Ethixbase360 Data Processing Agreement
Background
Owner and Ethixbase360 may enter into Orders and associated Ethixbase360 terms and conditions for the supply of Services (“Terms”). Any capitalised terms not otherwise defined in this DPA shall have the meaning ascribed to that term in the Terms.
Ethixbase360 will be required to process Owner Personal Data on behalf of Owner and/or its Affiliates in connection with Orders.
This DPA sets out the additional terms on which Ethixbase360 will process Owner Personal Data when providing Services under or in connection with an Order.
The terms set out in this DPA will apply to the extent Data Protection Legislation requires Owner to include equivalent terms in agreements with its processors.
Data Protection Relationships
Collaborative Reports rely on information provided by the Collaborative Report Subject. All other Reports are prepared without interaction between Ethixbase360 and the subject of the report. A Collaborative Report may be paid for by the Collaborative Report Subject or another Customer.
Ethixbase360 acts as Processor to the Collaborative Report Subject in relation to the Collaborative Report and all personal data provided by the Collaborative Report Subject. The Collaborative Report Subject is the Controller even if another Customer has paid for the Collaborative Report. Ethixbase360 may only release a copy of the Collaborative Report to a third party on the written instructions of the Collaborative Report Subject.
If the Collaborative Report Subject authorises the release of a Collaborative Report to a third party, that third party is an independent Controller of the copy of the Collaborative Report released to it. Ethixbase360 is the third party’s Processor in relation to (a) any copy of the Collaborative Report released to the third party; and (b) any personal data provided by the third party, in each case while stored on the Ethixbase360 Platform.
In relation to all other Reports, Ethixbase360 acts as Processor to Customer and Customer is Controller.
In this DPA, “Ethixbase360” shall be the legal entity identified in clause 18 of the Terms and “Owner” shall be the Owner identified in the Order.
- Interpretation. The definitions and rules of interpretation in this clause apply in this DPA. Any capitalised terms not otherwise defined herein shall have the meaning ascribed to that term in the Terms.
Adequate Transfer Mechanism: the transfer of Owner Personal Data to a recipient that (a) is covered by a suitable framework or other legally adequate transfer mechanism recognised by the relevant authorities as providing an adequate level of protection for Owner Personal Data; (b) has achieved processor binding corporate rules authorisation in accordance with Data Protection Legislation; (c) has executed the Standard Contractual Clauses or the Standard Contractual Clauses approved by the UK Information Commissioner’s Office from time to time (as appropriate); or (d) is located in the United States and participates in such mechanism as may replace or supersede the EU-US Privacy Shield from time to time, or any equivalent mechanism implemented for EU-US or UK-US (as appropriate) data transfers.
“Controller”, “Processor”, “Data Subject”, “Personal Data”, “personal data breach” and “processing”, “supervisory authority” shall have the meanings attributed to them in the Data Protection Legislation.
Data Protection Legislation: all data protection and privacy legislation in force from time to time governing the processing of personal data in the country or state in which that personal data is processed applicable to a party including GDPR, UK GDPR, the UK Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
EU Standard Contractual Clauses/SCCs means Module Two (controller to processor) of the standard contractual clauses adopted by the European Commission for the transfer of personal data to third countries pursuant to GDPR in the form annexed to the European Commission’s Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries or the replacement agreement annexed to any subsequent European Commission decision for use in relation to transfers from a processor located in the EU/EEA (or otherwise subject to the EU GDPR) to processors established outside the EU/EEA (and not subject to the EU GDPR).
Owner Personal Data: Personal Data Ethixbase360 processes on behalf of Owner or its Affiliates to provide the Services including Personal Data processed in and in relation to, Reports.
Standard Contractual Clauses: as appropriate the (a) EU Standard Contractual Clauses; or (b) Standard Contractual Clauses as modified by the UK Addendum.
UK Addendum: the international data transfer addendum approved by the UK Information Commissioner in accordance with s119A of the Data Protection Act 2018 from time to time which is intended to be used in conjunction with the Standard Contractual Clauses for the transfer of Personal Data to third countries compliant with the Data Protection Legislation applicable in the UK.
UK GDPR: the retained version of the EU General Data Protection Regulation ((EU) 2016/679) in the UK, as defined in s.3(10) of the Data Protection Act 2018, and as supplemented by s.205(4), and all references in this DPA to “GDPR” are to UK GDPR unless otherwise stated.
Words and expressions defined in the Terms shall have the same meaning in this DPA.
