Cendyn and Pegasus have merged. To learn more about this exciting news and how Cendyn can help you drive direct bookings, enhance brand loyalty and drive profitability visit cendyn.com.

Learn More

Data Processing Addendum

Last Modified: January 15, 2022 | Previous Versions

This Data Processing Addendum (“DPA”) is attached to and a part of the Master Services Agreement (“MSA”) entered into between Travel Tripper LLC d/b/a Pegasus (f/k/a Travel Tripper), along with its parents, subsidiaries, and affiliates (“Company”) and the contracting party identified under the applicable MSA to whom such Services are provided (“Customer”). Company and Customer may also be referred to in this MSA individually as a “Party” and collectively as the “Parties.”

In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms set out below shall be added as an addendum to the MSA.

The headings of the paragraphs of this DPA are inserted for convenience only and shall not be deemed to constitute part of this DPA or to affect the interpretation thereof.  

1. Definitions.

1.1 Business has the meaning given in the CCPA. For purposes of this DPA, Customer is considered the Business as it relates to the CCPA.

1.2 CCPA means the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), and any related regulations or guidance provided by the California Attorney General. Terms defined in the CCPA, including personal information and business purposes, carry the same meaning in this DPA.

1.3 Contracted Business Purposes means the services described in Annex 2 for which the Company receives or accesses personal information subject to the CCPA.

1.4 Data Controller has the meaning given in applicable Data Protection Laws from time to time.

1.5 Data Processor has the meaning given in applicable Data Protection Laws from time to time.

1.6 Data Subject has the meaning given in applicable Data Protection Laws from time to time.

1.7 Data Protection Laws means, as applicable to the processing of Personal Data under the MSA:

a. the GDPR;

b. any laws which implement any such law;

c. other privacy, data protection and data security laws of jurisdictions applicable to the processing of Personal Data under this DPA; and

d. any laws that replace, extend, re-enact, consolidate or amend any of the foregoing.

1.8 EEA means, the European Economic Area.

1.9 GDPR means, as applicable: (i) the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”); and/or (ii) the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, if in force (“UK GDPR”).

1.10 Personal Data has the meaning given in applicable Data Protection Laws as updated from time to time.

1.11 Personal Information has the meaning given in the CCPA.

1.12 Restricted Transfer means the disclosure, grant of access or other transfer of Personal Data under the MSA to any person located in: (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EU Restricted Transfer”); and (ii) in the context of the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR.

1.13 SCCs means in respect of: (i) any EU Restricted Transfer, the standard contractual clauses approved by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as populated in accordance with Part 1 of Annex 3 (“EU SCCs”); and (ii) any UK Restricted Transfer, the standard contractual clauses adopted by the European Commission pursuant to implementing Decision (EU) 2010/87, as amended and populated in accordance with Part 2 of Annex 3 (“UK SCCs”).

1.14 Service Provider has the meaning given in the CCPA. For purposes of this DPA, Company is considered the Service Provider as it relates to the CCPA.

2. CCPA Provisions. The terms of this Section 2 shall apply to the extent that Company is collecting, using, retaining, or disclosing Personal Information of a California resident that is protected under the CCPA, on behalf of the Customer.

2.1 Compliance with the Law. Both parties will comply with all applicable requirements of the CCPA when collecting, using, retaining, or disclosing Personal Information.

2.2 Scope of Use. Company will only collect, use, retain, or disclose Personal Information for the Contracted Business Purposes for which Customer provides or permits Personal Information access. Company will not collect, use, retain, disclose, sell, or otherwise make Personal Information available for Company’s own commercial purposes or in a way that does not comply with the CCPA. 

2.3 Disclosure of Personal Information. If a law requires the Company to disclose Personal Information for a purpose unrelated to the Contracted Business Purpose, the Service Provider must first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.

2.4 Limitation of Use. Company will limit personal information collection, use, retention, and disclosure to activities reasonably necessary and proportionate to achieve the Contracted Business Purposes or another compatible operational purpose.

2.5 Compliance with Customer Requests. Company must promptly comply with Customer requests or instructions that require Company to provide, amend, transfer, or delete the Personal Information, or to stop, mitigate, or remedy any unauthorized processing.

