RockyNordic Data Processor Agreement

Data Protection Legislation: the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations, and secondary legislation, as amended or updated from time to time, including in the UK, and any successor legislation to the GDPR or the Data Protection Act 2018.

DATA PROCESSING AGREEMENT

DEFINITIONS

  • “Customer” is the purchaser of the services from RockyNordic.
  • “Database Software” is a software program or utility used for creating, editing, and maintaining database files or records, such as (but not limited to) MySQL, MariaDB, and PostgreSQL.
  • “Logical Security” is the protection of the computer software (“Operating System”) of RockyNordic’s platform, including user identification and password access, authentication, and access rights. These measures ensure that only authorized users are able to perform actions or access information on our platform.
  • “Parties” are RockyNordic together with the Customer.
  • “Physical Security” is the protection of hardware, software, network, and data from physical actions and events that could cause serious loss or damage to RockyNordic’s platform. This includes protection from fire, flood, natural disasters, theft, and vandalism.
  • “Software” is defined as (but not limited to) WordPress, Magento, spreadsheets, documents, and customer code.

1. DATA PROTECTION LEGISLATION

Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause is in addition to and does not relieve, remove, or replace, a party’s obligations under the Data Protection Legislation.

2. ROLES

  • The parties acknowledge that for the purposes of the Data Protection Legislation, RockyNordic is the data processor.
  • This data processing agreement should be read in conjunction with RockyNordic’s acceptable use policy and terms and conditions.
  • The duration of the processing shall be from the date of the Customer’s acceptance of this agreement until the agreement expires or terminates in accordance with the expiry or termination of the Customer’s services with RockyNordic.
  • The categories of Data Subjects are those whose personal data are provided or made available to RockyNordic by or on behalf of the Customer through the use or provision of the services purchased by the Customer (the “Services”) and shall exclude special categories of personal data or data relating to criminal convictions and offenses.
  • RockyNordic shall process the personal data of the Customer in accordance with Article 4 no. 2 and Article 28 of the GDPR.

3. ROCKYNORDIC’S RESPONSIBILITIES

  • RockyNordic’s responsibilities with regard to the processing of personal data provided by the Customer in its use of the Services are limited to providing adequate security measures to store the data uploaded by the Customer onto the hosting platform. RockyNordic is responsible for the Physical Security of its platform, and the Logical Security of the Operating System and the Database Software which serves the Customer’s database. RockyNordic is not responsible for the security of the data however populated within such databases and/or hosting space by the Customer, or Software managed by the Customer and the access to the data that this has. This is the sole responsibility of the Customer.
  • RockyNordic shall, in relation to any personal data processed in connection with the performance by RockyNordic of its obligations under this agreement:
    • process that personal data only on the written instructions of the Customer, unless RockyNordic is otherwise required to do so by the laws of any member of the European Union or by the laws of the European Union that apply to RockyNordic (“Applicable Laws”). Where RockyNordic is required by Applicable Laws to process personal data, RockyNordic shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prevent RockyNordic from notifying the Customer;
    • pursuant to article 32 of the GDPR, ensure that it has appropriate technical and organizational measures in place in order to protect against any unauthorized or unlawful processing of personal data, accidental loss or destruction of personal data, and damage being caused to personal data. Such measures are set out in Appendix 1 of this agreement.
    • ensure only personnel required for the purposes of carrying out this agreement have access to, and that all personnel who have access to and/or process personal data are obliged to keep the personal data confidential;
    • where the Customer is unable to access the relevant information, assist the Customer and, in any event and at the Customer’s cost, provide reasonable assistance in responding to any request from a supervisory authority or a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators;
    • notify the Customer on becoming aware of a personal data breach;
    • in accordance with RockyNordic’s standard policies, delete, or return (at the Customer’s cost) in a format determined by RockyNordic, personal data and copies thereof on termination of the agreement, unless required by any Applicable Laws to continue to store the personal data;
    • maintain complete and accurate records and information to demonstrate its compliance with this clause and allow for audits to be carried out by the Customer, only so far as is necessary in order to demonstrate compliance, provided that the Customer (a) provides RockyNordic with no less than 30 days’ notice of such audit or inspection; (b) refunds RockyNordic for all reasonable costs and expenses that it incurs as a result of any such audit or inspection; and (c) both parties agree the scope, duration, and purpose of such audit or inspection. If the Customer becomes privy to any Confidential Information of RockyNordic as a result of this clause, the Customer shall hold such Confidential Information in confidence and, unless required by law, not make the Confidential Information available to any third party or use the Confidential Information for any other purpose. The Customer acknowledges that RockyNordic shall only be required to use reasonable endeavors to assist the Customer in procuring access to any third-party assets, records, or information as part of any audit; and
    • provide a list of the sub-processors engaged to fulfil the Services on receipt of an email request sent to support@rockynordic.com.

