Grokstream Data Privacy and Security Policy

Last Updated 5/20/2025

This Grokstream Data Privacy and Security Policy (the “Policy”) shall become an integral part of any Services Schedule and/or Statement of Work executed by the Parties referring to these terms. This Addendum serves as a written commissioned data processing agreement between Grokstream and each Data Controller providing Company Data in connection with its use of the Services and furthermore defines the applicable technical and organizational measures Grokstream implements and maintains to protect Company Data stored in the Services. The written form of this Addendum shall be deemed to be evidenced upon Grokstream’s receipt of a signed Services Schedule.

Customer acts as the Data Controller concerning Customer Data of its own Authorized Users as well as on behalf of and in the name of the Company, its Affiliates or third parties in their capacity as Data Controllers of Named Users authorized by Customer to use the Services. Customer shall enter into data processing agreements with its Data Controllers as required to allow Grokstream (as Data Processor or Subprocessor, as the case may be) and its Subprocessors to process any Customer Data as described in this Addendum. Customer shall serve as a single point of contact for Grokstream and is solely responsible for the internal coordination, review and submission of instructions or requests of other Data Controllers to Grokstream. Grokstream shall be discharged of its obligation to inform or notify a Data Controller when it has provided such information or notice to Customer. Grokstream is entitled to refuse any requests or instructions provided directly by a Data Controller that is not Customer.

If any provision of this Addendum is found by any court of competent jurisdiction to be invalid or unenforceable, the invalidity of such provision shall not affect the other provisions of this Addendum, and all provisions not affected by such invalidity shall remain in full force and effect.

I. Data Processing Purposes

A.  Customer and its Affiliates, as the respective Data Controller(s), shall determine the purposes of collecting, processing, and otherwise using Customer Data stored in the Services. Unless provided otherwise in the Policy, the Addendum shall apply to such data processing.

B.  The purposes for processing Customer Data by Grokstream and its Subprocessors under this Addendum are limited to:

  • Setting up, operating, monitoring and providing the Services, including the underlying infrastructure (hardware, software, secure data center facilities, connectivity), as a Data Processor or Subprocessor as set forth in the Policy;
  • Providing technical support as a main obligation of Grokstream under the Policy;
  • Providing Consulting Services as a main obligation of Grokstream, if and to the extent agreed by the Parties;
  • Communicating with Named Users and other administrative purposes as clarified in the terms associated with the Services; and
  • Executing instructions of the Customer in accordance with Sections II.A and II.B below.

 

II. Grokstream Obligations

A.  Grokstream shall process Customer Data only in accordance with the Data Controller’s instructions submitted by Customer. Grokstream shall use reasonable commercial efforts to follow and comply with the instructions received from Customer if they are legally required and technically feasible and do not require any material modifications to the functionality of the Services or underlying software. Grokstream shall notify Customer if Grokstream considers an instruction submitted by Customer to be in violation of the applicable Data Protection Law. Grokstream shall not be obligated to perform a comprehensive legal examination. If and to the extent Grokstream is unable to comply with an instruction it shall promptly notify (email permitted) Customer hereof.

B.  Grokstream may, upon the instruction of Customer and with Customer’s necessary cooperation, correct, erase and/or block any Customer Data if and to the extent the functionality of the Services does not allow the Customer, its Data Controllers or Named Users to do so. In the event Grokstream needs to access any of Customer’s systems or Customer’s instance of the Services remotely to execute an instruction or provide technical support, e.g. via application sharing, Customer hereby grants to Grokstream the permission for such remote access. Further, Customer will name a contact person that – if necessary – can grant to Grokstream the required access rights.

C.  For processing Customer Data, Grokstream and its Subprocessors shall only use personnel who are subject to a binding obligation to observe data secrecy or secrecy of telecommunications, to the extent applicable, pursuant to the applicable Data Protection Law. Grokstream shall itself and shall require that its Subprocessors regularly train individuals to whom they grant access to Customer Data in data security and data privacy.

