Data Processing Addendum

Updated: May 24, 2018

In the course of providing our service, SESSIONSTACK may process personal data on your behalf. In order to outline specifics of how we will perform this processing and what our obligations are as well as the obligations of our users/customers we’ve developed a Data Processing Addendum (DPA) that we enter into free of charge with anyone that uses our service and requests it. This document forms part of a contract of service with SESSIONSTACK (as the Data Processor) and our users/customers (as the Controllers). The DPA reflects the parties’ agreement with regard to the processing of personal data performed using our service. As a Controller, in order to sign this addendum, you must review and request a copy in order to sign it by contacting us on support@sessionstack.com. We will countersign it and provide you with a fully executed downloadable copy via email. Upon SessionStack’s receipt of the validly completed and digitally signed Addendum, this Addendum shall be in full force and effect.

Terms and Definitions

  • Terms below shall have the following meanings:
    • “Agreement” means SESSIONSTACK’s Terms of Service.
    • “SESSIONSTACK” means SESSIONSTACK Ltd., UIC 203943168, with registered seat and address: 77 bl., entr. 1, 7th fl., app. 34, Mladost 1, Mladost Dirstrict, Sofia 1784, Bulgaria, e-mail: support@sessionstack.com.
    • “Client Data” means data stored, gathered, sent or processed in other ways via the Software.
    • “Client Personal Data” means personal data contained within the Client Data.
    • “Data Incident” means a breach of SESSIONSTACK security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Data on systems managed by or otherwise controlled by SESSIONSTACK. Data Incidents will not include unsuccessful attempts or activities that do not compromise the security of Client Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
    • “Data Processing Addendum” or “DPA” means this Addendum, which is an inseparable part of the Agreement concluded between SESSIONSTACK and the Client.
    • “European Data Protection Legislation” means, as applicable, the GDPR, as well as any other applicable EU legislation.
    • “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
    • “License” means the Software license of use granted to the Client by SESSIONSTACK pursuant to the Agreement.
    • “Party” means either SESSIONSTACK or the Client.
    • “Parties” means both SESSIONSTACK and the Client.
    • “Term” means the term set forth in the Agreement.
    • “SaaS model” means a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted by SESSIONSTACK. The Software is accessed by Clients via a web browser.
    • “Services” means the services, provided by SESSIONSTACK as described in the Agreement (Terms of Service).
    • “Software” means computer software, developed by SESSIONSTACK, visualized and applicable in the Web-site www.sessionstack.com.
    • “Standard Contract Clauses” means the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR.
    • “Subprocessors” means third parties authorized under this Data Processing Addendum to have logical access to and process Client Data in order to provide parts of the Services and related technical support.
    • “Third parties” means any other persons, organizations and authorities, besides SESSIONSTACK and the Client.
    • “Web-site” means the web-based site www.sessionstack.com.
  • All terms, which have not been explicitly defined above, such as “personal data”, “data subject”, “processing”, “controller”, “processor”, “supervisory authority”, etc. have the meaning meanings given in the GDPR.

Scope of Addendum

  • Software License Agreement
    • SESSIONSTACK provides a SaaS (Software as a Service) web-based application which by functionality implements a method for monitoring and recording End User behaviour on Client’s websites.
    • Parties have concluded an Agreement for the use of SESSIONSTACK Software by the Client for the Client’s own internal business purposes.
    • Under the Software license agreement SESSIONSTACK agreed to provide the Client with the Services as specified in the Agreement.
    • in rendering the Services, SESSIONSTACK may from time to time be provided with, or have access to, information of the Client which may qualify as personal data within the meaning of the GDPR and other applicable European and Bulgarian data protection laws and provisions.
  • GDPR
    • This Data Processing Addendum reflects the Parties’ agreement with respect to the terms governing the processing and security of Client Data under the Agreement according to the requirements of GDPR and any other European Data Protection Legislation.
