Background

Owner and Ethixbase360 have and may enter into Orders and associated Ethixbase360 terms and conditions for the supply of Services (“Terms”). Any capitalised terms not otherwise defined in this DPA shall having the meaning ascribed to that term in the Terms.

Ethixbase360 will be required to process Owner Personal Data on behalf of Owner and/or its Affiliates in connection with Orders.

This DPA sets out the additional terms on which Ethixbase360 will process Owner Personal Data when providing Services under or in connection with an Order. 

The terms set out in this DPA will apply to the extent Data Protection Legislation requires Owner to include equivalent terms in agreements with its processors.

Data Protection Relationships

Collaborative Reports rely on information provided by the Collaborative Report Subject.  All other Reports are prepared without interaction between Ethixbase360 and the subject of the report.  A Collaborative Report may be paid for by the Collaborative Report Subject or another Customer.

Ethixbase360 acts as Processor to the Collaborative Report Subject in relation to the Collaborative Report and all personal data provided by the Collaborative Report Subject.  The Collaborative Report Subject is the Controller even if another Customer has paid for the Collaborative Report.   Ethixbase360 may only release a copy of the Collaborative Report to a third party on the written instructions of the Collaborative Report Subject.

If the Collaborative Report Subject authorises the release of a Collaborative Report to a third party, that third party is an independent Controller of the copy of the Collaborative Report released to it.  Ethixbase360 is the third party’s Processor in relation to (a) any copy of the Collaborative Report released to the third party; and (b) any personal data provided by the third party,  in each case while stored on the Ethixbase360 Platform. 

In relation to all other Reports, Ethixbase360 acts as Processor to Customer and Customer is Controller. 

In this DPA, “Ethixbase360” shall be the legal entity identified in clause 18 of the Terms and “Owner” shall be the Owner identified in the Order.

1. Interpretation. The definitions and rules of interpretation in this clause apply in this DPA. Any capitalised terms not otherwise defined herein shall having the meaning ascribed to that term in the Terms.

Adequate Transfer Mechanism:  the transfer of Owner Personal Data to a recipient that (a) is covered by a suitable framework or other legally adequate transfer mechanism recognised by the relevant authorities as providing an adequate level of protection for Owner Personal Data (b) has achieved processor binding corporate rules authorisation in accordance with Data Protection Legislation; (c) has executed the Standard Contractual Clauses or the Standard Contractual Clauses approved by the UK Information Commissioner Office from time to time (as appropriate); or (d) is located in the United States and participates in such mechanism as may replace or supersede the EU-US Privacy Shield from time to time, or any equivalent mechanism implemented for EU-US or UK-US (as appropriate) data transfers.

“Controller”, “Processor”, “Data Subject”, “Personal Data”, “personal data breach” and “processing”, “supervisory authority” shall have the meanings attributed to them in the Data Protection Legislation.

Data Protection Legislation: all data protection and privacy legislation in force from time to time governing the processing of personal data in the country or state in which that personal data is processed applicable to a party including, GDPR, UK GDPR, the UK Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended).

EU Standard Contractual Clauses/SCCs means Module Two (controller to processor) of the the standard contractual clauses adopted by the European Commission for the transfer of personal data to third countries pursuant to GDPR in the form annexed to the European Commission’s Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries or the replacement agreement annexed to any subsequent European Commission decision for use in relation to transfers from a processor located in the EU/EEA (or otherwise subject to the EU GDPR) to processors established outside the EU/EEA (and not subject to the EU GDPR).

Owner Personal Data: Personal Data Ethixbase360 processes on behalf of Owner or its Affiliates within the Ethixbase360 Platform including Personal Data processed in and in relation to, Reports.

Standard Contractual Clauses: as appropriate the (a) EU Standard Contractual Clauses; or (b)  Standard Contractual Clauses as modified by the UK Addendum.

UK Addendum the international data transfer addendum approved by the UK Information Commissioner in accordance with s119A of the Data Protection Act 2018 from time to time which is intended to be used in conjunction with the Standard Contractual Clauses for the transfer of Personal Data to third countries compliant with the Data Protection Legislation applicable in the UK.

UK GDPR: the retained version of the EU General Data Protection Regulation ((EU) 2016/679) in the UK, as defined in s.3(10) of the Data Protection Act 2018, and as supplemented by s.205(4), and all references in this DPA to “GDPR” are to UK GDPR unless otherwise stated.

Words and expressions defined in the Terms shall have the same meaning in this DPA.

