Schedule a Demo

Legal Information

Detailed legal info regarding the use of our services, terms and conditions, privacy policy, and other legal notices necessary for understanding the rights and responsibilities of both our users and organization.

Terms & ConditionsService Level AgreementPrivacy PolicyData Processing Addendum

Data Processing Addendum

This Data Processing Addendum ('DPA') is incorporated by reference into and forms part of the Services Agreement between the customer ('CLE') and Inlayer, inc ('Vendor'). By using Inlayer’s Phonism service, the CLE agrees to the terms of this DPA.  

WHEREAS, both CLE and Vendor may be collectively referred to as the Parties;

WHEREAS, the Parties have agreed that it will be necessary for the Vendor to process certain personal data on behalf of the CLE; and

WHEREAS, in light of this processing, theParties have agreed to the terms of this Addendum to address the compliance obligations imposed upon them to the Data Protection Law listed under Sec 1.2 below as applicable;

NOW THEREFORE, the Parties hereby agree as follows.

1. Subject Matter of this Data Processing Addendum        

1.1.

This Data Processing Addendum applies exclusively to the processing of personal data that is subject to Data Protection Law in the scope of the Addendum between the Parties for the Centralized device management platform (“Services”).

1.2

The term “Data Protection Law” shall mean all Applicable Laws relating to data protection, the processing of personal data and privacy including,

1.2.1.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”);

1.2.2.

Regulation EU 2018/1725 of the European Parliament and of the Council of 23 October 2018

1.2.3.

UK GDPR (General data protection regulation – Keeling schedule) and United Kingdom’s Data Protection Act 2018

1.2.4.

The Brazilian General Data Protection Law or “Lei Geral de Proteção de Dados Pessoais” (“LGPD”) as amended by Law No.13,853/2019.

1.2.5.

the Swiss Federal Act on Data Protection ("Swiss FADP").

1.2.6.

CCPA - California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 to 1798.199) as amended by California Privacy Rights Act of 2020 (CPRA) and the California Consumer Privacy Act Regulations (Cal. Code Regs. tit. 11, §§ 999.300 to 999.337) as amended or superseded from time to time (the “CCPA”), and any related regulations or guidance provided by the California Attorney General.

1.2.7.

Canada’s Federal legislation, The Personal Information Protection and Electronic Documents Act (PIPEDA) and other provincial legislations such as but not limited to 'PIPA Alberta', 'PIPA BC' and 'Quebec Privacy Act'.

1.2.8.

Any national data protection law implemented by an EU/EEA member to supplement the GDPR, such as but not limited to Norwegian Personal Data Act, Germany’s Bundesdatenschutzgesetz (BDSG), Denmark’s Data Protection Act, etc. as relevant to the jurisdiction and the processing of personal or sensitive information.

1.2.9.

Any equivalent applicable legislation in any jurisdiction in which the CLE is established to the extent applicable to the CLE. The above-mentioned legislations as amended, consolidated, restated or re-enacted from time to time.

1.3

Terms such as “Processing”, “Personal Data”, “Data Controller” and “Processor” shall have the meaning ascribed to them in the EU Data Protection Law.

1.4

Insofar as the Vendor will be processing Personal Data subject to Data Protection Law on behalf of the CLE in the course of the performance of the Service Agreement with the CLE, the terms of this Data Processing Addendum shall apply. An overview of the categories of Personal Data, the types of Data Subjects, and purposes for which the Personal Data are being processed is provided in Annex 2.

1.5

“Standard Contractual Clauses" means: (i) where the EU GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the "EU SCCs"); and (ii) where the UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses VERSION B1.0” issued by the Information Commissioner’s Office under s.119A (1) of the United Kingdom Data Protection Act 2018  in respect of the transfer of such Personal Data ("UK SCCs") and (iii) where the Swiss FADP applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner ("FDPIC") (the "Swiss SCCs").

2. Legal Basis of Processing

2.1.

The CLE (on their own or on behalf of their Customer) will determine the scope, purposes, and manner by which the Personal Data may be accessed or processed by the Vendor. The CLE represents that they have the lawful authority to act on behalf of their Customer. The Vendor will process the Personal Data only as set forth in CLE’s written instructions.

2.2.

The CLE will comply with Applicable Data Protection Law as relevant to their business operating model in the Vendor Services regarding the use of the Vendor Services by End Customer and End Users. The CLE represents that they have entered into necessary contractual agreement with their Customer regarding the Vendor Services. Nothing in this Agreement will establish any direct relationship between the Vendor and any Third Party.

2.3.

The Vendor will only process the Personal Data on documented instructions of the CLE (including with regard to transfers of personal data to a third country or an international organization, unless required to do by Union or Member State law to which the Vendor is subject) in such manner as, and to the extent that, this is appropriate for the provision of the Services, except as required to comply with a legal obligation to which the Vendor is subject. In such a case, the Vendor shall inform the CLE of that legal obligation before processing, unless that law explicitly prohibits the furnishing of such information to the CLE. The Vendor shall never process the Personal Data in a manner inconsistent with the CLE’s documented instructions. The Vendor shall immediately inform the CLE if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

2.4.

