ANNEX A
- DETAILS OF THE PERSONAL DATA PROCESSING -
(Also Serves As Annex I To The EU SCCs)
A. LIST OF PARTIES
Data exporter
Name, address and contact details: Customer, whose name, address, and contact details are as detailed in the applicable order form.
Activities relevant to the data transferred under these Clauses: Provision of the Services under the Agreement.
Signature and date: The data exporter’s signature on the DPA or agreement between the parties applies herein.
Role (controller/processor): Controller.
Data importer
Name: Mine Technologies Ltd.
Address: Alon 1 Tower, 94 Yigal Alon St, Tel Aviv-Yafo, 6789139, Israel
Contact person’s name, position and contact details: As detailed under the applicable order form.
Activities relevant to the data transferred under these Clauses: Provision of services under the agreement.
Signature and date: The data importer’s signature on the DPA or agreement between the parties applies herein.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
- Customer’s end-users.
- Customer’s employees.
- Customer’s customers.
Categories of personal data transferred
Customer may submit Personal Data to the Platform or otherwise provide Personal Data to Mine as part of the provision of Services, the extent of which is determined and controlled solely by Customer. Such Personal Data may include, without limitation, Contact Information (name, age, gender, address, telephone number, email address etc.) related to the above-mentioned categories of data subjects.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Customer may submit special categories of Personal Data to the Services, or otherwise provide Mine with special categories of Personal Data as part of the provision of Services, the extent of which is determined and controlled solely by Customer. The applicable security measures are detailed under ANNEX B to the DPA.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).
Continuous.
Nature of the processing
Provision of the services under the agreement between the parties.
Purpose(s) of the data transfer and further processing
Provision of the services under the agreement between the parties.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Duration of the agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Hosting and ancillary services for the duration of the agreement.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13:
Where the data exporter is established in an EU Member State - the supervisory authority of such EU Member State shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) - the supervisory authority of the Member State in which the representative is established shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) - the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses are located shall act as competent supervisory authority.
ANNEX B
- TECHNICAL AND ORGANIZATIONAL MEASURES -
(Also Serves as Annex II To The EU SCCs)
MINE TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Measures of pseudonymization and encryption of personal data
- Raw data is encrypted at rest and in transit in accordance with industry standards (and at least AES256 CTR).
- Mine will set adequate procedures for using cloud-based storage services in a multi-tenant environment which will include encryption and adequate access criteria.
- Mine will implement a procedure for Customer Data backups which sets, inter alia, backup method and frequency, appropriate encryption measures according to the level of sensitivity of the Customer Data and the location of the backup storage.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and services
Mine will use measures to guarantee the integrity of Customer Data in backups, and to maintain the possibility to restore Customer Data in the event of data loss or destruction. Without limiting the above, to the extent that Mine uses backup media, Mine will store such media in a fireproof and waterproof safe environment which is located outside of the facility that contains Customer Data.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- Mine will securely backup Customer Data that Mine possesses.
- Mine will implement a procedure for Customer Data backups which sets, inter alia, backup method and frequency, appropriate encryption measures according to the level of sensitivity of the Customer Data and the location of the backup storage. Mine will follow this procedure throughout the term of the agreement. Mine will use measures to guarantee the integrity of Customer Data in backups, and to maintain the possibility to restore Customer Data in the event of data loss or destruction. Without limiting the above, to the extent that Mine uses backup media, Mine will store such media in a fireproof and waterproof safe environment which is located outside of the facility that contains Customer Data.
- Mine will conduct ongoing technical Disaster Recovery sessions to review its related technical operations and to conduct 'fire drills' to test it in real time.
- Mine’s disaster recovery and business continuity processes will be approved by Mine’s management, audited by a non-dependent third party on an annual basis and will be practiced on an ongoing basis.
- Mine’s information security officer will ensure the backup of the following data, on a weekly basis, in a manner which guarantees the possibility to perform data restoration at any given time:
- Entries to and departures from Mine’s offices and other sites that store Customer Data or the following components: infrastructure and hardware systems, communication, and information security components.
- Administration of access to the Customer Data.
- Identification and validation of access to the Customer Data.
