Data Protection & Security Policy

Revision History

This policy shall be reviewed at least bi-annually and updated as needed to reflect changes to business objectives or the risk environment.

  • Version: 0.1; Date of Change: 2021-11-15; Section: Full Document; Description of Change: Initial Draft; Change Authority: Pasha Kravtsov

  • Version: 0.2; Date of Change: 2021-11-29; Section: Security and Personal Data Breaches; Description of Change: Updated Language; Change Authority: Pasha Kravtsov

Exhibit A

I. DATA SECURITY

This Section I of the Subspace Data Protection and Security Policy (also referred to herein as “Policy”) describes the reasonable technical and organizational security measures and procedures that Subspace maintains to help protect Subscriber Data within Subspace’s control from unauthorized access, modification, deletion, or disclosure. All capitalized terms not defined herein have the same meaning as in the body of the Master Terms and Conditions, and in case of any conflict between this Policy and the body of the Master Terms and Conditions (the “Agreement”), the more secure language shall control.

  1. Shared Responsibility Model. Subspace performs its obligations under the Agreement (“Subspace Obligations”) pursuant to a shared responsibility model, which requires, among other things, that Subscriber take certain steps to protect Subscriber systems and the data stored within Subscriber’s environment and under Subscriber’s control, including Subscriber’s account credentials. Subscriber shall not, under applicable law and the Agreement, provide more data to Subspace than is reasonably necessary to enable Subspace to perform the Subspace Obligations; and in particular, Subscriber shall not provide to Subspace any Restricted Data.

  2. Data Processing Facilities. Subspace maintains reasonable measures designed to prevent and detect unauthorized access to the data processing facilities where Subscriber Data is processed or stored by Subspace or one or more of its vendors for data center or cloud services, including:

  • establishing security areas, with 24-hour security service provided by the property owner;
  • protecting and restricting access paths;
  • securing data processing equipment;
  • establishing and documenting access authorizations for staff and third parties;
  • maintaining appropriate processes applicable to the use of physical access cards or keys;
  • providing that physical entries to data processing facilities (the rooms housing the computer hardware and related equipment) are capable of being locked;
  • logging and monitoring access to data centers where Subscriber Data is hosted; and
  • securing data centers where Subscriber Data is hosted with a security alarm system and other appropriate physical security measures.
  3. Subspace Systems. Subspace implements reasonable measures designed to prevent and detect unauthorized access of the Subspace systems used to process Subscriber Data. This is accomplished by:
  • implementation and maintenance of policies and training to inform staff about their obligations to access Subscriber Data and supporting systems only to the extent necessary to perform their job duties (e.g., need-to-know and the principle of least access), handle sensitive information, or report an incident, as well as the consequences for violation of such obligations;
  • authentication for all internal and external infrastructure federated from one source of truth;
  • requiring individual account credentials such as user IDs that, once assigned, are not reassigned to another person;
  • utilization of user credentials (passwords) with enforced complexity in accordance with industry standards and required modification of such credentials in accordance with industry standards;
  • automatic log-off of accounts after a defined idle period;
  • automatic disabling of individual account credentials when several erroneous passwords are entered and maintenance of a log file of events (e.g., monitoring of brute force attacks);
  • prohibition on simultaneous remote session log-ins and time limits on remote single sessions;
  • automatic deactivation of user authentication credentials (such as user IDs) in case of non-use for a defined period of time, except for those authorized solely for technical management and subject to alternate monitoring and reviews;
  • revocation of access rights upon termination of staff or a significant change in duties;
  • identification of the machine and/or user accessing Subspace systems;
  • dedication of individual machines and/or users to specific functions, where appropriate;
  • controlling and monitoring use of administrative privileges;
  • limitations and controls on Subspace network ports, protocols, and services;
  • implementation and maintenance of anti-virus scanning, intrusion detection systems, and other malware defenses on and for Subspace networks and systems;
  • maintenance of separate wireless networks for Subspace trusted devices versus guest access; and
  • risk-based implementation of industry standard encryption technologies.
  4. Access to Subscriber Data. Subspace implements reasonable measures designed to prevent and detect unauthorized access to, modification of, deletion of, or disclosure of Subscriber Data. This is accomplished by:
  • implementation and maintenance of a role-based access policy and related protective measures;
  • implementation and maintenance of data retention policies and secure deletion/destruction processes for Subscriber Data;
  • procedures limiting the release of Subscriber Data only to authorized persons; and
  • requiring, pursuant to a written agreement, reasonable security measures for third parties who are responsible for processing Subscriber Data on Subspace’s behalf.
  5. Subspace Asset Management. Subspace implements reasonable measures designed to ensure reasonable control and configuration of Subspace-owned hardware and software assets. This is accomplished by:
  • conducting and maintaining an inventory of Subspace hardware assets;
  • conducting and maintaining an inventory of Subspace software assets;
  • assessing risk-appropriate configurations to Subspace hardware and software on mobile devices, laptops, workstations, and servers;
  • changing default passwords prior to deploying any new Subspace hardware asset.
  6. Subspace Application Software Security. Subspace implements suitable measures designed to address privacy and security considerations in the development of its code. This is accomplished by:
  • separating production and non-production systems;
  • applying hardening configurations to underlying application databases;
  • implementing standardized coding practices and code reviews appropriate to the programming language and development environment; and
  • conducting periodic, risk-based penetration tests of the Subspace Platform.

