Memset Customer Data Processing Addendum
Unless otherwise stated, definitions used in this addendum shall have the same meaning as those in Memset’s terms and conditions.
Purpose and scope of Memset Data Processing on behalf of Data Controllers
For the purpose of providing the Services, Memset will process Customer Hosted Data. To the extent that Customer Hosted Data is comprised of Personal Data, the parties acknowledge that Memset acts as a Data Processor for all Customer Hosted Data supplied to Memset by the Customer as well as the Customer’s own customers or agents.
The Services are provided on the basis that either:
- the Customer is the Data Controller for all Customer Hosted Data supplied to Memset under the Services and has complied with its obligations under the applicable Data Protection Laws, including but not limited to obtaining the required consents (“Data Protection Consents”); or
- where the Customer is a Data Processor on behalf of a Data Controller, that Memset is a sub-Data Processor and that the Customer has:
  - ensured that all necessary Data Protection Consents have been obtained or other lawful grounds for Processing have been correctly established;
  - entered into the required contractual arrangements, including arrangements with the relevant Data Controller for Memset to act as sub-processor legally; and
  - complied with its obligations as Data Processor under the applicable Data Protection Laws.
By accepting this addendum the Customer indicates their acceptance of the provisions below and warrants that the basis of the Services set out in this Data Processing Addendum is accurate.
Nature of the Processing
Memset undertakes a range of Processing as defined by the Services, i.e. the provision of hosting services to the Customer, the choice of which is determined by the Customer. The Customer acknowledges that the scope of the Services explicitly excludes the access to, manipulation, transformation or optimisation of or decision-making based on Customer Hosted Data for the purposes of such Processing by Memset. Memset provides a dedicated and cloud-based hosting infrastructure to support the Customer’s or Customer’s agents’ processing of data to that end.
Memset maintains no visibility of and has no intention to access or manipulate Customer Hosted Data, even in the case where Memset maintains technical access for the purposes of management of the infrastructure of the Customer Hosted Solution. This is due to the Customer’s position as the Primary System Administrator. Memset interacts with the Customer Hosted Solution at an infrastructure level only, not at the level of Customer Hosted Data or the Customer Hosted Applications. Further, any processing by Memset of Customer Hosted Data (which may comprise Processing of Personal Data) is determined by the Customer insofar as it is the Customer that ultimately determines what the Services will be and, therefore, what data processing occurs.
Memset classifies all Customer Hosted Data as the same type of data and does not maintain visibility of different types of Customer Hosted Data or categories of Personal Data within this set. Memset applies the same level of generic security controls to all Customer Hosted Solutions.
Memset provides a service which constitutes among other things the provision of VMs, storage, networking and dedicated servers to Customers. Whilst we will try to ensure the compliance of those underlying services with the applicable Data Protection Laws, we do not maintain reliable access to the Operating Systems, applications or data that Customers upload to their Customer Hosted Solution, so the Customer is responsible for all data protection issues not related to the underlying services.
Duration of Processing
The Customer is responsible for the duration of the processing of any Personal Data comprising Customer Hosted Data. While the Agreement is in force, Memset will Process all such Personal Data in accordance with the Customer’s written instructions.
Security and compliance of the underlying hosting infrastructure
Memset will be responsible for maintaining the GDPR compliance of the underlying hosting infrastructure, Memset support personnel (including that such personnel are subject to a duty of confidence that is compliant with the applicable Data Protection Laws) and physical locations, including appropriate technical and organisational controls to secure and ensure the resilience of the underlying hosting infrastructure as defined by our ISO27001 security procedures.