D.  Grokstream shall, as a minimum, implement and maintain appropriate technical and organizational measures as described in Appendix I of this Addendum to keep Customer Data secure and protect it against unauthorized or unlawful processing and accidental loss, destruction or damage. Since Grokstream provides the Services to all customers via a hosted, web-based application, all appropriate and then current technical and organizational measures apply to Grokstream’s entire customer base hosted out of the same data center and subscribed to the same Services. Customer understands and agrees that the technical and organizational measures are subject to technical progress and development. In that regard, Grokstream is expressly allowed to implement adequate alternative measures if the security level of the measures is maintained. In the event of any detrimental change Grokstream shall provide a notification together with any necessary documentation to Customer by email or publication on a website easily accessible by Customer.

E.  Grokstream shall regularly test the measures described in Appendix I. If a Data Controller believes that additional measures are required under the applicable Data Protection Law, Customer shall submit an instruction according to Section II.A above.

F.  Grokstream shall promptly inform Customer as soon as it becomes aware of serious disruptions of the processing operations, reasonably suspected or actual data protection violations or any Security Breach in connection with the processing of Customer Data which, in each case, may significantly harm the interests of the Data Subjects concerned.

G.  At Customer’s expense, Grokstream shall reasonably support Customer or other Data Controllers in dealing with requests from individual Data Subjects and/or a supervisory authority with respect to the processing of Customer Data hereunder.

 

III. Subprocessors

A.  Customer (also on behalf of its Data Controllers) hereby authorizes Grokstream (also for the purpose of Clause 11 paragraph 1 of this Addendum) to engage subcontractors for the processing of Customer Data (each a “Subprocessor”) to the extent necessary for fulfilling its contractual obligations under the Policy as long as Grokstream remains responsible for any acts or omissions of its Subprocessors in the same manner as for its own acts and omissions hereunder. Grokstream shall pass on to Subprocessors Grokstream’s obligation as Data Processor (or Subprocessor) vis-a-vis Customer and the respective Data Controllers as set out in this Addendum. Grokstream undertakes to have a selection process by which it evaluates the security, privacy and confidentiality practices of a Subprocessor regarding data handling on a scheduled basis (alternatively, the Subprocessor shall possess a security certification that evidences appropriate security measures are in place with regard to the Subprocessor’s services to be provided to Grokstream).

B. Grokstream will inform Customer upon its request by email about the name, address and role of each Subprocessor it uses to provide the Services. Grokstream may remove or appoint suitable and reliable other Subprocessors at its own discretion in accordance with this Section III. Grokstream will inform Customer by email in advance (except for Emergency Replacements under Section III.C.) of any changes to the list of Subprocessors, which shall be deemed accepted as long as they comply with and are bound by applicable Data Protection Law or, if a Subprocessor is incorporated outside the EEA, the Standard Contractual Clauses. If Customer has a legitimate reason to object to Grokstream’s use of a Subprocessor (e.g. if the Subprocessor is located in a country without an adequate level of data protection and Customer needs to complete additional formalities as a Data Controller prior to the use of such Subprocessor) Customer shall notify Grokstream thereof in writing within thirty (30) days after receipt of Grokstream’s notice. If Customer does not object during such time period, the new Subprocessor(s) shall be deemed accepted. If Customer objects to the use of the Subprocessor concerned Grokstream shall have the right to cure the objection through one of the following options (to be selected at Grokstream’s sole discretion): (a) Grokstream will abort its plans to use the Subprocessor with regard to Customer Data; or (b) Grokstream will take the corrective steps requested by Customer in its objection (which remove Customer’s objection) and proceed to use the Subprocessor with regard to Customer Data; or (c) Grokstream may cease to provide or Customer may agree not to use (temporarily or permanently) the particular aspect of the Services that would involve use of the Subprocessor with regard to Customer Data. 
If none of the above options are reasonably available and the objection has not been cured within thirty (30) days after Grokstream’s receipt of Customer’s objection, either party may terminate the affected Services with reasonable prior written notice.

C.  “Emergency Replacement” refers to a sudden replacement of a Subprocessor where such change is outside of Grokstream’s reasonable control (such as if the Subprocessor ceases business, abruptly discontinues services to Grokstream, or breaches its contractual duties owed to Grokstream). In such case, Grokstream will inform Customer of the replacement Subprocessor as soon as possible and the process to formally appoint such Subprocessor pursuant to Section III.B shall be triggered.