1.2. Clause, schedule and paragraph headings shall not affect the interpretation of this DPA.

1.3. A person includes an individual, corporate or unincorporated body (whether or not having separate legal personality).

1.4. A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.

1.5. Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular, and a reference to one gender shall include a reference to the other genders.

1.6. A reference to a statute or statutory provision is a reference to it as it is in force as at the date of this DPA and shall include all subordinate legislation made as at the date of this DPA under that statute or statutory provision.

Basis of Processing

In the provision of the Services, Ethixbase360 may process Owner Personal Data.  If Ethixbase360 processes Owner Personal Data under the Order and Terms, for the purposes of the relevant Data Protection Legislation, Owner is the Controller of Owner Personal Data and Ethixbase360 is the Processor of Owner Personal Data.

Owner alone will exercise all rights under this DPA on its own behalf and on behalf of Owner Affiliates that are permitted by Ethixbase360 to use the Services under Owner’s Order.  

If the Owner authorises the release of a Collaborative Report to an Authorised Recipient, that Authorised Recipient becomes an independent Controller of the Collaborative Report.  Ethixbase360 has no control over the use of a Collaborative Report or any Personal Data contained within it by a Third Party Recipient.  Prior to authorising disclosure, it is the responsibility of Owner to ensure appropriate arrangements are in place with Third Party Recipient governing the confidentiality of a Collaborative Report and the Processing of Personal Data within it.

The subject-matter, duration, nature, purpose of processing, types of Owner Personal Data and categories of Data Subjects processed under this DPA are set out in the Schedule to this DPA.

Instructions

Ethixbase360 will process Owner Personal Data for the purpose of and the duration as is necessary to perform its obligations under the Order and the Terms only, or otherwise in accordance with Owner’s written instructions.  Such  instructions will be reasonable, given in good faith and consistent with Ethixbase360’s obligations under an Order and the Terms.

Ethixbase360 may also process Owner Personal Data if required to do so by applicable law.  Ethixbase360 will inform Owner of any such legal requirement before processing unless the law prohibits it from doing so.

Compliance with Data Protection Legislation

Each party will comply with the Data Protection Legislation applicable to it.

Ethixbase360 will notify Owner prior to carrying out any instruction from Owner that Ethixbase360 is aware would result in a breach of Data Protection Legislation.

Technical Requirements

Taking into account the state of technical development and the nature of processing, Ethixbase360 shall implement and maintain appropriate technical and organisational measures designed to meet the requirements of Data Protection Legislation.

Owner will determine whether the technical and organisational measures provided by the Services enable Owner to meet Owner’s obligations under the Data Protection Legislation.

Owner is solely responsible for ensuring the secure use of the Services by its Users.

Ethixbase360 will notify Owner if Ethixbase360 ceases to be ISO 27001 certified.

Sub-processing

Ethixbase360 will provide Owner with a list of its then current sub-processors on request. Sub-processors may be outside the UK or EEA.

Ethixbase360 has Owner’s general authorisation under this DPA and the Standard Contractual Clauses to appoint sub-processors and authorise them to process Owner Personal Data to the extent necessary for Ethixbase360 to provide Services.  Ethixbase360 shall only allow processing of Owner Personal Data using a sub-processor if:

• Ethixbase360 has appointed that sub-processor under a written agreement containing, in substance, the same data protection obligations as this DPA;
• Ethixbase360 is responsible for each sub-processor’s compliance with Ethixbase360 obligations under this DPA;
• the conditions of paragraph “International Transfer” below have been met whenever Owner Personal Data is transferred from the EEA or the UK to any country outside the EEA or UK.

Ethixbase360 will notify Owner of any proposed changes to its sub-processors. Acting reasonably and in good faith, Owner may object to such changes on data protection grounds within 10 days of Ethixbase360’s notification to Owner. If Owner does notify Ethixbase360 of such reasonable objections, the parties will discuss Owner’s concerns in good faith with a view to achieving a commercially reasonable resolution within a reasonable period of time, but in any event within 30 days of Owner being informed of the proposed new sub-processor.  Ethixbase360 may suspend the provision of the Services pending such resolution and may appoint such new sub-processor. If no objection is received within such 10 day period, Owner will be deemed to have no objections,  If Ethixbase360 is unable to resolve the objection to Owner’s reasonable satisfaction within this timeframe, Owner may, as its sole and exclusive remedy, terminate the Order or, at its option, the affected Services, immediately on notice given within such 30 day period.

