Kaseya Data Processing Addendum

This Data Processing Addendum (“Addendum”) applies to the Processing of Customer Personal Data in connection with the products and/or services (the “Products”) provided under the Agreement entered into between Kaseya and Customer (each, a “Party” and collectively, the “Parties”) and is incorporated into and forms part of the Agreement. The scope of this Addendum and the Processing of Customer Personal Data under this Addendum is limited to the legally permitted use of the Products and Customer Personal Data under the Agreement. This Addendum supersedes all prior and contemporaneous written and oral agreements with respect to the subject matter.

1.     Definitions

In this Addendum, the following capitalized terms will have the meanings set forth below and related terms will be construed accordingly:

“Agreement” means the Kaseya Master Agreement accessible here, or such other agreement that Customer entered into with Kaseya pursuant to which Kaseya provides the Products to Customer, including any Orders, Statements of Work, exhibits, addenda, and amendments thereto.

“Applicable Data Protection Laws” means all data privacy or data protection laws or regulations that apply to the Processing of Customer Personal Data under this Addendum, which may include (without limitation) the GDPR and United States federal and state laws or regulations, such as the CCPA.

“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended, and its implementing regulations.

“Customer” means the entity bound under the Agreement.

“Customer Personal Data” means any Content that is Personal Data and is Processed by Kaseya on behalf of the Customer pursuant to the Agreement.

“Data Subject” means an identified or identifiable natural person whose rights are protected by Applicable Data Protection Laws, including a “Consumer” as defined in Applicable Data Protection Laws.

“Frameworks” means the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. Where applicable, references to the “GDPR” include the UK GDPR, Swiss DPA, and/or Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the Processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

“Personal Data” means any information relating to a Data Subject, including (without limitation) any information defined as “personal data,” “personal information,” or an equivalent term under Applicable Data Protection Laws.

“Restricted Transfer” means a transfer of Customer Personal Data from Customer to Kaseya or an onward transfer of Customer Personal Data from Kaseya to a Sub-processor, in each case, where such transfer would be prohibited by Applicable Data Protection Laws in the absence of appropriate safeguards such as an adequacy decision or Standard Contractual Clauses.

“Standard Contractual Clauses” means the clauses set forth, or incorporated by reference, in Appendix 3.

“Sub-processor” means any entity engaged by Kaseya to Process Customer Personal Data on behalf of Kaseya pursuant to the Agreement, including a “Service Provider” as defined in the CCPA.

“Supervisory Authority” means, as applicable, an appointed government entity with the authority to enforce Applicable Data Protection Laws, such as a supervisory authority as defined in the GDPR or “Commissioner” as defined under Swiss member state law and/or the UK GDPR.

“Swiss DPA” means the Swiss Federal Data Protection Act as may be amended or superseded from time to time.

“UK GDPR” means, collectively, the United Kingdom (“UK”) General Data Protection Regulation as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018, and amended Data Protection Act 2018, in each case as may be amended or superseded from time to time.

The terms “Business,” “Business Purpose,” “Collect,” “Controller,” “Process” (and its derivatives), “Processor,” “Sell,” “Share,” and “Service Provider” each have the meanings set forth in the relevant Applicable Data Protection Laws.

Capitalized terms used but not otherwise defined in this Addendum will have the meanings set forth in the Agreement.

2.     Roles and Scope

Except where otherwise expressly stated in this Addendum, Kaseya is the Processor (and Service Provider) with respect to Customer Personal Data Processed by Kaseya under the Agreement and Customer is the Controller (and Business) and/or Processor (and Service Provider), as applicable, with respect to Customer Personal Data that is its own Personal Data or its End Users’ Personal Data.

3.     Instructions

Kaseya will Process Customer Personal Data only on documented instructions from Customer, including those set forth in the Agreement and this Addendum. Kaseya will immediately inform Customer if, in its opinion, an instruction from Customer infringes Applicable Data Protection Laws.