 

IV. International Transfers and Country-Specific Deviations

A.  Customer Data that Grokstream has received from any Data Controller hereunder shall only be exported by Grokstream or its Subprocessors from the Data Center to, or accessed from, a country or territory outside the EEA (“International Transfer”) if (a) the recipient itself or the country or territory in which it operates (i.e. where or from where it processes or accesses Customer Data) has been found to ensure an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of Customer Data as determined by the European Commission and subject to the scope restrictions of any such determination, or (b) when a Non-EU Entity fulfills the requirements of Section IV.B. below. The same shall apply to Grokstream receiving Customer Data directly from a Data Controller in the EEA, via Internet access to the Services hosted in a Data Center outside the EEA.

B.  Grokstream (through itself or an Affiliate) has entered into this Addendum with each Non-EU Entity processing Customer Data hereunder by means of an International Transfer. Customer hereby accedes to this Addendum and may then directly enforce it against the relevant Non-EU Entity. Customer furthermore will procure that each Data Controller will accede to such Standard Contractual Clauses entered into between Grokstream and Customer. In the event such direct right does not exist for the Data Controller or is successfully challenged by a Subprocessor, Grokstream shall enforce such Standard Contractual Clauses against the Subprocessor on behalf of the Data Controller in compliance with this Addendum. Unless otherwise agreed by the Parties, Appendix I of this Addendum as attached shall apply. Nothing in the Policy shall be construed to prevail over any conflicting Clause of this Addendum. Customer acknowledges it has had the opportunity to review this Addendum or to obtain a full copy from Grokstream.

C.  This Addendum shall be governed by the law of the Member State in which the EEA based Data Exporter is established.

D.  Switzerland. To the extent a Data Controller in Switzerland or its Named Users intend to enter Customer Data of legal entities (also considered Customer Data under the Swiss Federal Act on Data Protection) into the Services, Customer agrees to first obtain the consent (in the sense of Art. 6 para. 2, lit. b. of the Swiss Federal Act on Data Protection) of such legal entity (Data Subject) before using the Services, as described herein, for such Data Subject(s). Grokstream agrees to afford to such Customer Data a similar level of protection as set forth in Sections I, II and V of this Addendum.

E.  Austria. To the extent a Data Controller in Austria or its Named Users intend to enter Customer Data of legal entities (also considered Customer Data under the Federal Act concerning the Protection of Customer Data (DSG 2000)) into the Services, Customer agrees to first obtain the consent (in the sense of § 12 para. 3 of the DSG 2000) of such legal entity (Data Subject) before using the Services, as described herein, for such Data Subject(s). Grokstream agrees to afford to such Customer Data a similar level of protection as set forth in Sections I, II and V of this Addendum.

F.  Russian Federation. The Parties agree that Grokstream is accepting from the Customer certain Customer Data of Russian citizens for storage and shall ensure availability of such stored Customer Data, to the extent technically feasible, for the Customer’s own processing. Customer or Customer Affiliates as Data Controllers remain operators of Customer Data submitted for processing to Grokstream and are responsible for determining (i) whether Customer will be able to comply with applicable Russian privacy law in its use of Services which involve processing of Russian citizens’ Customer Data and (ii) whether Services can be used inside or outside the Russian Federation.

G.  Turkey. To the extent a Data Controller in Turkey or its Named Users intend to enter Customer Data into the Services, Customer agrees to first obtain the consent of each Data Subject to an International Transfer as contemplated under this Addendum if and to the extent required under the applicable data protection law in Turkey. The Customer hereby confirms and commits that it has received the Customer Data and informed the related persons regarding the transfer/process of the Customer Data in accordance with the applicable law.

H.  United States. Unless Grokstream and Customer have executed a Business Associate agreement for the exchange of protected health information (“PHI”) as defined in the United States Health Insurance Portability and Accountability Act of 1996, as amended, in relation to the Services, Customer hereby represents that Customer will not submit PHI to the Services nor solicit such information from partners or customers as part of use of the Service.

