EBAOTECH DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) supplements and forms part of the InsureMO Subscription General Terms and Conditions available at https://insuremo.com/insuremo-gtc/, as updated from time to time between Client and eBaoTech, or other agreement(s) between Client and eBaoTech governing Client’s use of the Services (the “Agreement”).
This DPA is an agreement between you and the entity you represent (“Client”) and the eBaoTech contracting entity under the Agreement (“eBaoTech”). This DPA reflects the Parties’ agreement with regard to the Processing of Client Data (as defined below) by eBaoTech on behalf of Client in order to provide the Services pursuant to the Agreement.
1. Definitions
All capitalized terms shall follow the definition under the Agreement unless otherwise defined specifically in this DPA as below:
Client Data means the Personal Data that is uploaded to the Services under Client’s InsureMO accounts, or otherwise provided by, or on behalf of Client to eBaoTech through the Use of the Services.
Controller means the entity which, alone or jointly with others, determines the purposes and means of Processing of Personal Data.
Data Protection Laws mean all legislations and regulations applicable to the Processing of Client Data under the Agreement, including GDPR (EU General Data Protection Regulation 2016/679) and other data protection legislations, as applicable.
Process or Processing means any operation or set of operations performed on Client Data, including collection, storage, use, access, disclosure, erasure, destruction, and reading.
Processor means the entity which Processes Personal Data on behalf of the Controller.
Security Incident means a breach of eBaoTech’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Data.
Sub-processor means the entity engaged by Processor to provide Processing activities on Personal Data on behalf of Controller.
Supervisory Authority means an independent public authority or national body responsible for monitoring the application of the applicable Data Protection Laws.
2. Data Processing.
2.1 Scope and Roles. This DPA applies when Client Data is Processed by eBaoTech as a Processor on behalf of Client as a Controller in order to provide Services pursuant to the Agreement.
For clarity, this DPA applies only to the Processing of Personal Data in environments controlled by eBaoTech and eBaoTech’s Sub-processors. For the avoidance of doubt, this includes Personal Data sent to eBaoTech through the Use of the Services but does not include Personal Data that remains on Client’s premises or in any of Client’s selected third party operating environments.
2.2. Processing Details
2.2.1 Subject matter. The subject matter of the data processing under this DPA is Client Data.
2.2.2 Duration of the Processing. The duration of the Processing of Client Data under this DPA corresponds to the duration of the Services unless otherwise agreed by the Parties in writing.
2.2.3 Purpose and Nature of the Processing. eBaoTech will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Documentation, and as further instructed by Client in its Use of the Services. The nature of the Processing is the performance of the Services pursuant to the Agreement.
2.2.4 Type of Personal Data. Personal Data uploaded to the Services under Client’s InsureMO accounts or otherwise provided by Client to eBaoTech.
2.2.5 Categories of Data Subjects. The Data Subjects could include Client’s customers, employees, suppliers and End Users.
2.3 Compliance with Law. Each party will comply with all Data Protection Laws applicable to and binding on it in the performance of this DPA. Client agrees that it shall comply with its obligations as a Controller under Data Protection Laws. Client will not use the Services in a way that would violate Data Protection Laws.
3. Client Instructions.
The Parties agree that this DPA and the Agreement constitute Client’s documented instructions regarding eBaoTech’s Processing of Client Data (“Documented Instructions”). eBaoTech will Process Client Data only in accordance with Documented Instructions from Client, unless otherwise required by Data Protection Laws. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between eBaoTech and Client, including agreement on any additional fees payable by Client to eBaoTech for carrying out such instructions. Client is entitled to terminate this DPA and the Agreement if eBaoTech declines to follow instructions requested by Client that are outside the scope of, or changed from, those given or agreed to be given in this DPA.
4. Confidentiality Commitment.
eBaoTech will take reasonable steps to ensure that its personnel engaged in the Processing of Client Data (i) will Process such data only on Documented Instructions from Client, and (ii) will be obligated to maintain the confidentiality and security of such data. eBaoTech imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.
5. Security of Data Processing.
5.1 eBaoTech has implemented and will maintain appropriate technical and organizational measures, as set out in Annex 1 (“Security Measures”), for protection of the security, confidentiality and integrity of Client Data.
5.2 eBaoTech regularly monitors compliance with the Security Measures. Client acknowledges that the Security Measures are subject to technical progress and development and that eBaoTech may update or modify the Security Measures from time to time provided that such updates and modifications will not materially decrease the overall security of the Services. eBaoTech will, at Client’s request, make available to Client corresponding information reasonably requested by Client regarding eBaoTech security practices and policies.
6. Sub-processing.
6.1 General Authorization. Client acknowledges and agrees that eBaoTech may appoint its Affiliates, Amazon Web Services and Microsoft Azure as Sub-processors to provide Processing activities on Client Data on behalf of Client.
6.2 eBaoTech shall not engage a Sub-processor to carry out specific Processing activities which fall outside the general authorization granted above without Client’s prior written authorization and, where such other Sub-processor is so engaged, eBaoTech shall ensure that the same contractual obligations set out in this DPA be imposed on that Sub-processor.