Ethixbase360 Personnel

Ethixbase360 shall ensure that those of its personnel who are engaged or involved in the processing of Owner Personal Data to provide the Services:

• are informed of the confidential nature of Owner Personal Data and are subject to a binding written contractual obligation to keep Owner Personal Data confidential;
• are aware of, and have adequate training and instruction to allow them to comply with, Ethixbase360’s duties and their personal duties and obligations under such laws and this DPA; and
• shall only have access to such part or parts of Owner Personal Data as is strictly necessary for performance of that person’s duties.

International transfers

Ethixbase360 shall not transfer any Owner Personal Data to any sub-processor in a country outside the EEA or UK (as applicable) unless an Adequate Transfer Mechanism is in place with such sub-processor and the parties have taken all other actions required by the Data Protection Legislation to legitimise the transfer.  

Ethixbase360 entities located outside the UK or EEA

If the Ethixbase360 entity providing Services is located outside the UK or EAA:  

• the transfer of Owner Personal Data to Ethixbase360 will be subject to the Standard Contractual Clauses;
• Owner will be the data exporter and Ethixbase360 will be the data importer under Standard Contractual Clauses;
• the information required by the Standard Contractual Clauses is set out in Part 1 of Schedule 1 to this DPA and the information required by the UK Addendum is set out in Part 2 of Schedule 1 to this DPA;
• The additional safeguards in Schedule 2 will apply.

If the Standard Contractual Clauses cease to be a valid Adequate Transfer Mechanism, Owner and Ethixbase360 will promptly and acting reasonably and in good faith agree an alternative Adequate Transfer Mechanism to ensure that the transfer of Owner Personal Data remains lawful. 

If (a) Owner and Ethixbase360 are unable promptly to agree an alternative Adequate Transfer Mechanism; or (b) any data protection regulator requires the transfer of Owner Personal Data to Ethixbase360 outside the UK or the EU/EAA to be suspended, then:

• Owner will immediately stop such transfers of Owner Personal Data to Ethixbase360 until such time as it is able to perform the transfer in full compliance with this paragraph and the requirements of any data protection regulator; and
• if requested by Owner, Ethixbase360 will comply with its obligations under the heading Deletion/Return.

Personal Data Breach

Ethixbase360 shall without undue delay, inform Owner if Ethixbase360 becomes aware that any Owner Personal Data has been subject to a personal data breach.

Ethixbase360 shall make reasonable efforts to identify the cause of any personal data breach and take  those steps as Ethixbase360 deems necessary and reasonable in order to remediate the cause of any personal data breach to  the  extent remediation is within  Ethixbase360’s  reasonable control.  Ethixbase360 will keep Owner informed of such cause and the steps it is taking.

Audits

Ethixbase360 shall on request, in accordance with the Data Protection Legislation, make available to Owner such information it has as is necessary to demonstrate Ethixbase360’s compliance with the provisions of this DPA and with the applicable Data Protection Legislation and allow for and contribute to audits.

Any audit (including any audit performed under the Standard Contractual Clauses) shall be performed: (i) following a personal data breach or request from a supervisory authority; or (ii) otherwise  no more than once per calendar year, with at least 60 days prior written notice and be at Owner’s own cost and expense. Audits will be carried out on a remote or desktop basis unless it is not possible to do so. Owner will not unreasonably interfere with Ethixbase360’s day to day business activities and shall comply with its reasonable security requirements.

Assistance

Ethixbase360 shall:

• Without undue delay, provide such reasonable information and assistance as Owner may require in relation to the fulfilment of Owner’s obligations to respond to requests for exercising the Data Subjects’ rights under the Data Protection Legislation; and
• Provide such information, co-operation and other assistance to Owner as Owner reasonably requires (taking into account the nature of processing and the information available to Ethixbase360) to ensure compliance with Owner’s obligations as Controller under Data Protection Legislation, including with respect to:
  • security of processing;
  • data protection impact assessments;
  • prior consultation with a supervisory authority regarding high risk processing; and
  • any remedial action and/or notifications to be taken in response to any personal data breach and/or any complaint or request relating to either party’s obligations under Data Protection Legislation relevant to this DPA, including (subject in each case to Owner’s prior written authorisation) regarding any notification of the personal data breach to supervisory authorities and/or communication to any affected Data Subjects.

Ethixbase360 may (acting reasonably) charge Owner at its standard professional services rates for any support, co-operation or assistance it provides under the DPA and the Standard Contractual Clauses that cannot be provided within the scope of the Services.  This paragraph shall not apply in relation to any support, co-operation or assistance (a) that is a direct legal obligation of Ethixbase360 under the Data Protection Legislation; or (b) required due to a breach of Ethixbase360’s obligations under this DPA or the Standard Contractual Clauses.