1.2. Clause, schedule and paragraph headings shall not affect the interpretation of this DPA.
1.3. A person includes an individual, corporate or unincorporated body (whether or not having separate legal personality).
1.4. A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.
1.5. Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular, and a reference to one gender shall include a reference to the other genders.
1.6. A reference to a statute or statutory provision is a reference to it as it is in force as at the date of this DPA and shall include all subordinate legislation made as at the date of this DPA under that statute or statutory provision.
Basis of Processing
In the provision of the Services, Ethixbase360 may process Owner Personal Data. If Ethixbase360 processes Owner Personal Data under the Order and Terms, for the purposes of the relevant Data Protection Legislation, Owner is the Controller of Owner Personal Data and Ethixbase360 is the Processor of Owner Personal Data.
Owner alone will exercise all rights under this DPA on its own behalf and on behalf of Owner Affiliates that are permitted by Ethixbase360 to use the Services under Owner’s Order.
If the Owner authorises the release of a Collaborative Report to an Authorised Recipient, that Authorised Recipient becomes an independent Controller of the Collaborative Report. Ethixbase360 has no control over the use of a Collaborative Report or any Personal Data contained within it by a Third Party Recipient. Prior to authorising disclosure, it is the responsibility of Owner to ensure appropriate arrangements are in place with Third Party Recipient governing the confidentiality of a Collaborative Report and the Processing of Personal Data within it.
The subject-matter, duration, nature, purpose of processing, types of Owner Personal Data and categories of Data Subjects processed under this DPA are set out in the Schedule to this DPA.
Instructions
Ethixbase360 will process Owner Personal Data for the purpose of and the duration as is necessary to perform its obligations under the Order and the Terms only, or otherwise in accordance with Owner’s written instructions. Such instructions will be reasonable, given in good faith and consistent with Ethixbase360’s obligations under an Order and the Terms.
Ethixbase360 may also process Owner Personal Data if required to do so by applicable law. Ethixbase360 will inform Owner of any such legal requirement before processing unless the law prohibits it from doing so.
Compliance with Data Protection Legislation
Each party will comply with the Data Protection Legislation applicable to it.
Ethixbase360 will notify Owner prior to carrying out any instruction from Owner that Ethixbase360 is aware would result in a breach of Data Protection Legislation.
Technical Requirements
Taking into account the state of technical development and the nature of processing, Ethixbase360 shall implement and maintain appropriate technical and organisational measures designed to meet the requirements of Data Protection Legislation.
Owner will determine whether the technical and organisational measures provided by the Services enable Owner to meet Owner’s obligations under the Data Protection Legislation.
Owner is solely responsible for ensuring the secure use of the Services by its Users.
Ethixbase360 will notify Owner if Ethixbase360 ceases to be ISO 27001 certified.
Sub-processing
Ethixbase360 will provide Owner with a list of its then current sub-processors on request. Sub-processors may be outside the UK or EEA.
Ethixbase360 has Owner’s general authorisation under this DPA and the Standard Contractual Clauses to appoint sub-processors and authorise them to process Owner Personal Data to the extent necessary for Ethixbase360 to provide Services. Ethixbase360 shall only allow processing of Owner Personal Data using a sub-processor if:
- Ethixbase360 has appointed that sub-processor under a written agreement containing, in substance, the same data protection obligations as this DPA;
- Ethixbase360 is responsible for each sub-processor’s compliance with Ethixbase360 obligations under this DPA;
- the conditions of paragraph “International Transfer” below have been met whenever Owner Personal Data is transferred from the EEA or the UK to any country outside the EEA or UK.
Ethixbase360 will notify Owner of any proposed changes to its sub-processors. Acting reasonably and in good faith, Owner may object to such changes on data protection grounds within 10 days of Ethixbase360’s notification to Owner. If Owner does notify Ethixbase360 of such reasonable objections, the parties will discuss Owner’s concerns in good faith with a view to achieving a commercially reasonable resolution within a reasonable period of time, but in any event within 30 days of Owner being informed of the proposed new sub-processor. Ethixbase360 may suspend the provision of the Services pending such resolution and may appoint such new sub-processor. If no objection is received within such 10 day period, Owner will be deemed to have no objections. If Ethixbase360 is unable to resolve the objection to Owner’s reasonable satisfaction within this timeframe, Owner may, as its sole and exclusive remedy, terminate the Order or, at its option, the affected Services, immediately on notice given within such 30 day period.