2.6 CCPA Compliant Notices. If the Contracted Business Purposes require the collection of Personal Information from individuals on the Customer’s behalf, Company will provide a CCPA-compliant notice to the individuals addressing use and collection methods.

2.7 Data Aggregation. If the CCPA permits, Company may aggregate, de-identify, or anonymize Personal Information so it no longer meets the Personal Information definition, and may use such aggregated, de-identified, or anonymized data for its own research and development purposes. Company will not attempt to or actually re-identify any previously aggregated, de-identified, or anonymized data.

2.8 Assistance with Customer’s CCPA Obligations. Company will reasonably cooperate and assist Customer, at the Customer’s cost, with meeting the Customer’s CCPA compliance obligations and responding to CCPA-related inquiries, including responding to verifiable consumer requests, taking into account the nature of the Company’s processing and the information available to the Company. Company will reasonably notify Customer if it receives any complaint, notice, or communication that directly or indirectly relates either Party’s compliance with the CCPA. Specifically, the Company must notify the Customer within fifteen (15) working days if it receives a verifiable consumer request under the CCPA.

2.9 Subcontracting. Company may use subcontractors to provide the Contracted Business Services. Company remains liable to the Customer for the subcontractor’s performance of its agreement obligations.

3. GDPR Provisions. The terms of this Section 3 shall apply to the extent that Company processes Personal Data subject to the GDPR, on behalf of the Customer.

3.1 Compliance with the Law. Both parties will comply with all applicable requirements of the Data Protection Laws. This Section is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Laws. 

3.2 Data Controller and Data Processor. The parties acknowledge that for the purposes of the Data Protection Laws, the Customer is the Data Controller and Company is the Data Processor. Annex 1 sets out the scope, nature, and purpose of processing by Company, the duration of the processing, and the types of Personal Data and categories of Data Subject.

3.3. Consents and Notices. Without prejudice to the generality of Section 3.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable the Company’s lawful processing of the Personal Data for the duration and purposes of this DPA. The Customer shall ensure all instructions given by it to Company in respect of Personal Data shall at all times be in accordance with Data Protection Laws. 

3.4 Obligations of the Company. Without prejudice to the generality of Section 3.1, Company shall, in relation to any Personal Data processed in connection with the performance by the Company of its obligations under the MSA:

a. process that Personal Data only on the written instructions of the Customer unless Company is required by law to process that Personal Data; 

b. immediately inform the Customer if Company is requested to take any action which may infringe the GDPR or other data protection laws of the EEA, a member state, or the UK, as applicable; 

c. ensure that it has in place appropriate technical and organizational measures to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected; 

d. ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; 

e. assist the Customer, at the Customer’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

f. notify the Customer without undue delay on becoming aware of a Personal Data breach;

g. at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the MSA unless required by applicable law to store the Personal Data; 

h. maintain complete and accurate records and information to demonstrate its compliance with the Data Protection Laws and to assist with any further information required to ensure that both parties meet their obligations under Article 28 of the GDPR; and

i. permit audits by the Customer or the Customer’s designated auditor, subject to a maximum of one audit request in any 12-month period. 

3.5 Data Transfers. Customer acknowledges that Customer’s transmission of Personal Data to Company hereunder may involve a Restricted Transfer. The relevant set(s) of SCCs that may be entered into under Section 3.5(a) and/or 3.5(b) shall apply and have effect only if and to the extent permitted and required under the EU GDPR and/or UK GDPR (if and as applicable) to establish a valid basis under Chapter V of the EU GDPR and/or UK GDPR in respect of the transfer from Customer to Company of Personal Data.  

a. EU Restricted Transfers. To the extent that any processing of Personal Data under this DPA involves an EU Restricted Transfer from Customer to Company, the parties shall comply with their respective obligations set out in the EU SCCs, which are hereby deemed to be populated in accordance with Part 1 of Annex 3 and entered into by the parties and incorporated by reference into this DPA. 

b. UK Restricted Transfers. To the extent that any processing of Personal Data under this DPA involves a UK Restricted Transfer from Customer to Company, the parties shall comply with their respective obligations set out in the UK SCCs, which are hereby deemed to be populated in accordance with Part 2 of Annex 3 and entered into by the parties and incorporated by reference into this DPA.

