Data Processing Agreement
Background
1.1 This Data Processing Agreement (“DPA”) regarding Processing of Personal Data forms part of the Agreement entered into between Customer and Tacton. The provisions of this DPA shall apply to the extent Tacton, in providing the Services set forth in the Agreement, processes Personal Data on behalf of Customer. References to the Agreement will be construed as including this DPA.
1.2 Any capitalized terms not defined herein shall have the respective meanings given to them in the Agreement.
1.3 This DPA consists of (i) the main body of this DPA, (ii) Details of Processing of Customer’s Personal Data, Attachment 1, (iii) Security Documentation, Attachment 2, (iv) List of Sub-processors, Attachment 3, and where applicable, (v) the “Standard Contractual Clauses”, Attachment 4.
1.4 Tacton will also process Personal Data on behalf of Affiliates of Customer that are explicitly covered by the Agreement. Such Processing of Personal Data will also be covered by this DPA, and the Customer Affiliates have the same rights and obligations as the Customer herein. All rights, obligations and communications under this DPA between Tacton and Customer Affiliates will be channeled via Customer. Any reference in the DPA to the Customer’s rights and obligations shall be regarded as a reference to any Customer Affiliate’s rights and obligations.
1.5 The Parties have entered into this DPA to comply with the requirements set out in the Data Protection Laws and Regulations. The Parties shall negotiate in good faith and agree on any relevant and necessary amendments and updates to this DPA and the Processing carried out hereunder to ensure that it complies with the Data Protection Laws and Regulations at all times during the term of the Agreement.
Definitions
2.1 “Agreement” means a Master Services Agreement (MSA), License Agreement, SaaS Services Agreement, Project Services Agreement, or other agreements related to the purchase of Services from Tacton.
2.2 “Data Controller” means the entity that determines the purposes and means of the Processing of Personal Data. For purposes of this DPA, Customer and/or applicable Customer Affiliates are the Data Controller.
2.3 “Data Processor” means the entity which processes Personal Data on behalf of the Data Controller. For purposes of this DPA, Tacton, including its Affiliates, is the Data Processor.
2.4 “Data Protection Laws and Regulations” means all mandatory laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, applicable to the Processing of Personal Data under the Agreement.
2.5 “GDPR” means the EU General Data Protection Regulation 2016/679.
2.6 “Data Subject” means the individual to whom Personal Data relates.
2.7 “Personal Data” means data about a living individual transmitted to Tacton from which that person is identified or identifiable, as defined in the applicable Data Protection Laws and Regulations.
2.8 “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
2.9 “Security Documentation” means the information set out in Attachment 2, as updated from time to time.
2.10 “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data.
2.11 “Services” means a Tacton service offering described in the applicable Order Form, Statement of Work, Service Order Form or other service description, provided by Tacton to Customer under the Agreement.
2.12 “Standard Contractual Clauses” or “SCCs” means the European Commission’s decision of 4 June 2021 on Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council and any revised standard contractual clauses published later in accordance with the GDPR.
2.13 “Sub-processor” means any data processor, whether or not a Tacton Affiliate, engaged by Tacton to Process Personal Data on behalf of Data Controller in accordance with this DPA.
Processing of Personal Data
3.1 Tacton’s Processing of Personal Data
TACTON CONFIDENTIAL INFORMATION
3.1.1 Tacton shall, in connection with Processing of Personal Data, comply with Data Protection Laws and Regulations. Tacton will process Personal Data on Customer’s behalf and only in accordance with Customer’s documented instructions (including via email), for the purposes of providing the Services to Customer and to the extent required by law. Customer hereby acknowledges that by virtue of using the Services it gives Tacton instructions to process and use Personal Data in order to provide the Services in accordance with the Agreement. Customer takes full responsibility to keep the amount of Personal Data provided to Tacton to the minimum necessary for the performance of the Services.
3.1.2 This DPA and the Agreement are the complete and final instructions of Customer to Tacton for the Processing of Personal Data. Tacton shall immediately inform Customer if, in its opinion, an instruction infringes the GDPR or other EU or Member State data protection provisions.