6.3 eBaoTech is responsible for its Sub-processors’ compliance with eBaoTech’s obligations in this DPA.
6.4 The Parties agree that if copies of eBaoTech’s agreements with a Sub-processor must be sent by eBaoTech to Client as required by Data Protection Laws, such copies will be provided only upon reasonable request by Client and all commercial information and provisions unrelated to this DPA will be redacted beforehand.
7. Security Incident Notification.
7.1 eBaoTech will (i) notify Client of a Security Incident without undue delay after becoming aware of the Security Incident, and (ii) take reasonable steps to mitigate any adverse effects resulting from the Security Incident.
7.2 Notification(s) of Security Incidents will be delivered to Client by any means eBaoTech selects, including via email. It is Client’s sole responsibility to ensure Client maintains accurate contact information with eBaoTech for each applicable Service.
7.3 Client is solely responsible for complying with its third-party notification obligations related to any Security Incident as required under Data Protection Laws.
7.4 eBaoTech shall make reasonable efforts to assist Client in fulfilling Client’s obligation, as required under Data Protection Laws, to notify the relevant Supervisory Authority and Data Subjects about such Security Incident.
8. Audit.
Subject to Client’s commitment in confidentiality, eBaoTech shall allow for, and contribute to, audits conducted by Client or another auditor designated by Client, who shall not be a direct competitor of eBaoTech, including inspections to the extent required by Data Protection Laws, during eBaoTech’s normal business hours without interference to eBaoTech’s daily operations, in accordance with the following procedures:
8.1 eBaoTech will provide Client or its designated auditor with the most recent certifications and/or summary audit report(s), which eBaoTech has procured to regularly test, assess and evaluate the effectiveness of the security measures.
8.2 If further information is needed by Client to comply with its own or other Controllers audit obligations or a competent Supervisory Authority’s request, Client shall inform eBaoTech in writing to enable eBaoTech to provide such information or to grant access to it.
8.3 To the extent that it is not possible to satisfy Client’s audit rights as stipulated in Data Protection Laws or as required by a competent Supervisory Authority unless by way of onsite visit in eBaoTech’s premise or facilities, eBaoTech shall allow the onsite visit provided that Client gives eBaoTech reasonable prior written notice of such onsite visit and such onsite visit shall be conducted on a Working Day during normal business hours mutually selected by the Parties to reduce any risk to eBaoTech’s other clients, and only in a manner that causes minimal disruption to eBaoTech’s business.
9. Transfers of Client Data.
Client Data relating to the Services of the Agreement will be stored in a location as agreed with the Client. eBaoTech will not transfer Client Data to other locations/countries. In the event of a documented instruction from Client on international transfer of Client Data for purposes of performance of the Agreement or for eBaoTech to provide the Services initiated by Client, Client shall ensure its instructions will not breach the requirements under Data Protection Laws, and each Party will ensure such transfer is made in compliance with the requirements of Data Protection Laws.
10. eBaoTech Assistance.
10.1 eBaoTech will assist Client, when reasonably requested by Client, by technical and organizational measures for the fulfillment of Client’s obligation to comply with the rights of Data Subjects and in compliance with Client’s obligations relating to the security of Processing, the notification to Supervisory Authorities and/or communication of a Security Incident to Data Subjects, as and when required by Data Protection Laws, taking into account the nature of the Processing and the information available to eBaoTech, subject to reasonable additional charges as mutually agreed by the Parties in advance for the efforts incurred based on the then-current charging standard of eBaoTech. If Client does not agree to the quote of eBaoTech, the Parties agree to reasonably cooperate to find a feasible solution.
10.2 Data Protection Impact Assessment. Taking into account the nature of the Processing and the information available to eBaoTech, eBaoTech will assist Client in complying with Client’s obligations in respect of data protection impact assessments and prior consultation with the responsible Supervisory Authority as and when required by the Data Protection Laws, by providing the necessary information reasonably requested by Client.
11. Termination of the DPA.
This DPA will continue in force and effect until the expiry or termination of the Agreement.
12. Deletion or Return of Client Data.
Upon termination of the Agreement, eBaoTech will, subject to the terms and conditions of the Agreement or otherwise agreed with the Client, delete or return Client Data in its possessions, unless otherwise required by applicable laws.
13. Limitation of Liability.
EACH PARTY’S AND ALL OF ITS AFFILIATES’ TOTAL AND AGGREGATE LIABILITIES ARISING OUT OF OR IN CONNECTION WITH THIS DPA, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, ARE SUBJECT TO THE LIMITATION OF LIABILITY SET OUT IN THE AGREEMENT.
14. Miscellaneous.
14.1 In the event and to the extent of a conflict between the Agreement and this DPA, the terms of this DPA will prevail.
14.2 eBaoTech has a Data Security Committee that includes a Data Protection Officer responsible for overseeing data protection and security measures. The Data Security Committee may be contacted at security-committee@ebaotech.com.
