SKURIO DATA PROCESSING AGREEMENT

V3.0 18 August 2022

1. DEFINITION

1.1 This Skurio Data Processing Agreement (the “Data Processing Agreement”) governs the processing of personal data by Skurio as processor on behalf of Customer. This Data Processing Agreement does not apply to personal data for which Skurio is a controller.

1.2 In this Data Processing Agreement, “controller”, “processor”, “data subject”, “personal data”, “processing” (and “process”) and “special categories of personal data” shall have the meanings given in Data Protection Legislation. Unless otherwise defined in this Data Processing Agreement, capitalised terms will have the meaning given them in the Skurio Master Services Agreement at https://skurio.com/msa/.

2. RELATIONSHIP OF THE PARTIES

2.1 Customer (the controller) appoints Skurio as a processor to process the Customer Data described in the Agreement (the “Data”) for the purpose of providing the services set out in the Order (the “Permitted Purpose”). Each party shall comply with the obligations that apply to it under Data Protection Legislation.

3. CUSTOMER RESPONSIBILITIES

3.1 Consents. Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Data to Skurio for the duration and purposes of this agreement.

3.2 Instructions. All instructions given to Skurio with respect to Customer Data shall at all times be in accordance with Data Protection Legislation.

3.3 Prohibited data. Unless explicitly requested by Skurio to do so, Customer and Authorised Users shall not send any special categories of personal data to Skurio for processing.

4. SKURIO RESPONSIBILITIES

4.1 Processing. Skurio will only process the Customer Data for the purpose of providing the services set out in the Order.

4.2 Security. Skurio shall implement technical and organisational measures, as set out in Annex A, which may be amended and updated from time to time, to protect the Customer Data from:

(a) unauthorised or unlawful processing; and

(b) accidental loss, damage, destruction of, or access to the Customer Data (together a “Security Incident”).

Such technical and organizational measures will be appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures.

4.3 Confidentiality of processing. Skurio shall ensure that any person it authorises to access or process the Customer Data (an “Authorised Person”) shall protect the Data in accordance with Skurio’s confidentiality obligations under the Agreement.

4.4 International transfers. Skurio shall not transfer the Customer Data outside of the UK or European Economic Area (“EEA”) unless it has taken such measures as are necessary to ensure the transfer is in compliance with Data Protection Legislation. Such measures may include (without limitation) transferring the Customer Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data (e.g., New Zealand), or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.

4.5 Subcontracting. Customer consents to Skurio engaging third party subprocessors to process the Customer Data for the Permitted Purpose provided that:

(a) Skurio maintains an up-to-date list of its subprocessors in Annex B, which it shall update with details of any change in subprocessors at least 30 days prior to the change;

(b) Skurio imposes data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by Data Protection Legislation; and

(c) Skurio remains liable for any breach of this Data Processing Agreement that is caused by an act, error or omission of its subprocessor.

Customer may object to Skurio’s appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, Skurio will either not appoint or replace the subprocessor or, if this is not reasonably possible, in Skurio’s sole discretion, Customer may suspend or terminate the Agreement without penalty (save that any fees incurred by Customer up to and including the date of suspension or termination will remain payable).

4.6 Security incidents. If Skurio becomes aware of a confirmed Security Incident, Skurio shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Data Protection Legislation. Except where a Security Incident is caused by the Customer, Skurio shall further take reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and keep Customer informed of all material developments in connection with the Security Incident.

4.7 Customer assistance. Skurio shall assist Customer, at Customer’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators.

4.8 Deletion or return of Data. Upon termination or expiry of the Agreement, Skurio may destroy or otherwise dispose of any of the Customer Data in its possession unless Skurio receives, no later than ten days after the effective date of the termination or expiry of this agreement, a written request for the delivery to the Customer of the then most recent back-up of the Customer Data. Skurio shall use reasonable commercial endeavours to deliver the back-up to the Customer within 30 days of its receipt of such a written request, provided that the Customer has, at that time, paid all fees and charges outstanding at and resulting from termination or expiry (whether or not due at the date of termination or expiry). The Customer shall pay all reasonable expenses incurred by Skurio in returning or disposing of Customer Data. This requirement shall not apply to the extent that Skurio is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Data Skurio shall securely isolate and protect from any further processing. Customer Data that is requested by Customer to be returned, will only be returned to the extent that it complies with the Skurio Terms of Use and any non-compliant Customer Data will be deleted.

Annex A – Security

1. The Technical and Organizational Data Security Measures

1.1 Skurio has implemented and maintains a security program that conforms to the ISO 27001:2013 information security standard.