- Control and documentation of access to Mine’s systems which store or process Customer Data, including the user’s identification, the time and date of the access attempt, the system components to which access was attempted and whether access was granted or denied.
- Security breaches (any event which raises concerns to the integrity of data or use of data without or in excess of access permission).
- Security of communications (implementing adequate means to protect from unauthorized access and from exploits and malware).
Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the Processing
Mine will monitor its systems and networks for security related events and will conduct periodic risk assessments and penetration tests by a credible external security adviser, in order to detect data security related risks. Mine will discuss the results of the assessments and tests and further review the need to update information security processes. Mine will remediate any detected vulnerabilities.
Measures for user identification and authorization
- Access to applications, specifically when entering, changing and deleting data is logged.
- Access to Customer Data is made via a strong identification mechanism which includes at least two identification means (2FA), based on “something you know” and “something you have”.
- Identification means provided to employees or other authorized persons are not shared with any other employee or other authorized person, not even at a later stage. Mine keeps records of all identifications allocated to authorized personnel and operates identification verification measures prior to granting access to Customer Data.
- Inactive users’ access is blocked following six months of inactivity, other than with respect to users created for support and maintenance purposes.
- Access to Customer Data is blocked for users of personnel no longer involved in the provision of services to customer.
- Mine enforces a policy which reduces the risk of a breach of password confidentiality. Passwords are stored in an encrypted form that keeps them illegible.
- Mine maintains an internal procedure for allocating, distributing, and storing passwords. Passwords are periodically reset. Passwords must include at least 8 characters and any string which can be easily related to a Mine’s employee (e.g. employee’s name, last name, family members’ name, birthdays etc.) is prohibited. Access is automatically blocked after three consecutive failed access attempts. Records of last five passwords of every authorized user are retained.
Measures for the protection of data during transmission
Data transfer between Customer and Mine, if required, will be made in accordance with accepted standards, including through VPN, encryption, point-to-point communication or other secure and encrypted means such as TLS 1.2 or higher.
Measures for the protection of data during storage
- Customer Data and backup data are encrypted at rest according to NIST best practices (at least AES256 CTR).
- Data Systems’ storage devices are marked, labelled and placed in a surrounding accessible solely to Mine’s authorized personnel on a need-to-know basis.
- Mine maintains adequate procedures for using cloud-based storage services in a multi-tenant environment which will include encryption and adequate access criteria.
- When Customer Data is stored by third party service providers, Mine ensures that its subcontractors providing Mine with storage services are carefully vetted with regard to data security, comply with EU data protection regulations, and are certified with known information security standards, such as ISO27001 or SOC2 Type II.
- Mine implements a system for documenting media devices received from third parties or submitted by Mine to third parties. Such documentation includes the type of media, date & time of the receipt/submission of media, identity of the recipient and sender, the media’s serial number and description of the media’s content.
- Access to backup data is restricted.
Measures for ensuring physical security of locations at which personal data are processed
- Mine documents and controls access to facilities containing Customer Data that are under Mine’s control.
- Mine documents all computer and network equipment transfer into and out of Mine’s facility, or on any other entity’s facilities on Mine’s behalf, which contains Customer Data.
- Servers and any equipment used for storage, processing and access to Mine’s services or applications are protected by adequate means for entry control in a manner that ensures that only authorized employees have access thereto.
Measures for ensuring events logging
- All access to applications is logged, specifically when entering, changing, and deleting data.
- Audit logs cannot be accessed or tampered with by unauthorized personnel.
- Mine has the ability to send authentication and authorization logs to Customer’s SIEM system, or to make them available for Customer’s SIEM system to fetch.
- Mine has intrusion detection solutions and the ability to generate the relevant security alerts upon detection.
- Mine implements a procedure for responding, managing, and reporting security incidents which are related or may be related to Customer Data. Mine will keep a record of any security incident that Mine becomes aware of, which will include the date of the event, the identity of the reporter, the identity of persons reported to and consequences of the event.
- Mine implements a procedure for the restoration of lost or corrupted Customer Data due to security breach.
- Mine will hold periodic discussions regarding security incidents and will review the necessity to update relevant procedures.