3.1.3 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Tacton shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.
3.1.4 Tacton will not disclose or share the Personal Data processed under the Agreement, with any third party except a) as expressly permitted under the Agreement or DPA, b) with the written authority of the Customer, or c) if required under applicable law.
3.1.5 Attachment 1 to this DPA sets out certain information regarding the Processing of Customer’s Personal Data as required by article 28(3) of the GDPR. Customer may make reasonable amendments to Attachment 1 by written notice to Tacton from time to time as Customer reasonably considers necessary to meet those requirements. Tacton is entitled to charge for any additional work carried out by it to comply with the Controller’s amended instructions on a time and material basis in accordance with its standard consultancy rates. Nothing in Attachment 1 confers any right or imposes any obligation on any party to this DPA.
3.1.6 Customer shall, in its use of the Services, comply with Data Protection Laws and Regulations. Customer’s instructions to Tacton for the Processing of Personal Data must comply with Data Protection Laws and Regulations. In addition, Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data, including providing any required notices to, and obtaining any necessary consent from, the relevant Data Subjects.
Rights of Data Subjects
4.1 Deletion of Personal Data.
4.1.1 The Customer may, upon termination of this DPA, request the deletion of Personal Data of an individual Data Subject. Following such deletion request by Customer, Tacton will delete such data from its systems as soon as reasonably practicable.
4.1.2 Subject to sections 4.1.3 and 4.1.4 Tacton shall promptly and in any event within ninety (90) days of the date of termination of any Services involving the Processing of Personal Data (the “Termination Date“), delete and procure the deletion of all copies of those Personal Data.
4.1.3 Subject to section 4.1.4, Customer may in its absolute discretion by written notice to Tacton within thirty (30) days of the Termination Date require Tacton to (a) return a complete copy of all Personal Data to Customer by secure file transfer in such format as is specified in the Documentation describing the Service; and (b) delete and procure the deletion of all other copies of Personal Data Processed by Tacton and any Sub-processor. Tacton shall comply with any such written request within ninety (90) days of the Termination Date.
4.1.4 Tacton and any Sub-processor may retain Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Tacton and any Sub-processor shall ensure the confidentiality of all such Personal Data and shall ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
4.1.5 Tacton and any Sub-processor shall provide written certification to Customer that it has fully complied with this section 4.1 within ninety (90) days of the Termination Date.
4.2 Data Subject Requests
4.2.1 Taking into account the nature of the Processing, Tacton shall assist Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws and Regulations.
4.2.2 Tacton shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment or deletion of such Data Subject’s Personal Data. Tacton shall not respond to any such Data Subject request without Customer’s prior written consent except to confirm that the request relates to Customer.
4.3 Complaints or Notices related to Personal Data
4.3.1 In the event Tacton receives any official complaint, notice, or communication that relates to Tacton’s processing of Personal Data or either party’s compliance with applicable laws in connection with Personal Data, to the extent legally permitted, Tacton shall promptly notify Customer and, to the extent applicable, Tacton shall provide Customer with commercially reasonable cooperation and assistance in relation to any such complaint, notice, or communication. Customer shall be responsible for any reasonable costs arising from Tacton’s provision of such assistance.
Tacton Personnel
5.1 Tacton shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and are subject to confidentiality undertakings or professional or statutory obligations of confidentiality. Tacton shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
5.2 Tacton shall ensure that access to Personal Data is limited to those personnel who require such access to perform the Agreement.
Appointment of Sub-Processors
6.1 Customer acknowledges and agrees that (i) Tacton is entitled to retain its Affiliates as Sub-processors, and (ii) Tacton or any such Affiliate may engage any third parties from time to time to process Customer Personal Data in connection with the provision of Services.
6.2 Tacton will only disclose Personal Data to Sub-processors that are parties to written agreements with Tacton including obligations no less protective than the obligations of this DPA.