Memset has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures. A non-exhaustive list of technical and organisational measures is set out below. By entering into this addendum, the Customer confirms that it has reviewed and approved the following measures:
Security management & Policy
- Maintenance of an overarching information security management system based on an industry leading international standard (currently ISO27001:2013)
- Security and Compliance teams to help ensure Memset operational and policy/audit security matters receive appropriate attention and resourcing, including Operations Board seats for both department representatives respectively
HR & Access Control
- Vetting of all Memset personnel to at least UK BPSS level prior to commencement of employment
- Appropriate on-hire, role change and termination activities related to Memset access and asset management
- Use of a role-based access control system and restriction of all Memset access to customer data or Customer Hosted Solutions to those personnel with a business need for access
- The ability to audit all Memset personnel access to Customer Hosted Solutions and/or Customer Hosted Data
Physical & Environmental security
- Sufficient physical and environmental security controls at all Memset facilities
- Appropriate availability, performance and security logging, monitoring and audit controls for the underlying infrastructure
- Vulnerability management systems to help ensure that the patch and configuration levels of the underlying infrastructure are appropriate to Memset’s scale and policies
- Hardening of underlying infrastructure devices to levels that are materially in accordance with good industry practice
- Appropriate encryption in transit and at rest for sensitive operational data such as API calls, control panel access, customer credentials and key material managed by Memset and Memset privileged user access to all infrastructure and Customer Hosted Solution devices, including a commitment to continually manage the strength of associated cryptosystems and ciphers
- Regular third party tests of the security posture of the underlying hosting environment
- Backups and infrastructure redundancy within the underlying hosting infrastructure appropriate to our Terms and Conditions and SLAs
- Appropriate security of all Memset end-user devices used by Memset to access the underlying hosting infrastructure, Customer Hosted Data and Customer Hosted Solutions
Incident management & communication
- Sufficient internal incident management procedures, including the commitment to escalate relevant security incidents to impacted Customers without undue delay
Availability of Customer Hosted Solutions and Services
Temporary loss of Availability or Integrity related to an Emergency Maintenance or Scheduled Maintenance is not considered to be a loss of Availability under the applicable Data Protection Laws.
As set out in the applicable Service Definitions, Memset cannot guarantee the Availability of individual Customer Hosted Solutions in an Available state at an application or data level, as this availability is primarily a result of decisions taken by the Primary System Administrator. Memset guarantees the availability of data centre services, e.g. availability of core network connection, power and cooling, and the availability of sufficient hypervisor capacity where Cloud services are procured in line with the provisions of the services’ respective SLAs and Memset’s definition of Availability. In accordance with the Services being provided, Memset is not able to decide how Personal Data comprising Customer Hosted Data is processed. The Customer Hosted Solutions are inevitably Infrastructure-as-a-Service-based and control of the data thereon is with the Customer.
Customer data protection responsibilities
As the Primary System Administrator and / or Data Controller the Customer has the following responsibilities under GDPR:
- Maintain appropriate technical controls to secure, and monitor for security, the following:
  - the Operating System
  - the Applications
  - logical data stores (databases, or storage structures built by or on behalf of the Customer using Memset Storage-as-a-Service products)
  - configuration of network security controls specific to the Customer Hosted Solution (i.e. configuration of any Managed Firewall, OpenStack security groups and local firewalls)
  - monitoring of the Customer Hosted Solution for signs of security incident or intrusion
  - all non-Memset user access
- Ongoing management of any anti-malware controls residing on Customer virtual machines or dedicated servers
- Undertake any required third party testing or certification of their Customer Hosted Solution
- Where the above is included within the scope of a Customer SLA, Memset will undertake the work based on instructions from the Customer in ticket form, but the Customer remains responsible for the efficacy of the controls implemented.
- Undertake all organisational measures required to ensure compliance with the basic principles for processing (Articles 5, 6, 7 and 9 of the GDPR) and Data Subjects’ rights (Articles 12-22 of the GDPR) at the point of collection of data; be aware of the technical and organisational security controls put in place by Memset; and maintain additional technical and organisational controls to ensure compliance during processing, storage, any transfer not undertaken solely by Memset, and at the point of destruction if not reliant on Memset’s underlying solution-level data destruction processes (i.e. deletion of a VM or decommissioning of a dedicated server and associated storage media).
- Undertake and manage all communication with Data Subjects
- Maintain any required relationship with the Information Commissioner’s Office on behalf of the Data Controller
Memset use of Data Sub-Processors
By entering into this Data Protection Addendum, the Customer hereby permits Memset to appoint sub-processors of Personal Data and, for the term that the Data Protection Addendum is in force, Memset shall have a general right to appoint sub-processors of Personal Data. Memset shall provide the Customer with prior notification before appointing any sub-processors of any Personal Data that are in addition to those noted in this Data Processing Addendum.
