DPA – September 2022
Version: September 21, 2022
If you started a subscription before September 21, 2022, your use of the Bringg Services is governed by the terms here.
This Data Processing Agreement (“DPA”) forms part of the Services Agreement by Bringg Delivery Technologies Ltd., and/or any of its Affiliates (“Bringg”) and the Customer entering into the Services Agreement for the subscription to the Services described in the Service Order (the “Customer”). Bringg and the Customer are collectively referred to as the “Parties”, and each a “Party”. All capitalized terms not defined in this DPA shall have the meanings set forth in the Services Agreement.
Unless otherwise expressly stated in the Service Order, this version of the DPA shall be effective and remain in force for the term of such Service Order. In the event of any conflict or inconsistency between the terms of this DPA and the terms of the Service Order, the terms of the Service Order shall control. In the event of any conflict or inconsistency between the terms of this DPA and the terms of the online Terms of Service, the terms of this DPA shall control.
This DPA sets out the roles and obligations that apply when Bringg processes, transfers and gains access to Personal Data on behalf of Customer in the course of providing the Services, and when Bringg, its staff or a third party acting on behalf of Bringg receive access to Personal Data of individuals.
It is agreed that a copy of this DPA may be forwarded to the relevant Supervisory Authority, if required under Applicable Data Protection Legislation. Furthermore, the Parties agree that such authority has the right to conduct an audit of Bringg with respect to the subject matter of this DPA.
For the purposes of this DPA:
(a) “Affiliate/s” means any legal entity directly or indirectly controlling, controlled by or under common control with a party to the Services Agreement, where “control” means the ownership of a majority share of the voting stock, equity, or voting interests of such entity;
(b) “ANPD” means the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados);
(c) “Applicable Data Protection Legislation” means all applicable laws and regulations, in each case as may be amended or superseded from time to time, subject to the processing of Personal Data on behalf of the Customer under this DPA, including without limitation (as applicable), (i) the GDPR; (ii) the UK GDPR; (iii) the LGPD; and (iv) the CCPA;
(d) “CCPA” means the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), the CCPA Regulations (Cal. Code Regs. tit. 11, §§ 999.300 to 999.337), and any related regulations or guidance provided by the California Attorney General;
(e) “EEA” means the European Economic Area;
(f) “GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data;
(g) “IDTA” means the International Data Transfer Addendum to the EU SCC issued by the Information Commissioner’s Office in the UK and effective as of March 21, 2022;
(h) “LGPD” means the Brazilian Law No. 13.709 of 14 August 2018 which provides for the Protection of Personal Data and amends the Federal Law No. 12.965 of 23 April 2014;
(i) “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or as otherwise referred to as “Personal Information”, “personally identifiable information” or a similar term defined in the Applicable Data Protection Legislation;
(j) “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
(k) “Restricted Transfer” means: (i) where the GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the Data Protection Act 2018;
(l) “Standard Contractual Clauses” or “SCC” means: (i) where the GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR (“EU SCC”); and (ii) where the UK GDPR applies, standard data protection clauses set out in Decision 2010/87/EC, as amended or replaced from time to time, pursuant to Article 46 of the UK GDPR (“Prior SCC”);
(m) “Services Agreement” means the Service Order and the online Terms of Service incorporated by reference into the Service Order, and this DPA;
(n) “UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419);
(o) The terms recognized by the GDPR, UK GDPR, and LGPD, such as “Controller”, “Data Subject”, “Process”, “Processor” and “Processing”, shall have the meanings set out therein even if such terms are not capitalized in this DPA.
(p) The terms “Business”, “Service Provider”, “Third Party”, “Personal Information”, “Consumer”, “sell”, and “Business Purposes” have the meanings given to them in the CCPA.
(q) The reference to “Supervisory Authority” shall have the meaning set out in the GDPR, and where applicable, shall also refer to the ANPD.