4.     Compliance

Each Party will comply with its respective obligations under Applicable Data Protection Laws. Kaseya does not determine whether Content includes information subject to any specific laws or regulations. As between the Parties, Customer is responsible for determining the lawfulness of the Processing of Customer Personal Data.

5.     Processing of Customer Personal Data

  1. Kaseya will Process Personal Data only for the purposes specified in the Agreement and this Addendum.
  2. Appendix 1 of this Addendum sets forth the subject matter and duration of the Processing, the nature and purpose of the Processing, and the categories of Customer Personal Data and Data Subjects.
  3. Customer instructs and permits Kaseya (and authorizes Kaseya to instruct and permit each applicable Sub-processor) to:
    1. Process Customer Personal Data (a) for the purposes specified in Appendix 1, including to provide the Products; (b) as permitted by applicable laws or regulations; (c) in accordance with any actions taken or settings or configurations applied or provided by Customer or its End Users within the Products; and (d) to comply with other documented instructions provided by Customer;
    2. engage Sub-processors as permitted in this Addendum; and
    3. transfer Customer Personal Data to requisite countries or territories, which include: (a) the locations of the applicable Kaseya data centers for the Products provided under the Agreement; (b) the locations of Processing by the Sub-Processors identified in this Addendum and/or the Standard Contractual Clauses; and (c) the locations necessary for Kaseya to perform services related to the Products, such as implementation, support and maintenance, incident management, and data backup and recovery.
  4. Customer represents and warrants that it has a lawful basis for any Processing activities it instructs Kaseya to undertake, including obtaining all permission(s) and providing all notifications required to Process, and to permit Kaseya to Process, Customer Personal Data in accordance with the Agreement and this Addendum.
  5. Kaseya may Process Customer Personal Data to render Customer Personal Data anonymous, de-identified, and non-personal.
  6. Customer acknowledges and agrees that as part of providing the Products, Kaseya has the right to Process Administrative Data (including Personal Data). To the extent Kaseya Processes Administrative Data subject to Applicable Data Protection Laws, Kaseya will comply with the obligations of an independent Controller under Applicable Data Protection Laws for such use and only for the purposes compatible with those described in the Agreement and/or this Addendum.
  7. Where Processing of Customer Personal Data is subject to the CCPA or other Applicable Data Protection Laws containing equivalent requirements, Kaseya will:
    1. be prohibited from: (a) Selling or Sharing Customer Personal Data it Collects pursuant to the Agreement; (b) retaining, using, or disclosing the Customer Personal Data that it Collected pursuant to the Agreement for a commercial purpose other than the Business Purposes specified in the Agreement, or as otherwise permitted by the CCPA; (c) retaining, using, or disclosing the Customer Personal Data that it Collected pursuant to the Agreement outside of the direct business relationship between Kaseya and Customer except as permitted by the CCPA; and (d) combining Customer Personal Data that it Collected pursuant to the Agreement with Personal Data that Kaseya receives from or on behalf of another source, or that Kaseya Collected from its own interactions with Data Subjects, except where permitted by the CCPA. Kaseya certifies that it understands the foregoing restrictions and will comply with them; and
    2. notify Customer if Kaseya makes a determination that it can no longer meet its obligations with respect to its Processing of Customer Personal Data, in which case upon such notice, Customer may take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
  8. Notwithstanding any other provisions of this Addendum, Kaseya may be required to Process Customer Personal Data by applicable laws or regulations, in which case Kaseya will inform Customer of the applicable legal requirement before Processing, unless that law or regulation prohibits such information on important grounds of public interest.

6.     Personnel

Kaseya will ensure that any Kaseya personnel authorized to Process Customer Personal Data are bound by a duty of confidentiality and have received reasonable and appropriate privacy and security training.