6.3 Tacton shall ensure that each Sub-processor performs the obligations under sections 3.1, 4, 5, 8, 9 and 10, as they apply to Processing of Customer Personal Data carried out by that Sub-processor, as if it were party to this DPA in place of Tacton. Tacton shall be liable for the acts and omissions of its Sub-processors to the same extent Tacton would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
6.4 Tacton will provide to the Customer the names of its Sub-processors processing the Personal Data and the countries in which such data is or may be processed. The list of current Sub-processors is enclosed to this DPA in Attachment 3.
6.5 Tacton shall give Customer prior written notice of the appointment of any new Sub-processor, including full details of the Processing to be undertaken by the Sub-processor. If, within thirty (30) days of receipt of that notice, Customer notifies Tacton in writing of any objections (on reasonable grounds) to the proposed appointment, then Tacton shall work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Sub-processor; and where such a change cannot be made within ninety (90) days from Tacton’s receipt of Customer notice, notwithstanding anything in the Agreement, Customer may by written notice to Tacton with immediate effect terminate the Agreement to the extent that it relates to the Services which require the use of the proposed Sub-processor.
Additional Terms for Transfer of Personal Data From the EEA
7.1 Application of Standard Contractual Clauses.
7.1.1 The Standard Contractual Clauses (“SCCs”) and the terms of this Section 7 will only apply to the extent that Personal Data Processed by Tacton in the course of providing the Services is transferred from within the European Economic Area (EEA) to a country or recipient outside the EEA that is not recognized by the European Commission as providing an adequate level of protection for Personal Data.
7.1.2 In the event (i) the Controller is an entity in a third country, and (ii) Tacton transfers Personal Data to the Controller, the Parties shall enter into the Standard Contractual Clauses (Module 4) which shall be incorporated into this DPA as Attachment 4.
7.1.3 If Tacton engages a Sub-processor to process Personal Data on behalf of Customer in a country not recognized by the European Commission as providing an adequate level of protection for Personal Data, Tacton shall enter into the SCCs with such Sub-processor.
Security; Audit Rights
8.1 Controls for the Protection of Personal Data.
8.1.1 Tacton will maintain appropriate technical and organizational safeguards, as described in the Security Documentation (Attachment 2), against unauthorized or unlawful Processing of the Personal Data, and against accidental loss or destruction of, and damage to, the Personal Data.
8.1.2 Subject to sections 8.1.3 to 8.1.6, Tacton shall make available to Customer on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by Customer that is not a competitor to Tacton, or an auditor mandated by Customer in relation to the Processing of Personal Data by Tacton and any Sub-processors.
8.1.3 Any third party auditor shall be mutually agreed upon and paid by Customer, and shall be under a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the DPA, obligating it to maintain the confidentiality of all Tacton Confidential Information and all audit findings.
8.1.4 Information and audit rights of Customer only arise under section 8.1.2 to the extent that the Agreement does not otherwise give Customer information and audit rights meeting the relevant requirements of Data Protection Laws and Regulations (including, where applicable, article 28(3)(h) of the GDPR).
8.1.5 Customer undertaking an audit shall give Tacton reasonable notice of any audit or inspection to be conducted under section 8.1.2 and shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to Tacton’s and any Sub-processor’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. Tacton and any Sub-processor need not give access to their premises for the purposes of such an audit or inspection:
(i) to any individual unless he or she produces reasonable evidence of identity and authority;
(ii) outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Customer has given notice to Tacton that this is the case before attendance outside those hours begins; or
(iii) for the purposes of more than one audit or inspection, in respect of each of Tacton or any Sub-processor, in any calendar year, except for any additional audits or inspections which:
a) Customer reasonably considers necessary because of genuine concerns as to Tacton’s compliance with this DPA; or
b) Customer is required or requested to carry out by Data Protection Laws and Regulations, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws and Regulations in any country or territory; or
c) where Customer has identified its concerns or the relevant requirement or request in its notice to Tacton of the audit or inspection.