- Roles and Responsibilities
As between Bringg and Customer, Customer is the Controller of Personal Data for the purposes of the GDPR/UK GDPR/LGPD, and the Business for purposes of the CCPA with respect to the Personal Information that is provided to Bringg for processing under the Services Agreement and as described in Exhibit A, and Bringg shall process the Personal Data and/or Personal Information as a Processor and/or Service Provider, respectively, on behalf of Customer. In this DPA, Bringg may be referred to interchangeably as “Processor” or “Bringg”, and Customer interchangeably as “Customer” or “Controller”.
- Processor’s Obligations
- The Processor, and any person acting under its authority, will collect and process Personal Data under the Services Agreement, only on behalf of the Controller, during the Term and only for the purpose of fulfilling the Services Agreement, under which Bringg will provide the Controller access to its proprietary SaaS-based last-mile logistics and delivery management platform. Processor will carry out the data processing operations, including with regard to transfers of Personal Data to a third country or an international organisation, in accordance with this DPA and any documented instructions received from the Controller (including the instructions of any users accessing the Services on Customer’s behalf).
- The subject matter, nature, purpose and duration of this Processing, as well as the types of Personal Data collected and categories of Data Subjects, are described in Exhibit A to this DPA.
- The Processor will comply with Applicable Data Protection Legislation while processing and using the Personal Data, including by implementing adequate measures to ensure the privacy of the Data Subjects’ Personal Data held by the Processor.
- Other than as permitted under this DPA, the Processor will not: (a) disclose, make available or transfer the Personal Data to any third party; (b) collect, process, retain, disclose or use any Personal Data made available to it for any purposes other than for the performance of the Services Agreement; (c) sell the Personal Information; (d) retain, use, or disclose the Personal Information outside of the direct business relationship between Bringg and the Customer.
- Processor shall keep records of its processing activities in accordance with the Applicable Data Protection Legislation and will grant to Controller and its designees all required information and access rights, strictly in accordance with the Processor’s security policy, in order to demonstrate and verify Processor’s compliance with the Services Agreement, this DPA and with Applicable Data Protection Legislation. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller at the Controller’s sole expense. If and to the extent Controller engages third parties to conduct the audit, such third parties have to be bound by confidentiality obligations similar to those agreed by Processor under this DPA. Notwithstanding the above, the Controller shall only be entitled to conduct such inspection during business hours and no more than once during one calendar year, provided that nothing in this section shall limit the timing and scope of any audit required to be conducted by Applicable Data Protection Legislation.
- Controller shall provide the Processor reasonable prior written notice of any audit or inspection to be conducted under this section and shall make (and ensure that each of its auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to the Processor’s premises, equipment, personnel and business while its personnel are on those premises in the course of such audit or inspection.
- Processor will notify Controller without undue delay if Processor is of the opinion that a written instruction received from Controller is in violation of Applicable Data Protection Legislation and/or in violation of contractual duties under the Services Agreement.
- Processor will notify Controller without undue delay if Processor or Processor’s employees violate the provisions of this DPA. Furthermore, if Processor is of the opinion that Personal Data have been or might have been illegally transferred or otherwise illegally disclosed by it to a third party, Processor will notify Controller thereof without undue delay.
- Processor undertakes to use reasonable endeavours to fully cooperate and to comply with any instructions, guidelines and orders received from the relevant Supervisory Authority.
- Where applicable, Processor shall, taking into account the nature of the processing and the information available to the Processor, assist Controller in meeting the Controller’s obligations to Data Subjects pursuant to applicable law, including assistance in helping Data Subjects to exercise their rights under applicable law, by implementing appropriate technical and organisational measures.
- Upon termination of the Services Agreement, Processor will, at the choice of the Controller, delete or return to the Controller all Personal Data provided by Controller during the provision of the Services, and delete existing copies of such Personal Data which are kept in its systems and/or premises, unless Personal Data is required to be retained by Processor under Applicable Data Protection Legislation. Return or deletion of the Personal Data may be made by way of an application program interface made available to the Controller. In that case, the Processor warrants that it will guarantee the confidentiality of the Personal Data transferred and will no longer actively process the Personal Data transferred.