Deletion/return

On termination of the provision of Services Ethixbase360 shall securely dispose of Owner Personal Data, unless, within 30 days of termination, Owner requests Ethixbase360 to return (and thereafter promptly to delete) Owner Personal Data at Owner’s cost.  Following receipt of a request Ethixbase360 shall use reasonable commercial endeavours to deliver to Owner a copy of the then most recent back-up of Owner Personal Data within 30 days of receipt of such request.  Ethixbase360 shall have no obligation to deliver such copy unless Owner has paid all fees and charges outstanding at or resulting from termination (whether or not due at the date of termination).  Ethixbase360 shall be entitled to retain Owner Personal Data (i) when required by law; or (ii) when securely isolated and protected on back-up systems and deleted in accordance with Ethixbase360’s standard deletion practises.  Ethixbase360 may also keep one copy of each Report for its own internal risk management purposes for 6 years following the date of the Report.  Any retained Owner Personal Data shall remain subject to the terms of this DPA.

Owner obligations

Owner must obtain all consents or other legal justifications necessary for Ethixbase360 to process Owner Personal Data and to deliver the Services in accordance with an Order and Terms.

The Owner will ensure the Owner Data:

• contains the minimum information required for Ethixbase360 to provide the Services;
• is accurate and complete (and the Owner shall notify Ethixbase360 of any inaccuracies or of any corrections required);
• does not contain any special category or sensitive Personal Data (within the meaning of the Data Protection Legislation) other than as contained in Reports.

If the Owner receives any complaint, notice or communication which relates directly or indirectly to the Service, Ethixbase360 Data or to Ethixbase360’s compliance with the Data Protection Legislation it shall without undue delay notify Ethixbase360 and provide reasonable cooperation and assistance in relation to any such complaint, notice or communication.

Owner will provide Ethixbase360 with reasonable co-operation and assistance in relation to any request made by any Data Subject identified in the Owner Data in relation to the Ethixbase360 Data.

Application of the Terms

The following provisions of the Terms shall apply equally to this DPA as if references in the Terms to “the agreement” or “this agreement” were references to this DPA: 1 (definitions), 12 (limitation of Liability)  as between Ethixbase360 and Owner but not between Ethixbase360 and Data Subjects, , 14 (Force Majeure), 16 (General), 17 (Notices), 18 (Contracting Entity) and 19 (English language).

Schedule 1 – Part 1

Information Required by the Standard Contractual Clauses

For the purpose of SCCs that shall apply between the parties pursuant to the DPA, clauses 7, 9, 11, 13, 17, 18 and the Annexes of the SCCs shall be deemed to be completed as follows:

1. Clause 7 (Docking Clause) shall apply
2. In Clause 9 of the SCCs, Option 2 shall apply and the time period shall be not less than 10 days.
3. The optional wording at Clause 11(a) of the SCCs is deleted.
4. In Clause 13(a) of the SCCs:
   • where the GDPR applies to processing under the Agreement, the applicable wording (as determined by the instructions in square brackets in the SCCs) is retained and the two remaining alternatives are deleted; and
   • where the GDPR does not apply to processing under the Agreement, the wording in Clause 13(a) is deleted and replaced with the following “The supervisory authority of the data exporter, as indicated in Annex I.C, shall act as competent supervisory authority”.
5. In Clause 17 of the SCCs, Option 2 is deleted and Option 1 is completed with details of the applicable governing law as follows:
   • where the GDPR applies to processing under the Agreement and the country of establishment of the data exporter, as specified in Annex I.A of the SCCs, is a Member State of the European Union whose law allows for third party beneficiary rights, the governing law shall be that country of establishment of the data exporter;
   • where the GDPR applies to processing under the Agreement and the country of establishment of the data exporter, as specified in Annex I.A of the SCCs, is not a Member State of the European Union, then the governing law shall be the law of the Republic of Ireland; and
   • where the GDPR does not apply to processing under the Agreement, the wording at Option 1 is deleted and replaced with the following “These Clauses shall be governed by English law.”
6. Clause 18(b) of the SCCs is completed with details of the courts of competent jurisdiction as follows:
   • where the GDPR applies to processing under the Agreement, (i) the courts of the country of establishment of the data exporter, as specified in Annex I.A of the SCCs, provided such country of establishment is a Member State of the European Union and (ii) in all other cases, the courts of the Republic of Ireland; and
   • where the GDPR does not apply to processing under the Agreement, the wording in Clauses 18(a) and (b) is deleted and replaced with the following “(a) NOT USED. (b) Any dispute arising from these Clauses shall be resolved by the courts of England and Wales.”.