    • The parties acknowledge and agree that the European Data Protection Legislation, including the GDPR will apply to the processing of Client Personal Data if, the Client Personal Data is personal data relating to data subjects who are in the EU/EEA and the processing relates to the offering to them of goods or services in the EU/EEA or the monitoring of their behaviour in the EU/EEA as well as when the processing is carried out in the context of the activities of an establishment of Client in the territory of the EU/EEA.
    • The Parties agree that the sets of data processing and transfers covered by this DPA qualify as commissioned data processing as per Art. 28 of the GDPR with SESSIONSTACK qualifying as processor within the meaning of the GDPR and that they would like to use this DPA as the required contractual processing agreement.
    • In order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Client to SESSIONSTACK of the personal data, the Parties have entered into this DPA.
    • The Parties agree that SESSIONSTACK shall have the right to ask for changes to any part of this DPA to the extent required to satisfy any interpretations, guidance or orders issued by competent Union or Member State authorities, national implementation provisions, or other legal developments concerning the GDPR requirements for the commissioning of data processors in general or other requirements for the commissioning of data processors. The Parties will agree on the necessary changes in good faith effort taking their obligation to carry out this contractual relationship in compliance with applicable data protection law into account.
  • Processor and Controller
    • SESSIONSTACK is a processor of Client Personal Data.
    • Client is a processor of Client Personal Data.
    • Each Party will comply with the obligations applicable to it under the European Data Protection Legislation with respect to the processing of that Client Personal Data.
    • Client warrants to SESSIONSTACK that Client’s instructions and actions with respect to that Client Personal Data, have been authorized by the relevant End Users, whose personal data has been entered in or recorded by the Software.
    • Client is responsible that the processing activities relating to the personal data, as specified in the Agreement and this DPA, are lawful, fair and transparent in relation to the data subjects concerned.
  • Scope of Processing
    • By entering into this Data Processing Addendum, the Client instructs SESSIONSTACK to process Client Personal Data only in accordance with applicable law: (a) to provide the Services and related technical support; (b) as further specified via Client’s use of the Services and related technical support; (c) as documented in the applicable Agreement and this Data Processing Addendum; and (d) as further documented in any other written instructions given by Client and acknowledged by SESSIONSTACK as constituting instructions for purposes of this Data Processing Addendum.
    • Any further instructions of processing, given by the Client to SESSIONSTACK that go beyond the instructions contained in this DPA or the Agreement shall be considered within the subject matter of the Agreement and this DPA and SESSIONSTACK acts of processing shall be considered lawful and compliant with the GDPR and other applicable legislation. It shall be the Clients responsibility to guarantee the legality of any personal data processing of which the Client has given instructions to SESSIONSTACK to perform.
    • The Client acknowledges that the Services, provided by SESSIONSTACK to the Client include, among others described above, the provision by SESSIONSTACK to the Client of notifications on the scope of Services, their update, upgrade, amendment, new releases, development and/or termination via Newsletters, emails and other electronic and nonelectronic means of communication, which may be applicable.
    • SESSIONSTACK will comply with the instructions described above (Client’s Instructions) (including with regard to data transfers) unless EU or Bulgarian State law requires other processing of Client Personal Data by SESSIONSTACK, in which case SESSIONSTACK will inform Client (unless that law prohibits SESSIONSTACK from doing so on important grounds of public interest). Upon providing such notification, SESSIONSTACK is not obliged to follow the Client’s instruction.
    • For clarity, SESSIONSTACK will not process Client Personal Data for Advertising purposes or serve Advertising in the Services. Notifications from SESSIONSTACK to the Client and all End Users on the scope of Services, their update, upgrade, amendment, new releases, developments and/or termination via Newsletters, emails and other electronic and nonelectronic means of communication, which may be applicable, shall not be considered advertising, marketing or other activity, not included in the Services. Such notifications shall be considered part of the Services provided by SESSIONSTACK to Client.
    • If at any time the Client or any End User would like to unsubscribe from receiving future emails, he or she must follow the instructions on how to unsubscribe at the bottom of SESSIONSTACK emails.
