Elastic Vendor Data Processing Addendum
This Elastic Vendor Data Processing Addendum ("DPA") forms part of the agreement between Vendor (defined below) and Elastic (defined below) for the Services (defined below) provided by Vendor to Elastic (collectively, the "Agreement"). For the purposes of this DPA, "Elastic" means the entity identified as "Elastic" and "Vendor" means the entity identified as "Vendor" on the applicable Ordering Document.
This DPA describes the commitments of Elastic and Vendor (each a "Party" and together, the "Parties") concerning the processing of Elastic Personal Data in connection with the provision of one or more services contemplated by the Agreement (the "Services").
The terms used in this DPA have the meaning set forth in this DPA. Capitalized terms not otherwise defined herein have the meaning given to them in the Agreement.
The Parties agree as follows:
- 1. Definitions. The following capitalized terms, when used in this DPA, will have the corresponding meanings provided below:
- 1.1 "Applicable Data Protection Laws" mean all worldwide privacy and data protection laws, regulations, rules, ordinances and other decrees applicable to each respective Party in its role related to the processing of Elastic Personal Data pursuant to the Agreement, including (but not limited to): (i) European Data Protection Laws; (ii) Canadian Privacy Laws; and (iii) US Privacy Laws; in each case as may be amended, superseded or replaced.
- 1.2 "Canadian Privacy Laws" mean: (i) the federal Personal Information Protection and Electronic Documents Act (PIPEDA), the provincial Personal Information Protection Acts in place in Alberta and British Columbia, and An Act respecting the Protection of Personal Information in the Private Sector (Québec); (ii) the E-Health (Personal Health Information Access and Protection of Privacy) Act in British Columbia, the Health Information Act in Alberta, the Personal Health Information Act in Manitoba, the Personal Health Information Protection Act, 2004 in Ontario, the Personal Health Information Privacy and Access Act in New Brunswick, the Personal Health Information Act in Newfoundland and Labrador, and the Personal Health Information Act in Nova Scotia; and (iii) Canada's Anti-Spam Legislation (CASL).
- 1.3 "EEA" means the countries that are party to the agreement on the European Economic Area, and Switzerland.
- 1.4 "Elastic Personal Data" means any Personal Data processed by Vendor as a service provider or processor (as applicable) on behalf of Elastic in connection with the Agreement.
- 1.5 "European Data Protection Laws" mean: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, as amended by Directive 2009/136/EC ("e-Privacy Directive"); (iii) any applicable national implementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance ("Swiss DPA"); and (v) in respect of the United Kingdom ("UK"), the Data Protection Act 2018 and the GDPR as saved into UK law by virtue of section 3 of the UK's European Union (Withdrawal) Act 2018 ("UK GDPR") and the Privacy and Electronic Communications (EC Directive) Regulations 2003 as they continue to have effect by virtue of section 2 of the UK's European Union (Withdrawal) Act 2018; in each case as may be amended, superseded or replaced.
- 1.6 "Personal Data" means any information that relates to an identified or identifiable natural person and which is protected as "personal data," "personal information," or "personally identifiable information" under Applicable Data Protection Laws.
- 1.7 "Restricted Transfers" mean: (i) where the GDPR applies, a transfer of Elastic Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission (an "EEA Restricted Transfer"); (ii) where the UK GDPR applies, a transfer of Elastic Personal Data from the United Kingdom to any other country which is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018 (a "UK Restricted Transfer"); and (iii) where the Swiss DPA applies, a transfer of Elastic Personal Data to a country outside of Switzerland which is not included in the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner (a "Swiss Restricted Transfer").
- 1.8 "Security Breach" means any event or security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Elastic Personal Data that is transmitted, stored or otherwise processed by Vendor and/or its Sub-processors.
- 1.9 "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses adopted by the EU Commission by means of the Implementing Decision EU 2021/914 of June 4, 2021.
- 1.10 "Sub-processor" means any third party data processor engaged by Vendor to process Elastic Personal Data on Elastic's behalf to assist in fulfilling Vendor's obligations with respect to providing the Services pursuant to the Agreement and this DPA. Sub-processors may include independent third parties and Vendor affiliates.
