Data Processing Agreement

This Data Processing Agreement (“DPA”) forms an integral part of, and is subject to, XM’s Subscription Agreement and/or Subscription Terms (the “Agreement”) entered into by and between XXXXXX (hereinafter referred to as “Controller”) and XM Cyber Ltd. (hereinafter referred to as “Processor”). Controller and Processor are hereinafter jointly referred to as the “Parties” and individually as a “Party”. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.

1.     Definitions

In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings set forth opposite each one of them:

  • “Affiliate” means any entity that directly or indirectly Controls, is Controlled by, or is under common control with the subject entity. “Control” for purposes of this definition means having the power, directly or indirectly, to direct or cause the direction of the management and policies of the entity, whether through ownership of voting securities, by contract or otherwise;
  • “Applicable Laws” means (a) European Union or Member State laws with respect to any Controller Personal Data in respect of which Controller is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Controller Personal Data in respect of which the Controller is subject to any other Data Protection Laws;
  • “Controller Personal Data” means any Personal Data Processed by Processor on behalf of Controller pursuant to or in connection with the Agreement, including without limitation Customer Data (as defined in the Agreement);
  • “Controller-to-Processor SCCs” means the Standard Contractual Clauses (Controller to Processor) in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as may be amended or replaced from time to time by the European Commission;
  • “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other applicable country as agreed in writing between the Parties, including in the United States and Israel;
  • “EU Data Protection Laws” means the GDPR and laws implementing or supplementing the GDPR as supplemented by European Union Member State data protection laws, to the extent applicable;
  • “GDPR” means EU General Data Protection Regulation 2016/679;
  • “Restricted Transfer” means (i) a transfer of Controller Personal Data from Controller to Processor; or (ii) an onward transfer of Controller Personal Data from a Processor to a Sub Processor, or between two establishments of Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of a legal transfer mechanism to be established under this DPA, including without limitation the applicable Standard Contractual Clauses;
  • “Sub Processor” means any person (including any third party and any Processor Affiliate, but excluding an employee of Processor or any of its sub-contractors) appointed by or on behalf of Processor or any Processor Affiliate to Process Personal Data on behalf of the Controller in connection with the Agreement;
  • “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR and adopted by the European Commission Decision 2021/914 of 4 June 2021, which is attached herein by linked reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN.
  • The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processor”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR.

2.     Processing of Controller Personal Data

  • Processor shall not Process Controller Personal Data other than on the Controller’s documented reasonable and customary instructions as specified in the Agreement or this DPA that were specifically and explicitly agreed to by Processor, unless such Processing is required by Applicable Laws to which the Processor is subject.
  • Controller instructs Processor (and authorizes Processor to instruct each Sub Processor) to (i) Process Controller Personal Data; and (ii) in particular, transfer Controller Personal Data to any country or territory, all as reasonably necessary for the provision of the services provided under the Agreement and consistent with Section 2.1 above and the Agreement, and in accordance with Applicable Laws.
  • Furthermore, Controller warrants and represents that it is and will remain duly and effectively authorized to give the instruction set out in Section 2.1 and any additional instructions as provided pursuant to the Agreement and/or in connection with the performance thereof, on behalf of itself and each relevant Controller Affiliate, at all relevant times and at least for as long as the Agreement is in effect and for any additional period during which Processor is lawfully processing the Controller Personal Data.
  • Controller sets forth the details of the Processing of Controller Personal Data, as required by Article 28(3) of the GDPR in Annex 1 (Details of Processing of Controller Personal Data), attached hereto.
  • Without derogating from Controller’s obligations hereunder, including under the Agreement, Controller may only provide to Processor, or otherwise have Processor (or anyone on its behalf) process, such Controller Data types and parameters which are explicitly listed on Annex 1 attached hereto (the “Permitted Controller Personal Data”). Solely Controller (and not Processor) shall be liable for any data which is provided or otherwise made available to Processor or anyone on its behalf in excess of the Permitted Controller Personal Data (“Excess Data”). Processor obligations under the Agreement or this DPA shall not apply to any such Excess Data.

3.     Processor Personnel

Processor shall take reasonable steps to ensure that access to the Controller Personal Data is limited on a need to know/access basis, and that all Processor personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access/use of Controller’s Personal Data.