4. THE CUSTOMER’S RESPONSIBILITIES

  • The Customer acknowledges that RockyNordic has no knowledge of the type/content of any personal data received, stored, or transmitted to RockyNordic’s platform, by using the Services.
  • If RockyNordic believes or becomes aware that its processing of Customer personal data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, it shall inform Customer and provide reasonable cooperation to Customer (at the Customer’s expense) in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
  • In respect of personal data which the Customer receives, stores, or transmits using the Services, the Customer:
    • will ensure, and warrants that, it has all necessary and appropriate consents and notices in place to ensure that it can lawfully transfer the personal data to RockyNordic, for the duration and purposes of this agreement;
    • undertakes that its use of the Services for processing personal data will (i) comply with privacy laws or regulations applicable to its Processing of Customer Personal Data, and (ii) not cause RockyNordic to infringe Applicable Data Protection Law. The Customer will ensure that it has all necessary consents, notices, and other requirements in place to enable lawful processing of the Customer’s personal data by RockyNordic for the duration and purposes of this agreement;
    • shall, unless otherwise provided for in the agreement, be solely responsible for the legality, confidentiality, integrity, availability, accuracy, and quality of all data it processes;
    • shall be solely responsible for ensuring the safety and security of all the data it controls and processes. The Customer warrants it has relevant and appropriate security measures in place to adequately protect the personal data it collects/processes. The Customer must verify the adequacy of RockyNordic’s security measures as appropriate for the type of personal data the Customer collects/processes and stores on RockyNordic’s platform. The Customer should refer to the Acceptable Use Policy to ensure it is not in breach of RockyNordic’s terms and conditions.
    • is solely responsible for responding to any request from a data subject and ensuring its own compliance with its obligations under Data Protection Legislation with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators;
    • shall indemnify RockyNordic against any claims, actions, liabilities, proceedings, direct losses, damages, expenses, fines, and costs (including without limitation court costs and reasonable legal fees) incurred by RockyNordic as a direct result of any negligence, wilful misconduct, or breach of the Data Protection Legislation of the Customer.

5. THIRD-PARTY PROCESSING

  • The Customer grants RockyNordic the authorization to appoint (and permit each third-party processor appointed in accordance with this section 5 to appoint) third-party sub-processors in accordance with this section 5.
  • RockyNordic may appoint alternative third-party processors to provide materially like-for-like services to the Customer as part of the Services, subject to:
    • RockyNordic entering into a written agreement with such third-party processor incorporating terms that are substantially similar to those set out in this agreement; and
    • such third-party processor being able to demonstrate at least as high a standard of service quality and compliance as the previously appointed third-party processor.
  • The Customer agrees to RockyNordic giving any such sub-processors access to the Customer’s details so that RockyNordic can deliver the Services under the agreement. The Customer further agrees that those sub-processors may be based outside of the country in which the Customer has chosen to store Customer Personal Data, subject to RockyNordic taking steps to ensure transfer protections are in place if transfers are made to those sub-processors. RockyNordic requires that its sub-processors maintain security and data protection practices that are consistent with the agreement.

6. GOVERNING LAW

This agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of Denmark.

7. JURISDICTION

Each party irrevocably agrees that the courts of Denmark shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this agreement or its subject matter or formation.

Appendix 1 – Technical and Organisational Measures in Accordance with Article 32 GDPR

1. Confidentiality

  • Building Security & Access Control
    • RockyNordic data centers use internal CCTV systems.
    • RockyNordic uses access fob tags for all doors in and out of the data centers.