8.1.6 Before the commencement of any on-site audit, Tacton and Customer shall mutually agree upon the timing and duration of the audit and in addition Tacton will provide Tacton’s reimbursement rate for which Customer shall be responsible.
8.1.7 Customer shall, at no charge, provide to Tacton a full copy of all findings of the audit.
8.2 Third Party Certifications
8.2.1 Tacton has obtained the third-party certifications and audits set forth in the Security Documentation. Upon Customer’s written request at reasonable intervals, Tacton shall provide a copy of Tacton’s then most recent third-party audits or certifications (the “Audit Reports”), as applicable, or any summaries thereof, that Tacton generally makes available to its customers.
8.3 Satisfaction of Audit Request
8.3.1 Upon receipt of a written request to audit, and subject to Customer’s agreement, Tacton may satisfy such audit request by providing Customer with a confidential copy of an Audit Report (described in Section 8.2.1) in order that Customer may reasonably verify Tacton’s compliance with the technical and organizational measures set forth in Attachment 2.
8.4 Notice of Failure to Comply
8.4.1 After conducting an audit under Section 8.1.2 or after receiving an Audit Report under Section 8.3.1, Customer must notify Tacton of the specific manner, if any, in which Tacton does not comply with any of the security, confidentiality, or data protection obligations in this DPA. Any such information will be deemed Confidential Information of Tacton. Upon such notice, Tacton will use commercially reasonable efforts to make any necessary changes to ensure compliance with such obligations.
Security Breach Management and Notification
9.1 Tacton maintains security incident management policies and procedures, including detailed security incident escalation procedures. If Tacton becomes aware of any Security Incident, then Tacton will notify Customer without undue delay, and in any event within forty-eight (48) hours, and provide Customer with relevant information about the Security Incident, including, to the extent then known, the type of Personal Data involved, the volume of Personal Data disclosed, the circumstances of the incident, mitigation steps taken, and remedial and preventative action taken.
9.2 Tacton shall co-operate with Customer and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Security Incident.
Data Protection Impact Assessment and Prior Consultation
10.1 Tacton shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Customer reasonably considers to be required of Customer by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Laws and Regulations.
Liability
11.1 Each party’s liability under the DPA shall be limited in accordance with the limitation of liability in the Agreement.
11.2 Notwithstanding Section 11.1, the limitation of liability does not apply to administrative fines imposed by supervisory authorities or national courts in accordance with Article 83 of the GDPR.
Legal Effect; Termination
12.1 This DPA shall only become legally binding between Customer and Tacton when fully executed and will terminate when the Agreement terminates, without further action required by either party.
Governing law and jurisdiction
13.1 The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
13.2 This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
Order of Precedence
14.1 Nothing in this DPA reduces Tacton’s obligations under the Agreement in relation to the protection of Personal Data or permits Tacton to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Agreement.
14.2 Subject to section 14.1 with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.
Attachment 1
Details of Processing of Customer’s Personal Data
Subject matter and duration of the Processing of Customer Personal Data
The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement and this DPA.
The nature and purpose of the Processing of Customer Personal Data
Tacton will Process Personal Data as necessary to perform the Services pursuant to the Agreement and as further instructed by Customer in its use of the Services. Tacton may process Personal Data in Tacton’s technical environment and, when applicable, by remote access to the Customer’s technical environment, in the latter case by using access privileges granted and administered by the Customer.
Customer uses Tacton CPQ applications to configure, price and quote products and services. Where the applications are provided as SaaS, Tacton and its Sub-processors manage the cloud-based infrastructure, including databases, used by Tacton CPQ applications; installations, upgrades and issue resolution may require access to production and test data, including user accounts and other organization references, customers, products and quote information.
The types of Customer Personal Data to be Processed
Customer may submit Personal Data to the applications and Services, the extent of which is determined and controlled by Customer in its sole discretion. Data fields for Personal Data are defined in the customer-unique configuration of the application. Customer may not submit sensitive Personal Data.
