Version: September 21 2022
If you started a subscription before September 21, 2022, your use of the Bringg Services is governed by the terms here.
This Data Processing Agreement (“DPA”) forms part of the Services Agreement by Bringg Delivery Technologies Ltd., and/or any of its Affiliates (“Bringg”) and the Customer entering into the Services Agreement for the subscription to the Services described in the Service Order (the “Customer”). Bringg and the Customer are collectively referred to as the “Parties”, and each a “Party”. All capitalized terms not defined in this DPA shall have the meanings set forth in the Services Agreement.
Unless otherwise expressly stated in the Service Order, this version of the DPA shall be effective and remain in force for the term of such Service Order. In the event of any conflict or inconsistency between the terms of this DPA and the terms of the Service Order, the terms of the Service Order shall control. In the event of any conflict or inconsistency between the terms of this DPA and the terms of the online Terms of Service, the terms of this DPA shall control.
This DPA sets out the roles and obligations that apply when Bringg processes, transfers and gains access to Personal Data on behalf of Customer in the course of providing the Services, and when Bringg, its staff or a third party acting on behalf of Bringg receive access to Personal Data of individuals.
It is agreed that a copy of this DPA may be forwarded to the relevant Supervisory Authority, if required under Applicable Data Protection Legislation. Furthermore, the Parties agree that such authority has the right to conduct an audit of Bringg with respect to the subject matter of this DPA.
Details of Processing
This Exhibit A forms part of the DPA and describes the processing that Bringg will perform on behalf of the Customer.
Controller/Data exporter
2. Subject Matter of the Processing:
The Personal Data is collected and processed by Processor when Controller gains access to Processor’s proprietary SaaS-based last-mile logistics and delivery management platform and driver mobile application (including the Bringg on Salesforce® offering).
3. Duration of Processing: Term of the applicable Service Order.
4. Nature of Processing: Provision of the Services (including support).
5. Categories of Data Subjects: Controller’s internal and/or external Mobile Personnel, End Customers, Admins, Dispatchers, Users, and/or any other individuals whose Personal Data is provided by the Controller to Processor.
6. Categories of Personal Data: any information provided by the Controller to Processor, which may include such End-Customer’s name, telephone number, address, e-mail address, list of delivered goods, location, and other information required to process a shipment, fulfil an order until its delivery, or process a return, and any other data Customer or a carrier requires to add to the labels on the delivered goods; Mobile Personnel’s name, phone number, locations and email address, IP/MAC address. For detailed information please visit the “Services” page.
7. Sensitive or Special Categories of Personal Data: Processor does not intentionally collect and Controller is not required to transfer any sensitive Personal Data in relation to the Data Subjects.
8. To the extent Module Two of the EU SCCs applies to this DPA:
8.1. Frequency of the transfer: Continuous, as required for the Services.
8.2. Personal Data Retention Period:
Processor will retain Personal Data it processes hereunder only for as long as required to provide the Services pursuant to the Services Agreement. Unless otherwise agreed in writing by the Parties, after a request from the Controller to delete any Personal Data or upon termination or expiration of the Services Agreement, an automated process will begin that permanently deletes the data in accordance with the timelines set forth in the tables below:
8.3. For transfers to the Subprocessors, subject matter, nature and duration of the Processing: Refer to Section 7 of the DPA.
8.4. Competent Supervisory Authority: The Supervisory Authority competent under Clause 13(a) of such EU SCCs shall be the supervisory authority in the country of Bringg’s appointed EU Representative.
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
In order to protect the confidentiality, integrity, and availability of the information and data shared with us by our users and customers and their end-users and customers (collectively “Users”, or “you”), Bringg Delivery Technologies Ltd. and its affiliates (“Bringg”, “us” or “we”) have implemented an information security program that includes the following technical, administrative/organizational, and physical controls:
Bringg utilizes advanced tools, security procedures and engineering practices to store in a secure fashion, and protect against accidental or unlawful destruction or loss, or unauthorized disclosure or access, all User confidential or sensitive information (“User Information”) that is collected by us as part of the operation of the services of our websites and mobile applications (the “Services”).
Bringg implements a cloud-based SaaS model, currently with the use of the cloud solutions offered by Amazon Web Services (“AWS”), Google Cloud Platform (“GCP”) and Heroku, Inc. (“Heroku”) for the Bringg on Salesforce® offering, where we integrate seamlessly with carriers through various Salesforce clouds. By using AWS, GCP and Heroku, we are able to leverage the high performance, durability, scalability, availability and security of the AWS, GCP and Heroku infrastructures and procedures in the provision of our Services. All User Information collected by us as part of the operation of the Services is stored and hosted on compute resources provided by AWS and/or GCP and/or Heroku, and controlled by us (the “Database”).