  • Subject Matter
    • SESSIONSTACK’s provision of the Services and related technical support to Client.
  • Data Subjects
    • The personal data processed concern the following categories of data subjects: End User behaviour on Client’s websites.
  • Nature and Purpose of the Processing
    • SESSIONSTACK will process Personal Data via the Software for the purposes of providing the Services and related technical support to Client in accordance with the Data Processing Addendum.
  • Duration of the Processing
    • The applicable Term plus a period of 30 days from expiry of such Term in accordance with the Data Processing Addendum, unless the Client or the GDPR requires otherwise.
  • Categories of Data and Purpose of its Processing
    • Personal data submitted, stored, sent or received by Client may include the following categories of data:
      • Name of Client representative – necessary for identification of the Client.
      • Email address of Client representative – necessary for authenticating the Client before allowing its access to the Software and Client Data, including Client Personal Data, as well as for providing technical support.
    • SESSIONSTACK shall not use any other personal data, entered by Client representative, except for categories of data, described in Section (a) above.
    • Other data, concerning behaviour of End Users on Client’s websites is at the full discretion of the Client. Client specifies the type of monitored and recorded data and is entirely responsible before End users for processing legally their personal data via the Software.
    • It is not SESSIONSTACK’s obligation to monitor or control the legality of End User personal data, processed for the Client at his instructions.
    • It is the Client’s responsibility to provide and guarantee that the processing personal data activities, performed by Client with End Users Personal Data through the Software shall be compliant with the requirements of the GDPR.
    • The Client hereby indemnifies and shall hold SESSIONSTACK harmless for all claims and damages, which may ensue from the processing personal data activities, performed by Client with End Users Personal Data through the Software. As SESSIONSTACK has no control on the content of Client’s websites, it shall not be SESSIONSTACK’s but Client’s responsibility to provide the compliance of his websites with the GDPR and to provide End User’s rights. In the event of a third-party claim or sanctions by a competent authority in respect of processing third party personal data via the Software in violation of GDPR by Client or Client representatives, Client shall compensate SESSIONSTACK for all sustained damages, including any compensations, administrative penalties and sanctions, reasonable lawyer fees, expenses, etc.
  • Method of collection
    • Client representatives provide personally the Personal data, entered or uploaded in the Software at registration.
    • Client and Client representatives shall enter third party personal data only with due authorization by such party. Client and Client representatives are responsible for entering somebody else’s personal data without due authorization. SESSIONSTACK does not control the content, entered by Client and Client representatives. SESSIONSTACK has no contact with any third parties, whose personal data the Client or Client representatives may enter in the software. In the event of a third-party claim or sanctions by a competent authority in respect of entering third party personal data in the Software in violation of GDPR by Client or Client representatives, Client shall compensate SESSIONSTACK for all sustained damages, including any compensations, administrative penalties and sanctions, reasonable lawyer fees, expenses, etc.
  • Data Subjects
    • Personal data submitted, stored, sent or received via the Services may concern the following categories of data subjects: Client representatives; End Users of Client’s websites.
    • Client shall grant access to End Users after acquainting them to the information, provided to Client in this DPA, the rights of the End Users under the GDPR and the methods of their implementation. Client acknowledges that such provision of information is required by GDPR and is necessary for the implementation of GDPR principals of data protection. Client shall also grant access to End Users, who have accepted the terms and conditions of data protection, included in this DPA. In the event of a Data Subject claim or sanctions by a competent authority in respect of processing personal data with the Software in violation of GDPR by Client or End User, Client shall compensate SESSIONSTACK for all sustained damages, including any compensations, administrative penalties and sanctions, reasonable lawyer fees, expenses, etc.
  • Data Deletion
    • SESSIONSTACK will enable Client and/or End Users to delete Client Data during the applicable Term in a manner consistent with the functionality of the Services, if such deletion is in accordance with applicable law. SESSIONSTACK will comply with this instruction as soon as reasonably practicable and within a maximum period of 30 days, unless EU or Bulgarian law requires storage.