ANNEX I to the Standard Contractual Clauses

Annex I.A of the SCCs is completed with the additional party details for transfers as set below:

1. LIST OF PARTIES

Data exporter/processor: 

Name and Address: Owner whose details are set out in the Order.

Contact person’s name, position and contact details:

As set out in the Order

Activities relevant to the data transferred under these Clauses:

Receipt of the services set out in the Agreement.

Data importer/processor: 

Name and Address:  the Ethixbase360 entity identified in the Terms.

Contact person’s name, position and contact details: as set out in the Agreement.

Data Protection Officer, [email protected]

Activities relevant to the data transferred under these Clauses:

Supply of the services set out in the Agreement.

Annex I.B of the SCCs is completed with the processing details and additional transfer details set out in the table below:

1. DESCRIPTION OF TRANSFER

To the extent necessary to provide Services, Ethixbase360 may have access to Personal Data processed by Owner as controller and Ethixbase360 as a processor to Owner. 

Controller	Owner as identified in the Order
Processor	The Ethixbase360 legal entity identified in section 18 of the Terms
Subject matter of processing	·        Authorised Users: for the provision of the Services ·        Other parties: for assessing and managing third party risks in the Owner’s business operations
Duration of Processing	The term of the applicable Order
Nature of Processing	The processing of Personal Data in accordance with an Order and the Terms including collecting, recording, organising, structuring, copying, storing, adapting, retrieving, using, investigating, disclosing by transmitting, making available, combining and erasing purely for the purpose of providing the Services.
Personal Data Categories	Authorised Users: names, email addresses, IP addresses and phone numbers, and/or any other data made available to Ethixbase360 in connection with the provision of the Services Other parties: identification details, contact details, location details, family details, lifestyle and social circumstances, educational details, employment details, financial details, media and other publicly sourced information, appearance on governmental and professional sanctions and watch lists, actual and alleged criminal offence information,  political opinion (Politically Exposed Persons) and/or any other data made available to Ethixbase360 in connection with the provision of the Services or collected by Owner through a custom due diligence questionnaire prepared to Owner’s specification. Sensitive Personal Data (if revealed by public domain research sources): criminal offence information,  political opinion (Politically Exposed Persons).
Data Subject Types	·        Authorised Users ·        Directors, officers, employees, business or other associates of a Collaborative Report Subject and their family members
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)	Continuous
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing	Sub-processor may have access to Owner Personal Data to support the provision of Services for the duration of the Order.

 

Annex I.C of the SCCs is completed with the following details:

1. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority

Data Protection Commission

21 Fitzwilliam Square South
Dublin 2
D02 RD28
Ireland

ANNEX II to the Standard Contractual Clauses

Annex II of the SCCs is completed with the technical and organisational measures described below.

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

 

Ethixbase360  – Singapore

Security during electronic transmission   

• Installation of dedicated lines or VPN tunnels  
•  Encrypted transfer (e.g. HTTPS, SSL, SSH, [algorithm], [number]-bit keys)  
• E-mail encryption  
• All Data in Transit is strictly over TLS (version 1.3)  
• All data is encrypted at rest (AES 256).  
• End-to-end encryption for content   
• Connection encryption for metadata   
• Use of TLS/SSL   
• Key exchange protocols with Perfect Forward   

Physical access control   

Technical and organisational measures for access control, 

•  Alarm system  
• Locking system  
• Chip cards  
• Locking system with code lock  
• Manual locking system  
• Lockable cabinets  
•  For offices  
• For server rooms   
• Visitor checks   
• Logging of visitors / visitor book  
• Obligation for visitors to wear authorisation cards  
• Careful selection of security personnel  
• Obligation to wear identification cards/badges for employees.  
• Biometric access barriers  
• Video surveillance of the access points/entrances  
• Motion detectors  
• Security locks  
• Key regulations   

Physical access to our data centres and infrastructure is restricted to our cloud provider AWS. These include:   

• Intrusion detection systems  
• Authorised staff must pass two-factor authentication a minimum of 2 times to access data centre floors  
• Physical access points to server locations are recorded by CCTV, images are retained according to legal and compliance requirements.
• Physical Access is controlled at building ingress points by professional security team Staff utilising
• Surveillance, detection and other electronic means.
• Entrances to server rooms are secured with devices that sound alarms to initiate an incident response if the door is forced or held open.