4.     Security

Processor shall, in relation to the Controller Personal Data, implement appropriate technical and organizational measures to ensure an appropriate level of security, including, as appropriate and applicable, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, Processor shall take into account the risks that are presented by Processing, in particular from a Personal Data Breach.

5.     Sub Processing

  • Controller authorizes Processor and each Processor Affiliate to appoint (and permit each Sub Processor appointed in accordance with this Section 5 (Sub-processing) to appoint) Sub Processors in accordance with this Section 5 (Sub-processing) and any restrictions in the Agreement.
  • Processor and each Processor Affiliate may continue to use the Sub Processors already engaged by Processor or any Processor Affiliate listed in Annex 2 to this DPA (“Authorized Sub-Processors”), including for the purpose of cloud hosting services by reputable Sub Processors, as well as any Sub Processors whom Controller requested Processor to use.
  • The Processor may appoint new Sub Processors and shall give notice of the appointment of any new Sub Processor (for instance by e-mail), whether by general or specific reference to such Sub Processor (e.g., by name or type of service), including relevant details of the Processing to be undertaken by the new Sub Processor. If, within seven (7) days of such notice, Controller notifies Processor in writing of any objections (on reasonable grounds) to the proposed appointment, Processor shall not appoint for the processing of Controller Personal Data the proposed Sub Processor until reasonable steps have been taken to address the objections raised by Controller, and Controller has been provided with a reasonable written explanation of the steps taken. Where such steps are not sufficient to relieve Controller’s reasonable objections then Controller or Processor may, by written notice to the other Party, with immediate effect, terminate the Agreement to the extent that it relates to the Services which require the use of the proposed Sub Processor without bearing liability for such termination.
  • With respect to each new Sub Processor, Processor shall:
    • before the Sub Processor first Processes Controller Personal Data, take reasonable steps (for instance by way of reviewing privacy policies as appropriate) to ensure that the Sub Processor is committed to providing the level of protection for Controller Personal Data required by the Agreement; and
    • ensure that the arrangement between the Processor and the Sub Processor is governed by a written contract, including terms that offer a materially similar level of protection for Controller Personal Data as those set out in this DPA that meet the requirements of Applicable Laws.

6.     Data Subject Rights

  • Controller shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Data Protection Laws (e.g., for access, rectification, deletion of Controller Personal Data, etc.). Taking into account the nature of the Processing, Processor shall reasonably endeavor to assist the Controller insofar as feasible, to fulfill Controller’s said obligations with respect to such Data Subject requests, as applicable, at Controller’s sole expense.
  • Processor shall:
    • promptly notify Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Controller Personal Data; and
    • ensure that it does not respond to that request except on the documented instructions of Controller or as required by Applicable Laws to which the Processor is subject, in which case Processor shall, to the extent permitted by Applicable Laws, inform Controller of that legal requirement before it responds to the request.

7.     Personal Data Breach

  • Processor shall notify Controller without undue delay upon Processor becoming aware of a Personal Data Breach affecting Controller Personal Data, in connection with the Processing of such Controller Personal Data by the Processor or Processor Affiliates. In such an event, the Processor shall provide Controller with information (to the extent in the Processor’s possession) to assist the Controller to meet any obligations to inform Data Subjects or Data Protection authorities of the Personal Data Breach under the Data Protection Laws.
  • At the written request of the Controller, Processor shall reasonably cooperate with Controller and take such commercially reasonable steps as are agreed by the parties or necessary under Privacy Protection Laws to assist in the investigation, mitigation and remediation of each such Personal Data Breach, at Controller’s sole expense.

8.     Data Protection Impact Assessment and Prior Consultation

At the written request of the Controller, the Processor and each Processor Affiliate shall provide reasonable assistance to Controller, at Controller’s expense, with any data protection impact assessments or prior consultations with Supervisory Authorities or other competent data privacy authorities, as required under any applicable Data Protection Laws. Such assistance shall be solely in relation to the Processing of Controller Personal Data by the Processor.