2. Access Control to Processing Areas

2.1 Skurio’s web applications, data collection and communications infrastructure, and database servers are located in secure data centers provided by Amazon Web Services (“AWS”). AWS infrastructure is designed and managed in alignment with security best practices and IT security standards to prevent unauthorized persons from gaining access to the data processing equipment (namely telephones, database and application servers and related hardware) where Customer Data is processed or used.

2.2 This is accomplished by:

(a) Establishing security areas;

(b) Securing the data processing equipment and personal computers;

(c) Establishing access authorizations for staff and third parties;

(d) Regulations/restrictions on electronic access cards;

(e) Restricting physical access to the servers by using electronically-locked doors and physical barriers at both the perimeter of the facilities and at building access points;

(f) Logging, monitoring, and tracking by security personnel, via electronic and CCTV video surveillance, all access to the facilities; and

(g) Protection by security alarm systems and other appropriate security measures, designed to detect unauthorized access.

3. Access Control to Data Processing Systems

3.1 Skurio has implemented suitable measures to prevent its data processing systems from being used by unauthorized persons. This is accomplished by:

(a) Establishing the identification of the user to the Skurio processing systems;

(b) Automatic time-out of user terminal if left idle, identification and password required to reopen;

(c) Automatic lock out of the user ID when several erroneous passwords are entered. Events are logged and logs are reviewed on a regular basis;

(d) Utilizing firewall, router and VPN-based access controls to protect the private service networks and back-end-servers;

(e) Continuously monitoring infrastructure security;

(f) Regularly assessing and addressing security risks from internal and external sources in accordance with Skurio’s ISO 27001:2013 certification;

(g) Access to host servers, applications, databases, routers, switches, etc., is logged;

(h) Access and account management requests must be submitted through internal approval systems;

(i) Access must be approved by an appropriate approving authority; and

(j) Passwords must adhere to the Skurio password policy, which includes minimum length requirements and enforcing complexity.

4. Access Control to Use Specific Areas of Data Processing Systems

4.1 Persons entitled to use the data processing system are only able to access Customer Data within the scope and to the extent covered by their respective access permission (authorization) and that Customer Data cannot be read, copied, modified or removed without authorization. This is accomplished by:

(a) Employee policies and training in respect of each employee’s access rights to the Customer Data;

(b) Users have unique log in credentials;

(c) Monitoring activities that add, delete or modify the Customer Data;

(d) Effective and measured disciplinary action against individuals who access Customer Data without authorization;

(e) Release of Customer Data only to authorized persons;

(f) Controlling access to Customer Data via role-based access controls (RBAC) in compliance with the security principle of least-privilege;

(g) Encryption at rest of Customer Search Terms;

(h) Policies controlling the retention of back-up copies.

5. Availability Control

5.1 Skurio has implemented suitable measures to ensure that Customer Data is protected from accidental destruction or loss. This is accomplished by:

(a) Infrastructure redundancy; and

(b) Backups are stored at an alternative AWS location and are available for restore in case of failure of the primary system.

6. Transmission Control

6.1 Skurio has implemented suitable measures to prevent Customer Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by:

(a) Use of adequate firewall, VPN and encryption technologies to protect the gateways and pipelines through which the data travels;

(b) Customer Data is encrypted during transmission using up to date versions of TLS or other security protocols using strong encryption algorithms and keys;

(c) Customer Search Terms are encrypted at rest within the system; and

(d) Protecting web-based access to account management interfaces by employees through encrypted TLS.

7. Input Control

7.1 Skurio has implemented suitable input control measures including:

(a) Authentication of the authorized personnel;

(b) Protective measures for Customer Data input into memory, as well as for the reading, alteration and deletion of stored Customer Data, including by documenting or logging material changes to account data or account settings;

(c) Segregation and protection of all stored Customer Data via database schemas, logical access controls, and/or encryption;

(d) Utilization of user identification credentials;

(e) Physical security of data processing facilities;

(f) Session time outs.

8. Separation of Processing for different Purposes

8.1 Skurio has implemented suitable measures to ensure that Customer Data collected for different purposes can be processed separately.

Annex B – Subprocessors

Subprocessor            Service                        Location
Amazon Web Services     Cloud Infrastructure Provider  USA, Germany
Twitter*                Data provider                  USA
Youtube*                Data provider                  USA
Flickr*                 Data provider                  USA
VK*                     Data provider                  Russia
Ebay*                   Data provider                  USA
Github*                 Data provider                  USA
Google*                 Data provider                  USA

* Data Provider for Cyber Threat Intelligence platform. If Customer chooses to enable each of these data sources for searches, Customer Data (query strings or keywords) is passed to these Providers via external API calls. Customer may individually select or deselect these Data Providers when creating searches in the Cyber Threat Intelligence platform.