- Obligations of Controller
- Controller is responsible for the evaluation of the admissibility of the data processing activities and for ensuring the rights of the Data Subjects concerned.
- Controller shall be entitled to issue written instructions regarding the scope and the procedure of the data processing activities, within the scope of the Services Agreement. Processor may charge applicable fees for such instructions or terminate the Services Agreement if it does not wish to comply with such instructions.
- The Controller warrants and undertakes that: (i) the Personal Data has been collected, processed and transferred in accordance with the Applicable Data Protection Legislation, including if required, the Controller has received all required consents from its Data Subjects; (ii) after assessment of the requirements of the Applicable Data Protection Legislation, the security measures that the Processor implements under this DPA are appropriate to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the Personal Data to be protected having regard to the state of the art and the cost of their implementation; (iii) it will promptly respond to any inquiries from Data Subjects and the applicable authorities concerning processing of the Personal Data by the Processor; (iv) it will ensure the rights of the Data Subjects concerned, including without limitation will enable the Data Subjects to inspect and correct the Personal Data which is held by the Processor where such Personal Data is inaccurate, incomplete, unclear, outdated, all as required under Applicable Data Protection Legislation; (v) it will not provide Processor any data of Data Subjects under the age of 16; and (vi) the Data Subject has been informed or will be informed before, or as soon as possible after, the transfer, that his/her personal data could be transmitted to a third country, outside of the EEA.
- Controller agrees to defend, indemnify and hold the Processor, its officers, directors, employees, agents, vendors and third party providers harmless against any and all claims, losses, penalties, causes of action, damages, liability, costs, expenses (including but not limited to attorneys’ fees and costs) or claims caused by or resulting directly or indirectly from: (i) Controller’s breach of any representation, warranty or obligation under this DPA or under Applicable Data Protection Legislation which applies to the Controller; and (ii) a third party claim, suit or proceeding that use of the Personal Data within the scope of this DPA infringes any privacy right of a third party.
- It is hereby agreed that Processor may allow its employees to access the Personal Data, all in order to perform Processor’s obligations and duties under the Services Agreement.
- Processor will be responsible for using qualified personnel with data protection training to provide the data processing activities.
- Processor will ensure that its personnel authorised to process the Personal Data on its behalf will keep confidential and will not make available any Personal Data received in connection with the Services Agreement to any third party.
- Some of Processor’s obligations may be performed by Processor’s Affiliates, as detailed in the Sub-processor’s list available here. Controller acknowledges that Processor’s Affiliates may Process Personal Data on Processor’s behalf to perform the Services under the Services Agreement.
- Processor will be liable for the acts and omissions of its Affiliates to the same extent Processor would be liable if performing the Services under the Services Agreement.
- Controller hereby consents to Processor’s use of Processor’s Affiliates in the performance of the Services in accordance with the terms of this Section 6.
- The Controller hereby grants the Processor a general authorization to use the sub-processors (“Sub-Processors”) listed here (“Sub-Processors List”) to process Personal Data and/or Personal Information on Bringg’s behalf for the purpose of providing the Services under the Services Agreement. All such Sub-processors shall be Service Providers for purposes of the CCPA.
- Processor will maintain the Sub-Processors List up to date and will update it in case of any change of the Sub-Processors, and shall notify Customer at least seven (7) days prior to any such change. Processor shall: (i) communicate the name, address and contact details of the Sub-Processor and the tasks of the Sub-Processor; (ii) ensure that it has in place, or concludes prior to engaging the Sub-Processor, a sub-processing agreement between Processor and the Sub-Processor that is no less protective with respect to Controller’s interest and protection of Personal Data than required by Applicable Data Protection Legislation, and in particular providing sufficient guarantees to implement appropriate technical and organisational measures; (iii) ensure that an adequate level of data protection for Sub-Processors that are located outside of the EEA exists or is created (e.g. by concluding Standard Contractual Clauses); (iv) ensure that it has sufficient rights against the Sub-Processor to enforce a claim or request of Controller in the context of the Services provided by the Sub-Processor; and (v) upon Customer’s request, provide copies of the Sub-Processor agreements pursuant to Clause 9(c) of the EU SCCs, in a manner to be determined in Bringg’s discretion and with all commercial information, or clauses unrelated to the EU SCCs or their equivalent, removed by Bringg beforehand.