9.     Deletion or return of Controller Personal Data

  • Subject to Section 9.2, Processor shall promptly and in any event within up to ninety (90) days of the date of cessation of any Services involving the Processing of Controller Personal Data (the “Cessation Date”), delete or anonymize, at its option, and if commercially and technically practicable, all copies of those Controller Personal Data, except such copies as authorized including under the Agreement and this DPA or required to be retained in accordance with applicable law and/or regulation. In addition, and to the extent permitted by Applicable Laws and subject to Section 9.2, Processor shall return Controller Personal Data to Controller subject to Controller providing written notification to Processor of such request within seven (7) days prior to the date on which the Agreement expired or was terminated, whichever occurs first.
  • Subject to the Agreement, Processor may retain Controller Personal Data to the extent authorized or required by Applicable Laws, provided that Processor shall ensure the confidentiality of all such Controller Personal Data and shall ensure that it is only processed for such legal purpose(s).
  • Upon Controller’s prior written request, Processor shall provide written certification to Controller that it has complied with this Section 9.

10.   Audit Rights

  • Subject to Sections 10.2 and 10.3, Processor shall make available to a reputable auditor mandated by Controller in coordination with Processor, upon prior written request, such information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor mandated by the Controller in relation to the Processing of the Controller Personal Data by the Processor, provided that such third-party auditor shall be subject to confidentiality obligations.
  • Provisions of information and audits are and shall be at Controller’s sole expense and may only arise under Section 10.1 to the extent that the Agreement does not otherwise give Controller information and audit rights meeting the relevant requirements of the applicable Data Protection Laws. In any event, all audits or inspections shall be subject to the terms of the Agreement, and to Processor’s obligations to third parties, including with respect to confidentiality.
  • The Controller shall give Processor reasonable prior written notice of any audit or inspection to be conducted under Section 10.1 and shall use (and ensure that each of its mandated auditors uses) its best efforts to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to the Processor’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. Processor need not give access to its premises for the purposes of such an audit or inspection:
    • to any individual unless he or she produces reasonable evidence of identity and authority;
    • if Processor was not given written notice of such audit or inspection at least 2 weeks in advance;
    • outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and the Controller has given notice to Processor that this is the case before attendance outside those hours begins;
    • for premises outside the Processor’s control (such as data storage farms of the Processor’s cloud hosting providers);
    • if more than one (1) audit or inspection, in respect of each Processor, already took place in the same calendar year, except for any additional audits or inspections which:
      • Controller reasonably considers necessary because of genuine concerns as to Processor’s compliance with this DPA; or
      • The Controller is required to carry out by Data Protection Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory, where the Controller has identified its concerns or the relevant requirement or request in its prior written notice to Processor of the audit or inspection.

11.   Data Transfers

For transfers of EU Personal Data for Processing in a jurisdiction other than a jurisdiction in the EU, the EEA, or the European Commission-approved countries providing ‘adequate’ data protection, or otherwise in connection with a Restricted Transfer, Processor agrees it will provide privacy protection for EU Personal Data (i) using the Controller-to-Processor SCCs, or (ii) under another legal framework providing adequate protection as agreed by the Parties in a separate agreement. If data transfers under this Section 11 rely on SCCs to enable the lawful transfer of EU Personal Data, as set forth in the preceding sentence, the Parties agree that Data Subjects for whom Processor Processes EU Personal Data are third-party beneficiaries under the SCCs. If the Processor is unable or becomes unable to comply with these requirements, then EU Personal Data will be processed and used exclusively within the territory of a member state of the European Union and any movement of EU Personal Data to a non-EU country requires the prior written consent of Controller with respect to Personal Data. Processor shall promptly notify Controller of any inability by Processor to comply with the provisions of this Section 11.

 

12.   General Terms

  • Governing Law and Jurisdiction
    • The Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
    • This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
  • Order of Precedence

Nothing in this DPA reduces the Processor’s obligations under the Agreement in relation to the protection of Personal Data or permits the Processor to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Agreement. In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail solely with respect to the subject matter of this DPA and solely if such conflict or inconsistency originates from the requirements of Article 28 of the GDPR (except where explicitly agreed otherwise in writing, signed on behalf of the Parties). This DPA is not intended to, and does not in any way, limit or derogate from Controller’s own obligations and liabilities towards the Processor under the Agreement, and/or pursuant to the GDPR or any law applicable to Controller, in connection with the collection, handling and use of Personal Data by Controller or its Affiliates or other processors or their sub-processors, including with respect to the transfer or provision of Personal Data to Processor and/or providing access thereto to Processor.