Measures for ensuring system configuration, including default configuration
- Testing and development environments are separated and isolated from the production environment.
- Changes are pre-approved by authorized personnel and traced accordingly.
Measures for internal IT and IT security governance and management
ISO27001 & SOC2 Type II certifications
Measures for certification/assurance of processes and products
- New staff across the company are trained in Secure Software Development Lifecycle (SSDLC) practices.
- New product initiatives are reviewed by the security team according to SPbD (Security and Privacy by Design) concepts at the design phase.
- System code is tested against known vulnerabilities (e.g., OWASP top 10).
- Existing core systems and infrastructure are tested for security vulnerabilities periodically. In some cases, testing is conducted by automatic scanners as well as manually by external independent parties.
Measures for ensuring data minimization
- Collection is limited only to required data to fulfill the specific purpose of the Agreement.
- Data minimization is assured during our SDLC process.
Measures for ensuring limited data retention
Customer Data is retained for the duration of the contract. Following termination, Customer Data is deleted or de-identified in accordance with the terms of the Agreement and the DPA.
Measures for ensuring accountability
- Mine has in place internal policies containing formal instructions for data processing procedures.
- Mine carefully vets its relevant contractors with regard to data security.
- Mine’s personnel are vetted prior to engagement and trained periodically to maintain awareness regarding data protection and security requirements.
Measures for allowing data portability and ensuring erasure
Data can be exported from the system by authorized Customer users.
For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the Controller and, for transfers from a processor to a sub-processor, to the data exporter.
Measures that Mine has in place to assist the Customer in fulfilling its obligations to respond to Data Subject’s requests
Responding to DSARs is at customer’s control through the platform.
ANNEX C
- CROSS-BORDER PERSONAL DATA TRANSFER -
1. DEFINITIONS
Capitalized terms not defined herein will have the meaning set forth in the DPA or under Privacy Laws and Regulations.
- 1.1. “EU SCCs” means the Standard Contractual Clauses pursuant to EU Commission Decision C(2021)3972.
- 1.2. “FADP” means the Swiss Federal Act on Data Protection of 19 June 1992 (Status as of 1 March 2019) as replaced by its amendment of September 25, 2020 (effective as of September 1, 2023).
- 1.3. “IDTA” means the International Data Transfer Agreement, issued by the ICO in accordance with section 119A of the Data Protection Act 2018, or any other applicable standard contractual clauses issued, approved, or otherwise recognized by the ICO.
- 1.4. “Swiss SCCs” means the applicable standard contractual clauses issued, approved, or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”).
- 1.5. “Third Country” means a country outside the European Economic Area (“EEA”), the UK or Switzerland, which was not acknowledged by the EU Commission, a UK Secretary of State or the FDPIC (as applicable) as providing an adequate level of protection in accordance with Article 45(3) of the GDPR, Article 45 of the UK GDPR or the equivalent.
- 1.6. A “Transfer” means a transfer by Mine, Mine’s New Processors or Mine’s Other Processors of: (1) GDPR-governed Customer Personal Data transferred outside the EEA (“EEA Transferred Data”); (2) UK-GDPR governed Customer Personal Data transferred outside the UK (“UK Transferred Data”); and, (3) FADP-governed Customer Personal Data transferred outside of Switzerland (“Swiss Transferred Data”, and with EEA and UK Transferred Data: “Transferred Data”).
- 1.7. “UK Addendum” means the UK addendum published by the Information Commissioner's Office's (“ICO”) in accordance with section 119A(1) of the Data Protection Act of 2018, incorporating the EU SCCs.
2. EEA Transfers
Transfers of EEA Transferred Data to a Third Country, will be made under the EU SCCs, giving effect to module 2 or 3, as applicable, which is incorporated by reference to this DPA, as follows:
- 2.1. In Clause 7, the optional docking clause will apply.
- 2.2. If applicable - in clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes will be as set out in Section 5 of this DPA.
- 2.3. In clause 11, the optional language will not apply.
- 2.4. In clause 17, Option 1 will apply, and the EU SCC will be governed by the Irish law.