• Safety Glazing  
• Code Locks  
• Logging of employee presence 
• Only approved employees/third party have access to data centre
• Justification of access to data with a valid business case.
• Request is reviewed are reviewed and approved by authorised personnel.
• Access Granted based on ‘least privilege’
• Request of access is limited to approved and specific data layer.
• Access is limited and time bound.  
• Access revoked after the time expires.
• Visitor Badge must be present and are signed in and escorted by authorised staff
• Securing of entrance and side doors  

Data Centre Access Review 

• Access to data centres is regularly reviewed. 
• Access is automatically revoked when an employee’s record is terminated in Amazon’s HR system
• Employee and contractors access right is revoked soon the approved duration expires

Data Centre Access Logs 

• Physical Access to AWS data Centre is:
• Logged
• Monitored
• And retained.

Data Centre Access Monitoring 

• Data Centre is monitored by global Operations Centres which are responsible for:
• Monitoring
• Triaging
• And executing security programmes
• Data centre are monitored 24/7 by the SOC team who also assists to respond to
• Security incidents by triaging
• Consulting
• Analysing
• And Despatching response.

Intrusion Detection 

• Electronic detection systems are installed within the data layer to monitor, detect, and automatically alert appropriate personnel of security incidents.
• Ingress and egress points server rooms are secured with devices each individual to provide multi-factor authentication before granting entry or exit. 
• These devices will sound alarm if the door is forced upon without authentication. 
• Door Alarm configured to detect instances where an individual exits or enters a data layer without providing MFA. Alarms are immediately dispatched to 24/7 AWS Security Operations Centres for immediate logging, analysis, and response.

Asset Management 

• Centrally Managed through an inventory management System that stores and tracks:
• Owner, location, Status, Maintenance.

Media Destruction 

• AWS has exacting standards on how to install, service and destroy end of life using NIST 800-88

Technical access control   

Technical (password protection) and organizational (user master data record) measures regarding user identification and authentication:   

• Assignment of user rights  
• Creation of user profiles  
• Password policy  
• Automated expiration of passwords after deadline  
• Password quality requirements (special character, length)  
• Authentication with username/password  
• Automatic computer lock after certain inactivity  
• Automatic log-out from programs after a certain period of inactivity  
• Assignment of user profiles to IT systems  
• Locking of external interfaces (USB etc.)  
• Use of intrusion detection systems.  
• Use of central smartphone administration software (e.g., for external deletion of data)  
• Use of anti-virus software.  
• Use of a hardware firewall  
• Use of a software firewall  
• Use of private storage media prohibited.  
• Interfaces for external storage media (e.g., USB) blocked  
• Periodic checks for and removal of redundant and un-used user IDs   
• 2-factor authentication for remote access  
• Access restriction based on specific user groups subdivided to task areas  
• Secure storage of administrator passwords for the IT system  
• Secure storage of keys for cryptographic processes  
• Internal management of access rights  
• Separation of data within the system to secure information  
• Locking away of mobile computers outside of business hours  
• Certificate-based access authorisation  
• Logging of data processing activities  

Authorisation control    

Demand-oriented design of the authorization concept and access rights as well as their monitoring and logging:   

• Authorization concept  
• Employee commitment to data secrecy   
• Obligation of secrecy and confidentiality  
• Rights management by system administrator  
•  Number of administrators reduced to the bare minimum  
•  Logging of access to applications, in particular when entering, changing and deleting data  
• Logging of faulty logins (log-on attempts)  
•  Secure storage of data media  
• Physical deletion of data carriers before reuse  
• Proper destruction of data carriers (DIN 66399)  
• Use of document shredders or professional service providers with data protection seal of destruction  
• Logging the destruction of data  
• Logging of access authorisation  
• Logging if system usage and log evaluation  

Separation control    

Measures for the separate processing (storage, modification, erasure, transmission) of data with different purposes:   

• Logical client separation (software-side)  
• Creation of an authorization concept  
• Providing the data records with purpose attributes/data fields   
• Definition of database rights  

 Separation of production and test system   

• User competence   
• Limited user access    
• Separation of functions   
• Separation of databases   
• Separation of test and routine programs   
• Separation of test and productive data   
• Client separation   
• File Separation   
• Separation of tables within databases   
• Physically separated storage   
• Encryption   
• Access to data being separated through application security for the appropriate users   
• Traffic between various networks being controlled by firewalls   

Input control    

Measures for subsequent verification as to whether and by whom data have been entered, changed or removed/deleted:   