Subject to this Section 12.2, with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.

  • Changes in Data Protection Laws
    • The Controller may, by at least forty-five (45) calendar days’ prior written notice to Processor, request in writing any variations to this DPA if they are required, as a result of any change in, or decision of a competent authority under, any applicable Data Protection Law, to allow Processing of those Controller Personal Data to be made (or continue to be made) without breach of that Data Protection Law; and
    • If Controller gives notice with respect to its request to modify this DPA under Section 12.3:
      • Processor shall make commercially reasonable efforts to accommodate such modification request; and
      • The Controller shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Processor to protect the Processor against additional risks or to indemnify and compensate Processor for any further steps and costs associated with the variations made herein.
    • If Controller gives notice under Section 12.3.1, the Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Controller’s notice as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within 30 days, then Controller or Processor may, by written notice to the other Party, with immediate effect, terminate the Agreement to the extent that it relates to the Services which are affected by the proposed variations (or lack thereof).
  • Severance. Should any provision of this DPA be deemed invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

IN WITNESS WHEREOF, this DPA is entered into and becomes a binding part of the Agreement with effect from the later date set out below.

Controller: XXXXXXXXXX

Signature ______________________________

Name _________________________________

Title __________________________________

Date __________________________________

Processor: XM Cyber Ltd.

Signature ______________________________

Name _________________________________

Title __________________________________

Date __________________________________

Annex 1: Details Of Processing Of Controller Personal Data

This Annex 1 includes certain details of the Processing of Controller Personal Data as required by Article 28(3) GDPR.

Types of Customer Data:
  • Account user data (name, business e-mail address) and login credentials for XM Cyber Portal users
  • Technical log / telemetry data collected by sensors in connection with vulnerabilities that may be associated with certain employees (i.e., endpoint devices related to certain individuals)

Types of processing: Storage / data processing to the extent needed for the hosting and operation of the application / infrastructure by the service provider

Purposes of processing: XM Cyber Exposure Management Platform – to perform obligations under the contract

Categories of data subjects: Internal and external employees with an IT account

The obligations and rights of the Controller: The obligations and rights of Controller and Controller Affiliates are set out in the Agreement and this DPA.

Annex 2: Technical and Organizational Measures and Authorized Sub-Processors

Technical and Organizational Measures (TOMs)

The present document supplements Appendix 1 of the Data Processing Agreement (DPA) between Client and Contractor pursuant to Art. 28 GDPR (EU General Data Protection Regulation).

The technical and organizational measures are implemented by XM CYBER in accordance with Art. 32 GDPR. They are continuously improved by XM CYBER according to feasibility and the state of the art, including annual audit certifications, maintenance of an ISO 27001 ISMS framework, and enforcement of SOC2 Type 2 controls in order to maintain a higher level of security and protection.

1. Confidentiality

1.1. Physical Access Control

Measures suitable for preventing unauthorized persons from gaining access to data processing systems with which personal data are processed or used.

Technical Measures:
  ✔ Alarm system
  ✔ Automatic access control system
  ✔ Manual locking system
  ✔ Doors with knob outside
  ✔ Doorbell system with camera
  ✔ Video surveillance of entrances
  ✔ Dedicated server room with keys
  ✔ CCTV/Video system

Organizational Measures:
  ✔ Key regulation / list
  ✔ Reception (office manager)
  ✔ Visitors accompanied by employees
  ✔ Care in selection of security guard personnel
  ✔ Care in selection of cleaning services
  ✔ Information Security Policy
  ✔ Physical access policy
  ✔ Access control policy

1.2. Logical Access Control

Measures suitable for preventing data processing systems from being used by unauthorized persons.