    • With this DPA the Client instructs SESSIONSTACK to delete on expiry of the applicable Term all Client Data (including existing copies) from SESSIONSTACK’s systems in accordance with applicable law. SESSIONSTACK will comply with this instruction as soon as reasonably practicable and within a period of 30 days, unless Client requires otherwise or EU or Bulgarian law requires storage. Client acknowledges and agrees that Client will be responsible for exporting, before the applicable Term expires, any Client Data it wishes to retain afterwards.
    • To the extent any Client Data covered by the deletion instruction described in Section (b) is also processed, when the applicable Term expires, in relation to an Agreement with a continuing Term, such deletion instruction will only take effect with respect to such Client Data when the continuing Term expires.
    • For clarity, this Data Processing Addendum will continue to apply to Client Data until its deletion by SESSIONSTACK.
  • Data Security
    • SESSIONSTACK will implement and maintain technical and organizational measures to protect Client Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. The Technical and organizational measures include measures to help ensure ongoing confidentiality, integrity, availability and resilience of SESSIONSTACK’s systems and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. SESSIONSTACK may update or modify the Technical and organizational Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
    • SESSIONSTACK will take appropriate steps to ensure compliance with the Technical and organizational Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
    • Client agrees that SESSIONSTACK will (taking into account the nature of the processing of Client Personal Data and the information available to SESSIONSTACK) assist Client in ensuring compliance with any of Client’s obligations in respect of security of personal data and personal data breaches, including if applicable Client’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by:
      • (a) implementing and maintaining the Technical and organizational Measures in accordance with the GDPR;
      • (b) complying with the procedures for Data Incidents notification and regulation as required by the GDPR;
      • (c) providing Client with the necessary information and documentation as required by the GDPR.
  • Data Incidents
    • If SESSIONSTACK becomes aware of a Data Incident and if the is required by the GDPR, SESSIONSTACK will notify Client of the Data Incident promptly and without undue delay; and promptly take reasonable steps to minimize harm and secure Client Data.
    • Notifications made pursuant to this section will implement the requirements of the GDPR and will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps SESSIONSTACK recommends Client take to address the Data Incident.
    • Notification of any Data Incident will be delivered to the Email Address of the Client, recorded at registration in the Website. Client is solely responsible for ensuring that the Client’s Email Address is current and valid.
    • SESSIONSTACK will not assess the contents of Client Data in order to identify information subject to any specific legal requirements. Client is solely responsible for complying with incident notification laws applicable to Client and fulfilling any third party notification obligations related to any Data Incident.
    • SESSIONSTACK’s notification of or response to a Data Incident under this Section will not be construed as an acknowledgement by SESSIONSTACK of any fault or liability with respect to the Data Incident.
    • Client acknowledges that although SESSIONSTACK will take all reasonable precautions to keep personal data safe and secure, SESSIONSTACK shall not be liable for extraneous circumstances such as theft, communication errors or malicious tampering.
  • Client’s Security Responsibilities
    • Client agrees that Client is solely responsible for its use of the Services and the compliance of Client’s and End Users’ activities with GDPR, including:
      • (i) making appropriate use of the Services and the Software to ensure a level of security appropriate to the risk in respect of the Client Data;
      • (ii) securing the account authentication credentials, systems and devices Client uses to access the Services; and
      • (iii) backing up its Client Data; and
      • (iv) securing compliance with GDPR requirements towards End Users, including acquiring necessary consent.
    • Client agrees that SESSIONSTACK has no obligation to protect Client Data that Client elects to store or transfer outside of SESSIONSTACK’s and its Subprocessors’ systems (for example, offline or on-premise storage), or to protect Client Data by implementing or maintaining Technical and organizational Measures except to the extent Client has opted to use them.
    • Client is solely responsible for reviewing SESSIONSTACK’s Technical and Organisational Measures and evaluating for itself whether the Services, the Technical and organizational Measures and SESSIONSTACK’s commitments under DPA will meet Client’s needs, including with respect to any security obligations of Client under the European Data Protection Legislation, as applicable.