I.  South Korea. To the extent a Data Controller in the Republic of Korea or its Named Users intend to enter Customer Data into the Services, Customer agrees to first obtain the consent of each Data Subject to an International Transfer as contemplated under this Addendum if and to the extent required under the applicable Personal Information Protection Act of the Republic of Korea. The Customer hereby confirms and commits that it has received the Customer Data and informed the related persons regarding the transfer/processing of the Customer Data in accordance with the applicable law.

 

V. Monitoring Rights of Customer

A.  For the production systems which run the Services itself and during the term of the Policy Grokstream shall maintain directly or through its Subprocessors, at its own expense, applicable certifications or audit reports. Unless provided otherwise in a Services Schedule, Grokstream, directly or through its Subprocessors, engages an internationally recognized independent third-party auditor to review the measures in place in protection of the Service(s). Certifications may be based on ISO 27001 or other standards (scope as defined in certificate). For certain Grokstream Services, Grokstream through its Subprocessors, performs regular audits (at least annually) via certified auditors to provide a valid SOC 1 Type 2 (SSAE 16 or ISAE 3402) and/or SOC 2 Type 2 report. Audit reports are available through the third-party auditor or Grokstream, as applicable. Upon Customer’s request, Grokstream shall inform the Customer about the applicable certifications and audit standards available for the Services concerned.

B.  If Grokstream fails to perform its audit obligations under Section V.A. and has not provided sufficient evidence of its compliance after Customer’s written request, Customer (or an independent third party auditor on its behalf that is subject to confidentiality obligations consistent with those in the Policy) may audit Grokstream’s control environment and security practices relevant to Customer Data processed hereunder for Customer once in any twelve (12)-month period, with reasonable prior written notice (at least 60 days unless a data protection authority requires Customer’s earlier control under applicable Data Protection Law) and under reasonable time, place and manner conditions.

C.  Furthermore, (i) following an event set out in Section II.F. above, or (ii) if Customer or another Data Controller has reasonable ground to suspect the non-compliance of Grokstream with its obligations under this Addendum, or (iii) if a further audit is required by Customer’s or another Data Controller’s data protection authority, Customer (or an independent third party auditor on its behalf that is subject to confidentiality obligations consistent with those in the Policy) may audit Grokstream’s control environment and security practices relevant to Customer Data processed hereunder for Customer in accordance with applicable Data Protection Law.

D.  Grokstream shall reasonably support Customer throughout these verification processes and provide Customer with the required information. Customer shall bear any costs (including Grokstream’s internal resources, based on then-current daily professional service rates per the Grokstream price list) for any Grokstream efforts exceeding four (4) hours per year.

 

VI. Definitions. Any capitalized terms used herein, such as Affiliates, Policy, Customer, Named User (sometimes also referred to as User or Authorized User), Services Schedule or Services, shall have the meaning given to them in the Policy.

“Customer Data” has the meaning given to that expression in the Data Protection Law and, for the purposes of this Addendum, includes only such Customer Data entered by Customer or its Named Users into, or derived from their use of, the Services, or supplied to or accessed by Grokstream or its Subprocessors in order to provide support in accordance with the Policy. Customer Data is a sub-set of Customer Data and is used herein when any Data Protection Law applies. Customer determines the categories of data per Services subscribed. Customer’s data fields can be configured as part of the implementation of the Services or as otherwise permitted in the Services. The Customer Data transferred usually concerns (a subset of) the following categories of data: name, phone numbers, e-mail address, time zone, address data, system access / usage / authorization data, company name, contract data, invoice data, plus any application-specific data which Customers’ Named Users enter into the Services, including Bank Account data and Credit or Debit Card data. The Customer Data transferred will be subject to the following basic processing activities:

  • Use of Customer Data to provide the Services and to assist technical support
  • Storage of Customer Data in dedicated Services data centers (multi-tenant architecture)
  • Upload of any patch, update, upgrade or new release to the Service
  • Back-up of Customer Data
  • Computer processing of Customer Data, including data transmission, data retrieval, data access
  • Network access to allow Customer Data transfer, if required

 

“Data Center” means the location where the production instance of the Services is hosted for the Customer in its region, or as notified to Customer or otherwise agreed in a Services Schedule.

“Data Controller” has the meaning given to this term in the applicable Data Protection Law.