Customer’s Personal Data that is processed may include but is not limited to the following categories:
- First and last name
- Email address
- User name
- Phone and mobile number
- Physical business address
- Title and organization and role
The categories of Data Subject to whom the Customer Personal Data relates
If no other categories are added by the Customer, Data Subjects are users of Tacton CPQ applications, staff involved in the sales process, and procurement staff at Controller’s end customers, e.g. named references on quote headers.
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion. Data fields for Personal Data are defined in the customer-unique configuration of the application.
Customer’s Personal Data can relate to, but is not limited to the following categories of data subjects:
- Prospects, customers, business partners and vendors of Customer (who are natural persons)
- Employees or contact persons of Customer’s prospects, customers, business partners and vendors
- Employees, agents, advisors, freelancers of Customer (who are natural persons)
- Customer’s Users authorized by Customer to use the Services
The obligations and rights of Customer and Customer Affiliates
The obligations and rights of Customer and Customer Affiliates are set out in the Agreement and this DPA.
Attachment 2
Security Documentation
This documentation describes security measures for Tacton Services, including, but not restricted to, Tacton software as a service (jointly referred to as SaaS in this document), Support Services, Professional Services and other services provided to Customers for demonstration and test purposes. SaaS, Support Services, Professional Services and other services provided by Tacton are jointly referred to as Services in this document. Tacton implements these security measures to comply with, e.g., Article 32 of the GDPR.
Architecture and Data Segregation
SaaS operates in multitenant architectures. The architectures provide data separation between Customers and allow use of role-based access privileges.
When performing Services, Tacton may process personal data and other Customer data in Tacton’s technical environment and, when applicable, by remote access to the Customer’s technical environment, in the latter case by using access privileges granted and administered by the Customer.
Operational Procedures
Services include all security relevant operational procedures, including Incident Management and Change Management procedures.
Tacton notifies impacted Customers without undue delay of any incidents of which Tacton becomes aware, to the extent permitted by law.
All changes to SaaS are introduced on master images and on file repositories. When tests are approved and changes are finally decided, production environments are completely and automatically re-built from the approved master image and the approved file repositories, thus preventing manual mistakes from affecting the functionality and the security of Tacton Services.
Personal Data Processing Categories
The categories of Personal Data processed by Tacton when performing Services are described in Attachment 1.
User Authentication and Authorization
SaaS supports a range of user authentication solutions. Operator / administrator duties and common user duties are separated. All administrator activities are logged.
Users of SaaS are set up and managed by the Customer as having different roles, defined to have different types of access to different business layers and thus different access rights (read, modify, etc.) to data. This solution supports “the principle of least privilege”. User access is logged.
Users of, and access privileges to, the Customer’s own technical environment/s are set up and managed by the Customer.
Third Country Considerations
All processing of Personal Data by Tacton on behalf of Customer is performed within the EU/EEA, unless otherwise explicitly agreed.
Third-Party Functionality
SaaS uses functionality provided by AWS. Depending on the specific SaaS, the functionality used may include, but is not limited to, EC2 (virtual machines, load balancers, EBS, etc.), VPC (networking), S3 (storage), IAM (authentication and authorization service), RDS (database), Route 53 (domain management), CloudTrail and CloudWatch (logging and monitoring), SNS (Simple Notification Service), Lambda (deployment and patching), KMS (Key Management Service), ACM (AWS Certificate Manager), Elasticsearch (logging), Kinesis (data streaming), and CloudFormation (infrastructure as code).
Nordcloud is a supplier that operates Tacton’s SaaS environments.
All Sub-processors used by Tacton are parties to written agreements with Tacton including obligations no less protective than the obligations of this DPA.
Audits and Certifications
Tacton’s SaaS products are ISO/IEC 27001 certified and covered by a SOC 2 Type II report, and Tacton strives to be compliant with the management system standard ISO 9001 and to apply relevant ITIL processes.
Tacton is not required to comply with legislation like HIPAA and has no agreements requiring compliance with industry security standards like PCI-DSS.
Tacton is subject to comprehensive audits. It is a legal requirement to include a short report, summarizing the external auditors’ findings, in the yearly report from Tacton Systems AB.