    • Client acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Client Personal Data as well as the risks to individuals) the Technical and organizational implemented and maintained by SESSIONSTACK as set out in this DPA provide a level of security appropriate to the risk in respect of the Client Data.
  • Impact Assessments
    • Client agrees that SESSIONSTACK may (taking into account the nature of the processing and the information available to SESSIONSTACK) assist Client in ensuring compliance with any obligations of Client in respect of data protection impact assessments and prior consultation, including if applicable Client’s obligations pursuant to Articles 35 and 36 of the GDPR, by providing the Client with SESSIONSTACK’s Technical and Organisational Measures and providing other information contained in the applicable Agreement including this Data Processing Addendum.
    • SESSIONSTACK may charge a fee (based on BAMP’s reasonable costs) for any assistance under Section (a) above. SESSIONSTACK will provide the Client with details of any applicable fee, and the basis of its calculation, in advance of any such assistance.
    • SESSIONSTACK may object in writing to providing any assistance under Section (a) above at its own discretion, if it will harm or may harm in any way SESSIONSTACK’s legal rights, business interests, normal course of activities or may be otherwise manifestly unsuitable.
  • Monitoring
    • In order to assist the Client with its legal obligation to diligently choose a service provider, SESSIONSTACK shall monitor, by appropriate means, its own compliance and the compliance of its employees and Sub-processors with the respective data protection obligations of a Processor laid down in Art. 28 of the GDPR and in this DPA in connection with the Services. SESSIONSTACK shall make available to the Client any information necessary to demonstrate compliance with such obligations when required by the GDPR.
  • Reviews and Audits of Compliance
    • SESSIONSTACK has made available for review by Client SESSIONSTACK’s Technical and organizational measures and Standard Contract Clauses with Subprocessors. The Client is responsible to confirm before processing is carried out that SESSIONSTACK’s technical and organizational measures are appropriate and sufficient to protect the rights of the data subjects.
    • If the European Data Protection Legislation requires, SESSIONSTACK will allow Client or an independent auditor appointed by Client to conduct audits to verify SESSIONSTACK’s compliance with its obligations under this Data Processing Addendum. SESSIONSTACK will contribute to such audits by providing information and documentation as described in Section (a) above or to the extend, required by GDPR and Bulgarian data protection legislation.
    • Following receipt by SESSIONSTACK of a request for an audit, SESSIONSTACK and Client will discuss and agree in advance on reasonable start date, scope and duration of and security and confidentiality controls applicable to any audit.
    • SESSIONSTACK may charge a fee (based on SESSIONSTACK’s reasonable costs) for any audit. SESSIONSTACK will provide Client with further details of any applicable fee, and the basis of its calculation, in advance of any such review or audit. Client will be responsible for any fees charged by any auditor appointed by Client to execute any such audit.
    • SESSIONSTACK may object in writing to an auditor appointed by Client to conduct any audit, if the auditor is, in SESSIONSTACK’s reasonable opinion, not suitably qualified or independent, a competitor of SESSIONSTACK, or otherwise manifestly unsuitable. Any such objection by SESSIONSTACK will require Client to appoint another auditor or conduct the audit itself.
  • Data Subject Rights
    • During the applicable Term, SESSIONSTACK will, in a manner consistent with the functionality of the Services, enable Client to access, rectify and restrict processing of Client Data, including via the deletion functionality provided by SESSIONSTACK as described in this DPA and to export Client Data.
    • SESSIONSTACK agrees and warrants that it will deal promptly and properly with all inquiries from the Client relating to its processing of the Client personal data and to abide by the advice of the supervisory authorities with regard to the processing of the Client personal data data.
    • Client agrees that (taking into account the nature of the processing of Client Personal Data) SESSIONSTACK will assist Client in fulfilling any obligation to respond to requests by data subjects, when required to do so in its capacity of a Processor, including if applicable Client’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, by complying with the GDPR obligatory requirements. However, the obligation for providing information and acquiring consent by End Users is borne entirely by the Client.