- 1.11 "UK Addendum" means the International Data Transfer Addendum to the Standard Contractual Clauses issued by the UK Information Commissioner's Office under section 119A of the UK Data Protection Act 2018.
- 1.12 "US Privacy Laws" mean, as applicable: the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 et seq. (2018)) as amended by the California Privacy Rights Act of 2020 ("CPRA") (together the "CCPA"), and any other US state privacy or data protection laws that have been enacted at the time of the Parties' execution of this DPA.
- 1.13 The terms "controller", "processor" and "processing" shall have the meanings given to them in applicable European Data Protection Laws, and "process", "processes" and "processed" shall be interpreted accordingly; and the terms "business", "business purpose", "consumer", "commercial purpose", "personal information", "service provider", "sell" and "share" shall have the meanings given to them in applicable US Privacy Laws.
- 2. Roles and Scope of Processing
- 2.1 Scope. This DPA applies to the extent that Vendor processes any Elastic Personal Data as a processor or service provider (as applicable).
- 2.2 Roles of the Parties. The Parties acknowledge and agree that Elastic is a business or the controller (as applicable) with respect to the processing of Elastic Personal Data, and Vendor shall process Elastic Personal Data only as a processor or service provider (as applicable) on behalf of Elastic. Any processing of Elastic Personal Data by either Party under or in connection with the Agreement shall be performed in accordance with Applicable Data Protection Laws.
- 2.3 Vendor processing of Personal Data. Vendor agrees that it shall process Elastic Personal Data only for the purposes described in the Agreement and in accordance with Elastic's documented lawful instructions. The Parties agree that the Agreement and this DPA set out Elastic's complete and final instructions to Vendor in relation to the processing of Elastic Personal Data. Vendor shall notify Elastic in writing, unless prohibited from doing so under Applicable Data Protection Laws, if it becomes aware or believes that any data processing instructions from Elastic violate Applicable Data Protection Laws. Notwithstanding anything to the contrary in the Agreement, Vendor shall not process Elastic Personal Data for its own internal purposes, including but not limited to, in an anonymized or aggregated form.
- 3. Sub-processing
- 3.1 Authorized Sub-processors. Elastic acknowledges and agrees that Vendor may engage Sub-processors to process Elastic Personal Data on Elastic's behalf. Vendor must provide Elastic, via email notice to procurement@elastic.co, with a current list of Sub-processors engaged by Vendor before disclosing Elastic Personal Data to such Sub-processors. The list must include each Sub-processor's legal name, location(s) of processing, description(s) of processing, and instructions for communicating to Elastic any updates to this list. Vendor shall notify Elastic in writing of any change to its Sub-processors at least thirty (30) calendar days in advance of such change.
- 3.2 Objections to Sub-processors. Elastic may object to Vendor's appointment of a new Sub-processor by notifying Vendor in writing within thirty (30) calendar days after receiving Vendor's notice in accordance with Section 3.1 above. Elastic's notice shall explain the reasonable grounds for the objection. In such event, the Parties shall discuss the objection in good faith with a view to achieving a commercially reasonable resolution. If no resolution can be reached, Vendor shall either not appoint the Sub-processor, or permit Elastic to suspend or terminate the affected Service in accordance with the termination provisions in the Agreement without liability to either Party (but without prejudice to any fees incurred by Elastic prior to suspension or termination).
- 3.3 Sub-processor Obligations. Vendor shall: (i) enter into a written agreement with each Sub-processor imposing data protection terms that require each Sub-processor to protect Elastic Personal Data to the standards required by Applicable Data Protection Laws and this DPA; and (ii) remain liable for the acts or omissions of each Sub-processor to the same extent that Vendor would be liable if performing the services of each Sub-processor under the terms of this DPA.