7.     Sub-processors

  1. Customer authorizes Kaseya to engage Sub-processors provided that Kaseya enters into a written contract with each Sub-processor that includes data protection obligations equivalent to those in this Addendum. Where a Sub-processor fails to fulfill its data protection obligations, Kaseya will remain liable to Customer for the performance of that Sub-processor’s obligations.
  2. Kaseya maintains a list of Sub-processors that may be accessed at https://www.kaseya.com/subprocessors/ (the “Sub-Processor List”). To receive notice of any intended changes concerning the addition or replacement of Sub-processors, Customer can register at https://www.kaseya.com/sub-processor-updates-subscription/ and Kaseya will provide notification to the email address(es) registered by Customer. Upon receipt of such notice, Customer may reasonably and in good faith object to the new Sub-processor in writing within 15 calendar days. The Parties agree to work together in good faith to resolve any objection.

8.      Data Subject Rights

Kaseya will have in place appropriate measures to reasonably assist Customer in complying with its obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws (“Data Subject Request”). If Kaseya receives a Data Subject Request that specifically names Customer, Kaseya will redirect the Data Subject to submit its request to Customer, promptly notify Customer of the request, and not otherwise respond to the request unless expressly authorized by Customer.

9.     Data Protection Impact Assessments and Regulatory Consultations

Upon Customer’s reasonable request, Kaseya will reasonably assist Customer in complying with any obligations under Applicable Data Protection Laws to carry out privacy or data protection impact assessments and regulatory consultations.

10.   Security

In accordance with Applicable Data Protection Laws and taking into account the risks presented by Kaseya’s Processing of Customer Personal Data, Kaseya will implement and maintain appropriate technical and organizational measures, as set forth in Appendix 2, to protect Customer Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, or damage.

11.   Personal Data Breach

Kaseya will notify Customer without undue delay, and in any event within the notification period required by Applicable Data Protection Laws, after becoming aware of a Personal Data Breach affecting Customer’s Personal Data. Kaseya will use reasonable efforts to provide Customer with reasonable information necessary for Customer to be able to comply with Customer’s obligations to notify Supervisory Authorities and/or affected Data Subjects and will reasonably cooperate with Customer’s need for assistance in responding to the Personal Data Breach, subject to limitations that may be set forth by law enforcement or other agencies.

12.   Restricted Transfers

  1. The Parties agree that Restricted Transfers will be governed by the Standard Contractual Clauses, which are hereby incorporated by reference and will be binding on the Parties. Notwithstanding the foregoing, Kaseya participates in the Frameworks and the Parties agree that transfers of Customer Personal Data to the United States that are subject to the Frameworks are transfers on the basis of an adequacy decision unless and until either: (i) Kaseya discontinues its participation with the applicable Frameworks, or (ii) there is a legally binding, final decision that the Frameworks do not ensure an adequate level of protection under Applicable Data Protection Laws, in which case, the Parties agree that such transfers are Restricted Transfers that will be governed by the Standard Contractual Clauses.
  2. To the extent that Kaseya adopts an alternative data export mechanism approved by the applicable government authority or applicable Supervisory Authority (including any new version of or successor to the Standard Contractual Clauses adopted pursuant to Applicable Data Protection Laws) (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism will automatically apply instead of any applicable transfer mechanism described in this Addendum (but only to the extent such Alternative Transfer Mechanism complies with Applicable Data Protection Laws and extends to territories to which Customer Personal Data is transferred).

13.   Audit Rights

Upon Customer’s written request and no more than once annually (unless otherwise required by law), Kaseya will make available to Customer (or Customer’s independent, third-party auditor) information reasonably necessary to demonstrate Kaseya’s compliance with this Addendum and/or Applicable Data Protection Laws. As an alternative, Kaseya may provide relevant third-party audit reports to Customer. Customer agrees such reports are sufficient unless more detailed information is reasonably necessary to demonstrate compliance with Applicable Data Protection Laws, in which case the Parties will agree on the scope and timing for making available such information. Any information provided to Customer pursuant to this Section 13 is Kaseya’s Confidential Information.

14.   Return or Deletion

Kaseya will delete all Customer Personal Data after expiration or termination of the Agreement or a Service Subscription, as applicable (“Termination Date”), unless retention is required by applicable laws or regulations. In accordance with Kaseya’s Product Specifications, Customer may request that Kaseya return a copy of all Customer Personal Data by providing written notice to Kaseya within 30 days after the Termination Date.