Ethixbase360 Personnel
Ethixbase360 shall ensure that those of its personnel who are engaged or involved in the processing of Owner Personal Data to provide the Services:
- are informed of the confidential nature of Owner Personal Data and are subject to a binding written contractual obligation to keep Owner Personal Data confidential;
- are aware of, and have adequate training and instruction to allow them to comply with, Ethixbase360’s duties and their personal duties and obligations under such laws and this DPA; and
- shall only have access to such part or parts of Owner Personal Data as is strictly necessary for performance of that person’s duties.
International transfers
Ethixbase360 shall not transfer any Owner Personal Data to any sub-processor in a country outside the EEA or UK (as applicable) unless an Adequate Transfer Mechanism is in place with such sub-processor and the parties have taken all other actions required by the Data Protection Legislation to legitimise the transfer.
Ethixbase360 entities located outside the UK or EEA
If the Ethixbase360 entity providing Services is located outside the UK or EEA and the processing of Owner Personal Data is subject to the GDPR or UK GDPR:
- the transfer of Owner Personal Data to Ethixbase360 will be subject to the Standard Contractual Clauses;
- Owner will be the data exporter and Ethixbase360 will be the data importer under Standard Contractual Clauses;
- the information required by the Standard Contractual Clauses is set out in Part 1 of Schedule 1 to this DPA and the information required by the UK Addendum is set out in Part 2 of Schedule 1 to this DPA;
- the additional safeguards in Schedule 2 will apply.
If the Standard Contractual Clauses cease to be a valid Adequate Transfer Mechanism, Owner and Ethixbase360 will promptly and acting reasonably and in good faith agree an alternative Adequate Transfer Mechanism to ensure that the transfer of Owner Personal Data remains lawful.
If (a) Owner and Ethixbase360 are unable promptly to agree an alternative Adequate Transfer Mechanism; or (b) any data protection regulator requires the transfer of Owner Personal Data to Ethixbase360 outside the UK or the EU/EEA to be suspended, then:
- Owner will immediately stop such transfers of Owner Personal Data to Ethixbase360 until such time as it is able to perform the transfer in full compliance with this paragraph and the requirements of any data protection regulator; and
- if requested by Owner, Ethixbase360 will comply with its obligations under the heading Deletion/Return.
Personal Data Breach
Ethixbase360 shall, without undue delay, inform Owner if Ethixbase360 becomes aware that any Owner Personal Data has been subject to a personal data breach.
Ethixbase360 shall make reasonable efforts to identify the cause of any personal data breach and take those steps as Ethixbase360 deems necessary and reasonable in order to remediate the cause of any personal data breach to the extent remediation is within Ethixbase360’s reasonable control. Ethixbase360 will keep Owner informed of such cause and the steps it is taking.
Audits
Ethixbase360 shall on request, in accordance with the Data Protection Legislation, make available to Owner such information it has as is necessary to demonstrate Ethixbase360’s compliance with the provisions of this DPA and with the applicable Data Protection Legislation and allow for and contribute to audits.
Any audit (including any audit performed under the Standard Contractual Clauses) shall be performed: (i) following a personal data breach or request from a supervisory authority; or (ii) otherwise no more than once per calendar year, with at least 60 days prior written notice and be at Owner’s own cost and expense. Audits will be carried out on a remote or desktop basis unless it is not possible to do so. Owner will not unreasonably interfere with Ethixbase360’s day to day business activities and shall comply with its reasonable security requirements.
Assistance
Ethixbase360 shall:
- Without undue delay, provide such reasonable information and assistance as Owner may require in relation to the fulfilment of Owner’s obligations to respond to requests for exercising the Data Subjects’ rights under the Data Protection Legislation; and
- Provide such information, co-operation and other assistance to Owner as Owner reasonably requires (taking into account the nature of processing and the information available to Ethixbase360) to ensure compliance with Owner’s obligations as Controller under Data Protection Legislation, including with respect to:
- security of processing;
- data protection impact assessments;
- prior consultation with a supervisory authority regarding high risk processing; and
- any remedial action and/or notifications to be taken in response to any personal data breach and/or any complaint or request relating to either party’s obligations under Data Protection Legislation relevant to this DPA, including (subject in each case to Owner’s prior written authorisation) regarding any notification of the personal data breach to supervisory authorities and/or communication to any affected Data Subjects.
Ethixbase360 may (acting reasonably) charge Owner at its standard professional services rates for any support, co-operation or assistance it provides under the DPA and the Standard Contractual Clauses that cannot be provided within the scope of the Services. This paragraph shall not apply in relation to any support, co-operation or assistance (a) that is a direct legal obligation of Ethixbase360 under the Data Protection Legislation; or (b) required due to a breach of Ethixbase360’s obligations under this DPA or the Standard Contractual Clauses.