Memset utilises a small number of Data Sub-Processors in order to provide Services to the Customer. The following list of Data Sub-Processors used to provide Services will be updated from time to time to reflect the current operational position:
- Everest Ltd – Provision of Colocation hosting and 1st line data centre remote hands support (Reading DC)
- Microsoft Ltd – Provision of Memset email used for communications with the customer
- Mimecast Ltd – Provision of Secure Email Gateway Services to Memset
- Slack Technologies Ltd – Provision of Memset internal communications tooling
- Duo Security Inc. – Provision of 2-factor authentication services for internal Memset use
- Salesforce.com EMEA Ltd – Provision of Memset sales and account management systems
- dotMailer Ltd – Provision of bulk emailing services
Memset will notify the Customer of the use of any new Data Sub-Processor, by support ticket or email, at least one (1) month prior to adoption of the Sub-Processor and transfer of Customer Hosted Data or provision of any form of access to Customer Hosted Solutions, and the Customer must ensure that all necessary Data Protection Consents are obtained or other legitimate grounds for processing the Personal Data are established. The Customer’s continued use of the Services constitutes approval for the use of this new Data Sub-Processor and a repeated warranty by the Customer that the use of all sub-processors is lawful under the applicable Data Protection Laws, subject to Memset complying with its obligations under the applicable Data Protection Laws in respect of appointing sub-processors. Memset will perform appropriate due diligence on the Data Sub-Processor, as we will on any security-impacting supplier.
Memset will maintain written contracts with all Memset Sub-Processors including any relevant GDPR-related compliance requirements and will conduct regular audits to confirm their continuing conformance with Data Protection Laws.
Transfer to non GDPR-aligned locations or Sub-Processors
Memset will not transfer Customer Hosted Data to any Data Sub-Processor located outside of the EEA or to any other third party location not deemed appropriate by Binding Corporate Rules, Privacy Shield or other adequacy decision defined on a continuing basis by the Information Commissioner’s Office without explicit written permission from the Customer.
Processing in accordance with written instructions
Memset will only process Customer Hosted Data (which may or may not include data for which the Customer is the Data Controller) in accordance with the Data Controller’s written instructions, which for the purposes of data protection and this addendum are taken to be contained in whole within the section ‘Purpose and scope of Memset Data Processing on behalf of Data Controllers’. No other written instructions can be accepted, as they will fall outside of the scope of our services.
Assistance with Customer data protection obligations
Insofar as Memset provides a hosting infrastructure to the Customer, Memset will assist the Data Controller in meeting their data protection obligations including:
- Provide the Customer with one (1) working day per annum in which they may undertake an onsite security and compliance audit of Memset’s services and premises. This must be scheduled and agreed with Memset Security and Compliance at least ten (10) working days in advance, including agreement of a detailed agenda for the audit. We are able to support audits performed by suitably empowered third parties on behalf of the Customer, but request that a Customer representative is in attendance in this case.
- Further audits as required by the Customer’s compliance regime or in the event of an investigation will be charged on a reasonable time and materials basis, unless Memset has reasonable evidence to suggest that the investigation is related to a material failure or weakness in our Services.
- Maintain an up-to-date ‘Data Protection Compliance Pack’ available via the Memset Control Panel that includes a range of compliance information and accreditation information for the Data Controller to maintain their visibility of our compliance status.
- Carry out internal Data Privacy Impact Assessments as the Data Processor for all Services and provide summaries of these as part of the Data Protection Compliance Pack, and to assist the Customer with consulting with the Information Commissioner’s Office where these indicate an unmitigated high risk.
- Inform the Customer without undue delay of the possibility of a material security breach of their Customer Hosted Solution if detected by our systems.
- Provision of Customer root or admin access to the Customer Hosted Solution at the point of initial deployment. (This constitutes the technologically possible extent of the assistance Memset can provide regarding Subject Access Requests for data for which the Customer or the Customer’s customer is the Data Controller.)
- Keep a record of all Processing of Personal Data performed in relation to the Services.
- Where a Security Incident resulting in a data breach has occurred, or is suspected to have occurred, as a result of a material failure or weakness in the Memset infrastructure, we will notify the Information Commissioner’s Office and impacted Customers without undue delay.
- For termination of contract for reasons other than breach of Acceptable Use Policy or non-payment of fees, provide a reasonable period in which the Customer can use standard tools to extract the data themselves provided that such extraction by the Customer does not prejudice Memset or its systems. In all cases Memset will delete all Customer Hosted Data on our infrastructure as part of decommissioning of the Customer Hosted Solution.
- Memset shall assist the Customer in complying with its obligations under applicable Data Protection Laws, in particular in relation to implementing appropriate security measures, carrying out a data protection impact assessment, and consulting the competent data protection authority.