- Objection to Sub-Processors. Customer may object prior to Bringg’s appointment or replacement of a Sub-Processor, provided such objection is based on reasonable grounds relating to data protection. In such event, the Parties shall cooperate in good faith to reach a resolution and if such resolution cannot be reached, then Bringg, at its discretion, will either not appoint or replace the Sub-Processor or, will permit Customer to suspend or terminate the affected Services (without prejudice to any fees incurred by Customer prior to suspension or termination).
- International Transfer
- The Parties agree that when the transfer of Personal Data from Customer to Bringg is a Restricted Transfer, it shall be subject to the appropriate Standard Contractual Clauses as follows:
(a) in relation to Personal Data that is protected by the GDPR, the Module Two of the EU SCCs will apply, and the Parties elect as follows: (i) include optional Clause 7; (ii) in Clause 9(a), Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 7.2 of this DPA; (iii) in Clause 11, the optional language will not apply; (iv) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) Annex I of the EU SCCs shall be deemed completed with the information set out in Exhibit A to this DPA; (vii) Annex II of the EU SCCs shall be deemed completed with the information set out in Exhibit B to this Agreement; and
(b) in relation to Personal Data that is protected by the UK GDPR, for so long as it is lawfully permitted to rely on Prior SCC for transfers of Personal Data from the United Kingdom, the Prior SCC shall apply between the Customer and Bringg on the following basis: (i) Appendix 1 shall be completed with the relevant information set out in Exhibit A to this DPA; (ii) Appendix 2 shall be completed with the relevant information set out in Exhibit B to this DPA; (iii) the optional illustrative indemnification Clause will not apply, references in the Prior SCC to “the law of the Member State in which the data exporter is established” shall be deemed to mean “the laws of England and Wales”; and (iv) any other obligation in the Prior SCCs determined by the Member State in which the data exporter is established shall be deemed to refer to an obligation under UK GDPR.
(c) Where the Prior SCCs do not apply and the Parties are lawfully permitted to rely on the EU SCC for transfers of Personal Data from the UK subject to completion of the IDTA, then the EU SCC, completed as set out above in Section 8.1(a) of this DPA shall also apply to transfers of such Personal Data, subject to the provision that the IDTA shall be deemed executed between Bringg and Customer, and the EU SCC shall be deemed amended as specified by the IDTA in respect of the transfer of such Personal Data.
(d) If neither sub-section (b) nor sub-section (c) applies, then Customer and Bringg shall cooperate in good faith to implement appropriate safeguards for transfers of such Personal Data as required or permitted by the UK GDPR without undue delay.
- In the event that any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
- Data Subjects Rights
- Processor shall, to the extent legally permitted, promptly notify Controller if it receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of processing, erasure, data portability, or to object to processing, each a “Data Subject Request”. Processor will not respond to any such requests unless authorized to do so by Controller or as required under Applicable Data Protection Legislation or under the instructions of a Supervisory Authority.
- Processor shall provide commercially reasonable assistance to Controller by taking appropriate technical and organisational measures for the fulfilment of Controller’s obligation to respond to requests for exercising the Data Subjects’ rights as laid down by Applicable Data Protection Legislation. Unless prohibited under the Applicable Data Protection Legislation, Controller will reimburse Processor for any costs and expenses related to Processor’s provision of such assistance.
- Personal Data Breach
The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach and take necessary and reasonable action to remediate such breach. Additionally, Bringg shall, taking into account the nature of the Processing and the information available to Bringg, provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its statutory obligations under the Applicable Data Protection Legislation. Each Party will reasonably assist the other Party to mitigate any potential damages in connection with this Section 10.
