This policy shall be reviewed at least bi-annually and updated as needed to reflect changes to business objectives or the risk environment.
Version  Date of Change  Section                              Description of Change  Change Authority
0.1      2021-11-15      Full Document                        Initial Draft          Pasha Kravtsov
0.2      2021-11-29      Security and Personal Data Breaches  Updated Language       Pasha Kravtsov
I. DATA SECURITY
This Section I of the Subspace Data Protection and Security Policy (also referred to herein as “Policy”) describes the reasonable technical and organizational security measures and procedures that Subspace maintains to help protect Subscriber Data within Subspace’s control from unauthorized access, modification, deletion, or disclosure. All capitalized terms not defined herein have the same meaning as in the body of the Master Terms and Conditions, and in case of any conflict between this Policy and the body of the Master Terms and Conditions (the “Agreement”), the more secure language shall control.
Shared Responsibility Model. Subspace performs its obligations under the Agreement (“Subspace Obligations”) pursuant to a shared responsibility model, which requires, among other things, that Subscriber take certain steps to protect Subscriber systems and the data stored within Subscriber’s environment and under Subscriber’s control, including Subscriber’s account credentials. Subscriber shall not, under applicable law and the Agreement, provide more data to Subspace than is reasonably necessary to enable Subspace to perform the Subspace Obligations; and in particular, Subscriber shall not provide to Subspace any Restricted Data.
Data Processing Facilities. Subspace maintains reasonable measures designed to prevent and detect unauthorized access to the data processing facilities where Subscriber Data is processed or stored by Subspace or one or more of its vendors for data center or cloud services, including:
II. DATA PROCESSING
This Section II describes the measures Subspace will take in respect of any Subscriber Data which is subject to the Data Protection Laws. The subject matter, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are set out in Appendix 1 to this Policy, attached hereto and incorporated herein by reference. All capitalized terms not defined herein have the same meaning as in the Agreement, and in case of any conflict between this Policy and the Agreement, the provisions of this Section II shall control.
Definitions. For the purpose of this Section II of Exhibit A to the Agreement, the following terms shall mean:
Roles. Subscriber is a Controller and appoints Subspace as a Processor on behalf of Subscriber for the Processing of any Subscriber Personal Data.
Instructions. Subspace will only Process Subscriber Personal Data on documented instructions of Subscriber. Subscriber’s instructions are documented in Appendix 1, and the Agreement and in any other documents which may be agreed to by the parties from time to time. Subscriber may issue additional instructions to Subspace as it deems necessary to comply with the Data Protection Laws.
Sub-processing. Subspace will obtain Subscriber’s specific prior written authorization to engage Sub-processors who will be involved in the Processing of Subscriber Personal Data. Subspace will inform Subscriber at least thirty (30) days prior to any intended change of Sub-processor. Subspace will obtain sufficient guarantees from all Sub-processors that they will implement appropriate technical and organizational measures when Processing Subscriber Personal Data in such a manner that the Processing will meet the requirements of the Data Protection Laws and this Section II. Subspace will enter into a written agreement with all Sub-processors which imposes the same obligations on the Sub-processors as this Section II imposes on Subspace in relation to the Subscriber Personal Data. Subspace will provide a copy of Subspace’s agreements with Sub-processors to Subscriber upon request. Subspace may redact commercially sensitive information before providing such agreements to Subscriber. If any Sub-processor fails to fulfil its obligations under the Data Protection Laws or the agreements between Subspace and Sub-processor in relation to the Subscriber Personal Data, Subspace will be fully liable to Subscriber for the performance of such obligations.