15.   Data Protection Officer

Kaseya has appointed a Data Protection Officer who can be contacted at [email protected].

16.   Governing Law and Jurisdiction

This Addendum follows the governing law and jurisdiction stated in the Agreement for any disputes or claims, including those about its validity or termination. If the Standard Contractual Clauses apply, the governing law and jurisdiction will be as specified in the Standard Contractual Clauses.

17.   Order of Precedence

Any ambiguity, conflict, or inconsistency between the Agreement, this Addendum, and the Standard Contractual Clauses will be resolved according to the following order of precedence: (a) Standard Contractual Clauses, (b) this Addendum, (c) the Agreement.

18.   Third-Party Beneficiary Rights

Except where required by Applicable Data Protection Laws and/or explicitly provided for by the Standard Contractual Clauses, the terms of this Addendum and the Standard Contractual Clauses do not create any third-party beneficiary rights for any individual Data Subjects.

19.   Cooperation

If Kaseya receives a legally binding request from a government or judicial authority or becomes aware of law enforcement access to Customer Personal Data, Kaseya will notify Customer unless legally prohibited. If prohibited, Kaseya will use best efforts to obtain permission to share information with Customer as soon as possible and will document those efforts and provide that documentation to Customer upon request. Where legally permitted, Kaseya will use available legal avenues to challenge overbroad or unlawful requests and will disclose the minimum amount of information necessary to comply with the request.

20.   Changes in Applicable Data Protection Laws

If Applicable Data Protection Laws are amended, replaced, or repealed, the Parties will, where necessary, negotiate in good faith a solution to enable the Processing of Customer Personal Data in compliance with Applicable Data Protection Laws.

21.   Updates

Kaseya may update this Addendum to reflect changes: (a) required to comply with Applicable Data Protection Laws, other applicable laws or regulations, court orders, or guidance issued by Supervisory Authorities or other regulatory agencies, or (b) that do not materially diminish the protections for Customer Personal Data. Kaseya will notify Customer of changes by posting the updated Addendum on the appropriate Portal or website, and/or by sending a message to a primary account user for Customer. If Customer believes that updates to this Addendum materially diminish the protections for Customer Personal Data under this Addendum, Customer may object to such changes in writing within 30 days. The Parties agree to work together in good faith to resolve any objection.

Appendix 1

Details of Processing

This Appendix 1 includes certain details of the Processing of Customer Personal Data as required by Applicable Data Protection Laws, including the information required for Annex I of the Standard Contractual Clauses, when applicable.

  1. LIST OF PARTIES
    Customer/Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

    Name: The entity identified as Customer in this Addendum or the Agreement and any applicable Customer Affiliate (to the extent authorized under the Agreement).
    Address: The address of Customer specified in this Addendum or the Agreement.
    Contact person’s name, position, and contact details: The name, position, and contact details of Customer’s contact person specified in this Addendum or the Agreement.
    Activities relevant to the data processed: Customer’s/Data exporter’s Product(s) and/or Service Subscription(s) identified in the Agreement.
    Signature and date: As set forth in this Addendum and/or the Agreement.
    Role (controller/processor): Controller

    Kaseya/Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

    Name: The entity identified as Kaseya in this Addendum or the Agreement, and any applicable Kaseya Affiliate.
    Address: 701 Brickell Ave #400, Miami, FL 33131
    Contact person’s name, position, and contact details: Bill O’Connor, Data Privacy and Protection Officer, [email protected]
    Activities relevant to the data processed: Provision by Kaseya/data importer of the Product(s) and/or Service Subscription(s) identified in the Agreement, which Process Customer Personal Data upon the instruction of the Customer/data exporter in accordance with the terms of this Addendum and the Agreement.
    Signature and date: As set forth in this Addendum and/or the Agreement.
    Role (controller/processor): Processor
  2. DESCRIPTION OF PROCESSING, INCLUDING TRANSFERS

    Categories of data subjects whose personal data is processed, including the data transferred
    Customer/Data exporter may submit Personal Data to Kaseya/data importer, the extent of which is determined and controlled by Customer/data exporter in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects: Customer’s/data exporter’s representatives and End Users, including employees, contractors, business partners, collaborators, customers, and prospective customers. Data Subjects may also include individuals attempting to communicate or transfer Personal Data to users of the Products.

