrees and warrants:
Obligations of the data importer
The data importer agrees and warrants:
Mediation and jurisdiction
Cooperation with supervisory authorities
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Obligation after the termination of personal data-processing services
On behalf of the Data Exporter:
Name (written out in full):
Other information necessary in order for the contract to be binding (if any):
Appendix 1 to the Standard Contractual Clauses
Details of Processing
This Appendix forms part of the Clauses and must be completed and signed by the parties. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
A. Data exporter
Data exporter is the Data controller. The data exporter is the Customer, as defined in the ReportGarden Customer Terms of Service (“Agreement”). Data exporter is the Data controller.
B. Data importer
Data importer is the Data processor. The data importer is ReportGarden, a digital marketing agency platform that helps online advertisement agencies create performance reports, invoices, manage campaign budgets, site audits and various other features that are provided on the application.
C. Data subjects
The personal data transferred concern the following categories of data subjects:
D. Subject-Matter and Nature of the Processing
The subject-matter of Processing of Personal Data by Processor is the provision of the services to the Controller that involves the Processing of Personal Data. Personal Data will be subject to those Processing activities as may be specified in the Agreement.
E. Categories of data
The personal data transferred concern the following categories of data:
F. Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data: N/A
G. Processing operations
The personal data transferred will be subject to basic processing activities for the following activities:
Appendix 2 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties. ReportGarden considers protection of Customer Data a top priority. As further described in these Security Measures, ReportGarden uses commercially reasonable organizational and technical measures designed to prevent unauthorized access, use, alteration or disclosure of Customer Data stored on systems under ReportGarden’s control.
1. Trusted Infrastructure
ReportGarden is a unified software for marketing agencies. Our application allows agencies to focus on their marketing strategies while ReportGarden focuses on Client Reporting & Management, Prospects Management, Lead generation, Budgets monitoring and many more. This Page gives an overview of application performance and how security is designed into the ReportGarden software. ReportGarden host it services on Heroku which is a network isolated, dedicated runtime environments for enhanced privacy, power, and performance. This infrastructure provides secure integration of clients accounts, secure storage of data with end-user privacy safeguards, secure encryption of passwords and two-factor authentication, secure and private communication with customers, and safe operation by administrators.
We will describe the security of this application in progressive layers starting from the physical and network security, continuing on to how the hardware and software that underlie the infrastructure are secured, and finally, describing the technical constraints and processes in place to support the performance of the application.
ReportGarden’s computing platform assumes ongoing hardware failure, and it uses robust software failover to withstand disruption. All ReportGarden systems are inherently redundant by design, and each subsystem is not dependent on any particular physical or logical server for ongoing operation. Data is replicated multiple times across Heroku dynos(third party) so that, in the case of a machine failure, data will still be accessible through another system. We also replicate data to secondary data centers in different seismic and geographic zones to ensure protection from data center failures.
ReportGarden’s services are designed to scale to hundreds of thousands of users. We run multiple different performance tests, including load testing our applications under high load over a long period, to observe effects on factors, such as memory use and response time. ReportGarden also performs stress testing to examine system performance in unusual situations, including system functional testing while under unusually heavy loads, heavy repetition of certain actions or inputs, or input of large numerical values and large, complex queries to a database system.
We do everything in our power to protect agencies from attempts to compromise their data. We vigorously resist any unlawful attempt to access or block access to our customers’ data, whether it be from a hacker or any malicious software. Whether it is an integration or client’s contact, ReportGarden does not own that data.
That means two key things:
4. Application Security
ReportGarden servers can be accessed only via HTTPS using Comodo SSL Certificate. We use industry-standard encryption for data traversing to and from the application servers.
All user inputs are properly encoded when displayed to ensure XSS vulnerabilities are avoided.
All POST requests are checked for CSRF token before processing the request.
ReportGarden interacts with a database through ActiveRecord. The default and convenient Object Relational Mapping (ORM) layer which provides abstraction, safety and allow developers to avoid manually building SQL queries.
ReportGarden also uses Brakeman which is an open source static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
ENCRYPTED DATA STORAGE
ReportGarden does not store any sensitive details on it’s network. We store sensitive details in our database in an encrypted form.