AWS, Tacton’s SaaS infrastructure provider, holds ISO/IEC 27001 certification, SOC 2 Type II reports and PCI DSS attestation, and undergoes annual audits.
Nordcloud, operating Tacton’s SaaS environments, is ISO/IEC 27001 certified.
Tacton’s own systems are run on cloud platforms from suppliers that are ISO/IEC 27001 certified and covered by SOC 2 Type II reports.
Annual vulnerability scanning and penetration tests by an independent third party are part of the Tacton SaaS offer.
Technical and organizational security measures implemented by Tacton and its Processors and Sub-Processors are subject to regular audits.
Security Logs
All systems used in the provision of SaaS, including firewalls, routers, network switches and operating systems as well as the main applications used, log information in order to enable security reviews and analysis.
Logging of Support Services activities and Professional Services activities in the Customer’s technical environments is a Customer responsibility.
Physical Security
Data centers used to provide Services to and from Tacton have access control systems that permit only authorized personnel to have access to secure areas. These facilities are designed to withstand physical attacks and adverse weather and other reasonably predictable natural conditions, utilize redundant electrical and telecommunications systems, employ environmental systems that monitor temperature, humidity and other environmental conditions, and contain strategically placed heat, smoke and fire detection and suppression systems. Facilities are secured by around-the-clock guards and interior and exterior surveillance cameras. In the event of a power failure, uninterruptible power supply and continuous power supply solutions are used to provide power while activating on-site back-up generators.
Tacton’s offices are equipped with physical access control systems that permit only authorized personnel to have access. Facilities are secured by intrusion and fire alarm systems and surveillance cameras.
Business Continuity and Disaster Recovery
Tacton employs a formal (documented, approved, published, communicated and implemented) Business Continuity / Disaster Recovery policy / process. Disaster Recovery, i.e. establishing new and complete production sites, is regularly tested as part of the operational procedures. Master images, repositories, database mirrors, and transaction logs needed for new site establishment are saved at two sufficiently separated sites.
Business Continuity relies on redundancy and is maintained through normal operational procedures, which include load-balanced dual production sites, sufficiently separated. If one site fails, production continues, and a new site is established within a very short time from quality-assured master images and repositories. The strategy is to never update, always rebuild, to reduce the risk that weaknesses and vulnerabilities are preserved in old parts of code and/or data. In this strategy, backups are used primarily for the protection of data integrity.
Databases used by Tacton when providing SaaS are, when required for data integrity reasons, recovered from database mirrors and transaction logs.
Tacton’s own Business Continuity relies on redundancy and is maintained through normal operational procedures. In the event of e.g. a power failure, Tacton reallocates to alternate premises.
Malicious Code
SaaS and Tacton’s own production environments are protected against malicious code according to industry best practices.
Data Encryption
Data at rest and in transit is protected from unauthorized access and disclosure by encryption or other industry best practices.
Attachment 3
List of Sub-Processors of Personal Data (SaaS)
| Sub-processor (full legal name, contact information, location) | Services Provided | Location of Personal Data processed by Sub-processor |
|---|---|---|
| Tacton Systems GmbH | Product support and cloud infrastructure | Germany |
| Amazon Web Services Ltd, Ireland, https://aws.amazon.com/ | Cloud infrastructure | Europe (Ireland) Region * |
| Amazon Web Services Inc, https://aws.amazon.com/ | Cloud infrastructure | US West (Oregon) Region ** |
| Nordcloud Hosting Sweden AB, nordcloud.com | Cloud operations and support | Sweden |
| Nordcloud Oy (Finland), nordcloud.com | Cloud operations and support | Finland |
| Salesforce, Rupert-Mayer-Str. 44, 81379 München, Germany | Tacton’s CRM; management of contract and business relation data | Germany |
| Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland | Office 365; collaboration tools such as e-mail, chat and file share | Ireland |
| Direct communication Sp. z o.o. | Product support | Poland |
| Cafeto Software USA LLC | Product support | USA |