    Categories of personal data processed, including the data transferred
    Customer/Data exporter may submit Personal Data to Kaseya/data importer, the extent of which is determined and controlled by Customer/data exporter in its sole discretion, and which may include, but is not limited to the following categories of Personal Data: (a) first and last name; (b) title; (c) position; (d) employer; (e) contact information (company, email, phone, physical business address); (f) ID data; (g) professional life data; (h) personal life data; (i) connection data; (j) localization data; and (k) other data in an electronic form provided to Kaseya/data importer in the context of the Products.

    Sensitive data processed, including the data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures
    Processing may include sensitive data if such information is uploaded or transmitted by Customer/data exporter or its End Users via the Products, which is at the sole discretion of the user of the Products.

    The frequency of the processing, including transfers (e.g., whether the data is processed or transferred on a one-off or continuous basis)
    Customer/data exporter processes and transfers Personal Data to Kaseya/data importer via the Products on a continuous basis in accordance with the frequency of the Products’ use by Customer/data exporter and its End Users.

    Nature of the processing
    Customer Personal Data will be subject to the Processing activities that are necessary to provide Kaseya’s/data importer’s Products to Customer/data exporter, including hosting, storage, providing access, and applying analytics.

    Purpose(s) of the processing, data transfer, and further processing
    Kaseya/Data importer processes Customer Personal Data to provide the Products and/or Service Subscriptions at the direction of the Customer/data exporter and in accordance with the terms of this Addendum and the Agreement.

    The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
    Customer Personal Data is retained in accordance with any retention periods configured by Customer/data exporter via the Products, or if such retention periods are not configured or do not exist, in accordance with the terms of this Addendum and the Agreement.

    For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
    Customer Personal Data is transferred to Kaseya’s/data importer’s Sub-processors for the purpose of providing Kaseya’s/data importer’s Products to Customer/data exporter for the duration of the Agreement or Service Subscription, as applicable, unless the Customer Personal Data is deleted prior to that by Customer/data exporter or by Kaseya/data importer at Customer’s/data exporter’s instruction or pursuant to the terms of this Addendum or the Agreement. Details of Sub-Processors used to provide the Products are available at https://www.kaseya.com/subprocessors/.
  3. COMPETENT SUPERVISORY AUTHORITY

    Identify the competent supervisory authority/ies in accordance with Clause 13 of the Standard Contractual Clauses

    Data Protection Commission of the Republic of Ireland

Appendix 2

Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data

Kaseya maintains an information security, privacy, and compliance program aligned with Kaseya’s business objectives, Product Specifications, and in accordance with ISO/IEC 27000 standards and NIST Cybersecurity Framework. Kaseya’s technical and organizational measures are regularly tested and evaluated by independent third-party auditors, including penetration tests and annual AICPA SOC 2 Type II audits. Measures are also regularly tested by internal audits, as well as annual and targeted risk assessments.

Kaseya’s information security program includes:

Measures of encryption of Personal Data

Kaseya designs, implements, and effectively operates encryption to adequately protect Personal Data in transit or at rest by:

  • Using state-of-the-art encryption protocols and algorithms designed to provide effective protection against active and passive attacks with resources known to be available to public authorities.
  • Using trustworthy public-key certification authorities and infrastructure.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Kaseya enhances the security of processing systems and services in production environments by:

  • Employing a code review process before promoting code to production to increase the security of the code used to provide the Services.
  • Testing code and systems for vulnerabilities before and during use.
  • Maintaining an external Vulnerability Disclosure Policy.
  • Using checks to validate the integrity of encrypted data.
  • Employing preventative and reactive intrusion prevention and detection systems.
  • Deploying high-availability systems across geographically distributed data centers.