- Technical and Organizational Measures
Processor will implement the technical and organizational security measures as stipulated in Exhibit B of this DPA and as further detailed at: https://www.bringg.com/trust-center/. The technical and organizational security measures are aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of processing.
This DPA shall become effective upon the effective date of the Services Agreement that expressly incorporates the terms of this DPA by reference. This DPA shall remain in full force until the Services Agreement terminates (the “Term”).
In the event that the Processor is in breach of its obligations under this DPA, then the Controller may temporarily suspend the transfer of Personal Data to the Processor until the breach is repaired or the DPA is terminated.
Each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the applicable limitation of liability section of the Services Agreement, and any reference in such section to the liability of a party means the aggregate liability of that Party and all of its Affiliates under the Services Agreement and this DPA together.

This DPA represents the complete agreement concerning the subject matter hereof. The Parties may amend this DPA from time to time by mutual agreement of both Parties, subject to compliance with any required obligations under Applicable Data Protection Legislation (i.e., to inform the applicable authority where required).

This DPA shall be governed by and construed under the laws stipulated in the Services Agreement, without reference to principles and laws relating to the conflict of laws. The competent courts of the jurisdiction whose law is stipulated in the Services Agreement shall have exclusive jurisdiction with respect to any dispute and action arising under or in relation to this DPA.

If Processor makes a material change to this DPA, which it may do from time to time, then Processor will post the updated DPA to its website. Controller is responsible for checking for any change to this DPA. Continued use of the Services after a change has been posted constitutes Controller’s acceptance of any new or modified DPA.
Details of Processing
This Exhibit A forms part of the DPA and describes the processing that Bringg will perform on behalf of the Customer.
- The Parties
Controller / Data exporter

| Field | Details |
|---|---|
| Name | Customer and/or any of its Affiliates, where applicable under the Service Order and/or the Services Agreement |
| Address | The addresses of each of the Customer and/or its Affiliates as identified in the Service Order |
| Contact | As specified in the applicable Service Order |
| Activities relevant to the data transferred under the SCCs | Receipt of the Services |
| Signature and Date | This Exhibit A shall be deemed executed upon execution of the DPA. |

Processor / Data importer

| Field | Details |
|---|---|
| Name | Bringg Delivery Technologies Ltd., and/or any of its Affiliates, as specified in the applicable Service Order |
| Address | The addresses of each of Bringg and/or its Affiliates as identified in the Service Order |
| Contact | As specified in the applicable Service Order |
| Activities relevant to the data transferred under the SCCs | Provision of the Services |
| Signature and Date | This Exhibit A shall be deemed executed upon execution of the DPA. |
2. Subject Matter of the Processing:
The Personal Data is collected and processed by Processor when Controller gains access to Processor’s proprietary SaaS-based last-mile logistics and delivery management platform and driver mobile application (including the Bringg on Salesforce® offering).
3. Duration of Processing: Term of the applicable Service Order.
4. Nature of Processing: Provision of the Services (including support).
5. Categories of Data Subjects: Controller’s internal and/or external Mobile Personnel, End Customers, Admins, Dispatchers, Users, and/or any other individuals whose Personal Data is provided by the Controller to Processor.
6. Categories of Personal Data: any information provided by the Controller to Processor, which may include an End-Customer’s name, telephone number, address, e-mail address, list of delivered goods, location, and other information required to process a shipment, fulfil an order until its delivery, or process a return, and any other data Customer or a carrier requires to add to the labels on the delivered goods; Mobile Personnel’s name, phone number, locations, email address and IP/MAC address. For detailed information please visit the “Services” page.
7. Sensitive or Special Categories of Personal Data: Processor does not intentionally collect and Controller is not required to transfer any sensitive Personal Data in relation to the Data Subjects.