- 4. Security and Audits
- 4.1 Vendor Security Measures. Vendor shall implement and maintain appropriate technical and organizational security measures designed to protect Elastic Personal Data from Security Breaches and to preserve the security and confidentiality of the Elastic Personal Data ("Security Measures"). Such measures will include, at a minimum, those measures described in Annex II attached hereto. Vendor shall ensure that any person who is authorized by Vendor to process Elastic Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty) with respect to such processing.
- 4.2 Security Breach Response. Upon becoming aware of a Security Breach, Vendor shall: (i) notify Elastic without undue delay of the discovery of the Security Breach, which notice shall include a summary of the known circumstances of the Security Breach and the corrective actions taken or to be taken by Vendor; (ii) provide Elastic with any additional required information relating to the Security Breach as it becomes known or as is reasonably requested by Elastic in a timely manner; (iii) promptly take the steps necessary to contain, mitigate, investigate, and remediate any Security Breach; and (iv) reasonably communicate and cooperate with Elastic concerning its responses to the Security Breach.
- 4.3 Audits. Upon request, Vendor shall supply copies of any audit reports, such as a Service Organization Control (SOC) 2 or comparable report ("Reports") to Elastic, so that Elastic can verify Vendor's compliance with this DPA and Applicable Data Protection Laws. In addition to the Reports, Vendor shall provide written responses (on a confidential basis) to all reasonable requests for information made by Elastic related to its processing of Elastic Personal Data, including responses to information security and audit questionnaires that are necessary to confirm Vendor's compliance with this DPA and Applicable Data Protection Laws, provided that Elastic shall not exercise this right more than once in any 12 month rolling period. Elastic may also conduct an additional audit of Vendor's compliance with this DPA and Applicable Data Protection Laws if: (i) the above measures are not sufficient to confirm compliance with this DPA or reveal any material issues; (ii) Elastic is expressly requested or required by a data protection authority to conduct such an audit; or (iii) Vendor has experienced a Security Breach.
- 4.4 Vendor Data Protection Measures. In addition to the Security Measures described herein, Vendor shall implement and maintain appropriate technical and organizational measures to ensure data protection for Elastic Personal Data including but not limited to: (i) measures for certification or similar assurance of data protection in its processes and products; (ii) measures for ensuring data minimization; (iii) measures for ensuring data quality; (iv) measures for ensuring limited data retention; (v) measures for ensuring accountability; (vi) measures for allowing data portability where required by Applicable Data Protection Laws; and (vii) measures for ensuring erasure.
- 5. Deletion of Elastic Personal Data
- 5.1 Upon termination or expiry of the Agreement, Vendor shall delete all Elastic Personal Data (including copies) in its possession or control in accordance with the Agreement, save that this requirement shall not apply to the extent Vendor is required by applicable law to retain some or all of the Elastic Personal Data, in which case Vendor shall retain such Elastic Personal Data in compliance with all Applicable Data Protection Laws.
- 6. Rights of Individuals and Cooperation
- 6.1 Individual Rights Requests. Vendor shall, taking into account the nature of the processing, provide reasonable cooperation to assist Elastic to respond to any requests from individuals to exercise their rights under Applicable Data Protection Laws relating to the processing of Elastic Personal Data under the Agreement. In the event that any such request implicating Elastic Personal Data is made to Vendor directly, Vendor shall redirect the individual to make their request directly to Elastic. If Vendor is required to respond directly to such a request, Vendor shall promptly notify Elastic and provide it with a copy of the request unless legally prohibited from doing so.
- 6.2 Disclosure Requests. If Vendor receives a demand to disclose or provide access to Elastic Personal Data from a law enforcement agency, government authority, public authority, or other third party ("Third-Party Demand"), then Vendor will attempt to redirect the Third-Party Demand to Elastic. If Vendor cannot redirect the Third-Party Demand to Elastic, Vendor shall promptly notify Elastic and provide a copy of the Third-Party Demand to allow Elastic to seek a protective order or other appropriate remedy unless Vendor is legally prohibited from doing so in which case Vendor shall take all reasonable steps to challenge such prohibition. Vendor shall only disclose or provide access to Elastic Personal Data in response to a Third-Party Demand as strictly required by law.