Kaseya designs, implements, and effectively operates access control measures to protect and maintain the confidentiality of Personal Data by:

  • Adopting the least privilege access principle on a need-to-know basis.
  • Implementing an access control and policy for the creation, reading, updating, and deletion of data.
  • Authenticating authorized and identified personnel using unique authentication credentials (passwords) and multi-factor authentication whenever possible.
  • Automatically signing out user IDs after a period of inactivity.
  • Maintaining data processing facilities – data centers, server rooms, and telecommunication rooms – locked and secure.
  • Maintaining policies and training in respect of each employee’s access rights to Personal Data.
  • Monitoring access and actions of those authorized to add, modify, or delete Personal Data.
  • Controlling access to data, with controlled and documented destruction of data.

Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident

Kaseya designs, implements, and effectively operates measures to ensure that Personal Data is protected from accidental destruction or loss by:

  • Maintaining and testing business continuity plans / disaster recovery plans and procedures.
  • Maintaining and testing incident management plans and procedures.
  • Utilizing geographically distributed data centers.
  • Using redundant infrastructure, including power supplies and internet connectivity.
  • Storing backups available for restoration in case of failure of primary systems.

Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

Kaseya’s technical and organizational measures are regularly tested and evaluated by independent third-party auditors, including penetration tests and annual AICPA SOC 2 Type II audits. Measures are also regularly tested by internal audits, as well as annual and targeted risk assessments.

Measures for user identification and authorization

Kaseya designs, implements, and effectively operates measures for user authentication and privilege management by:

  • Applying a mandatory access control and authentication policy.
  • Authenticating authorized personnel using unique authentication credentials and strong two-factor authentication.
  • Allocating and managing appropriate privileges according to role, approvals, and exception management.
  • Adopting the least privilege access principle on a need-to-know basis.

Measures for the protection of data during transmission

Kaseya designs, implements, and effectively operates measures to protect Personal Data from being read, copied, modified, or deleted by unauthorized parties during transmission, including by:

  • Using state-of-the-art transport encryption protocols designed to provide effective protection against active and passive attacks with resources known to be available to public authorities.
  • Using trustworthy public-key certification authorities and infrastructure.
  • Implementing protective measures against active and passive attacks on the sending and receiving systems providing transport encryption, such as layer 7 firewalls, IPS/IDS, threat management and traffic monitoring tools, anti-virus, anti-phishing and email security, mutual TLS encryption, API authentication, and encryption to protect the gateways and pipelines through which data travels, as well as testing for software vulnerabilities and possible backdoors.
  • Using correctly implemented and properly maintained software, covered under a vulnerability management program.
  • Enforcing secure measures to reliably generate, manage, store, and protect encryption keys.
  • Audit logging, monitoring, and tracking data transmissions.

Measures for the protection of data during storage

Kaseya designs, implements, and effectively operates measures to protect Personal Data during storage, controlling and limiting access to data processing systems, and by:

  • Using state-of-the-art encryption protocols designed to provide effective protection against active and passive attacks with resources known to be available to public authorities.
  • Using trustworthy public-key certification authorities and infrastructure.
  • Testing systems storing data for software vulnerabilities and penetration.
  • Using correctly implemented and properly maintained software, covered under a vulnerability management program.
  • Enforcing secure measures to reliably generate, manage, store, and protect encryption keys.
  • Identifying and authorizing systems and users with access to data processing systems.
  • Automatically signing out users after a period of inactivity.
  • Audit logging, monitoring, and tracking access to data processing and storage systems.

Measures for ensuring physical security of locations at which Personal Data are processed

Kaseya designs, implements, and effectively operates physical access control policies and measures to prevent unauthorized persons from gaining access to the data processing equipment where the Personal Data are processed or stored, including by partnering with data center and cloud service providers that:

  • Are renowned for excellence of service and physical security controls.
  • Maintain state-of-the-art data centers with advanced physical access controls, including physical barriers, video surveillance systems, and electronic intrusion detection systems.
  • Provide redundancy and replication of data within or across regions.
  • Maintain and monitor operational support systems, such as redundant electrical power systems, temperature and humidity monitoring and control, fire detection and suppression systems, and leakage detection.
  • Are independently tested by third-party organizations, holding SOC 2 Type II reports or ISO/IEC 27001 certifications.
  • Are compliant with privacy regulations, including the CCPA and GDPR.