• Logging of the input, modification and deletion of data through individual user names (not user groups)  
• Overview showing which applications can be used to enter, change and delete which data.  
• Authorization concept  
• Logging of entries, changes, and deletions within the system   
• Seamless process logging for each individual case    
• Traceability within the system   
• Program access only for known and authorized persons   
• Separation of program and data areas of different users   
• Assign individual usernames instead of user groups   
• Malware protection  
• Separation of programme and data areas of different users  
• Assign individual usernames instead of user groups  
• Automatic screen lock after 3 minutes of inactivity  

Human Resources controls/ISO27001 

• ISO27001 certified with emphasis upon security prior to selecting candidates, during employment and after.
• Multiple interviews are conducted with any potential employee or contractor. Character and professional references are mandatory. 
• Background verification checks are conducted using the Ethixbase360 platform. 
• A due diligence report is carried out on the potential employee/contractor or third-party. Background check includes areas such as individual background information, sanctions, enforcement and watchlist, Political exposure risk and negative media finding. 
• A non-disclosure agreement is also in place during the period and after the end of the contract. 
• All employees including third-party go through Security Training as part of the on-boarding process and as a yearly refresher term in partnership with the National Cyber Security Centre of UK. 

• Employee contracts stipulate requirement to read and understand and agree and abide by the
• Non-Disclosure agreement
• Information Security Technology Policy and associated Information Security Policies.

Ethixbase360 – USA

Ethixbase360 has implemented appropriate technical and organizational security measures as required by Applicable Data Protection Law. These include, but are not limited to the following:

Use of Secure Systems
Ethixbase360 utilizes Microsoft Azure, an industry-leading provider of cloud computing solutions, to host our website, Third Party Management System (TPMS), and network resources.  Currently, TPMS servers are hosted in Ireland, with back-ups in the United Kingdom. Azure meets a broad set of international and industry-specific compliance standards, such as General Data Protection Regulation (GDPR), ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2, as well as country-specific standards, including Australia IRAP, UK G-Cloud, and Singapore MTCS. Rigorous third-party audits, such as those done by the British Standards Institute, verify Azure’s adherence to the strict security controls these standards mandate. All Microsoft data centers maintain state-of-the art physical security, including 24x7x365 surveillance, environmental protections and extensive secure access policies. 

Ethixbase360 partners with Docebo, N.A. for its online training learning management system (LMS) and LMS data is currently housed on their servers located in Canada, with a back-up server housed in Ireland. Docebo is GDPR-compliant, has recently completed its SOC 2 type II audit and is also an ISO 9001 & 27001 certified company. The Docebo LMS is developed, maintained and operated through a Software Development Life Cycle (SDLC) and a Change Management process including the security by design principle and the highest security and quality standards.

ISO 27001 Compliance
Ethixbase360 is compliant with ISO 27001 standards. Security measures are supported by internal policies, procedures and contractual obligations among controllers, processors and recipients.

External Security Audits and Penetration Tests
Ethixbase360 conducts penetration tests on an annual basis both in the application and in the infrastructure level using well-known, independent third-party auditors. Ethixbase360 also employs third party auditors to certify our continued compliance with ISO 27001 standards.

Physical Security
Ethixbase360’s premises are alarmed, require access keys, and are kept secure when not occupied. All visitors to Ethixbase360 offices must sign in and be accompanied by an employee at all times. There are CCTV security cameras in the exterior of our building.

Access Control
Only personnel and Affiliates who are properly authorized, subject to confidentiality obligations, and have a need-to-know, have access to your company’s data. Ethixbase360 regularly conduct user access reviews to ensure appropriate permissions are in place, in accordance with the least privilege principle. Employees have their access rights promptly modified upon change in employment. Ethixbase360 systems are password-protected and Ethixbase360 utilizes multi-factor authentication technology for those accessing our systems remotely.

Ethixbase360 Consultant sub-Processors are provided with company email addresses and are required to access Ethixbase360 systems via secure remote multi-factor authentication using either Ethixbase360 or Affiliate-issued equipment or equipment approved by Ethixbase360 for use in the provision of the services. 

Security Awareness and Training
Ethixbase360 understands that its security is dependent on its employees. Therefore, all our employees undergo thorough information security awareness training during onboarding. Further security training is provided on at least an annual basis. Additionally, all employees must sign our Acceptable Use Policy.

Application Security
Ethixbase360 implements a security-oriented design in multiple layers, one of which is the application layer. Our TPMS is developed according to the OWASP Top 10 framework and all code is peer reviewed prior to deployment to production. Our controlled SDLC process includes end-to-end and unit testing which addresses authorization aspects and more.