- 7. Jurisdiction Specific Terms
- 7.1 Data Protection Impact Assessments. To the extent required under Applicable Data Protection Laws, Vendor shall provide Elastic with reasonably requested information regarding Vendor's processing of Elastic Personal Data under the Agreement to assist Elastic to carry out data protection impact assessments or prior consultations with supervisory authorities as required by law.
- 7.2 Restricted Transfers
- 7.2.1 GDPR. To the extent that any transfer of Elastic Personal Data to Vendor from Elastic is an EEA Restricted Transfer, Vendor agrees to abide by and process Elastic Personal Data in compliance with the Standard Contractual Clauses, which shall be deemed incorporated into this DPA as follows:
- (a) Where Elastic is the controller of Elastic Personal Data and Vendor is the processor, Module Two (controller to processor transfers) shall apply; where Elastic is a processor of the Elastic Personal Data, Module Three (processor to processor transfers) shall apply;
- (b) In Clause 7, the optional docking clause will apply;
- (c) In Clause 9, Option 2 (General Written Authorization) will apply and the time period for prior notice of Sub-processor changes shall be as set out in Section 3.1 of this DPA;
- (d) In Clause 11, the optional language will not apply;
- (e) In Clause 17, Option 2 will apply, and the Standard Contractual Clauses will be governed by the law of the Netherlands;
- (f) In Clause 18(b), disputes shall be resolved before the courts of the Netherlands; and
- (g) Annex I and II of the Standard Contractual Clauses shall be deemed completed with the information set out in Annexes I and II attached hereto;
- 7.2.2 UK GDPR. To the extent that any transfer of Elastic Personal Data to Vendor from Elastic is a UK Restricted Transfer, the Standard Contractual Clauses shall apply in accordance with Section 7.2.1 above, but as modified and interpreted by the Part 2: Mandatory Clauses of the UK Addendum, which shall be incorporated into and form an integral part of this DPA. Any conflict between the terms of the Standard Contractual Clauses and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum. In addition, tables 1 through 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annex I and Annex II attached hereto and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "neither party."
- 7.2.3 Swiss DPA. To the extent that any transfer of Elastic Personal Data to Vendor from Elastic is a Swiss Restricted Transfer, the Standard Contractual Clauses shall apply in accordance with Section 7.2.1 above, but with the following modifications:
- (a) any references in the Standard Contractual Clauses to "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss DPA and the equivalent articles or sections therein;
- (b) any references to "EU", "Union", "Member State" and "Member State law" shall be interpreted as references to Switzerland and Swiss law, as the case may be;
- (c) any references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the relevant data protection authority and courts in Switzerland; and
- (d) the Standard Contractual Clauses shall be governed by the laws of Switzerland and disputes shall be resolved before the competent Swiss courts.
- 7.3 US Privacy Laws. To the extent that Vendor's processing of Elastic Personal Data under the Agreement is subject to US Privacy Laws, the Parties agree that Elastic is a business and that it appoints Vendor as its service provider (or processor) to process Elastic Personal Data for the limited and specific business purpose permitted under the Agreement (including this DPA) and US Privacy Laws (the "Permitted Purposes"). To the extent required under US Privacy Laws, Elastic and Vendor agree that:
- (a) Vendor shall not retain, use, or disclose Elastic Personal Data outside of the direct business relationship between Elastic and Vendor, or for any purpose other than for the Permitted Purposes, including retaining, using, or disclosing Elastic Personal Data for a commercial purpose other than the Permitted Purposes;
- (b) Elastic is not sharing or selling Elastic Personal Data to Vendor, and Vendor shall not sell or share Elastic Personal Data;
- (c) Vendor shall comply with its applicable obligations under US Privacy Laws, shall provide the level of privacy protection required by US Privacy Laws, and shall notify Elastic if it determines that it can no longer meet its obligations under US Privacy Laws with respect to its processing of Elastic Personal Data under the Agreement;
- (d) Elastic has the right to take reasonable and appropriate steps to ensure Vendor processes Elastic Personal Data in a manner consistent with Elastic's obligations under US Privacy Laws, and in compliance with the Agreement in accordance with the audit parameters set forth in Section 4.3 (Audits) of this DPA, and shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Elastic Personal Data;
- (e) Vendor may engage other service providers to assist in the processing of Elastic Personal Data for the Permitted Purposes under the Agreement on behalf of Elastic, as detailed in Section 3.1 (Authorized Sub-processors) of this DPA, pursuant to written contract(s) binding such additional service providers to observe the applicable requirements of US Privacy Laws; and
- (f) Vendor shall not combine the Elastic Personal Data that Vendor receives from or on behalf of Elastic, with Personal Data that it receives from or on behalf of another person or persons, or collects from its own interaction with consumers.