Technical Measures:
  ✔ Login with username + strong password
  ✔ Anti-virus & anti-malware software on servers
  ✔ Anti-virus & anti-malware software on clients
  ✔ Firewall
  ✔ Use of VPN for accessing internal resources
  ✔ Encryption of data at rest / in transit
  ✔ Automatic desktop lock
  ✔ Two-factor authentication / SSO with SAML protocol for all critical services

Organizational Measures:
  ✔ User permission management
  ✔ Creating user profiles
  ✔ Central password assignment
  ✔ Information Security Policy
  ✔ Work instruction IT user regulations
  ✔ Work instruction operational security
  ✔ Access control policy

1.3. Authorization Control

Measures to ensure that those authorized to use a data processing system can only access the data subject to their access authorization and that personal data cannot be read, copied, modified or removed without authorization during processing, use and after storage.

Technical Measures:
  ✔ Data that requires particularly high protection is encrypted before it is stored in the database so that it cannot be viewed by database administrators
  ✔ Certified SSL encryption
  ✔ Logging of access to applications, specifically when entering, changing and deleting data
  ✔ Logging of system access events
  ✔ Continuous review of user rights/permissions
  ✔ SSO with company’s Identity Provider (MFA required)
  ✔ Physical deletion of data carriers

Organizational Measures:
  ✔ Use of authorization concepts
  ✔ Minimum number of administrators
  ✔ Management of user rights by administrators
  ✔ Information Security Policy (including Data Retention)
  ✔ Logging and Monitoring policy
  ✔ Access Control policy
  ✔ On/Off-boarding process
  ✔ Need-based rights of access

1.4. Separation Control

Measures to ensure that data collected for different purposes can be processed separately. This can be ensured, for example, by logical and physical separation of the data.

Technical Measures:
  ✔ Separation of production and test environments
  ✔ Physical separation (systems / databases / data carriers)
  ✔ Multi-tenancy of relevant applications
  ✔ Network segmentation
  ✔ Client instances logically separated
  ✔ Staging of development, test and production environments
  ✔ Data privacy: segregation between different customers

Organizational Measures:
  ✔ Control via authorization concept
  ✔ Determination of database rights
  ✔ Information Security Policy
  ✔ Data Protection Policy
  ✔ Work instruction operational security
  ✔ Work instruction security in software development

2. Integrity

2.1. Transfer Control

Measures to ensure that personal data cannot be read, copied, altered or removed by unauthorized persons during electronic transmission or while being transported or stored on data media, and that it is possible to verify and establish to which entities personal data are intended to be transmitted by data transmission equipment.

Technical Measures:
  ✔ Use of VPN
  ✔ Logging of accesses and retrievals
  ✔ Provision via encrypted connections such as secure vaults, HTTPS and password-protected e-mails
  ✔ Certificate signing over secure SSL communication channel

Organizational Measures:
  ✔ Survey of regular retrieval and transmission processes
  ✔ Transmission in an encrypted form
  ✔ Information Security Policy
  ✔ Data Protection Policy

2.2. Input Control

Measures that ensure that it is possible to check and establish retrospectively whether and by whom personal data has been entered into, modified or removed from data processing systems. Input control is achieved through logging, which can take place at various levels (e.g., operating system, network, firewall, database, application).

Technical Measures:
  ✔ Technical logging of the entry, modification and deletion of data
  ✔ Manual or automated control of the logs (according to strict internal specifications)

Organizational Measures:
  ✔ Survey of which programs can be used to enter, change or delete which data
  ✔ Traceability of data entry, modification and deletion through individual user names (not user groups)
  ✔ Assignment of rights to enter, change and delete data on the basis of an authorization concept
  ✔ Clear responsibilities for deletions
  ✔ Information Security Policy
  ✔ Retention of forms from which data has been transferred to automated processes

3. Availability and Resilience

3.1. Availability Control

Measures to ensure that personal data is protected against accidental destruction or loss (UPS, air conditioning, fire protection, data backups, secure storage of data media, virus protection, RAID systems, disk mirroring, etc.).

