“Data Protection Authorities (DPAs)” means independent public supervisory authorities established under GDPR and United States Data Protection Laws and Regulations.
“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the United States, European Union, the European Economic Area and their member states, and the United Kingdom, to which Egnyte is bound in relation to its processing of Personal Data under the Agreement.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means any Customer Content relating to an identified or identifiable natural person under applicable Data Protection Laws and Regulations.
“Security Breach” means the actual or suspected unauthorized acquisition, destruction, loss, misappropriation or access to, disclosure, use or modification of the Customer Content while stored by Egnyte. A Security Breach does not include any of those events occurring due to Customer or User actions or inactions, such as a failure to adequately protect Account access information, or the transfer of Content by Customer or a User to a third party outside of Egnyte’s network, etc.
The parties acknowledge and agree that with regard to the processing of Personal Data, Customer is the “Controller” and Egnyte is the “Processor”.
To the extent that Egnyte is to process Personal Data at the express written or electronic instruction of Customer or a User, Egnyte agrees to:
1.1. comply with its obligations under applicable Data Protection Laws and Regulations, as well as the confidentiality and data security provisions of this Agreement;
1.2. only process the Personal Data for the limited purposes of performing its obligations as a data processor under this Agreement;
1.3. process the Personal Data only in accordance with Customer’s documented instructions (from time to time) and procure that any Egnyte personnel or other person acting under the authority of Egnyte does the same;
1.4. assist Customer in fulfilling its obligations to respond to requests for exercising the User’s (“data subject’s”) rights under GDPR, including by implementing appropriate technical and organisational measures to enable such assistance. To the extent legally permitted, Customer shall be solely responsible for any costs arising from Egnyte’s provision of such assistance;
1.5. promptly provide to Customer such assistance as the Customer may from time to time reasonably require to enable it to comply with its security, breach notification, impact assessment, prior consultation, record keeping and DPA cooperation responsibilities under GDPR;
1.6. allow for and contribute to audits and inspections conducted by DPAs having proper legal authority over Egnyte’s Services’ infrastructure;
1.7. only store and process Content, including Personal Data, within the EEA for Customers who have notified Egnyte of this requirement in writing prior to implementation of the Services;
1.8. maintain a record of all categories of processing activities carried out on behalf of a Customer, in accordance with GDPR;
1.9. notify Customer of any communication, including complaints, received from Users pertaining to the privacy or security of their Personal Data; and
1.10. purge all Content following termination of the Agreement as set forth in the termination provisions of the Agreement.
Notwithstanding the above, it is understood and agreed by the parties that, by the very nature of the Services provided by Egnyte, Customer and/or its Users are being provided with an ability to send and share files with third parties globally. The Content sent and shared is determined solely by Customer and/or its Users and may include, without limitation, Personal Data. In this regard, the parties understand and agree that (a) Egnyte does not actively monitor such activities; (b) the provisions in this Agreement speaking to the processing (i.e. handling, storage, transference, etc.) of Personal Data by Egnyte shall not be construed as requiring Egnyte to take on any monitoring activities or be responsible for Customer or User initiated actions taken in connection with usage of the Services (except to act on those Customer or User initiated actions in the normal course of providing the Services); and (c) Customer shall, in its use of the Services, only submit (and ensure that Users submit) instructions to Egnyte that comply with applicable Data Protection Laws and Regulations. Customer and its Users shall have sole responsibility for the accuracy, quality and legality of the Personal Data and the means by which they acquired Personal Data.
With respect to any Egnyte transfers of Personal Data from the EU, EEA or UK to Egnyte’s facilities in the United States (per the requests of Customer or Users), Egnyte complies with the EU-U.S. Privacy Shield Framework self-certification and is committed to handling all such Personal Data in accordance with the requirements thereof.
Egnyte may subcontract portions of the Services, provided that Egnyte shall remain the primary provider of the Services and is responsible for all such subcontracted obligations under the Agreement. If Customer is located within the EEA or has Users based in the EEA, prior to Egnyte engaging a new subcontractor during the Subscription Term that will assist in the processing of Personal Data under the Agreement, Egnyte shall provide Customer with advance notice of the engagement of the subcontractor and an opportunity to object thereto. If Customer objects on reasonable grounds to the engagement of the new subcontractor, the parties will discuss in good faith the possible options for resolving the objection. Egnyte will ensure that any sub-processor agreement contains at least the same data protection obligations as set out in this Agreement.
Security and Data Protection Impact Assessments. If requested by Customer, Egnyte will cooperate with Customer in an initial security assessment, including the completion of a risk assessment questionnaire. In addition, Egnyte will provide Customer with SSAE16 Reviews from the third-party data center providers utilized in the provision of the Services as well as with the results of the penetration testing which Egnyte has periodically performed by qualified third-party security consultants.
As from May 25, 2018, upon Customer’s written request and provided that (i) Customer does not have access to the necessary information and (ii) such information is within Egnyte’s possession (that is, without Egnyte having to expend more than nominal efforts to generate the information), Egnyte shall provide Customer with the information it possesses that is needed to fulfill Customer’s obligation under GDPR to carry out a data protection impact assessment related to Customer’s use of the Services. To the extent required under GDPR, Egnyte will provide additional, reasonable cooperation to Customer in its prior consultation with a Data Protection Authority regarding the data protection impact assessment.
All such information provided by Egnyte hereunder shall be considered the Confidential Information of Egnyte and held in confidence in accordance with the terms of the Agreement.
Backup and Business Continuity. Egnyte maintains a business continuity program, including a recovery plan, sufficient to ensure Egnyte can continue to function through an operational interruption and continue to provide Services to Customer. The program provides a framework and methodology, including a business impact analysis and risk assessment process, necessary to identify and prioritize critical business functions. In the event Egnyte experiences an event requiring recovery of systems, information or services, the recovery plan will be executed promptly. Egnyte continuously enhances the security of the Services and the availability of its multi-tenant, enterprise-class cloud infrastructure. Egnyte maintains multiple copies of Customer’s Content across two data centers at all times to ensure availability and redundancy.