- 8. Use of Artificial Intelligence
- 8.1 AI Features. To the extent that Vendor employs, uses, or otherwise implements any generative artificial intelligence, large language models (LLMs), machine learning, or any other artificial intelligence features to provide the Services (collectively, "AI Features"), the following terms shall apply:
- (a) Vendor shall not use any Elastic Personal Data, including in anonymized or aggregated form, for any purpose other than to provide the Services to Elastic, including to train or otherwise improve the AI Features;
- (b) Vendor has provided Elastic with a list of any third parties that provide the AI Features as part of the Services in accordance with Section 3.1 of this DPA;
- (c) Vendor shall at all times process Elastic Personal Data in connection with the use of AI Features in accordance with its obligations under Applicable Data Protection Laws and this DPA; and
- (d) Anything to the contrary notwithstanding, Elastic shall retain all right, title, and interest in and to Elastic Personal Data at all times.
- 9.1 Except for the changes made by this DPA as applicable to the Agreement, the Agreement remains unchanged and in full force and effect; provided however that any limitations on liability and/or disclaimers of damages contained in the Agreement shall not apply to any damages arising from Vendor's breach of this DPA.
- 9.2 The Parties acknowledge and agree that, by executing the Agreement, Elastic enters into this DPA on behalf of itself and, as applicable, in the name and on behalf of its Affiliates (as defined in the underlying Agreement), thereby establishing a separate DPA between Vendor and each such Affiliate subject to the provisions of the Agreement and this Section. For the avoidance of doubt, an Affiliate is not and does not become a party to the Agreement, but is only a party to this DPA. Elastic shall remain responsible for coordinating all communication with Vendor under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Affiliates.
- 9.3 This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.
ANNEX I
- A. LIST OF PARTIES
Data exporter(s):
- 1.
Name: Elastic
Address: As detailed in the underlying Agreement
Contact person's name, position and contact details: As detailed in the underlying Agreement
Activities relevant to the data transferred under these Clauses: the Services described in the Agreement and any applicable addendum
Role: Controller or Processor, as applicable
Data importer(s):
- 1.
Name: Vendor
Address: As detailed in the underlying Agreement
Contact person's name, position and contact details: As detailed in the underlying Agreement
Activities relevant to the data transferred under these Clauses: the Services described in the Agreement and any applicable addendum
Role: Processor
- B. DESCRIPTION OF TRANSFER
- Categories of data subjects whose personal data is transferred
Elastic Personal Data transferred to Vendor under the Agreement may concern the following categories of data subjects: individuals whose personal data or personal information Elastic elects to transfer to Vendor for processing for Vendor to perform the Services as set forth in the Agreement.
- Categories of personal data transferred
The types of Elastic Personal Data are determined and controlled by Elastic in its sole discretion, and may include, but are not limited to: (a) name, address, title, email address, contact details, username; and/or (b) any other Elastic Personal Data processed for operation, provision, receipt, support, and/or use of the Services.
- Sensitive data transferred
Unless expressly specified in the Agreement, Vendor shall not process special categories of personal data.
- Frequency of the transfer
The frequency of the transfer is on a continuous or one-off basis depending on the nature of the Services.
- Nature of the processing
Processing of the Elastic Personal Data that Elastic elects to transfer for Vendor to provide the Services as set forth in the Agreement.