Technical Measures:
  ✔ Fire and smoke detection systems
  ✔ Fire extinguisher in server room
  ✔ Server room temperature monitoring
  ✔ Server room air-conditioning
  ✔ UPS system and emergency diesel generators
  ✔ RAID system / hard disk mirroring
  ✔ Video surveillance of server room

Organizational Measures:
  ✔ Backup concept
  ✔ No sanitary connections in the server room
  ✔ Existence of an emergency plan
  ✔ Storage of backup media in a secure location outside the server room
  ✔ Separate partitions for operating systems and data where necessary
  ✔ Regular testing of the business continuity policy
  ✔ Work instruction operational security
  ✔ Business Continuity Policy

3.2. Recoverability Control

Measures capable of rapidly restoring the availability of and access to personal data in the event of a physical or technical incident.

Technical Measures:
  ✔ Backup monitoring and reporting
  ✔ Restorability from automation tools
  ✔ Backup concept according to criticality and customer specifications

Organizational Measures:
  ✔ Recovery concept
  ✔ Control of the backup process
  ✔ Regular testing of data recovery and logging of results
  ✔ Existence of an emergency plan
  ✔ Information Security Policy
  ✔ Disaster Recovery Policy
  ✔ Work instruction operational security

4. Procedures for regular Review, Assessment, and Evaluation

4.1. Data Protection Management

Technical Measures:
  ✔ Central documentation of all data protection regulations
  ✔ Security certification according to ISO 27001
  ✔ Security certification according to SOC2 Type 2
  ✔ A review of the effectiveness of the TOMs is carried out at least annually and the TOMs are updated
  ✔ Monitoring of subcontractors

Organizational Measures:
  ✔ Internal Chief Information Security Officer appointed
  ✔ Staff trained and obliged to confidentiality/data secrecy
  ✔ Regular awareness training at least annually
  ✔ Data Protection Impact Assessment (DPIA) is carried out as required
  ✔ Processes regarding information obligations according to Art. 13 and 14 GDPR established
  ✔ Data protection aspects established as part of corporate risk management
  ✔ ISO 27001 and SOC2 Type 2 certifications of key parts of the company including data center operations and annual monitoring audits

4.2. Incident Response Management

Support for security breach response and data breach process.

Technical Measures:
  ✔ Use of firewall and regular updating
  ✔ Use of spam filter and regular updating
  ✔ Use of virus scanner and regular updating
  ✔ Intrusion Detection System (IDS) for customer systems on order
  ✔ Intrusion Prevention System (IPS) for customer systems on order
  ✔ Use of complete endpoint protection suite
  ✔ Use of continuous attack simulation module
  ✔ Use of e-mail protection layers
  ✔ Use of DNS protection for employees

Organizational Measures:
  ✔ Documented process for detecting and reporting security incidents / data breaches (also with regard to the reporting obligation to the supervisory authority)
  ✔ Formalized procedure for handling security incidents
  ✔ Involvement of CISO in security incidents and data breaches
  ✔ Documentation of security incidents and data breaches via ticket system
  ✔ A formal process for following up on security incidents and data breaches
  ✔ Information Security Policy
  ✔ Incident Management Policy
  ✔ Work instruction operational security
  ✔ Work instruction IT user regulations

4.3. Data Protection by Design and by Default

Measures pursuant to Art. 25 GDPR that comply with the principles of data protection by design and by default.

Technical Measures
✔ No more personal data is collected than is necessary for the respective purpose
✔ Use of data protection-friendly default settings in standard and individual software

Organizational Measures
✔ Data Protection Policy (includes the principles “privacy by design / by default”)
✔ Perimeter analysis for web applications

4.4. Order Control (outsourcing, subcontractors and order processing)

Measures to ensure that personal data processed on behalf of the client can only be processed in accordance with the client’s instructions.

Technical Measures
✔ Monitoring of authorized access by external parties, e.g. in the context of remote support or service maintenance
✔ Monitoring of subcontractors according to the principles and technologies of the preceding chapters 1 and 2
✔ Annual review of the security and privacy measures of Sub-Processors

Organizational Measures
✔ Prior review of the security measures taken by the contractor and their documentation
✔ Work instruction supplier management and supplier evaluation
✔ Selection of the contractor under due diligence aspects (especially with regard to data protection and data security)
✔ Conclusion of the necessary data processing agreement on commissioned processing or EU standard contractual clauses
✔ Obligation of the contractor’s employees to maintain data secrecy
✔ Agreement on effective control rights over the contractor
✔ Regulation on the use of further subcontractors
✔ Ensuring the destruction of data after termination of the contract
✔ In the case of longer collaboration: ongoing review of the contractor and its level of protection

5. Organization and Data Protection at XM Cyber

XM Cyber treats the protection of personal data as a matter of the utmost importance and therefore commits continuous, considerable effort to maintaining and improving it.