Measures for ensuring events logging

Kaseya designs, implements, and effectively operates a logging and monitoring program to log, monitor, and track access to Personal Data, including access by system administrators, and to ensure data is Processed in accordance with instructions received. This is accomplished by various measures, including:

  • Authenticating authorized and identified personnel using unique authentication credentials (passwords) and multi-factor authentication whenever possible.
  • Maintaining updated lists of system administrators’ identification details.
  • Adopting measures to detect, assess, and respond to high-risk anomalies.
  • Keeping secure, accurate, and unmodified logs of access to the processing infrastructure.
  • Testing the logging configuration, monitoring system, alerting and incident response process at least once annually.

Measures for ensuring system configuration, including default configuration

Kaseya designs, implements, and effectively operates configuration baselines for all systems supporting the production data processing environment, including third-party systems. Configuration baselines should align with industry best practices such as the Center for Internet Security (CIS) Level 1 benchmarks. Automated mechanisms must be used to enforce baseline configurations on production systems, and to prevent unauthorized changes. Changes to baselines are limited to a small number of authorized Kaseya personnel and must follow change control processes. Changes must be auditable and checked regularly to detect deviations from baseline configurations.

Kaseya configures baselines for the information system using the principle of least privilege. By default, access configurations are set to “deny-all,” and default passwords must be changed to meet Kaseya’s policies prior to device installation on the Kaseya network, or immediately after software or operating system installation. Systems are configured to synchronize system time clocks based on International Atomic Time or Coordinated Universal Time (UTC), and access to modify time data is restricted to authorized personnel.

Measures for internal IT and IT security governance and management

Kaseya maintains internal policies on the acceptable use of IT systems and general information security. Kaseya requires all employees and contractors to undertake general security and privacy awareness training at least annually, runs security awareness campaigns on a quarterly basis, and makes monthly security awareness newsletters available. Kaseya restricts and protects the Processing of Personal Data, and has documented and implemented:

  • Information security, privacy, and compliance programs in order to protect the confidentiality, integrity, and availability of Kaseya’s data and information systems, and to ensure the effectiveness of security controls over data and information systems that support operations, both as a processor and a controller of customer information.

Kaseya keeps documentation of technical and organizational measures in case of audits and for the conservation of evidence. Kaseya will take reasonable steps to ensure that persons employed by it, and other persons at the place of work concerned, are aware of and comply with the technical and organizational measures set forth in this Appendix 2.

Measures for certification/assurance of processes and products

The implementation of Kaseya’s information security, privacy, and compliance programs and related security risk management processes has been externally certified by annual AICPA SOC 2 Type II audits in accordance with the AICPA Trust Services Criteria, and details of these and other certifications that Kaseya may undertake from time to time will be made available on Kaseya’s Trust Center website.

Measures for allowing data portability and ensuring erasure

Kaseya designs, implements, and effectively operates measures to allow data portability and ensure erasure, where technically possible and contractually agreed upon, by:

  • Restoring or exporting data stored in Kaseya’s servers to customers’ servers.
  • Utilizing a NIST 800-88 based data destruction process within 45 days after the end of the agreement.