- 2.5. In clause 18(b), disputes will be resolved before the courts of Ireland.
- 2.6. Annexes (I)-(II) to the EU SCCs will be completed with the relevant details in ANNEXES A-B to this DPA.
3. UK Transfers
Transfers of UK Transferred Data to a Third Country, will be made -
- 3.1. In accordance with the EU SCCs as detailed in section 2 above, as amended by the UK Addendum, which is incorporated by reference to this DPA, with the necessary changes made as detailed in sections 12-15 to the UK Addendum; or,
- 3.2. if the EU SCCs as implemented above cannot be used to lawfully Transfer UK Transferred Data, the IDTA will instead be incorporated by reference, will form an integral part of this DPA, and will apply to UK Transferred Data. In such case, the relevant tables of the IDTA will be populated using the information contained in ANNEXES A-B.
4. Swiss Transfers
Transfers of Swiss Transferred Data to a Third Country, will be made -
- 4.1. In accordance with the EU SCCs as detailed in section 2 above, as recognized by the FDPIC on August 27, 2021, with the following modifications: (A) references to ‘EU’, ‘Union’, ‘Member State’ and ‘Member State law’ will be interpreted as references to ‘Switzerland’ and ‘Swiss law’, as applicable; and, (B) references to ‘Competent supervisory authority’ and ‘Competent courts’ will be interpreted as references to the FDPIC and the competent courts in Switzerland; or,
- 4.2. if the EU SCCs as implemented above cannot be used to lawfully Transfer Swiss Transferred Data in compliance with the FADP, the Swiss SCCs will instead be incorporated by reference, will form an integral part of this DPA, and will apply to Swiss Transferred Data. In such case, the relevant Annexes of the Swiss SCCs will be populated using the information contained in ANNEXES A-B.
5. Supplemental Measures
In accordance with Article 46 of the GDPR, the EU SCCs and guidelines published by the European Data Protection Board (EDPB), and without prejudice to any provisions of the DPA or this Annex, Mine undertakes to implement the following organizational and technical safeguards, in addition to the safeguards mandated by the EU SCCs, to ensure the required adequate level of protection to Transferred Data:
- 5.1. Technical and Organizational Measures. Mine will implement and maintain the technical and organizational measures, as specified in ANNEX B, which is attached and incorporated by reference to this DPA, with a purpose to protect Customer Personal Data against any processing for national security or other government purposes that go beyond what is necessary and proportionate in a democratic society, considering the type of processing activities under the Agreement and relevant circumstances.
- 5.2. Contractual Measures. For the purposes of safeguarding Transferred Data when any Third Country’s government or regulatory authority requests access to such data (“Request”), and unless required by a valid court order or if otherwise Mine may face criminal charges for failing to comply with orders or demands to disclose or otherwise provide access to EEA Transferred Data, or where the access is requested in the event of imminent threat to lives, Mine will:
- 5.2.1. not purposefully create back doors or similar programming that could be used to access EEA Transferred Data;
- 5.2.2. not provide the source code or encryption keys to any government agency for the purpose of accessing EEA Transferred Data;
- 5.2.3. upon Customer’s written request, provide reasonable available information about the requests for access to Customer Personal Data by government agencies that Mine has received in the 6 months preceding Customer’s request; and,
- 5.2.4. notify Customer upon receiving a request by a government agency to access Customer Personal Data to enable Customer to take necessary actions, communicate directly with the relevant authority and to respond to the request. If Mine is prohibited by law to notify the Customer of such request, Mine will make reasonable efforts to challenge such prohibition through judicial action or other means at Customer’s expense and, to the extent possible, will provide only the minimum amount of information necessary.
6. Future Adequacy
As applicable, if: (A) the Adequacy Recognition is invalidated or otherwise terminated by the EU Commission or a UK Secretary of State; (B) the EU SCCs are invalidated or are no longer in effect; or (C) any other Transfer safeguard used for the Transfer of Transferred Data is no longer in effect for any reason, then Mine will take such alternative lawful measures, as may be available and applicable, to continue facilitating the lawful Transfer of Transferred Data by Mine, Mine’s Other Processors, Mine’s New Processors, or equivalents thereof.