8. To the extent the Module Two of the EU SCCs applies to this DPA:
8.1. Frequency of the transfer: Continuous, as required for the Services.
8.2. Personal Data Retention Period:
Processor will retain Personal Data it processes hereunder only for as long as required to provide the Services pursuant to the Services Agreement. Unless otherwise agreed in writing by the Parties, after a request from the Controller to delete any Personal Data or upon termination or expiration of the Services Agreement, an automated process will begin that permanently deletes the data in accordance with the timelines set forth in the tables below:
| Type | Timeline for Deletion |
|---|---|
| Order information (including Personal Data contained in such order) | Following 90 days from the placement of each such order by an End-Customer, the data will be hashed for anonymization |
| Personal Data in Customer’s account | Upon request following the termination of the contractual relationship, within 14 days from such request |
| Database backups | Following 30 days |
| Labels | Up to 3 months |
8.3. For transfers to the Subprocessors, subject matter, nature and duration of the Processing: Refer to Section 7 of the DPA.
8.4. Competent Supervisory Authority: The Supervisory Authority competent under Clause 13(a) of such EU SCCs shall be the supervisory authority in the country of Bringg’s appointed EU Representative.
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
In order to protect the confidentiality, integrity, and availability of the information and data shared with us by our users and customers and their end-users and customers (collectively “Users”, or “you”), Bringg Delivery Technologies Ltd. and its affiliates (“Bringg”, “us” or “we”) has implemented an information security program that includes the following technical, administrative/organizational, and physical controls:
Bringg utilizes advanced tools, security procedures and engineering practices to store in a secure fashion, and protect against accidental or unlawful destruction or loss, or unauthorized disclosure or access, all User confidential or sensitive information (“User Information”) that is collected by us as part of the operation of the services of our websites and mobile applications (the “Services”).
Bringg implements a cloud-based SaaS model, currently with the use of the cloud solutions offered by Amazon Web Services (“AWS”), Google Cloud Platform (“GCP”) and Heroku, Inc. (“Heroku”) for the Bringg on Salesforce® offering, where we integrate seamlessly with carriers through various Salesforce clouds. By using AWS, GCP and Heroku, we are able to leverage the high performance, durability, scalability, availability and security of the AWS, GCP and Heroku infrastructures and procedures in the provision of our Services. All User Information collected by us as part of the operation of the Services is stored and hosted on compute resources provided by AWS and/or GCP and/or Heroku, and controlled by us (the “Database”).
Our security procedures and practices are implemented in accordance with all applicable data protection laws, are appropriate to the nature of the information collected and are aligned with industry best practices for the management, transport, and storage of User Information. We have achieved accredited certification to ISO 27001 and SOC 2 Type II demonstrating that our organization has defined and put in place best-practice information security processes.
Without limiting the foregoing, we ensure that the following systems and procedures are in place:
- Governance and organizational controls:
1.1 Reporting relationships, organizational structures, and proper assignment of responsibilities for system controls, including the appointment of the Chief Information Security Officer (CISO) with responsibility for oversight of service organization controls for security, availability, processing integrity, confidentiality, and privacy of User Information, are documented and communicated.
1.2 Bringg has established a risk assessment framework used to evaluate risks throughout the company on an ongoing basis. The risk management process incorporates management’s risk tolerance, and evaluations of new or evolving risks.
- Business Continuity
The infrastructure of the data storage facilities used to host the Database has a high level of availability and provides a resilient IT architecture. Such infrastructure is designed to tolerate system or hardware failures with minimal User impact.
- Network Security
3.1 The Database is protected by effective network security that controls both inbound and outbound data transport, including proper monitoring of Bringg network components to detect unauthorized access.
3.2 The Database is protected by network devices, including firewall and other boundary devices, in order to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists, and configurations to enforce the flow of User Information to or from the Database.
3.3 Access control lists, or traffic flow policies, are established on each managed interface, which manage and enforce the flow of User Information traffic.
3.4 Access to the Database may only be made through a limited number of access points. Traffic through these access points is encrypted in transit using the SSL communication protocol, which establishes a secure communication session with the Database.
3.5 All User Information transmitted to or from the Database and kept in the Database is protected by a minimum of 256-bit AES encryption.
- Network Monitoring and Protection
4.1. The network on which User Information is transmitted to or from the Database is constantly monitored by a wide variety of automated monitoring systems, which are designed to detect unusual or unauthorized activities and conditions at communication points.