We use Cloudflare for increasing internet pressures. Cloudflare is a web performance and security company. Cloudflare’s WAF, DDoS protection, and SSL defend website owners and their visitors from all types of online threats.
a. CLOUDFLARE WAF
Cloudflare’s enterprise-grade web application firewall (WAF) detects and block common application layer vulnerabilities at the network edge, utilizing the OWASP Top 10, application-specific and custom rulesets. It has two-factor authentication so that the accounts get an added layer of login security, ultimately adding another layer of security to our website.
b. CLOUDFLARE IPF
Cloudflare IP Firewall avoids the most common security attacks which run over a public network, such as the Internet.
c. CLOUDFLARE RATE LIMITING
Rate Limiting protects critical resources by providing fine-grained control to block or qualify visitors with suspicious request rates.
d. CLOUDFLARE DDoS MITIGATION
DDos Mitigation resists the impact of distributed denial-of-service (DDoS) attacks on networks attached to the Internet by protecting the applications, websites, and APIs from malicious traffic targeting network and application layers and maintains the performance and availability.
Ensuring the availability of ReportGarden application is just as important as protecting them from malicious requests. We have a dedicated team working 24/7 for application monitoring. We use both internal and multiple external monitoring services to monitor ReportGarden. Our monitoring system will alert our team through emails and phone calls if there are any errors or abnormality in the request pattern. We take utmost care in picking the right external tools and here are the four tools which are woven together to monitor ReportGarden application 24 hours.
ReportGarden uses Scout which is a Rails monitoring app for serving: the performance metrics, a layer of analysis, and a generous helping of workflow improvements. These features reduce the stress on us in identifying the root cause of Rails app performance woes.
ReportGarden uses Rollbar which is a real-time, full-stack error monitoring and debugging tool for developers used to monitor the impact of our code changes and measures the performance, track errors and analyze our application. It integrates with GitHub to link stack traces to the underlying source code, correlate exceptions to code changes, and create GitHub issues allowing us to manage errors in the existing workflow.
ReportGarden uses Instrumental for sending metrics and building graphs to monitoring servers and services. It serves us,
ReportGarden uses Librato for monitoring and understanding the metrics that impact the software at all levels of the stack.
7. Vulnerability scanning and audits
Third party security testing of the Heroku application is performed by independent and reputable security consulting firms. Findings from each assessment are reviewed by the assessors, risk ranked and assigned to the responsible team.
ReportGarden undergoes penetration tests, vulnerability assessments, and source code reviews to assess the security of the application, architecture, and implementation. Our third-party security assessments cover all areas of our platform including testing for OWASP Top 10 web application vulnerabilities and customer application isolation. ReportGarden works closely with external security assessors to review the security of the platform and applications and applies the best practices. We also hold open bug bounty programs which allows the security researchers, report a vulnerability on ReportGarden application as long as the vulnerability is discovered without using intrusive testing techniques.
ReportGarden offers a 99.99% app uptime and 99.99% API uptime. Furthermore, ReportGarden hardly has downtime or maintenance windows. To minimize service interruption due to hardware failures, natural disasters or other incidents, ReportGarden, takes the data backup and save in a different server in a different and highly redundant availability zone. In case our server downs, we spin the server in an hour.
9. Indemnity Clauses
10. Employee Screening and Policies
As a condition of employment, all ReportGarden employees undergo pre-employment background checks and agree to company policies including security and acceptable use policies.
We are working continuously to make our system secure. If you find any security issues, please submit it to firstname.lastname@example.org. We take security as our highest priority. We will make sure the issue is fixed and updated at the earliest.
Appendix 3 to the Standard Contractual Clauses
EU Representative Contact Information
This Appendix forms part of the Clauses and must be completed and signed by the parties. REPORT GARDEN, Inc. takes their clients’ (and the customers of their clients) data protection seriously, and has appointed DPR Group as their Data Protection Representative in the European Union so that you can contact them directly in your home country. DPR Group has locations in each of the 28 EU countries, so that REPORT GARDEN, Inc.’s customers can always raise the questions they want with them.
To raise a question to the DPR Group on behalf of REPORT GARDEN, Inc., you may do so by mailing your inquiry to DPR Group at the most convenient of the addresses in the subsequent pages.
PLEASE NOTE: when mailing inquiries, it is ESSENTIAL that you mark your letters for ‘DPR Group’ and not ‘REPORT GARDEN, Inc.’, or your inquiry may not reach us. Please refer clearly to REPORT GARDEN, Inc. in your correspondence. On receiving your correspondence, REPORT GARDEN, Inc. is likely to request evidence of your identity, to ensure your personal data and information connected with it is not provided to anyone other than you.
Alternatively, you may reach out to ReportGarden by sending an email to email@example.com stating <Data Privacy Query / Data Subject Right> in the subject line.