- Purpose(s) of the data transfer and further processing
The operation, support, or use of the Services as set out in the Agreement and compliance with applicable laws.
- The period for which the personal data will be retained
The duration of the processing under this DPA is until the termination of the Services in accordance with the Agreement terms.
- C. COMPETENT SUPERVISORY AUTHORITY
The supervisory authority of the Netherlands shall act as competent supervisory authority.
ANNEX II
Security Measures
Vendor has implemented and will maintain the administrative, physical and technical safeguards set forth below for the protection of the security, confidentiality and integrity of Elastic Personal Data it processes on behalf of Elastic in fulfillment of the Services. The measures shall be appropriate to the nature of, and risk to, the personal data, and in any event shall not be less stringent than those prescribed under Applicable Data Protection Laws. Vendor will not materially decrease the overall security of the Services for the term during which it processes Elastic Personal Data.
- 1. Physical access control
Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Personal Data are processed. These measures include:
- Establishing security areas, restriction of access paths
- Establishing access authorizations for employees and third parties
- Access control system (ID reader, magnetic card, chip card)
- Key management, card-keys procedures
- Door locking (electric door openers etc.)
- Security staff, janitors
- Surveillance facilities, video/CCTV monitor, alarm system
- Securing decentralized data processing equipment and personal computers
- Reviewing physical access privileges
- Additional measures as necessary to ensure the physical security of locations where personal data is processed
- 2. Virtual access control
Technical and organizational measures to prevent data processing systems from being used by unauthorized persons. These measures include:
- User identification and authentication procedures
- ID/password security procedures (special characters, minimum length, change of password)
- Multi-factor authentication for all systems where it is supported
- Automatic blocking (e.g. password or timeout)
- Monitoring of break-in attempts and automatic lockout of the user ID after several erroneous password attempts
- Creation of one master record per user, user master data procedures, per data processing environment
- Encryption of archived data media
- Endpoint protection (encryption, anti-malware, logging) on workstations
- 3. Data access control
Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization. These measures include:
- Internal security policies and procedures
- Control authorization schemes
- Differentiated access rights (profiles, roles, transactions and objects)
- Monitoring and logging of accesses, including reviews of alerts of anomalous privileged access
- Disciplinary action against employees who access Personal Data without authorization
- Reports of access
- At least annual access privilege review procedures
- Access procedure
- Change procedure
- Deletion procedure
- Encryption of data at rest using AES with a key length of at least 256 bits
- Incident response plans and procedures
- Incident response notification procedures to affected parties and required regulatory or legal entities
- 4. Disclosure control
Technical and organizational measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed. These measures include:
- Encryption/tunneling
- Logging access to Personal Data
- Transport security
- 5. Entry control
Technical and organizational measures to monitor whether data have been entered, changed or removed (deleted), and by whom, from data processing systems. These measures include:
- Logging and reporting systems
- Protecting logs from modification and unauthorized access
- Configuring alerting for anomalous or suspected malicious activity
- Procedures to continuously review audit logging events or alerts
- Audit trails and documentation
- Procedures to review audit event logging for completeness
- Retention of security logs for 12 months
- 6. Control of instructions
Technical and organizational measures ensuring Personal Data are processed solely in accordance with the Instructions of the Controller. These measures include:
- Unambiguous wording of the contract
- Formal commissioning (request form)
- Criteria for selecting the Processor
- 7. Availability control
Technical and organizational measures ensuring Personal Data are protected against accidental destruction or loss (physical/logical). These measures include:
- Backup procedures
- Mirroring of hard disks (e.g. RAID technology)
- Uninterruptible power supply (UPS)
- Remote storage of backups
- Anti-virus/firewall systems
- Disaster recovery plans that include at least annual testing
- 8. Separation control
Technical and organizational measures to ensure that Personal Data collected for different purposes can be processed separately. These measures include:
- Separation of databases
- "Internal client" concept / limitation of use
- Segregation of functions (production/testing)
- Procedures for storage, amendment, deletion, transmission of data for different purposes
- Prohibiting the use of Personal Data in testing