ANNEX 1 – Security Measures
eBaoTech has implemented and will maintain for Client Data the following Security Measures, which are in conjunction with the security commitments in this DPA, and the following are eBaoTech’s only responsibility with respect to the security of Client Data.
Category | Practices |
Asset Management | Assets Security. eBaoTech identifies and manages data assets, and implements appropriate operating procedures to manage such assets according to the characteristics of different types of assets. |
Access Control | Access Control Policy. eBaoTech has set up a set of access control policies which standardizes user management, password management and system configuration, to ensure proper authority control. User Access Management. eBaoTech implements a formal user access provisioning process to assign or revoke access rights for all user types to each system. eBaoTech ensures that only relevant personnel can obtain appropriate access to their duties, and forms a list of user access and implements regular review of it. eBaoTech also adjusts and cancels the employee’s user access right when the employee leaves post or departs from the company. |
Cryptography | Cryptographic Controls. eBaoTech has formulated regulations on the management of using cryptographic control, including identification of the protection level based on risk assessment and considering the type, intensity and quality of encryption algorithm. Cryptographic Management. eBaoTech has formulated regulations on the cryptographic management so as to the whole process from the application, use, custody to destruction of key is under secure control. |
Physical and Environmental Security Control |
Secure Areas. eBaoTech specifies the boundaries of secure areas and takes appropriate control measures, such as physical isolation, access control systems, video surveillance, etc. Equipment and Facilities Security. eBaoTech ensures all kinds of equipment and facilities are placed in the appropriate area and appropriate protective measures are taken to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. |
Operational Security Control |
Operating Procedures. eBaoTech has established necessary management, operating responsibilities and procedures for all data processing facilities. eBaoTech controls the changes of data processing facilities and systems, and all system activities are under documented specification. eBaoTech also implements a clear allocation of responsibilities in accordance with the basic requirements of secure operations to reduce risks due to negligence or misuse of the system. Individuals unauthorized or unmonitored shall not be able to access, modify or use system. Planning and Management of Capacity. eBaoTech ensures that each controlled information system is able to identify capacity requirements so as to guarantee timely assessment and improvement of the availability and efficiency when necessary. Separation of Development, Testing and Operational Environments. eBaoTech identifies the separation level among the operation, testing and developing environment of the controlled information system to prevent overstepping or unauthorized operations. Protection from Malware. eBaoTech has established effective computer virus prevention, detection and killing mechanism, implements the detection and protection control to prevent malware, and improves employees’ sense of prevention. Backup. eBaoTech implements backup procedures and implements effective test on the backup data. Audit Logging and Logging Protection. eBaoTech has established logging management regulations to prevent logging storage facilities from unauthorized tempering and operational problems. Important audit loggings are archived, including details such as user ID, date, time and key events, as well as system configuration, special access rights, the use of system utilities and applications. Control of Operational Software. eBaoTech implements management procedures on software installations, and designates special personnel who have the skills that meet the requirements of daily software installation to install software on operating systems according the procedures. Clock Synchronization. eBaoTech synchronizes the clocks to ensure the accuracy of the system loggings. Technical Vulnerability Control. eBaoTech timely obtains the technical vulnerability information of controlled information systems to assess the protection of this kind of technical vulnerability and take appropriate control measures. Information Systems Audit Control. eBaoTech implements information systems audit strictly in accordance with relevant audit procedures and policies. eBaoTech makes detailed planning and assesses the risks associated with information systems audit when doing the audits. |
Communications Security Control |
Network Security Management. eBaoTech implements network security management, divides the network secure areas, monitors and manages the network equipment and activities, develops network security policies and operating procedures, and protects the network information and supporting facilities. Information Processing Procedures. eBaoTech has established a management procedure that handles, processes, stores and classifies information consistent with its communications, and dispose and mark all the media according to the classification standard. |
System Security Control |
Prevention of Data Disclosure. eBaoTech limits the risk of data disclosure, regularly assesses the external communications security of data, conceals and adjusts the communication behavior of the system to reduce the possibility that third parties will infer information from these actions. eBaoTech also regularly monitors the activities of individuals and system as well as the use of resources in computer systems under the existing laws and regulations. System Security Testing. eBaoTech implements security testing on information system regularly and take a comprehensive testing before the information system gets online. System Acceptance Testing. The requirements and principles of the acceptance of new system will be clearly defined, formed into documents and through testing before the construction of new information system. The upgrade of new system and the update of new version will be operated online as a product only after formal testing and acceptance. |
Security Incident Control | Policy on Information Security Incident. eBaoTech has established the monitoring, reporting, warning, disposal, rectification mechanism of information security incident. eBaoTech maintains a record of security incident, and knowledge gained from analyzing and resolving such incidents will be used to reduce the likelihood or impact of future incidents. |
Business Continuity Control | Business Continuity Management. eBaoTech has established the mechanism of identifying potential hazards that could lead to interruptions of business, as well as the possibility and impact of such interruptions and the security consequences due to the interruptions. eBaoTech has formulated continual planning and implements emergency drills to ensure timely recovery upon interruptions or failure in critical business processes and to guarantee the availability of information. |