4.2. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts and set custom performance metrics thresholds for unusual activity.
4.3. We implement Network Intrusion Detection or Prevention Systems (NIDS/NIPS) to monitor traffic of User Information to or from the Database.
4.4. Security monitoring tools help identify, and where applicable initiate a response process against or prevent, several types of denial of service (DoS) attacks, including distributed, flooding, and software/logic attacks, as well as other traditional network security threats such as Distributed Denial of Service (DDoS) attacks, Man-in-the-Middle (MITM) attacks, IP spoofing, port scanning and packet sniffing.
4.5. We review the security of the Services on a periodic basis, including testing for common vulnerabilities such as the malicious activities mentioned above, and including both uninformed outsider testing and informed insider testing.
4.6. All security issues that are identified shall be addressed within an appropriate timeframe.
- Organizational Security
5.1. Only authorized staff can grant, modify or revoke access to the Database.
5.2. We apply internal security policies and procedures which define Bringg personnel roles and their privileges; define how access to the Database is granted, changed and terminated; address appropriate segregation of duties; and define the logging/monitoring requirements and mechanisms.
5.3. We implement internal security policies and procedures required to classify sensitive information assets and clarify security responsibilities.
5.4. Our development team utilizes secure coding techniques and best practices, focused on the OWASP Top Ten. Developers are formally trained in SDL (Secure Development Lifecycle) practices annually by the Security Engineering team.
5.5. We implement a security awareness program to train Bringg personnel about their security obligations. This program includes training about data classification obligations, physical security controls, security practices and security incident reporting.
5.6. We have clearly defined roles and responsibilities for our personnel. We conduct appropriate screening before hiring any personnel who may have access to the Database or User Information.
5.7. We ensure that User Information contained in the Database cannot be read, copied, modified or deleted by any Bringg personnel without proper authorization, for the purpose of facilitating provision of Services.
5.8. We ensure that we or our hosting service provider conduct, on at least a yearly basis, an SSAE-16 SOC 2 audit by an authorized auditor and/or inspector. Such audit shall include the facilities on which the Database is stored and the applicable network systems.
- Account Security
6.1. When a User subscribes to use our Services, it is required to create one or more user, administrator or “super-user” accounts, each providing different functions made available by the Services.
6.2. We utilize a variety of tools and features to keep your accounts safe from unauthorized disclosure or use.
6.3. To help ensure that only authorized Users can login and access their accounts, we use several types of credentials for authentication, including a unique user identification and passwords.
6.4. You specify the password when you first create the account, and you can change it at any time. Passwords may contain text, numeric figures and special characters, so we encourage you to create a strong password that cannot be easily guessed.
6.5. Because credentials and passwords can be misused if they fall into the wrong hands, we encourage you to keep them in a safe place.
- Cloud Data Security Example – AWS
We have already described the details of how Bringg secures its resources, so we should now explain how security in the cloud differs slightly from security for on-premises data centers. When you move computer systems and data to the cloud, security responsibilities become shared between Bringg and the cloud service provider. To use AWS (Amazon Web Services) as an example, AWS is responsible for securing the underlying infrastructure that supports the cloud, and Bringg is responsible for anything we put in the cloud or connect to it. This shared security responsibility model reduces the operational burden in many ways and improves our default security posture.
AWS operates the global cloud infrastructure that Bringg uses to provision a variety of basic computing resources such as processing and storage. The AWS global infrastructure includes the facilities, network, hardware, and operational software (e.g., host OS, virtualization software, etc.) that support the provisioning and use of these resources. The AWS global infrastructure is designed and managed according to security best practices as well as a variety of security compliance standards.