  • Transfers of Data Out of the EU/EEA
    • Client agrees that SESSIONSTACK may store and process Client Data in the United States and any other country in which SESSIONSTACK or any of its Subprocessors maintains facilities.
    • If the storage and/or processing of Client Personal Data involves transfers of Client Personal Data out of the EU/EEA and the European Data Protection Legislation applies to the transfers of such data (“Transferred Personal Data”), SESSIONSTACK may enter into Standard Contract Clauses with Subprocessors as provided by the respective Subprocessors and that the transfers are made in accordance with such Standard Contract Clauses.
    • In respect of Transferred Personal Data, Client agrees that any such Transfer of Data shall be considered as a contractual obligation of BAMP in fulfilling SESSIONSTACK obligation to provide the Services and more specifically as a Client’s instruction in the meaning of GDPR.
    • In respect of Transferred Personal Data, Client agrees that entering into Subprocessors’ Standard Contract Clauses shall be considered as suitable guarantees and effective legal tools for personal data protection.
    • Whenever BAMP has entered into Standard Contract Clauses, SESSIONSTACK will ensure that any disclosure of Client’s personal data, and any notifications relating to any such disclosures, will be made in accordance with such Standard Contract Clauses.
  • Subprocessors
    • Client generally authorizes the engagement of any other third parties as Subprocessors.
    • Information about the SESSIONSTACK Subprocessors is available in Appendix 1 below and may be updated by SESSIONSTACK from time to time.
    • When engaging any Subprocessor, SESSIONSTACK will ensure via a written contract or another suitable electronic form that: (i) the Subprocessor only accesses and uses Client Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with any Standard Contract Clauses entered into by SESSIONSTACK; and (ii) if the GDPR applies to the processing of Client Personal Data, the data protection obligations set out in Article 28(3) of the GDPR, as required by the GDPR, are imposed on the Subprocessor.
    • Subprocessor remain fully liable for all obligations subcontracted to them and all acts and omissions of the Subprocessor.
    • When any Additional service is engaged via a Subprocessor during the applicable Term, which impacts personal data processing, SESSIONSTACK will inform the Client of the engagement either by sending a Newsletter or an email to the Client Email Address or via the Admin Console.
    • Client may object to any new Subprocessor by terminating the applicable Agreement or the Service, provided by the Subprocessor immediately upon written notice to SESSIONSTACK, on condition that Client provides such notice within 30 days of being informed of the engagement of the Subprocessor. This termination right is Client’s sole and exclusive remedy if Client objects to any new Subprocessor.
  • Records
    • Client acknowledges that SESSIONSTACK is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which SESSIONSTACK is acting and, where applicable, of such processor’s or controller’s local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, if the GDPR applies to the processing of Client Personal Data, Client will, where requested, provide such information to SESSIONSTACK and will ensure that all information provided is kept accurate and up-to-date.
  • Liability.
    • Nothing in this DPA will affect the remaining terms of the applicable Agreement relating to liability (including any specific exclusions from any limitation of liability).
  • Effect of Addendum
    • To the extent of any conflict or inconsistency between the terms of this Data Processing Addendum and the remainder of the applicable Agreement, the terms of this Data Processing Addendum will govern. For clarity, this Data Processing Addendum will, as from the Effective Date be effective and replace any previously applicable data processing provisions.
    • Effective Date means, as applicable:
      • (a) 25 May 2018, if Client clicked to accept or the parties otherwise agreed to this Data Processing Addendum in respect of the applicable Agreement prior to or on such date; or
      • (b) the date on which Client clicked to accept or the parties otherwise agreed to this Data Processing Addendum in respect of the applicable Agreement, if such date is after 25 May 2018.
    • This Data Processing Addendum will take effect on the Effective Date and, notwithstanding expiry of the Term, remain in effect until, and automatically expire upon, deletion of all Client Data by SESSIONSTACK.