For GDPR compliance (e.g. Article 30) and for the benefit of its clients, XM Cyber describes here the technical and organizational personal data protection measures (TOMs) it has implemented. It is worth mentioning that almost all of XM Cyber’s information security and privacy-related efforts are supported by external consultants who provide information security and privacy advisory services.

Data is encrypted, with certificate signing and a secure communication channel. The database server is located in a segmented network for each customer and is accessible to authorized personnel only. Access is logged and monitored. Several protection layers and authentication methods apply: username/password plus 2FA, SSO roles, security groups that segregate the database server, and username/password plus key to access the database itself. The database server is monitored with EDR and connected to a continuous risk assessment platform.

An incident management policy is in place that defines the roles, responsibilities, and procedures to be followed when an incident is identified.

Further explanation can be found in our SOC2 Type 2 and BSI C5 summary report.

6. Certifications

XM Cyber’s certifications cover both its Information Security and Risk Management framework (according to SOC2 Type 2 and BSI C5) and its Information Security Management System (according to ISO 27001), for essential parts of XM Cyber.

Authorized Sub-Processors

Note: No personal data is transferred to a third country outside of the EEA or outside of a jurisdiction that has been deemed adequate by the European Commission.

Schwarz IT KG
Country / Location: The servers are located in region EU01 of Schwarz IT KG. All data centers are in the Heilbronn area, Baden-Württemberg, Germany.
Service: Cloud provider; customer instances, including database hosting, in the STACKIT Cloud.
Privacy & Security Assessment: Annually – DPA, BSI C5 Clauses

AWS
Country / Location: Amazon Web Services EMEA SARL, Luxembourg. XM Cyber’s AWS Managed Instances are located in eu-central-1 (Frankfurt, DE).
Service: Authentication to XM Cyber UI
Privacy & Security Assessment: Annually – DPA, SOC2 Clauses

XM Cyber Germany GmbH & Co. KG
Country / Location: XM Cyber Germany GmbH & Co. KG, Stiftsbergstraße 1, 74172 Neckarsulm, Germany
Service: Fulfillment of certain services, e.g. Support and CSM
Privacy & Security Assessment: Annually, in the context of ISO 27701 and SOC-2 security certification renewal; periodically in the ordinary course of business.

Salesforce
Country / Location: XM Cyber instance located in Salesforce-Managed Instances EU32 – Frankfurt, DE
Service: CRM System
Privacy & Security Assessment: Annually – DPA, SOC2 Clauses

MongoDB
Country / Location: XM Cyber instance located in AWS Managed Instances, AWS eu-central-1 (Frankfurt)
Service: Managed Mongo database as a service
Privacy & Security Assessment: Annually – DPA, SOC2 Clauses

Pendo
Country / Location: Google Cloud Platform EU1 europe-west3 (Frankfurt)
Service: Product Analytics
Privacy & Security Assessment: Annually – DPA, SOC2 Clauses

FullStory
Country / Location: Google Cloud Platform EU1 europe-west3 (Frankfurt)
Service: Data Analytics
Privacy & Security Assessment: Annually – DPA, SOC2 Clauses

Atlassian (Jira)
Country / Location: AWS eu-central-1 (Frankfurt)
Service: Issue-tracking system
Privacy & Security Assessment: Annually – DPA, SOC2 Clauses

Twilight Cyber
Country / Location: AWS eu-west-1 (Ireland)
Service: Detection of leakages on the web related to customer domains. Relevant only for customers who choose to use this service.
Privacy & Security Assessment: Annually – DPA, SOC2 Clauses

Homerun
Country / Location: AWS eu-central-1 (Frankfurt)
Service: POV Management
Privacy & Security Assessment: Annually – DPA, SOC2 Clauses