Deletion/return
On termination of the provision of Services Ethixbase360 may securely dispose of Owner Personal Data, unless, within 30 days of termination, Owner requests Ethixbase360 to return (and thereafter promptly to delete) Owner Personal Data at Owner’s cost. Following receipt of a request Ethixbase360 shall use reasonable commercial endeavours to deliver to Owner a copy of the then most recent back-up of Owner Personal Data within 30 days of receipt of such request. Ethixbase360 shall have no obligation to deliver such copy unless Owner has paid all fees and charges outstanding at or resulting from termination (whether or not due at the date of termination). Ethixbase360 shall be entitled to retain Owner Personal Data (i) when required by law; or (ii) when securely isolated and protected on back-up systems and deleted in accordance with Ethixbase360’s standard deletion practices. Ethixbase360 may also keep one copy of each Report for risk management purposes for 6 years following the date of the Report. Any retained Owner Personal Data shall remain subject to the terms of this DPA.
Owner obligations
Owner must obtain all consents or other legal justifications necessary for Ethixbase360 to process Owner Personal Data and to deliver the Services in accordance with an Order and Terms.
The Owner will ensure the Owner Data:
- contains the minimum information required for Ethixbase360 to provide the Services;
- is accurate and complete (and the Owner shall notify Ethixbase360 of any inaccuracies or of any corrections required);
- does not contain any special category or sensitive Personal Data (within the meaning of the Data Protection Legislation) other than as contained in Reports.
If the Owner receives any complaint, notice or communication which relates directly or indirectly to the Service, Ethixbase360 Data or to Ethixbase360’s compliance with the Data Protection Legislation it shall without undue delay notify Ethixbase360 and provide reasonable cooperation and assistance in relation to any such complaint, notice or communication.
Owner will provide Ethixbase360 with reasonable co-operation and assistance in relation to any request made by any Data Subject identified in the Owner Data in relation to the Ethixbase360 Data.
Application of the Terms
The following provisions of the Terms shall apply equally to this DPA as if references in the Terms to “the agreement” or “this agreement” were references to this DPA: 1 (definitions), 12 (limitation of Liability) as between Ethixbase360 and Owner but not between Ethixbase360 and Data Subjects, 14 (Force Majeure), 16 (General), 17 (Notices), 18 (Contracting Entity) and 19 (English language).
Schedule 1 – Part 1
Information Required by the Standard Contractual Clauses
For the purpose of SCCs that shall apply between the parties pursuant to the DPA, clauses 7, 9, 11, 13, 17, 18 and the Annexes of the SCCs shall be deemed to be completed as follows:
- Clause 7 (Docking Clause) shall apply
- In Clause 9 of the SCCs, Option 2 shall apply and the time period shall be not less than 10 days.
- The optional wording at Clause 11(a) of the SCCs is deleted.
- In Clause 13(a) of the SCCs:
- where the GDPR applies to processing under the Agreement, the applicable wording (as determined by the instructions in square brackets in the SCCs) is retained and the two remaining alternatives are deleted; and
- where the GDPR does not apply to processing under the Agreement, the wording in Clause 13(a) is deleted and replaced with the following “The supervisory authority of the data exporter, as indicated in Annex I.C, shall act as competent supervisory authority”.
- In Clause 17 of the SCCs, Option 2 is deleted and Option 1 is completed with details of the applicable governing law as follows:
- where the GDPR applies to processing under the Agreement and the country of establishment of the data exporter, as specified in Annex I.A of the SCCs, is a Member State of the European Union whose law allows for third party beneficiary rights, the governing law shall be that country of establishment of the data exporter;
- where the GDPR applies to processing under the Agreement and the country of establishment of the data exporter, as specified in Annex I.A of the SCCs, is not a Member State of the European Union, then the governing law shall be the law of the Republic of Ireland; and
- where the GDPR does not apply to processing under the Agreement, the wording at Option 1 is deleted and replaced with the following “These Clauses shall be governed by English law.”
- Clause 18(b) of the SCCs is completed with details of the courts of competent jurisdiction as follows:
- where the GDPR applies to processing under the Agreement, (i) the courts of the country of establishment of the data exporter, as specified in Annex I.A of the SCCs, provided such country of establishment is a Member State of the European Union and (ii) in all other cases, the courts of the Republic of Ireland; and
- where the GDPR does not apply to processing under the Agreement, the wording in Clauses 18(a) and (b) is deleted and replaced with the following “(a) NOT USED. (b) Any dispute arising from these Clauses shall be resolved by the courts of England and Wales.”.