II. DATA PROCESSING

This Section II describes the measures Subspace will take in respect of any Subscriber Data which is subject to the Data Protection Laws. The subject matter, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are set out in Appendix 1 to this Policy, attached hereto and incorporated herein by reference. All capitalized terms not defined herein have the same meaning as in the Agreement, and in case of any conflict between this Policy and the Agreement, the provisions of this Section II shall control.

Definitions. For the purpose of this Section II of Exhibit A to the Agreement, the following terms shall mean:

  • “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, and “Supervisory Authority” have the meaning given to them in Data Protection Laws;
  • “Data Subject Rights” means all rights granted to Data Subjects by Data Protection Law, including the right to information, access, rectification, erasure, restriction, portability, objection, and not to be subject to automated individual decision-making;
  • “Subscriber Personal Data” means any Customer Data which qualifies as Personal Data;
  • “International Data Transfer” means any transfer of Personal Data from the EEA, Switzerland or the United Kingdom to an international organization or to a country outside of the EEA, Switzerland and the United Kingdom, and includes any onward transfer of Personal Data from the international organization or the country outside of the EEA, Switzerland or the United Kingdom to another international organization or to another country outside of the EEA, Switzerland and the United Kingdom;
  • “Personnel” means any natural person acting under the authority of Vendor;
  • “Sensitive Data” means any type of Personal Data that is designated as a sensitive or special category of Personal Data, or otherwise subject to additional restrictions under Data Protection Law or other laws to which the Controller is subject;
  • “Sub-processor” means a Processor engaged by a Processor to carry out Processing on behalf of a Controller;
  • “Standard Contractual Clauses” means the clauses annexed to EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (OJ L 39, 12.2.2010, p. 5-18), and as may be approved by Supervisory Authorities from time to time; and
  • “Third-Party Controller” means a Controller for which Company is a Processor.
  1. Roles. Subscriber is a Controller and appoints Subspace as a Processor on behalf of Subscriber for the Processing of any Subscriber Personal Data.

  2. Instructions. Subspace will only Process Subscriber Personal Data on documented instructions of Subscriber. Subscriber’s instructions are documented in Appendix 1, and the Agreement and in any other documents which may be agreed to by the parties from time to time. Subscriber may issue additional instructions to Subspace as it deems necessary to comply with the Data Protection Laws.

  3. Sub-processing. Subspace will obtain Subscriber’s specific prior written authorization to engage Sub-processors who will be involved in the Processing of Subscriber Personal Data. Subspace will inform Subscriber at least thirty (30) days prior to any intended change of Sub-processor. Subspace will obtain sufficient guarantees from all Sub-processors that they will implement appropriate technical and organizational measures when Processing Subscriber Personal Data in such a manner that the Processing will meet the requirements of the Data Protection Laws and this Section II. Subspace will enter into a written agreement with all Sub-processors which imposes the same obligations on the Sub-processors as this Section II imposes on Subspace in relation to the Subscriber Personal Data. Subspace will provide a copy of Subspace’s agreements with Sub-processors to Subscriber upon request. Subspace may redact commercially sensitive information before providing such agreements to Subscriber. If any Sub-processor fails to fulfil its obligations under the Data Protection Laws or the agreements between Subspace and Sub-processor in relation to the Subscriber Personal Data, Subspace will be fully liable to Subscriber for the performance of such obligations.