  • Applicable law
    • This DPA shall be governed by the law of Bulgaria. The place of jurisdiction for all disputes regarding this DPA shall be Sofia, Bulgaria, except as otherwise stipulated by applicable data protection law.

Appendix 1: Subprocessors

For providing quality services to the Client SESSIONSTACK engages Subprocessors, carefully selected according to their capacity for Client personal data protection and processing in compliance with SESSIONSTACK’s obligations under this DPA and the GDPR. All Subprocessors, situated out of EU, whose services require transfer of personal data out of EU, shall be compliant with the requirements of Section 22. Transfers of Data Out of the EU/EEA, including Privacy Shield Compliance SESSIONSTACK uses as Subprocessors and Client personal data may be transferred to the following service providers:
  1. Customer relationship management;
  2. Email automation software;
  3. Email server;
  4. Hosting services;
  5. Billing software services;
  6. Communications software;
  7. Survey software.
  8. Analytics software.
  9. Issue tracking software.

Appendix 2: Description of the Technical and Organizational Security Measures Implemented by SESSIONSTACK:

SECURITY AREAS SECURITY MEASURES FOR PERSONAL DATA PROTECTION
NETWORK AND SYSTEMS SECURITY Firewall and router configurations have to be set-up, in order to restrict the traffic, inbound and outbound, from “untrusted” networks (including wireless) and hosts. Deny all other traffic except, for protocols necessary for the personal data environment (PDE).
Production (real) data should only be allowed in production environments. Upon exception and with all necessary approvals, QA environments may process (real) personal data only to the extent that they are protected as production environments. The environment of testing and development, as well as pre-production environments must use either anonymized or synthetic data.
Standard hardening configuration templates have to be developed for databases, applications, operating systems and applications containing personal data.
DATA SECURITY Personal data retention time must be limited to the extent which is necessary for each single processing activity, albeit in compliance with legal and/or regulatory (retention) obligations.
Strong cryptography and security protocols have to be implemented, in order to protect personal data during the transmission over open, public or untrusted networks.
In case the channel encryption is not possible, files and attachments containing personal data have to protected by means of encryption whenever they are transmitted over open, public or untrusted networks.
Security tools should be used, to monitor and control the flow of personal data through endpoints and towards external networks.
Databases/data storages encryption should be based upon a proper classification of assets in scope, according to the level of criticality. As a sample, databases/data storages serving bank’s core business processes/services or storing a large amount of personal data may be protected by strong encryption. Each Legal Entity shall decide whether to implement encryption or not, as well as the granularity of encryption to be enforced (e.g. at storage level or table level).
Personal data at rest should be protected by encryption when they are stored by Cloud Providers and/or other Third Parties Data Processors.
Media containing personal data must be protected against unauthorized access, through adequate physical (e.g. lock) and logical (e.g. encryption, access control, etc.) security measures.
Upon return and/or dismissal of ICT assets and resources, secure clean-up procedures (e.g. wiping) should be put in place, in order to remove all personal data and/or securely overwrite prior to disposal or re-use.
Paper documents or magnetic/optical media (e.g.: hard disks, DVDs, CDs, smart cards, USB flash drives) have to be destroyed or rendered unusable to ensure that the data and information they contain cannot be reconstructed and/or used (even partially) by unauthorized Third Parties. Paper documents have to be physically destroyed before being trashed, through specific shredder devices.
Employees must be adequately educated and trained on the correct rules of conduct to be adopted for the protection of personal data contained in paper documents (example: in case of removal from the workstation make sure that nobody can access confidential information, protect the original documents and the photocopies from theft or unauthorized use, keep the documentation in drawers and closets locked at the end of the working session)
DATA AVAILABILITY Proper procedures should be put in place in order to restore the availability of personal data (as a right of the data subject) in a timely manner. Back-up procedures should ensure copies of personal data at least weekly.