“Data Exporter” as used in this Addendum means Customer as listed in the Services Schedule of which this is a part, or its Data Controller(s). The Data Exporter is subscribed to certain Grokstream Services which allow its Named Users to enter, amend, use, delete or otherwise process Customer Data as contemplated under the Policy.

“Data Importer” as used in this Addendum means the applicable Non-EU Entity. Grokstream and its Subprocessors provide certain Services which include the hosting of the Services and the provision of technical support to Customer, its Affiliates and their respective Named Users as contemplated under the Policy.

“Data Processor” has the meaning given to this term in the applicable Data Protection Law.

“Data Protection Law” means the legislation protecting the fundamental rights and freedoms of persons, and particularly their right to privacy, with regard to the processing of Customer Data by a data processor both in the EEA and, if different, such legislation of the country where the data center is located. Grokstream may agree in a Services Schedule to comply with other compelling local data protection laws applicable to Grokstream as the Data Processor, if and to the extent agreed.

“Data Subject” means an identified or identifiable individual or a legal entity (where so defined under the applicable Data Protection Law). Unless provided otherwise by Data Exporter, Data Subjects may include employees, contractors, business partners or other individuals whose Customer Data is stored in the Service.

“EEA” means the European Economic Area.

“Grokstream” means the Grokstream entity that is the party to the Services Schedule.

“Non-EU Entity” means any Grokstream entity or Subprocessor incorporated in a country which does not provide an adequate level of data protection according to European Union (EU) laws and regulations.

“Security Breach” means any acts or omissions by Grokstream or its Subprocessors that led to an unauthorized disclosure of Customer Data in breach of the measures set forth in Appendix I or similar incident for which the Data Controller is legally required to provide notice to the Data Subject or the data protection authority concerned.

“Standard Contractual Clauses” means the (Standard Contractual Clauses (processors)) based on the Commission Decision of 5 February 2010, on standard contractual clauses for the transfer of Customer Data to processors established in third countries, under Directive 95/46/EC (notified under document number C(2010) 593), or any subsequent version thereof released by the Commission (which shall automatically apply), including Appendix I attached hereto.

“Subprocessor” as used in this Addendum means Grokstream’s Affiliates and third-party Subprocessors engaged by Grokstream or Grokstream’s Affiliates in accordance with Section III.

 

Appendix I to the Grokstream Data Privacy and Security Policy

The following sections define the current security measures established by Grokstream. Grokstream may change these at any time without notice by keeping a comparable or better level of security. This may mean that individual measures are replaced by new measures that serve the same purpose without diminishing the security level.

 

I. Physical Access Control

Unauthorized persons shall be prevented from gaining physical access to premises, buildings or rooms where data processing systems are located which process and/or use Customer Data.

All Data Centers adhere to strict security procedures enforced by guards, surveillance cameras, motion detectors, access control mechanisms and other measures to prevent equipment and Data Center facilities from being compromised. Only authorized representatives have access to systems and infrastructure within the Data Center facilities. To ensure proper functionality, physical security equipment (e.g. motion sensors, cameras, etc.) is maintained on a regular basis.

 

II. System Access Control

Data processing systems used to provide the Cloud Services must be prevented from being used without authorization.

  • Multiple authorization levels are used to grant access to sensitive systems including those storing and processing Customer Data. Processes are in place to ensure that authorized users have the appropriate authorization to add, delete, or modify users.
  • All users access Grok AIOps™ with a unique identifier (user ID).
  • Grokstream has procedures in place to ensure that requested authorization changes are implemented only in accordance with the guidelines (for example, no rights are granted without authorization). If a user leaves the company, their access rights are revoked.
  • Grokstream has established a password policy that prohibits the sharing of passwords, governs what to do if a password is disclosed, requires passwords to be changed on a regular basis and default passwords to be altered. Personalized user IDs are assigned for authentication. All passwords must fulfill defined minimum requirements and are stored in encrypted form. In case of domain passwords, the system forces a password change every six months complying with the requirements for complex passwords. Each computer has a password-protected screensaver.
  • The company network is protected from the public network by firewalls.
  • Grokstream uses up-to-date antivirus software at access points to the company network (for e-mail accounts) and on all file servers and all workstations.
  • A security patch management process is implemented to ensure deployment of relevant security updates.
  • Full remote access to Grokstream’s corporate network and critical infrastructure is protected by strong authentication.