The Parties have entered into a Service Agreement in order to benefit from the expertise of the Vendor in securing and processing the Personal Data for the purposes set out in Annex 2. The Vendor shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue those purposes, subject to the requirements of this Data Processing Addendum.

2.5.

CLE warrants that it has all necessary rights to provide the Personal Data to Vendor for the Processing to be performed in relation to the Services. To the extent required by Applicable Data Protection Law, CLE is responsible for ensuring that any necessary data subject consents to this Processing are obtained, and for ensuring that a record of such consents is maintained. Should such a consent be revoked by the data subject, CLE is responsible for communicating the fact of such revocation to the Vendor, and Vendor remains responsible for implementing any CLE instruction with respect to the further processing of that Personal Data.

3. Confidentiality

3.1.

Without prejudice to any existing contractual arrangements between the Parties, the Vendor shall treat all Personal Data as strictly confidential and it shall inform all its employees, agents and/or approved sub-processors engaged in processing the Personal Data of the confidential nature of the Personal Data. The Vendor shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.

4. Security

4.1.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, without prejudice to any other security standards agreed upon by the Parties, the CLE and Vendor shall implement appropriate technical and organisational measures to ensure a level of security of the processing of Personal Data appropriate to the risk. These measures shall include as appropriate:

4.1.1.

measures to ensure that the Personal Data can be accessed only by authorized personnel for the purposes set forth in Annex 2 of this Data Processing Addendum;

4.1.2.

In assessing the appropriate level of security, account shall be taken in particular of all the risks that are presented by processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorized or unlawful storage, processing, access or disclosure of Personal Data;

4.1.3.

the pseudonymisation and encryption of personal data;

4.1.4.

the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

4.1.5.

the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

4.1.6.

a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing of Personal Data;

4.1.7.

measures to identify vulnerabilities with regard to the processing of Personal Data in systems used to provide services to the CLE; and

4.1.8.

the measures agreed upon by the Parties in Annex 3.

4.2.

The Vendor shall at all times have in place an appropriate written security policy with respect to the processing of Personal Data, outlining in any case the measures set forth in Section 4.1.

4.3.

At the request of the CLE, the Vendor, shall demonstrate the measures it has taken pursuant to this Section 4 shall allow the CLE to audit and test such measures. The CLE shall be entitled on giving at least 14 days’ notice to the Vendor to carry out, or have carried out by a third party who has entered into a confidentiality agreement with the Vendor, audits of the Vendor´s premises and operations as these relate to the Personal Data. The Vendor shall cooperate with such audits carried out by or on behalf of the CLE and shall grant the CLE´s auditors reasonable access to any premises and devices involved with the Processing of the Personal Data. The Vendor shall provide the CLE and/or the CLE´s auditors with access to any information relating to the Processing of the Personal Data as may be reasonably required by the CLE to ascertain the Vendor´s compliance with this Data Processing Addendum.

4.4.

The CLE will implement and maintain comprehensive information security and privacy practices and procedures with commercially reasonable safeguards consistent with best practices in the industry to protect End Customer and End User Information.

5. Improvements to Security

5.1.

The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Vendor will therefore evaluate the measures as implemented in accordance with Section 4 on an on-going basis and will tighten, supplement and improve these measures in order to maintain compliance with the requirements set out in Section 4. The Parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in applicable data protection law or by data protection authorities of competent jurisdiction.

5.2.

Where an amendment to the Service Agreement is necessary in order to execute a CLE instruction to the Vendor to improve security measures as may be required by changes in applicable data protection law from time to time, the Parties shall negotiate an amendment to the Service Agreement in good faith.

6. Data Transfers

6.1.

If the storage and/or processing of Personal Data involves transfers of Personal Data out of the EEA, then the Vendor shall be obliged to meet at least one of the following conditions:

6.1.1.

Ensure the destination meets the European Commission’s level of adequacy per Article 45 of the Regulation (GDPR); or

6.1.2

Ensure the destination employs an approved European Commission legal mechanism; or

6.1.3.

Ensure the destination has entered into an acceptable EU Model Contract Clause specifying the appropriate importer and exporter designations, requirements and safeguards; or

6.1.4.

Employs an alternative solution that meets the requirements of the European commission such as Binding Corporate Rules per Article 63 of the Regulation.

6.2.

The Vendor shall immediately notify the CLE of any planned, permanent or temporary transfers of Personal Data to a country outside of the European Economic Area without an adequate level of protection and shall only perform such transfer after obtaining authorisation from the CLE, which may be refused at its own discretion.

6.3.

Annex 4 provides a list of transfers for which the CLE grants its consent upon the conclusion of this Data Processing Addendum.

6.4.

To the extent that the CLE or the Vendor are relying on a specific statutory mechanism to normalize international data transfers that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the CLE and the Vendor agree to cooperate in good faith to promptly terminate the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.

6.5.