Our security procedures and practices are implemented in accordance with all applicable data protection laws, are appropriate to the nature of the information collected and are aligned with industry best practices for the management, transport, and storage of User Information. We have achieved accredited certification to ISO 27001 and SOC 2 Type II demonstrating that our organization has defined and put in place best-practice information security processes.
Without limiting the foregoing, we ensure that the following systems and procedures are in place:
Having described how Bringg secures its own resources, it is also important to explain how security in the cloud differs from security for on-premises data centers. When computer systems and data move to the cloud, security responsibilities become shared between Bringg and the cloud service provider. To use AWS (Amazon Web Services) as an example, AWS is responsible for securing the underlying infrastructure that supports the cloud, and Bringg is responsible for anything we put on the cloud or connect to the cloud. This shared security responsibility model reduces the operational burden in many ways and improves our default security posture.
AWS operates the global cloud infrastructure that Bringg uses to provision a variety of basic computing resources such as processing and storage. The AWS global infrastructure includes the facilities, network, hardware, and operational software (e.g., host OS, virtualization software, etc.) that support the provisioning and use of these resources. The AWS global infrastructure is designed and managed according to security best practices as well as a variety of security compliance standards.
The IT infrastructure that AWS provides to its customers is designed and managed in alignment with security best practices and a variety of IT security standards, including:
7.1. Access Control of Processing Areas
Bringg implements suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment (namely telephones, database and application servers and related hardware) where the personal data are processed or used. AWS’s data centers are state of the art, utilizing innovative architectural and engineering approaches. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
7.2. Access Control to Data Processing Systems
Bringg implements suitable measures to prevent its data processing systems from being used by unauthorized persons. AWS has implemented a world-class network infrastructure that is carefully monitored and managed. Network devices, including firewalls and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACLs), and configurations to enforce the flow of information to specific information system services. ACLs, or traffic flow policies, are established on each managed interface, which manage and enforce the flow of traffic. ACL policies are approved by Amazon Information Security. These policies are automatically pushed using AWS’s ACL-Manage tool, to help ensure these managed interfaces enforce the most up-to-date ACLs. AWS has strategically placed a limited number of access points to the cloud to allow for more comprehensive monitoring of inbound and outbound communications and network traffic. These customer access points are called API endpoints, and they allow secure HTTP access (HTTPS) using Transport Layer Security (TLS 1.2 or higher), which allows you to establish a secure communication session with your storage or compute instances within AWS. To help ensure that only authorized users and processes access Bringg’s AWS Account and resources, AWS uses several types of credentials for authentication, outlined in further detail in the next section.
7.3. Access Control to Use Specific Areas of Data Processing Systems
Bringg commits that the persons entitled to use its data processing systems are only able to access the data within the scope and to the extent covered by their respective access permission (authorization) and that personal data cannot be read, copied, modified or removed without authorization. (AWS developers and administrators on the corporate network who need to access AWS cloud components in order to maintain them must explicitly request access through the AWS ticketing system. All requests are reviewed and approved by the applicable service owner. Approved AWS personnel then connect to the AWS network through a bastion host that restricts access to network devices and other cloud components, logging all activity for security review. Access to bastion hosts requires SSH public-key authentication for all user accounts on the host.) To help ensure that only authorized users and processes access Bringg’s AWS Account and resources, AWS uses several types of credentials for authentication. The following table highlights the various AWS credentials and their uses.
7.4. Transmission Control
Bringg implements suitable measures to prevent the personal data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by using state-of-the-art firewall and encryption technologies to protect the gateways and pipelines through which the data travels.
7.5. Input Control
Bringg implements suitable measures to ensure that it is possible to check and establish whether and by whom personal data have been input into data processing systems or removed. This is accomplished by:
7.6. Availability Control
Bringg implements suitable measures to ensure that personal data are protected from accidental destruction or loss and that the availability of and access to personal data can be restored in a timely manner in the event of a physical or technical incident. Amazon’s infrastructure has a high level of availability and provides customers with the features to deploy a resilient IT architecture. AWS has designed its systems to tolerate system or hardware failures with minimal customer impact. Data center Business Continuity Management at AWS is under the direction of the Amazon Infrastructure Group. Data centers are built in clusters in various global regions. All data centers are online and serving customers; no data center is “cold.” In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load balanced to the remaining sites. AWS provides you with the flexibility to place instances and store data within multiple geographic regions as well as across multiple availability zones within each region. Each availability zone is designed as an independent failure zone. This means that availability zones are physically separated within a typical metropolitan region and are located in lower-risk flood plains (specific flood zone categorization varies by Region). In addition to discrete uninterruptible power supply (UPS) and onsite backup generation facilities, they are each fed via different grids from independent utilities to further reduce single points of failure. Availability zones are all redundantly connected to multiple tier-1 transit providers. The Amazon Incident Management team employs industry-standard diagnostic procedures to drive resolution during business-impacting events. Staff operators provide 24x7x365 coverage to detect incidents and to manage the impact and resolution.