2. Electronic Access Control

  • For self-managed dedicated / VPS / Cloud servers, colocation servers, and customer solution servers:
    • Server root passwords are only known to RockyNordic either at the initial deployment of the server or when the Customer has provided RockyNordic with the details in order to assist with troubleshooting. RockyNordic only holds the root password of the server that was current when it was deployed. It is the Customer’s responsibility to ensure passwords are secure and changed when required. RockyNordic does not store the modified root passwords.
  • For Managed dedicated / VPS / Cloud servers:
    • Server root passwords are only known to RockyNordic. Passwords are restricted to authorized staff and controlled using authentication systems such as LDAP and cryptographic keys.
  • For RockyNordic Control Panel:
    • Control Panel passwords are only known to RockyNordic. Passwords are restricted to authorized staff and controlled using various authentication systems such as LDAP and cryptographic keys. Note: this does not apply to third-party control panels, e.g. Plesk or cPanel, installed on Customer servers.

3. Internal Access Control

  • For self-managed dedicated / VPS / Cloud servers, colocation servers, and customer solution servers:
    • The responsibility for access control lies with the Customer.
  • For Managed dedicated / VPS / Cloud servers:
    • RockyNordic shall prevent unauthorized access by applying necessary security updates regularly. It is the Customer’s responsibility to restrict to whom they provide access.
    • RockyNordic shall ensure access is restricted to only those employees who need to access the system in order to perform their duties within the organization.

4. Transfer Control

  • For self-managed dedicated / VPS / Cloud servers, and managed services:
    • When a Customer ends their rental agreement with RockyNordic, we ensure that the server is handed over to our cancellation process, in which we securely destroy the data on the disks.
  • For Colocation servers:
    • The servers will be returned to the Customer.
  • Failed disks:
    • Failed disks are removed. RockyNordic will either do this using its own staff or use an external company that attends the Data Centre, removes the disks, and destroys them.

5. Isolation Control

  • For self-managed dedicated / VPS / Cloud servers, colocation servers, and customer solution servers:
    • The Customer is responsible for isolation control.
  • For Managed dedicated / VPS / Cloud servers:
    • Data shall be physically or logically isolated.
  • Backups of the data shall also be performed using a similar system of physical and logical isolation.

6. Pseudonymization

  • For dedicated / VPS / Cloud servers, colocation servers, and customer solution servers, the Customer is responsible for pseudonymization.

7. Integrity

  • Data Transfer Control:
    • RockyNordic employees are trained to ensure that personal data is handled in accordance with appropriate data protection regulations.
  • The Customer is responsible for ensuring that the data transmitted is encrypted.

8. Data Entry Control

  • For RockyNordic’s internal system managing data collection:
    • Data is entered or collected by the Customer.
    • Changes in data are logged in the appropriate RockyNordic system.
  • For self-managed dedicated / VPS / Cloud servers, and colocation servers:
    • The Customer is responsible for input control. Data is entered or collected by the Customer.
  • For Managed dedicated / VPS / Cloud servers:
    • The Customer is responsible for input control. Data is entered or collected by the Customer.

9. Availability and Resilience (Article 32 Para. 1 Clause b GDPR)

  • For RockyNordic’s internal system:
    • Daily backups of all relevant data required for fulfillment of the Services.
    • Employment of security measures (virus scanning, firewalls, encryption of data where appropriate, spam filters).
    • Employment of RAID protection on all relevant servers.
    • Monitoring of all relevant servers.
    • Data center power protection (Generators & UPS).
  • For self-managed dedicated / VPS / Cloud servers, colocation servers, and customer solution servers:
    • The Customer is responsible for their own data backups. Where a Customer purchases a backup product, RockyNordic shall provide the tools for the Customer to ensure they have set up the backup routine.
    • The Customer should employ software firewalls and restrict ports.
    • Data center power protection (Generators & UPS).
  • For unmanaged dedicated / VPS / Cloud servers:
    • The Customer is responsible for their own data backups. Where a Customer purchases a backup product, RockyNordic shall provide the tools for the Customer to ensure they have set up the backup routine.
    • Data center power protection (Generators & UPS).
  • For rapid recovery measures (Article 32 Para. 1 Clause c GDPR):
    • RockyNordic has a defined escalation chain which is followed in the event of known issues in order to address the issues promptly.

10. Procedure for regular testing, assessments, and evaluation (Article 25 Para. 1 GDPR)

  • RockyNordic has incident response policies.
  • As per Article 25 Para. 2 GDPR, data protection default settings are taken into account in RockyNordic software development.
  • Contract / Agreement Control:
    • RockyNordic’s terms and conditions, along with the Privacy Policy, outline the scope of our data processing and use of Customers’ personal data.
    • RockyNordic has appointed a representative for Data Protection.