Appendix 3

Standard Contractual Clauses

  1. Transfers From the European Economic Area

With respect to Customer Personal Data transferred from the European Economic Area (“EEA”), the applicable Standard Contractual Clauses are the clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”), which are incorporated by reference and form part of this Addendum and will apply to such transfers. The EU SCCs will be deemed completed as follows:

  1. Where Customer is a controller and Kaseya is a processor, Module 2 will apply, and where Customer is a processor and Kaseya is a processor, Module 3 will apply;
  2. Clause 7 (Docking clause (optional)) will apply;
  3. In Clause 9(a) (Use of sub-processors), Option 2 will apply (general written authorization), and the time period for prior notice of addition or replacement of Sub-processors will be as set forth in Section 7.b of this Addendum;
  4. In Clause 11(a) (Redress), the optional requirement that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body will apply;
  5. In Clause 17 (Governing law), Option 1 will apply (the law of an EU Member State that allows for third-party beneficiary rights), and the EU SCCs will be governed by the law of Ireland;
  6. In Clause 18(b) (Choice of forum and jurisdiction), disputes will be resolved before the courts of Ireland;
  7. Annex I of the EU SCCs will be deemed completed with the information set forth in Appendix 1 to this Addendum, as applicable;
  8. Annex II of the EU SCCs will be deemed completed with the information set forth in Appendix 2 to this Addendum; and
  9. By entering into this Addendum, the Parties are deemed to be signing the EU SCCs and its applicable Annexes.

  2. Transfers From Switzerland

With respect to Customer Personal Data transferred from Switzerland, the EU SCCs will apply in accordance with Section 1 above, with the following modifications:

  1. Any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA;
  2. References to “EU”, “Union”, “Member State” and “Member State law” will be interpreted as references to Switzerland and Swiss law, as the case may be; and
  3. References to the “competent supervisory authority” and “competent courts” will be interpreted as references to the Swiss Federal Data Protection and Information Commissioner and competent courts in Switzerland,

unless the EU SCCs, implemented as described above, cannot be used to lawfully transfer such Customer Personal Data in compliance with the Swiss DPA, in which case the applicable standard data protection clauses issued, approved, or recognized by the Swiss Federal Data Protection and Information Commissioner (“Swiss SCCs”) will instead be incorporated by reference and form part of this Addendum and will apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the Swiss SCCs will be populated using the information contained in Appendix 1 and Appendix 2 to this Addendum, as applicable.

  3. Transfers From the United Kingdom

With respect to Customer Personal Data transferred from the UK, the applicable Standard Contractual Clauses are the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B1.0, in force 21 March 2022 (“UK IDTA”), which are incorporated by reference and form part of this Addendum and will apply to such transfers. The UK IDTA will be deemed completed as follows:

  1. Table 1 of the UK IDTA:
    1. The Parties’ details will be the Parties set forth in Appendix 1;
    2. The Key Contact will be the contacts set forth in Appendix 1;
  2. Table 2 of the UK IDTA:
    1. The version of the EU SCCs which are incorporated by reference in this Addendum apply;
  3. Table 3 of the UK IDTA:
    1. List of Parties (Annex 1A) is set forth in Appendix 1;
    2. Description of Transfer (Annex 1B) is set forth in Appendix 1;
    3. Technical and Organisational Measures (Annex II) are set forth in Appendix 2;
    4. List of Sub-processors (Annex III) are set forth in Appendix 1;
  4. Table 4 of the UK IDTA:
    1. Neither Party may end this Addendum as set forth in Section 19 of the UK IDTA; and
  5. By entering into this Addendum, the Parties are deemed to be signing the UK IDTA and its applicable Tables and Appendix Information.

  4. Transfers From Other Jurisdictions

If: (i) the Standard Contractual Clauses are recognized under Applicable Data Protection Laws as an adequacy mechanism or other comparable instrument for the transfer of Customer Personal Data originating in any country outside of the EEA, Switzerland, and UK (each an “Additional Country”); and (ii) Kaseya or its Sub-processor(s) Process Customer Personal Data originating from an Additional Country in a country that has not been found to provide an adequate level of protection under Applicable Data Protection Laws of such Additional Country, then the Parties agree that this Addendum (including its Appendices) will also apply respectively to Kaseya’s Processing of such Customer Personal Data. Where applicable, references to EU Member State law or EU Supervisory Authorities in the Standard Contractual Clauses shall be modified to include the appropriate reference to the Additional Country’s Applicable Data Protection Laws and Supervisory Authorities.