This DPA incorporates the Standard Contractual Clauses by reference. By executing this DPA, the CLE enters this DPA (including the Standard Contractual Clauses referenced herein, if applicable) on behalf of itself and any Affiliates authorized to use the Services under the Agreement and who have not entered into a separate contractual arrangement with the Vendor.

6.6.

It is not the intention of either Party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA) the Standard Contractual Clauses shall prevail to the extent of such conflict.

6.7.

Transfers outside EEA: In relation to EU data protected by the EU GDPR, the EU Standard Contractual Clauses apply to such transfers, completed as follows.

6.7.1.

MODULE ONE: Transfer controller to controller of the EU SCCs shall apply when both the CLE and Vendor act as a Controller.

6.7.2.

MODULE TWO: Transfer controller to processor of the EU SCCs shall apply when the CLE is a Controller and Vendor is a Processor.

6.7.3.

MODULE THREE: Transfer processor to processor of the EU SCCs shall apply when both the CLE and Vendor act as a Processor.

6.7.4.

Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1,2, 4 of this DPA.

6.7.5.

Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 3 of this DPA.

6.7.6.

Clause 7 – Docking clause (optional) will apply.

6.7.7.

Clause 9 (a) OPTION 2 – General written authorization for subprocessors will apply and the time period to object will be Thirty days.

6.7.8.

Clause 11(a) – OPTION to use independent resolution body shall not apply.

6.7.9.

Clause 17, Option 2 will apply, and the parties agree that this shall be the law of Ireland.

6.7.10.

Clause 18(b), disputes shall be resolved before the courts of Ireland.

6.8.

Transfers outside Switzerland: In relation to Personal Data that is protected by the Swiss FADP, the EU SCCs will apply in accordance with Section 6.6 with the following modifications:

6.8.1.

any references in the EU SCCs to "Directive 95/46/EC" or "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss FADP;

6.8.2.

references to "EU", "Union", "Member State" and "Member State law" shall be interpreted as references to Switzerland and Swiss law, as the case may be; and

6.8.3.

references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the FDPIC and competent courts in Switzerland, unless the EU SCCs as implemented above cannot be used to lawfully transfer such Personal Data in compliance with the Swiss FADP, in which event the Swiss SCCS shall instead be incorporated by reference and form an integral part of this Addendum and shall apply to such transfers. Where this is the case, the relevant Annexes of the Swiss SCCs shall be populated using the information contained in Annex 1,2,3,4 to this Addendum (as applicable).

6.9.

Transfers outside UK: In relation to Personal Data that is protected by the UK GDPR, the UK SCCs shall apply, completed as follows:

6.9.1.

The EU Standard Contractual Clauses shall be deemed amended as specified by the UK SCCs;

6.9.2.

Reference to Table 1 shall be satisfied by the information in Annex 1;

6.9.3.

Table 2, The version of the Approved EU SCCs shall be the EU SCCs identified in Sec 1.5 and completed as set out in Section 6.7 above;

6.9.4.

Reference to Table 3 shall be se satisfied by the information in Annexes 1, 2, 3 and 4;

6.9.5.

Table 4, Importer and Exporter shall have the rights outlined in Section 19 of UK SCCs.

7. Information Obligations and Incident Management

7.1.

When the Vendor becomes aware of an incident that impacts the Processing of the Personal Data that is the subject of the Services Agreement, it shall promptly notify the CLE about the incident, shall at all times cooperate with the CLE, and shall follow the CLE’s instructions with regard to such incidents, in order to enable the CLE to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.

7.2.

The term “incident” used in Section 7.1 shall be understood to mean in any case:

7.2.1.

a complaint or a request with respect to the exercise of a data subject’s rights under EU Data Protection Law;

7.2.2.

an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent;

7.2.3.

any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data;

7.2.4.

any breach of the security and/or confidentiality as set out in Sections 3 and 4 of this Data Processing Addendum leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place;

7.2.5.

where, in the opinion of the Vendor, implementing an instruction received from the CLE would violate applicable laws to which the CLE or the Vendor are subject.

7.3.

The Vendor shall at all times have in place written procedures which enable it to promptly respond to the CLE about an incident. Where the incident is reasonably likely to require a data breach notification by the CLE under applicable EU Data Protection Law, the Vendor shall implement its written procedures in such a way that it is in a position to notify the CLE without undue delay of having become aware of such an incident.

7.4.

Any notifications made to the CLE pursuant to this Section 7 shall be addressed to the employee of the CLE whose contact details are provided in Annex 1 of this Data Processing Addendum, and shall contain:

7.4.1.

a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;

7.4.2.

the name and contact details of the Vendor’s data protection officer or another contact point where more information can be obtained;

7.4.3.

a description of the likely consequences of the incident; and

7.4.4.

a description of the measures taken or proposed to be taken by the Vendor to address the incident including, where appropriate, measures to mitigate its possible adverse effects.

8. Contracting with Sub-Processors

8.1.

The CLE authorises the Vendor to engage sub-processors for the service-related activities specified as described in Annex 2. Vendor shall not add or replace any such sub-processors listed in Annex 4 without giving the CLE an opportunity to object to such changes.

8.2.