The IT infrastructure that AWS provides to its customers is designed and managed in alignment with security best practices and a variety of IT security standards, including:
- SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
- SOC 2
- SOC 3
- FISMA, DIACAP, and FedRAMP
- DOD CSM Levels 1-5
- PCI DSS Level 1
- ISO 9001 / ISO 27001
- FIPS 140-2
- MTCS Level 3
7.1. Access Control of Processing Areas
Bringg implements suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment (namely telephones, database and application servers and related hardware) where the personal data are processed or used. AWS’s data centers are state of the art, utilizing innovative architectural and engineering approaches. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
7.2. Access Control to Data Processing Systems
Bringg implements suitable measures to prevent its data processing systems from being used by unauthorized persons. AWS has implemented a world-class network infrastructure that is carefully monitored and managed. Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACL), and configurations to enforce the flow of information to specific information system services. ACLs, or traffic flow policies, are established on each managed interface, which manage and enforce the flow of traffic. ACL policies are approved by Amazon Information Security. These policies are automatically pushed using AWS’s ACL-Manage tool, to help ensure these managed interfaces enforce the most up-to-date ACLs. AWS has strategically placed a limited number of access points to the cloud to allow for a more comprehensive monitoring of inbound and outbound communications and network traffic. These customer access points are called API endpoints, and they allow secure HTTP access (HTTPS) using Transport Layer Security (TLS 1.2 or higher), which allows you to establish a secure communication session with your storage or compute instances within AWS. To help ensure that only authorized users and processes access Bringg’s AWS Account and resources, AWS uses several types of credentials for authentication, outlined in further detail in the next section.
7.3. Access Control to Use Specific Areas of Data Processing Systems
Bringg commits that the persons entitled to use its data processing systems are only able to access the data within the scope and to the extent covered by their respective access permission (authorization) and that personal data cannot be read, copied, modified or removed without authorization. (AWS developers and administrators on the corporate network who need to access AWS cloud components in order to maintain them must explicitly request access through the AWS ticketing system. All requests are reviewed and approved by the applicable service owner. Approved AWS personnel then connect to the AWS network through a bastion host that restricts access to network devices and other cloud components, logging all activity for security review. Access to bastion hosts requires SSH public-key authentication for all user accounts on the host.) To help ensure that only authorized users and processes access Bringg’s AWS Account and resources, AWS uses several types of credentials for authentication. The following table highlights the various AWS credentials and their uses.
7.4. Transmission Control
Bringg implements suitable measures to prevent the personal data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by using state-of-the-art firewall and encryption technologies to protect the gateways and pipelines through which the data travels.
7.5. Input Control
Bringg implements suitable measures to ensure that it is possible to check and establish whether and by whom personal data have been input into data processing systems or removed. This is accomplished by:
7.5.1 An authorization policy for the input of data into memory, as well as for the reading, alteration and deletion of stored data;
7.5.2 Authentication of the authorized personnel;
7.5.3 Protective measures for the data input into memory, as well as for the reading, alteration and deletion of stored data; and
7.5.4 Electronic recording of entries and logs of configuration changes and logins.
7.6. Availability Control
Bringg implements suitable measures to ensure that personal data are protected from accidental destruction or loss and the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. Amazon’s infrastructure has a high level of availability and provides customers the features to deploy a resilient IT architecture. AWS has designed its systems to tolerate system or hardware failures with minimal customer impact. Data center Business Continuity Management at AWS is under the direction of the Amazon Infrastructure Group. Data centers are built in clusters in various global regions. All data centers are online and serving customers; no data center is “cold.” In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load balanced to the remaining sites. AWS provides you with the flexibility to place instances and store data within multiple geographic regions as well as across multiple availability zones within each region. Each availability zone is designed as an independent failure zone. This means that availability zones are physically separated within a typical metropolitan region and are located in lower risk flood plains (specific flood zone categorization varies by Region). In addition to discrete uninterruptible power supply (UPS) and onsite backup generation facilities, they are each fed via different grids from independent utilities to further reduce single points of failure. Availability zones are all redundantly connected to multiple tier-1 transit providers. The Amazon Incident Management team employs industry-standard diagnostic procedures to drive resolution during business-impacting events. Staff operators provide 24x7x365 coverage to detect incidents and to manage the impact and resolution.