Infrastructure Security
Ethixbase360 infrastructure is protected using multiple layers of defense mechanisms, including:

• Firewalls for enforcing IP whitelisting and access through permitted ports only to network resources
• A web application firewall (WAF) for content-based dynamic attack blocking
• DDoS mitigation and rate limiting
• NIDS sensors for early attack detection
• Advanced routing configuration
• logging of network traffic, both internal and edge

Data Encryption
Ethixbase360 encrypts all data both in transit and at rest:

• Traffic is encrypted using TLS 1.3 with a modern cipher suite, supporting TLS 1.2 at minimum
• User data is encrypted at rest across our infrastructure using AES-256 or better
• Credentials are hashed and salted using a modern hash function

Data Minimization & Retention
The Personal Data collected is carefully circumscribed to what is relevant and strictly necessary to perform the Services, and the data is periodically deleted pursuant to Ethixbase360’s data retention schedule.

Disaster Recovery and Backups
Ethixbase360 is committed to providing continuous and uninterrupted service to all its customers. Ethixbase360 consistently backs up user data with 35-day point-in-time recovery. All backups are encrypted and distributed to various locations, where they are retained for 56 days (8 weeks).

Our Disaster Recovery Plan is tested at least annually to assess its effectiveness and to keep the teams aligned with their responsibilities in case of a service interruption.

Annex III of the SCCs is completed with the details of the sub-processors set out in the list maintained by Ethixbase360 a copy of which is available on request by Owner .

Schedule 1- Part 2

Information Required by the UK Addendum

UK Addendum Tables

Table 1:  Parties

Start date	Date of the Order
The Parties	Exporter (who sends the Restricted Transfer)	Importer (who receives the Restricted Transfer)
Parties’ details	Owner whose details are set out in the Order	Ethixbase360 whose details are set out in the Terms
Key Contact	As set out in the Agreement	As set out in the Agreement

 

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs

The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:

Module	Module in operation	Clause 7 (Docking Clause)	Clause 11 (Option)	Clause 9a (Prior Authorisation or General Authorisation)	Clause 9a (Time period)	Is personal data received from the Importer combined with personal data collected by the Exporter?
	2	Yes	No	Option 2 – General  Authorisation	10 days	Yes

Table 3: Appendix Information is completed with cross references to the relevant Annexes in the SCCs.

Table 4: Ending this Addendum when the Approved Addendum Changes:  The “Exporter” option is selected.

 

Schedule 2 – Additional Safeguards

If Ethixbase360 is located outside the UK or EEA, the following additional safeguards will apply:

1. Ethixbase360 shall have in place and maintain in accordance with good industry practice measures to protect Owner Personal Data from interception (including in transit from Owner to Ethixbase360 and between different systems and services). This includes having in place and maintaining network protection intended to deny attackers the ability to intercept data and encryption of Owner Personal Data whilst in transit and at rest intended to deny attackers the ability to read
2. Ethixbase360 will make commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to Owner Personal Data protected under GDPR or the UK GDPR, including under section 702 of the United States Foreign Intelligence Surveillance Act (“FISA”);
3. If Ethixbase360 becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Owner Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise (unless legally prohibited from doing so):
   1. Ethixbase360 will notify Owner promptly after first becoming aware of such demand for access to Owner Personal Data and provide Owner with all relevant details of the same, unless and to the extent legally prohibited to do so;
   2. Ethixbase360 shall inform the relevant government authority that Ethixbase360 is a processor of the Owner Personal Data and that Owner has not authorized Ethixbase360 to disclose the Owner Personal Data to the government authority, and inform the relevant government authority that any and all requests or demands for access to the Owner Personal Data should therefore be notified to or served upon Owner in writing;
   3. Ethixbase360 will use commercially reasonable legal mechanisms to challenge any such demand for access to Owner Personal Data which is under Ethixbase360’s control. Notwithstanding the above, (a) Owner acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended government authority access, and (b) if, taking into account the nature, scope, context and purposes of the intended government authority access to Owner Personal Data, Ethixbase360 has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this subsection (c)(III) shall not In such event, Ethixbase360 shall notify Owner, as soon as possible, following the access by the government authority, and provide Owner with relevant details of the same, unless and to the extent legally prohibited to do so.
   4. Once in every 12-month period, Ethixbase360 will inform Owner, at Owner’s written request, to the extent permitted by applicable law, of the types of binding legal demands for Personal Data it has received and solely to the extent such demands have been received, including national security orders and directives, which shall encompass any process issued under section 702 of FISA.