The Vendor shall not engage in any future subcontracting of its Service-related activities related to the processing of the Personal Data or requiring Personal Data to be processed by any third party without the prior written authorisation of the CLE.

8.3.

Notwithstanding any authorisations by the CLE within the meaning of the preceding paragraphs, the Vendor shall remain fully liable vis-à-vis the CLE for the performance of any such subprocessor that fails to fulfil its data protection obligations.

8.4.

The consent of the CLE pursuant to paragraphs 8.1 and 8.2 shall not alter the fact that consent is required under Section 6 for the engagement of sub-processors in a country outside the European Economic Area without a suitable level of protection.

8.5.

The Vendor shall ensure that the sub-processor is bound by the same data protection obligations of the Vendor under this Data Processing Addendum, shall supervise compliance thereof, and must in particular impose on its sub-processors the obligation to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of EU Data Protection Law.

8.6.

The CLE may request that the Vendor audit a Third Party Subprocessor or provide confirmation that such an audit has occurred (or, where available, obtain or assist CLE in obtaining a third-party audit report concerning the Third Party Subprocessor’s operations) to ensure compliance with its obligations imposed by the Vendor in conformity with this Addendum.

8.7.

The Vendor shall not engage any Subprocessors located outside of European Economic Area without employing an acceptable instrument for cross-border data transfers such as Standard Contractual Clauses, Binding Corporate Rules or an Article 49 derogation.

9. Returning or Destruction of Personal Data

9.1.

Upon termination of this Data Processing Addendum, upon the CLE’s written request, or upon fulfillment of all purposes agreed in the context of the Services whereby no further processing is required, the Vendor shall, at the discretion of the CLE, either delete, destroy or return all Personal Data to the CLE and destroy or return any existing copies.

9.2.

The Vendor shall notify all third parties supporting its own processing of the Personal Data of the termination of the Data Processing Addendum and shall ensure that all such third parties shall either destroy the Personal Data or return the Personal Data to the CLE, at the discretion of the CLE.

10. Assistance to CLE

10.1.

The Vendor shall assist the CLE by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the CLE’s obligation to respond to requests for exercising the data subject’s rights under the GDPR.

10.2.

The Vendor shall assist the CLE in ensuring compliance with the obligations pursuant to Section 4 (Security) and prior consultations with supervisory authorities required under Article 36 of the GDPR taking into account the nature of processing and the information available to the Vendor.

10.3.

The Vendor shall make available to the CLE all information necessary to demonstrate compliance with the Vendor’s obligations and allow for and contribute to audits, including inspections, conducted by the CLE or another auditor mandated by the CLE.

10.4.

The Vendor shall assist the CLE in carrying out data protection impact assessments when requested.

10.5.

The CLE shall bear any costs accrued by the Vendor related to any assistance in sections 10.1 – 10.4, unless otherwise agreed.

11. Liability and Indemnity

11.1.

Notwithstanding any other provisions in this Addendum, each Party's liability towards the other for indirect, consequential, or punitive damages shall be limited, except as expressly provided in this Addendum. However, nothing in this Addendum shall limit or exclude either Party's liability for breaches of Data Protection Laws, including obligations under GDPR, or for any other liability which cannot be excluded or limited under applicable law. Both Parties commit to maintaining compliance with all relevant data protection regulations and to cooperate in good faith to address any data protection issues that arise in the course of providing and using the services.

12. Duration and Termination

12.1.

This Data Processing Addendum shall come into effect as of the date of this contract execution as noted in the signature block.

12.2.

Termination or expiration of this Data Processing Addendum shall not discharge the Vendor from its confidentiality obligations pursuant to Section 3.

12.3.

The Vendor shall process Personal Data until the date of termination of the Service Agreement, unless instructed otherwise by the CLE, or until such data is returned or destroyed on instruction of the CLE.‍

13. Miscellaneous

13.1.

In the event of any inconsistency between the provisions of this Data Processing Addendum and the provisions of the Service Agreement, the provisions of this Data Processing Addendum shall prevail.

13.2.

This Data Processing Addendum is governed by the laws noted in the Services Agreement.

13.3.

By entering into the Services Agreement, the customer (CLE) acknowledges and agrees to the terms of this Data Processing Addendum without the need for separate signature.

Annex 1: List of Parties and Competent Supervisory Authority

List of Parties: Refer page1 of DPA for list of Parties along with their roles.

Activities relevant to the data transferred under these Clauses: Refer Sec 1.1 of this DPA.

COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority, in accordance with Clause 13 of the EU SCCs, must be

  1. the supervisory authority applicable to the data exporter in its EEA country of establishment or,
  2. where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter's EU representative has been appointed pursuant to Article 27(1) of the GDPR, or
  3. where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located.
  4. with respect to CLE Data regulated by the UK GDPR, the competent supervisory authority is the Information Commissioners Office (the "ICO").
  5. with respect to CLE Data regulated by the Brazil General Data Protection Law or LGPD, the competent supervisory authority is the ANPD - “Autoridade Nacional de Proteção de Dados’’.
  6. with respect to CLE Data to which the Swiss FADP applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
  7. with respect to CLE Data to which the Canada Privacy Law applies, the competent supervisory authority is the Office of the Privacy Commissioner of Canada.