International Data Transfers. Subspace must obtain Subscriber’s specific prior written authorization to perform International Data Transfers of Subscriber Personal Data. Subscriber hereby authorizes Subspace to perform International Data Transfers of such Subscriber Personal Data: (i) to any country subject to a valid adequacy decision of the EU Commission; or (ii) to any data importer who has acceded to Standard Contractual Clauses between Subscriber and Subspace. To the extent any Subscriber Personal Data is subject to the Data Protection Laws, Subscriber and Subspace conclude the Standard Contractual Clauses by entering into the Agreement, which are hereby incorporated and completed as follows: the “data exporter” is Subscriber; the “data importer” is Subspace; the governing law in Clause 9 and Clause 11.3 of the Standard Contractual Clauses is the law of the EEA (including Switzerland and the United Kingdom) member state in which Subscriber is established; Appendix 1 to the Standard Contractual Clauses is Appendix 1 to this Section II, and Appendix 2 to the Standard Contractual Clauses is Section I of this Policy; and the optional indemnification clause is struck. Subspace must inform Subscriber at least thirty (30) days prior to any intended change of International Data Transfers, including the country, and the legal basis of the International Data Transfer pursuant to this Section II.
Data Protection Laws applicable to International Data Transfers, and any applicable legal instrument for International Data Transfers. If such compliance is affected by circumstances outside of Subspace’s control, including circumstances affecting the validity of an applicable legal instrument, Subscriber and Subspace will work together in good faith to reasonably resolve such non-compliance.
Personnel. Subspace will implement appropriate technical and organizational measures to ensure that Personnel do not Process Subscriber Personal Data except as set out in the Agreement. Subspace must ensure that all Personnel authorized to Process Personal Data are subject to a contractual or statutory obligation of confidentiality. Subspace will regularly train Personnel regarding the protection of Personal Data.
Security and Personal Data Breaches. Subspace will implement technical and organizational measures to ensure a level of security appropriate to the risks presented by the Processing of Personal Data, in particular those set out in Section I of this Policy. Subspace must inform Subscriber without undue delay after becoming aware of a Personal Data Breach involving Subscriber Personal Data. Subspace will, either in the initial notice or in subsequent notices promptly as the information becomes available, inform Subscriber of: (i) the nature of the Personal Data Breach, the categories and number of Data Subjects, the categories and amount of Subscriber Personal Data impacted, and the likely consequences of the Personal Data Breach, to the extent reasonably known; and (ii) commercially reasonable measures taken or proposed to be taken to address the Personal Data Breach and mitigate possible adverse effects, in Subspace’s sole discretion. If Subspace’s notice or subsequent notices are delayed, Subspace will also provide reasons for the delay. Subspace will document all Personal Data Breaches involving Subscriber Personal Data.
Assistance. Subspace will assist Subscriber, including by implementing appropriate technical and organizational measures at no additional cost to Subscriber, and, at reasonable cost, with the fulfilment of Subscriber’s own obligations under the Data Protection Laws in relation to Subscriber Personal Data. Unless prohibited by Swiss, United Kingdom, EU, EEA, or their respective member states’ law, Subspace must inform Subscriber without undue delay if Subspace: (i) receives a request, complaint or other inquiry regarding the Processing of Subscriber Personal Data from a Data Subject or Supervisory Authority; (ii) receives a binding or non-binding request to disclose Subscriber Personal Data from law enforcement, courts or any government body; (iii) is subject to a legal obligation that requires Subspace to Process Subscriber Personal Data in contravention of Subscriber’s instructions; or (iv) is otherwise unable to comply with the Data Protection Laws or this Section II in relation to the Subscriber Personal Data. Unless prohibited by Swiss, United Kingdom, EU, EEA, or their respective member states’ law, Subspace will obtain Subscriber’s written authorization before responding to, or complying with, any requests, orders, or legal obligations referred to in this Section, unless prohibited from doing so by applicable law.
Audit. Subspace will make available to Subscriber all information reasonably necessary to demonstrate compliance with the obligations of the Data Protection Laws and this Section II, which relate to the Processing of Subscriber Personal Data, and allow for and contribute to reasonable audits, including inspections, conducted by a Supervisory Authority, Subscriber or another auditor mandated by Subscriber. Subscriber and Subspace will each bear their own costs related to an audit. In the absence of a Personal Data Breach caused by or resulting from Subspace’s acts or omissions or a request by a Supervisory Authority, in no event shall Subspace be subject to any audit or inspection more than once annually.