 

III. Data Access Control

Persons entitled to use data processing systems shall gain access only to the Customer Data that they have a right to access, and Customer Data must not be read, copied, modified or removed without authorization in the course of processing, use and storage.

  • Access to personal, confidential or sensitive information is granted on a need-to-know basis. In other words, employees or external third parties have access only to the information that they require in order to complete their work. Grokstream uses authorization concepts that document how authorizations are assigned and which authorizations are assigned. All personal, confidential, or otherwise sensitive data is protected in accordance with the Grokstream security policies and standards.

  • All production servers of any Grokstream Cloud Services are operated in the relevant Data Centers’ server rooms. Security measures that protect applications processing personal, confidential or other sensitive information are regularly checked. To this end, Grokstream conducts internal and external security checks and penetration tests on the IT systems.

  • Grokstream does not allow the installation of personal software or other software not approved by Grokstream on systems being used for any Cloud Service.

  • A Grokstream security standard governs how data and data carriers are deleted or destroyed.

 

IV. Data Transmission Control

Customer Data must not be read, copied, modified or removed without authorization during transfer.

Where data carriers are physically transported, adequate measures are implemented at Grokstream to ensure the agreed service levels (for example, encryption and lead-lined containers).

Customer Data transferred over Grokstream internal networks is protected as any other confidential data according to the Grokstream Security Policy.

When the data is being transferred between Grokstream and its customers, the protection measures for the transferred Customer Data are mutually agreed upon and made part of the Policy. This applies to both physical and network-based data transfer. In any case the Customer assumes responsibility for any data transfer from Grokstream’s Point of Demarcation (e.g. outgoing firewall of the Grokstream Data Center which hosts the Cloud Service).

 

V. Data Input Control

It shall be possible to retrospectively examine and establish whether, and by whom at Grokstream, Customer Data has been entered into, modified in or removed from data processing systems used to provide the Cloud Service.

  • Grokstream only allows authorized persons to access Customer Data as required in the course of their work.
  • Grokstream has implemented a logging system for input, modification and deletion, or blocking of Customer Data by Grokstream or its Subprocessors to the greatest extent supported by the Cloud Service.

 

VI. Job Control

Customer Data being processed on commission shall be processed solely in accordance with the Policy and related instructions of the Customer.

  • Grokstream uses controls and processes to ensure compliance with contracts between Grokstream and its customers, Subprocessors or other service providers.

  • As part of the Grokstream Security Policy, Customer Data requires at least the same protection level as “confidential” information according to the Grokstream Information Classification standard.

  • All Grokstream employees and contractual partners are contractually bound to respect the confidentiality of all sensitive information including trade secrets of Grokstream customers and partners.

 

VII. Data Separation Control

Customer Data collected for different purposes can be processed separately.

  • Grokstream uses the technical capabilities of the deployed software (for example: single-tenancy or separate system landscapes) to achieve data separation between the Customer Data of one customer and that of any other customer.

  • Grokstream maintains dedicated instances for each Customer.

  • Customers (including their Affiliates) have access only to their own Customer instance(s).

 

VIII. Data Integrity Control

Data Integrity Control ensures that Customer Data will remain intact, complete and current during processing activities. Grokstream has implemented a defense strategy in several layers as a protection against unauthorized modifications. This refers to the controls stated in the control and measure sections described above. In particular:

  • Firewalls;
  • Security Monitoring Center;
  • Antivirus software;
  • Backup and recovery;
  • External and internal penetration testing;
  • Regular external audits to prove security measures.

 

IX. Availability Control

Customer Data shall be protected against accidental or unauthorized destruction or loss.

  • Grokstream employs backup processes and other measures that ensure rapid restoration of business-critical systems as and when necessary.
  • Grokstream uses uninterruptible power supplies (for example: UPS, batteries, generators, etc.) to ensure power availability to the Data Centers.
  • Grokstream has defined contingency plans as well as business and disaster recovery strategies for Services.