Annex 2: Description of Transfer

Personal data that will be processed according to the scope of the Service Agreement and related Statement(s) of Work the purposes for which these data will be processed is defined as follows:

Subject Matter:  Inlayer’s Phonism solution is an Automation Platform designed to Deploy, Manage, Secure & Migrate SIP Devices at Scale. Phonism offers cloud-based device management and other related services to businesses, including a device management service allowing a user to configure and manage their SIP devices and other devices on a customary and proprietary electronic platform on a subscription basis.

Purpose of Processing: Vendor may process Personal data on behalf of the CLE in order facilitate ‘centralized device management’ activities on behalf of the CLE. According to the Service Agreement and affiliated Statement(s) of Work, the subject matter, purpose of data processing, nature of data processing, and categories of data subjects are defined below.

The purpose of processing activities include:

  • Centralized Device Management (Device could be SIP Phones, ATA, Gateways, etc...)
  • Automated provisioning
  • Reboot or Reset devices to factory defaults
  • Configuration changes, including locking configuration down for compliance
  • Firmware updates

Nature of Data Processing: Personal data may be processed according to the Services Agreement and affiliated Statement(s) of Work to support the device management services, and the processing activity may involve collection, storage, duplication, electronic viewing, deletion, and destruction of personal data.

Categories of Data Subjects:

The categories of data subjects may include the following:

  • Platform Administrators: The people who administer the data through this platform with highly privileged access.
  • Device Managers: The people who administer the devices and related data through this platform
  • Device Users: The people for whom devices are provisioned for use

Depending on the type of CLE (Distributor, Reseller, End Customer, Service Provider), the platform administrators and device managers could be their workforce or the workforce of their Customer.

Device Users are usually the workforce of End Customer (at the extreme end of the supply chain).

Categories of Personal Data Transferred:

This section should be read in the light of the business operating model of the CLE.

  • CRM (Administration and Billing) Data:  This is applicable for all types of CLEs and both parties act as Data Controller.
  • Phonism SaaS Platform Data:  This is applicable only if any individual working for CLE or on behalf of CLE gets provisioned as users on the platform. Phonism acts as Processor for this data.
  • Support Data: This is mentioned separately from Phonism SaaS Platform Data as CLE may only interact with helpdesk, but they don’t have access to the Phonism SaaS platform. Phonism acts as Controller for this data

1.  CRM (Administration and Billing) Data

Personal data that may be collected, processed and transferred related to customer relationship activities.

  • Full Name
  • Email Address
  • Telephone Number
  • Title/Job Function

2.  Phonism SaaS Platform Data

Personal data that may be collected, processed and transferred in the SaaS Platform that provides device management functionality include:

Platform Administrator and Device Manager: These are the individuals who are part of the customizable hierarchy in the Phonism platform

  • Full Name
  • Email Address
  • Phone number or Extension Number
  • Organization      

Device Data

  • Device Alias (which may include name of an end user)
  • IP Address
  • MAC Address
  • Assigned User

Configuration Files

  • Full Name
  • Email Address
  • Phone number

Contacts Data:  The contacts data that gets loaded to devices.

  • Full Name
  • Phone number or Extension number

VOIP Credential Data:

  • SIP User Name
  • SIP Auth ID
  • SIP Password
  • Alias (may include name of end user)

Note:

  1. Redirect Services credentials (such as Yealink RPS, Snom SRAPS, Poly  ZTP, etc...) data contains username, password, API tokens but they are not personal data. Such sensitive data is encrypted at rest for data security purposes.
  2. Phonism manages the devices remotely in regards to their configuration, firmware, logs, and network management tasks e.g. reboot device.  The voice data sent and received to and from the devices is not managed or accessible by Phonism.

3.  Support Data

The following personal data could be associated with incident management when a ticket is opened at the support desk and requests help to redress an issue.

  • Device IP address
  • Device MAC address
  • Log files or any supporting materials that may reflect any data handled by Phonism in unstructured form
  • Any other personal data supplied by the individual raising the support ticket.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

None.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

Continuous

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The data will be retained till the end of contractual relationship, in compliance with data protection and data security policies and in accordance with the instructions of the CLE.

Annex 3: Security Measures

Annex 3 describes the adopted security measures cemented in an Information Security Management System (ISMS) for the purpose of protecting Personal Data and information, primarily with a view to meeting pre-defined requirements of applicable data protection and privacy law across Controller markets. These requirements have largely been derived from legislation across Controller markets mandating fundamental security measures for the protection of Personal Data and are intended to provide a harmonised and single standard.

These requirements are applied for the protection of Personal Data on behalf of the CLE.

Security Officer

  1. A person responsible for the overall compliance with these minimum-security requirements shall be designated as the Security Officer. This person shall be suitably trained and experienced in managing information security and provided with appropriate resources to effectively ensure compliance.
  2. The contact details of the Security Officer shall be promptly provided to the CLE.