ANNEX I to the Standard Contractual Clauses
Annex I.A of the SCCs is completed with the additional party details for transfers as set out below:
- LIST OF PARTIES
Data exporter/processor:
Name and Address: Owner whose details are set out in the Order.
Contact person’s name, position and contact details:
As set out in the Order
Activities relevant to the data transferred under these Clauses:
Receipt of the services set out in the Agreement.
Data importer/processor:
Name and Address: the Ethixbase360 entity identified in the Terms.
Contact person’s name, position and contact details: as set out in the Agreement.
Data Protection Officer, [email protected]
Activities relevant to the data transferred under these Clauses:
Supply of the services set out in the Agreement.
Annex I.B of the SCCs is completed with the processing details and additional transfer details set out in the table below:
- DESCRIPTION OF TRANSFER
To the extent necessary to provide Services, Ethixbase360 may have access to Personal Data processed by Owner as controller and Ethixbase360 as a processor to Owner.
| Controller | Owner as identified in the Order |
| Processor | The Ethixbase360 legal entity identified in section 18 of the Terms |
| Subject matter of processing | · Authorised Users: for the provision of the Services · Other parties: for assessing and managing third party risks in the Owner’s business operations |
| Duration of Processing | The term of the applicable Order |
| Nature of Processing | The processing of Personal Data in accordance with an Order and the Terms including collecting, recording, organising, structuring, copying, storing, adapting, retrieving, using, investigating, disclosing by transmitting, making available, combining and erasing purely for the purpose of providing the Services. |
| Personal Data Categories | Authorised Users: names, email addresses, IP addresses and phone numbers, and/or any other data made available to Ethixbase360 in connection with the provision of the Services. Data subjects subject to due diligence: Name, location, address, gender, date of birth, current and former employment details/position, public profile summary, shareholding details, previous names, aliases, nationality, director or officer status, business and family relationships (if individual holds Politically Exposed Person (PEP) position), adverse media findings, actual or potential regulatory breach and civil litigation history, PEP status and related information, sanctions and watchlists screening results. Information provided in response to Owner due diligence questionnaires (can include name, contact details of Associates or of referees. Gov ID if requested by Owner). Open source due diligence checks may reveal Gov ID information. Username, access permissions, IP addresses, last login date for those with access to the Ethixbase360 Platform. Sensitive Personal Data (if revealed by public domain research sources): Criminality data, political opinion data (if this can be inferred from PEP status) and sexual orientation (if this can be inferred from familial links for PEPs) |
| Data Subject Types | · Authorised Users · Directors, officers, employees, business or other associates of Third Parties and their business associates or family members |
| The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) | Continuous |
| For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing | Sub-processor may have access to Owner Personal Data to support the provision of Services for the duration of the Order. |
Annex I.C of the SCCs is completed with the following details:
- COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Ireland
ANNEX II to the Standard Contractual Clauses
Annex II of the SCCs is completed with the technical and organisational measures described below.
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
General Organisational measures
Policies and governance
- Ethixbase360 holds ISO/IEC 27001 certification for its Information Security Management System that covers the Services.
- Written information security and data protection policies are maintained covering matters such as secure handling, access control, and incident management.
- Responsibilities for security are assigned to named roles (management / IT / operational leads).
- Key controls (including sharing settings and access permissions) are reviewed periodically and after material changes.
Personnel controls
- Personnel with access to Owner Personal Data are subject to confidentiality obligations.
- Personnel with access to Owner Personal Data receive security and data protection training on onboarding and periodically thereafter.
- A joiners/movers/leavers process is operated, designed to support timely provisioning and removal of access.
Incident management
- An incident response process is maintained to assess, contain, and remediate suspected data breaches relating to Owner Personal Data.
Monitoring
- A range of tools are utilised to monitor corporate and production network environments.
- Data is collected from devices and applications in the network and aggregated into the Security Incident and Event Management (SIEM) platform to identify, detect and respond to suspected or confirmed anomalies and threats. The SIEM is monitored by a dedicated 24/7 Cyber Security Operations Centre to respond to and mitigate threats.
- Suspicious and malicious activities feed into the security-incident management process.
Endpoint Security
- Endpoint Detection and Response (EDR) solutions are used on all managed endpoint devices such as laptops, desktops and mobile devices that access Owner Personal Data. The enterprise EDR solution is configured to perform daily threat-definition updates and malware scans.