IDENTITY AND ACCESS MANAGEMENT Access authorization to production environments containing personal data, they should be given according to the “need to know” and “least privilege” principles.
Policies and procedures must be implemented to ensure the proper identification of users and administrators accessing system components managing personal data. All users should be assigned with a unique user name before allowing them to access system components or personal data.
Individual remote administrative accesses to systems managing personal data have to be protected, by means of an authentication mechanism requiring password or private encryption key changes every 90 days. Additionally, password vaulting tools should be evaluated in order to increase credentials’ security.
Passwords for systems and devices managing personal data must contain at least 8 digits, not easily attributable to the user, and they must be changed at least every 3 months.
Remote access (from external networks) to PDE have to be protected by means of multi-factor authentication.
All accesses to databases containing personal data should be protected/controlled as follows: – Application credentials to access databases cannot be used by individual users or other non-application processes – Such application/system user credentials must be appropriately protected against potential misuse. – Access must be granted only to the personnel who really needs it for the performance of own job/tasks (need to know principles) – A formal user registration and de-registration process should be implemented to enable assignment of access rights to manage personal data.
Number of personal data repositories (databases, files, copies, archives) should be kept to an absolute minimum, avoiding unnecessary duplication. Instead of duplication, preference should be given to pseudonymised databases, that perform look-ups into master repositories for specific personal data, if, and when needed.
Visibility of personal data must be limited to the sole set of information which is necessary for the single processing activities. No unnecessary personal data should be made available to users.
Users’ access rights to personal data should be reviewed/re-certified at regular intervals and, in any case, at least annually – as per the regular Identity and Access Management process.
Administrators should be required to access a system using a fully logged and non-administrative account. Then, once logged onto the machine without administrative privileges, the administrator should gain administrative privileges.
LOGGING AND MONITORING Access to production environments containing personal data – and where technically possible access to personal data –  should be monitored and logged, in order to precisely record the link between access and individual user accessing personal data
Record at least the following audit log entries for all system components processing personal data for each event: – User identification – Type of event – Date and Time – Success or failure indication – Source of event – Identity of affected data (NDG for client and the ID for others), system component, or resource.
Upon necessity and/or regulatory request, the Data Controller has the right to obtain logs from the Third-Party Data Processor and/or Cloud Provider processing personal data on its behalf.
ORGANISATION AND HUMAN SECURITY Adequate procedures should be put in place to ensure the continuous availability of personal data: back-up personnel should be identified to ensure the continuity of the service to the data subject willing to access own personal data.
A formal security awareness program has to be implemented, to make all personnel aware of policy and procedures related to personal data security. Periodic tests or simulations may be performed, to assess whether employees click on a link from suspicious e-mail or provide personal/sensitive information without following appropriate security procedures to verify the reliability of the source. As a consequence, targeted training should be provided to those employees falling victim to the test.
Clear contractual agreements have to be signed-off with service providers, in order to state their responsibility for the security of personal data they process/store/transmit on behalf of the Data Controller.
Employees responsibilities and duties on the confidentiality of personal data should be clearly stated as valid also after the termination or change of employment.
Personal data must not be copied on removable media, except from those media expressly authorized by the Processor for specific tasks.
DATA PROTECTION BY DESIGN Processes and tools for the Secure Software Development Lifecycle (SDLC) have to be integrated with appropriate security check/controls and requirements, in order to ensure that new ICT software/applications are designed and developed taking into consideration the requirements of embedded security.
Processes of ICT Change Management have to be integrated with appropriate security check/controls and requirements, in order to ensure the continuous protection of ICT software/applications in place, upon relevant changes.
PERSONAL DATA BREACH NOTIFICATION Processes and tools for Incident Management have to properly implemented and/or improved, in order to enable the detection and classification of personal data breaches so that they are correctly communicated to the Controller within the terms established in the paragraph “Notification obligation and Security Breach“.
A register of personal data breaches should be created and maintained.

 

1,000 sessions / mo. No credit card required.

Get Started
Login Sign up Free