Security Plan and Document

  1. The measures adopted to comply with these minimum-security requirements shall be the subject of a security plan and set out in a security document, which shall be kept up to date, and revised whenever relevant changes are made to the Information System or to how it is organised. The security document shall record significant changes to the security measures or the processing activities.
  2. The security plan shall address security measures relating to the modification and maintenance of the system used to Process Personal Data, including the development and maintenance of applications, appropriate vendor support,  an inventory of hardware and software, and physical security, including security of the buildings or premises where data Processing occurs, security of data equipment and telecommunication infrastructure and environmental controls.
  3. Data security mechanisms for securing the integrity and confidentiality of the data, classification of the data.
  4. Security of computers and telecommunication systems including procedures for managing back-up copies, procedures dealing with computer viruses, procedures for managing signal/codes, security for software implementation, security related to databases, security for connecting systems to the Internet, inspection of circumvention of data system, mechanisms for keeping account of attempts to break system security or gain unauthorized access.
  5. The security plan shall include:some text
    1. a Disaster Recovery Plan which shall set out: measures to minimize interruptions to the normal functioning of the system; limit the extent of any damage and disasters; enable a smooth transition of Personal Data from one computer system to another; if necessary, provide for alternative means of operating a computer system; educate, exercise and familiarize personnel with emergency procedures; provide for fast and smooth system recovery, and minimize the economic effects of any disaster event.
    2. a Contingency Plan which must address the following possible dangers to the system and appropriate criteria to determine when the Plan must be triggered: the critical functions and systems, the strategy for protecting the system and priorities in the event the Plan is activated; an inventory of relevant staff members to be called upon during an emergency, as well as telephone numbers of other relevant parties; a set of procedures for calculating the damage incurred; realistic time management plans to enable the recovery of the system; clearly allocated staff duties; possible use of alarms and special devices (e.g., air filters, noise filters); in the event of a fire, special equipment must be available (e.g., fire extinguisher, water pumps, etc.); devices or methods for determining temperature, humidity and other environmental factors (e.g., air conditioning, thermometers, etc.); special security software to detect breaches of security; special generators for dealing with power cuts; retention of copies of software or materials in other protected buildings to avoid inadvertent loss.
  6. The security document shall be available to staff who have access to Personal Data and the Information Systems, and must cover the following aspects as a minimum:some text
    1. The scope, with a detailed specification of protected resources;              
    2. The measures, standards, procedures, code of conduct rules and norms to guarantee security, including for the control, inspection and supervision of the Information Systems;
    3. The functions and obligations of staff;
    4. The structure of files containing Personal Data and a description of the Information Systems on which they are Processed;
    5. The purposes for which the Information Systems may be used;
    6. The procedures for reporting, managing and responding to incidents;
    7. The procedures for making back-up copies and recovering data including the person who undertook the process, the data restored and, as appropriate, which data had to be input manually in the recovery process.
  7. The security document and any related records and documentation shall be retained for a minimum period of 5 years from the end of the Processing.

Functions and Obligations of Staff

  1. Only those employees who have demonstrated honesty, integrity and discretion will be Authorised Users or have access to premises where Information Systems or media containing Personal Data are located.  Staff will be bound by a duty of confidentiality in respect of any access to Personal Data.
  2. The necessary measures shall be adopted to train and make staff familiar with these minimum-security requirements, any relevant policies and applicable laws concerning the performance of their functions and duties in respect of the Processing of Personal Data and the consequences of any breach of these requirements.
  3. The functions and obligations of staff having access to Personal Data and the Information Systems shall be clearly defined and documented.
  4. Authorised Users shall be instructed to the effect that electronic equipment must not be left unattended and made accessible during Processing sessions.
  5. Physical access to areas where any Personal Data are stored shall be restricted to Authorised Users.
  6. The disciplinary measures for a breach of the security plan shall be clearly defined and documented and communicated to staff.

Authorisation

  1. Only those employees who have a legitimate operational need to access the Information Systems or carry out any Processing of Personal Data shall be authorised to do so (“Authorised Users”).
  2. An authorisation system shall be used where different authorisation profiles are used for different purposes.
  3. Only few roles(‘’) can access the device credentials in the UI.

Identification

  1. Every Authorised User must be issued with a personal and unique identification code for that purpose (“User ID”).
  2. A User ID may not be assigned to another person, even at a subsequent time.
  3. An up-to-date record shall be kept of Authorised Users, and the authorised access available to each, and identification and authentication procedures shall be established for all access to Information Systems or for carrying out any Processing of Personal Data.