- All managed devices that store or access Owner Personal Data must have automated security updates enabled or where appropriate security updates must be installed upon notification of their availability. All managed devices that process Owner Personal Data must be encrypted using approved software.
- Personnel are prohibited from altering, disabling, or removing endpoint security controls and the security update service from any computer.
Ethixbase360 Platform
Assurance
- Annual ISO/IEC 27001 surveillance or recertification audits are performed by an independent certification body. Annual external penetration tests are commissioned on the Platform.
- The Platform is subject to regular vulnerability scanning, and identified vulnerabilities are triaged and remediated on a risk-based basis.
Security during electronic transmission
- Installation of dedicated lines or VPN tunnels.
- Encrypted transfer (e.g. HTTPS, SSL, SSH, [algorithm], [number]-bit keys)
- Traffic is encrypted using TLS 1.3 with a modern cipher suite, supporting TLS 1.2 at minimum
- Owner Personal Data in the database is encrypted at rest
Physical access control
Technical and organisational measures are maintained for access control to Ethixbase360 buildings,
Ethixbase360 leverages Amazon Web Services (AWS) and Microsoft Azure for production systems which follow standardised industry practices for physical security.
Information about AWS’s data centre controls can be found here:
https://aws.amazon.com/trust-center/data-center/our-controls/
Information about Microsoft Azure’s data centre controls can be found here:
https://learn.microsoft.com/en-us/azure/security/fundamentals/physical-security
Annex III of the SCCs is completed with the details of the sub-processors set out in the list maintained by Ethixbase360, a copy of which is available on request by Owner.
Schedule 1 – Part 2
Information Required by the UK Addendum
UK Addendum Tables
Table 1: Parties
| Start date | Date of the Order | |
| The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
| Parties’ details | Owner whose details are set out in the Order | Ethixbase360 whose details are set out in the Terms |
| Key Contact | As set out in the Agreement | As set out in the Agreement |
Table 2: Selected SCCs, Modules and Selected Clauses
| Addendum EU SCCs | The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum: |
| Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter? |
| 2 | Yes | No | Option 2 – General Authorisation | 10 days | Yes |
Table 3: Appendix Information is completed with cross references to the relevant Annexes in the SCCs.
Table 4: Ending this Addendum when the Approved Addendum Changes: The “Exporter” option is selected.
Schedule 2 – Additional Safeguards
If Ethixbase360 is located outside the UK or EEA, the following additional safeguards will apply:
- Ethixbase360 shall have in place and maintain in accordance with good industry practice measures to protect Owner Personal Data from interception (including in transit from Owner to Ethixbase360 and between different systems and services). This includes having in place and maintaining network protection intended to deny attackers the ability to intercept data and encryption of Owner Personal Data whilst in transit and at rest intended to deny attackers the ability to read
- Ethixbase360 will make commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to Owner Personal Data protected under GDPR or the UK GDPR, including under section 702 of the United States Foreign Intelligence Surveillance Act (“FISA”);
- If Ethixbase360 becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Owner Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise (unless legally prohibited from doing so):
- Ethixbase360 will notify Owner promptly after first becoming aware of such demand for access to Owner Personal Data and provide Owner with all relevant details of the same, unless and to the extent legally prohibited to do so;
- Ethixbase360 shall inform the relevant government authority that Ethixbase360 is a processor of the Owner Personal Data and that Owner has not authorized Ethixbase360 to disclose the Owner Personal Data to the government authority, and inform the relevant government authority that any and all requests or demands for access to the Owner Personal Data should therefore be notified to or served upon Owner in writing;
- Ethixbase360 will use commercially reasonable legal mechanisms to challenge any such demand for access to Owner Personal Data which is under Ethixbase360’s control. Notwithstanding the above, (a) Owner acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended government authority access, and (b) if, taking into account the nature, scope, context and purposes of the intended government authority access to Owner Personal Data, Ethixbase360 has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this subsection (c)(III) shall not apply. In such event, Ethixbase360 shall notify Owner, as soon as possible, following the access by the government authority, and provide Owner with relevant details of the same, unless and to the extent legally prohibited to do so.
- Once in every 12-month period, Ethixbase360 will inform Owner, at Owner’s written request, to the extent permitted by applicable law, of the types of binding legal demands for Personal Data it has received and solely to the extent such demands have been received, including national security orders and directives, which shall encompass any process issued under section 702 of FISA.