  4. International Data Transfers. Subspace must obtain Subscriber’s specific prior written authorization to perform International Data Transfers of Subscriber Personal Data. Subscriber hereby authorizes Subspace to perform International Data Transfers of such Subscriber Personal Data: (i) to any country subject to a valid adequacy decision of the EU Commission; or (ii) to any data importer who has acceded to Standard Contractual Clauses between Subscriber and Subspace. To the extent any Subscriber Personal Data is subject to the Data Protection Laws, Subscriber and Subspace conclude the Standard Contractual Clauses by entering into the Agreement, which are hereby incorporated and completed as follows: the “data exporter” is Subscriber; the “data importer” is Subspace; the governing law in Clause 9 and Clause 11.3 of the Standard Contractual Clauses is the law of the EEA (including Switzerland and the United Kingdom) member state in which Subscriber is established; Appendix 1 to the Standard Contractual Clauses is Appendix 1 to this Section II, and Appendix 2 to the Standard Contractual Clauses is Section I of this Policy; and the optional indemnification clause is struck. Subspace must inform Subscriber at least thirty (30) days prior to any intended change of International Data Transfers, including the country, and the legal basis of the International Data Transfer pursuant to this Section II.

  5. Data Protection Laws applicable to International Data Transfers, and any applicable legal instrument for International Data Transfers. If such compliance is affected by circumstances outside of Subspace’s control, including circumstances affecting the validity of an applicable legal instrument, Subscriber and Subspace will work together in good faith to reasonably resolve such non-compliance.

  6. Personnel. Subspace will implement appropriate technical and organizational measures to ensure that Personnel do not Process Subscriber Personal Data except as set out in the Agreement. Subspace must ensure that all Personnel authorized to Process Personal Data are subject to a contractual or statutory obligation of confidentiality. Subspace will regularly train Personnel regarding the protection of Personal Data.

  7. Security and Personal Data Breaches. Subspace will implement technical and organizational measures to ensure a level of security appropriate to the risks presented by the Processing of Personal Data, in particular those set out in Section I to this Policy. Subspace must inform Subscriber without undue delay after becoming aware of a Personal Data Breach involving Subscriber Personal Data. Subspace will, either in the initial notice or in subsequent notices promptly as the information becomes available, inform Subscriber of: (i) the nature of the Personal Data Breach, the categories and number of Data Subjects, the categories and amount of Subscriber Personal Data impacted, the likely consequences of the Personal Data Breach, to the extent reasonably known; and (ii) commercially reasonable measures taken or proposed to be taken to address the Personal Data Breach and mitigate possible adverse effects, in Subspace’s sole discretion. If Subspace’s notice or subsequent notices are delayed, Subspace will also provide reasons for the delay. Subspace will document all Personal Data Breaches involving Subscriber Personal Data.

  8. Assistance. Subspace will assist Subscriber, including by implementing appropriate technical and organizational measures at no additional cost to Subscriber, and, at reasonable cost, with the fulfilment of Subscriber’s own obligations under the Data Protection Laws in relation to Subscriber Personal Data. Unless prohibited by Swiss, United Kingdom, EU, EEA, or their respective member states’ law, Subspace must inform Subscriber without undue delay if Subspace: (i) receives a request, complaint or other inquiry regarding the Processing of Subscriber Personal Data from a Data Subject or Supervisory Authority; (ii) receives a binding or non-binding request to disclose Subscriber Personal Data from law enforcement, courts or any government body; (iii) is subject to a legal obligation that requires Subspace to Process Subscriber Personal Data in contravention of Subscriber’s instructions; or (iv) is otherwise unable to comply with the Data Protection Laws or this Section II in relation to the Subscriber Personal Data. Unless prohibited by Swiss, United Kingdom, EU, EEA, or their respective member states’ law, Subspace will obtain Subscriber’s written authorization before responding to, or complying with any requests, orders, or legal obligations referred to in this Section, unless prohibited from doing so by applicable law.

  9. Audit. Subspace will make available to Subscriber all information reasonably necessary to demonstrate compliance with the obligations of the Data Protection Laws and this Section II, which relate to the Processing of Subscriber Personal Data, and allow for and contribute to reasonable audits, including inspections, conducted by a Supervisory Authority, Subscriber or another auditor mandated by Subscriber. Subscriber and Subspace will each bear their own costs related to an audit. In the absence of a Personal Data Breach caused by or resulting from Subspace’s acts or omissions or a request by a Supervisory Authority, in no event shall Subspace be subject to any audit or inspection more than once annually.