Authentication

  1. Authorised Users shall be allowed to Process Personal Data if they are provided with authentication credentials such as to successfully complete an authentication procedure relating either to a specific Processing operation or to a set of Processing operations.
  2. Authentication must be based on a secret password associated with User ID, and which password shall only be known to the Authorised User; alternatively, authentication shall consist in an authentication device that shall be used and held exclusively by the person in charge of the Processing and may be associated with either an ID code or a password, or else in a biometric feature that relates to the person in charge of the Processing and may be associated with either an ID code or a password.
  3. One or more authentication credentials shall be assigned to, or associated with, an Authorised User.
  4. There must be a procedure that guarantees password confidentiality and integrity. Passwords must be stored in a way that makes them unintelligible while they remain valid. There must be a procedure for assigning, distributing and storing passwords.
  5. Passwords shall consist of at least eight characters, or, if this is not technically permitted by the relevant Information Systems, a password shall consist of the maximum permitted number of characters. Passwords shall not contain any item that can be easily related to the Authorised User in charge of the Processing and must be changed at regular intervals, which intervals must be set out in the security document. Passwords shall be modified by the Authorised User to a secret value known only to the Authorised User when it is first used.  
  6. The instructions provided to Authorised Users shall lay down the obligation, as a condition of accessing the Information Systems, to take such precautions as may be necessary to ensure that the confidential component(s) in the credentials are kept secret and that the devices used and held exclusively by Authorised Users are kept with due care.
  7. Authentication credentials shall be de-activated if they have not been used for at least six months, except for those that have been authorised exclusively for technical management and support purposes.
  8. Authentication credentials shall be also de-activated if the Authorised User is disqualified or de-authorised from accessing the Information Systems or Processing Personal Data.
  9. Where data and electronic equipment may only be accessed by using the confidential component(s) of the authentication credential, appropriate instructions shall be given in advance, in writing, to clearly specify the mechanisms by which the exporter can ensure that data or electronic equipment are available in case the person in charge of the Processing is either absent or unavailable for a long time and it is indispensable to carry out certain activities without further delay exclusively for purposes related to system operationality and security. In this case, copies of the credentials shall be kept in such a way as to ensure their confidentiality by specifying, in writing, the entities in charge of keeping such credentials. Such entities shall have to inform the person in charge of the Processing, without delay, as to the activities carried out.

Access Controls

  1. Only Authorised Users shall have access to Personal Data, including when stored on any electronic or portable media or when transmitted.  Authorised Users shall have authorised access only to those data and resources necessary for them to perform their duties.
  2. A system for granting Authorised Users access to designated data and resources shall be used.
  3. Authorisation profiles for each individual Authorised User or for homogeneous sets of Authorised Users shall be established and configured prior to the start of any Processing in such a way as to only enable access to data and resources that are necessary for Authorised Users to perform their duties.
  4. It shall be regularly verified, at least at yearly intervals, that the prerequisites for retaining the relevant authorisation profiles still apply.   This may also include the list of Authorised Persons drawn up by homogeneous categories of task and corresponding authorisation profile.
  5. Measures shall be put in place to prevent a user gaining unauthorised access to, or use of, the Information Systems. In particular, firewalls and/or intrusion detection systems reflecting the state of the art and industry best practice must be installed to protect the Information Systems from unauthorized access. Measures shall be put in place to identify when the Information Systems have been accessed or Personal Data has been Processed without authorization, or where there have been unsuccessful attempts at the same.
  6. Operating system or database access controls must be correctly configured to ensure authorised access.
  7. Only those staff authorised in the security document shall be authorised to grant, alter or cancel authorised access by users to the Information Systems.

Management of Media

  1. Information Systems and physical media storing Personal Data must be housed in a secure physical environment. Measures must be taken to prevent unauthorized physical access to premises housing Information Systems.
  2. Organisational and technical instructions shall be issued with regard to keeping and using the removable media on which the data are stored in order to prevent unauthorised access and Processing.
  3. Media containing Personal Data must permit the kind of information they contain to be identified, Inventoried (including the time of data entry; the Authorised User who entered the data and the person from whom the data was received; and the Personal Data entered) and stored at a physical location with physical access restricted to staff that are authorised in the security document to have such access.
  4. When media are to be disposed of or reused, the necessary measures shall be taken to prevent any subsequent retrieval of the Personal Data and other information stored on them, or to otherwise make the information intelligible or be re-constructed by any technical means, before they are withdrawn from the inventory. All reusable media used for the storage of Personal Data must be overwritten three times with randomised data prior to disposal or re-use.
  5. The removal of media containing Personal Data from the designated premises must be specifically authorised by the CLE.
  6. Media containing Personal Data must be erased or rendered unreadable if it is no longer used or prior to disposal.

Distribution of Media and Transmission

  1. Media containing Personal Data must only be available to Authorised Users.
  2. Printing/copying Processes must be physically controlled by Authorised Users, to ensure that no prints or copies containing Personal Data remain left in the printers or copying machines.
  3. Media containing Personal Data or printed copies of Personal Data must contain the classification mark “Confidential”.
  4. Encryption (128-bit or stronger) or another equivalent form of protection must be used to protect Personal Data that is electronically transmitted over a public network or stored on a portable device, or where there is a requirement to store or Process Personal Data in a physically insecure environment.
  5. Paper documents containing Personal Data must be transferred in a sealed container / envelope that indicates clearly that the document must be delivered by hand to an Authorised User.
  6. When media containing Personal Data are to leave the designated premises as a result of maintenance operations, the necessary measures shall be taken to prevent any unauthorised retrieval of the Personal Data and other information stored on them.
  7. A system for recording incoming and outgoing media must be set up which permits direct or indirect identification of the kind of media, the date and time, the sender/recipient, the number of media, the kind of information contained, how they are sent and the person responsible for receiving /sending them, who must be duly authorised.
  8. Where Personal Data is transmitted or transferred over an electronic communications network, measures shall be put in place to control the flow of data and record the timing of the transmission or transfer, the Personal Data transmitted or transferred, the destination of any Personal Data transmitted or transferred , and details of the Authorised User conducting the transmission or transfer.

Preservation, Back-up copies and Recovery

  1. Tools must be in place to prevent the unintended deterioration or destruction of Personal Data.
  2. Procedures must be defined and laid down for making back-up copies and for recovering data. These procedures must guarantee that Personal Data files can be reconstructed in the state they were in at the time they were lost or destroyed.
  3. Back-up copies must be made at least once a week, unless no data have been updated during that period.

Anti-Virus / Intrusion Detection

  1. Anti-virus software or intrusion detection systems must be installed on the Information Systems to protect against attacks or other unauthorised acts in respect of Information Systems. Antivirus software and intrusion detection systems must be updated regularly in accordance with the state of the art and industry best practice for the Information Systems concerned (and at least every six months).

Software Updates

  1. The software, firmware and hardware used in the Information Systems shall be reviewed regularly in order to detect vulnerabilities and flaws in the Information Systems and resolve such vulnerabilities and flaws. This review shall be carried out at least annually.

Access Record

  1. A history of Authorised Users’ access to or disclosure of Personal Data shall be recorded on a secure audit trail.

Physical Access Record

  1. Only those staff duly authorised in the security document may have physical access to the premises where Information Systems and media storing Personal Data are stored. A record of staff who access such premises shall be maintained, including name, date and time of access.

Record of Incidents

  1. There shall be a procedure for reporting, responding to and managing security incidents such as data security breaches or attempts at unauthorised access. This shall include as a minimum:some text
    1. A procedure for reporting such incidents/ breaches to appropriate management within the Vendor;
    2. A clearly designated team for managing and co-ordinating the response to an incident led by the Security Officer;
    3. A documented and tested process for managing the response to an incident including the requirement to keep appropriate issues and action logs to include the time at which the incident occurred, the person reporting the incident, to whom it was reported and the effects thereof;
    4. The requirement on the Vendor to notify the CLE immediately if it appears that Personal Data was involved in the incident or breach or may be impacted or affected in some way; and
    5. The Vendor security/ incident management team must, where appropriate, work together with the CLE’s security representatives until the incident or breach has been satisfactorily resolved.

Annex 4: List of Approved Subprocessors

The following subprocessors have been vetted and may be involved in aspects of processing PII according to the instructions of the organisation.

Subprocessors
Purpose of Processing Activity
Registered Business Address
Location of Processing
Link to Privacy / Security  Policy
Amazon Web Services
Hosting provider
410 Terry Ave N, Seattle 98109, WA, US
Worldwide 

Customers  can choose to deploy in their own AWS instance or in a region of choice.
Amazon Data Processing Agreement 

AWS Security and compliance 
Jira by Atlassian Inc
Service Desk
350 Bush Street, Floor 13, San Francisco, CA 94104, US
Worldwide
Data Processing Addendum | Atlassian 

Atlassian Cloud data protection | Atlassian
Intuit Mailchimp
Service announcement emails
675 Ponce de Leon Ave NE, Suite 5000, Atlanta, Georgia 30308, US
Worldwide
Mailchimp Data  Security and Privacy | Mailchimp Mailchimp

Data Processing Addendum Preview | Mailchimp
ThinkSys
Customer Support
440 N Wolfe Road, Suite #22 Sunnyvale, California – 94085
US, India
Privacy Policy - ThinkSys Inc.
Any affiliates of Phonism
Support and business operations
-
-
-

In addition, any third parties whom you expressly authorize for providing services using Phonism SaaS services or related to Phonism SaaS services.

ANNEX5 – CCPA - PERSONAL INFORMATION PROCESSING PURPOSES AND DETAILS 

Contracted Business Purposes: The purposes mentioned in Annex 2 of this DPA for which the Service Provider receives or accesses personal information. 

Personal Information Categories: This Addendum involves the following types of Personal Information, as defined and classified in CCPA Cal. Civ. Code § 1798.140(o). 

Category
Examples
Processed under this Addendum
A. Identifiers.
A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers.
Yes
B. Personal information categories listed in the California Reseller Records statute (Cal. Civ. Code § 1798.80(e)).
A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.

Some personal information included in this category may overlap with other categories.
No
C. Protected classification characteristics under California or federal law.
Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
No
D. Commercial information.
Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
No
E. Biometric information.
Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.
No
F. Internet or other similar network activity.
Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.
No
G. Geolocation data.
Physical location or movements.
Yes
H. Sensory data.
Audio, electronic, visual, thermal, olfactory, or similar information.
No
I. Professional or employment-related information.
Current or past job history or performance evaluations.
No
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).
Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
No
K. Inferences drawn from other personal information.
Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
No