c. In respect of any UK Restricted Transfer involving processing in respect of which Customer is itself acting as a Data Processor on behalf of any other person, Customer warrants and represents on an ongoing basis, and further undertakes, that it has full and sufficient authority to enter into the UK SCCs for and on behalf of each such other person.

d. To the extent that Company effects an onward transfer to a sub-processor in respect of Personal Data to which the UK SCCs apply, Customer hereby authorises Company to enter into the UK SCCs as agent for Customer (as ‘data exporter’) with that sub-processor (as ‘data importer’), which it may (at its option) elect to do in order to meet its obligations to Customer under Clause 11 of the UK SCCs (which it is agreed may be discharged by inclusion of any relevant delegated processing within generic descriptions detailed in any such further UK SCCs).

e. In respect of any given Restricted Transfer, if requested of Customer by a supervisory authority, Data Subject or further Data Controller (where applicable) – on specific written request (accompanied by suitable supporting evidence of the relevant request), Company shall provide Customer with an executed version of the relevant set(s) of SCCs responsive to the request made of Customer (amended and populated in accordance with Annex 3 in respect of the relevant Restricted Transfer) for countersignature by Customer, onward provision to the relevant requestor and/or storage to evidence Customer’s compliance with Data Protection Laws.

3.6 Sub-processor(s). Customer consents to Company appointing sub-processor(s) as third-party processors of Personal Data under the MSA, and provides a general authorization for Company to appoint further sub-processors in accordance with this Section 3.6 and, if and as applicable, the relevant set(s) of SCCs. Company confirms that it has entered or (as the case may be) will enter into a written agreement with such third-party processors incorporating terms which are substantially similar to those set out in this Section 3. As between the Customer and Company, Company shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this Section 3.6. The sub-processors engaged by Company and authorized by the Customer are listed at: https://www.pegs.com/gdpr-subprocessors/. Company will inform the Customer of any addition, replacement, or other changes of sub-processors and provide the Customer with fourteen (14) days to reasonably object to such changes on legitimate grounds. 

4. Miscellaneous Provisions.

4.1 The parties each acknowledge and agree that (i) this DPA is intended as an addendum to the MSA between the parties pursuant to which Company provides services to the Customer, and (ii) the parties intend for this DPA to be binding.  This DPA, regardless of how accepted by the parties, is equivalent to and shall have the same effect as a written agreement executed by each of the parties.

4.2 The Customer shall indemnify and keep indemnified Company against all losses, claims, damages, liabilities, fines, sanctions, interest, penalties, costs, charges, expenses, compensation paid to data subjects, demands and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any investigation by, or imposed by, a supervisory authority) arising out of or in connection with any breach by the Customer of its obligations under this DPA. 

4.3 Company may at any time, revise this DPA or replace it with any applicable controller to processor standard clauses or similar terms forming party of an applicable certification scheme (which shall apply when replaced by attachment to this DPA).

4.4 The Customer hereby represents and warrants that the person accepting this DPA by signing the MSA or any Order Form, Addendum, or Amendment incorporating this DPA (or through whichever other means) is authorized to: (i) execute agreements on behalf of the Customer, and (ii) bind the Customer to the terms of this DPA.  The acceptance of this DPA by whichever means, electronic or otherwise, demonstrates the intent of the parties to be bound hereby.

4.5 In the event of any conflict or inconsistency between:

a. this DPA and the MSA, this DPA shall prevail; or

b. any SCCs entered into pursuant to Section 3.5 of this DPA and the rest of this DPA and/or the MSA, the SCCs shall prevail in respect of the Restricted Transfer to which they apply.

 

ANNEX 1
PROCESSING, PERSONAL DATA, AND DATA SUBJECTS

As applicable to the GDPR, processing of Personal Data by Company under the MSA shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subject set out in this Annex 1. 

1. Processing by Company. 

1.1 Subject-matter of processing. The subject matter of the data processing under this DPA is the Customer Personal Data processed by Company pursuant to the services provided to the Customer under the MSA. 

1.2 Nature and purpose of processing. Company will process Personal Data for the purposes of providing the services to the Customer in accordance with the MSA. 

1.3 Duration of the processing. The duration of the processing under the MSA is determined by the Customer and as set forth in the MSA.

1.4 Frequency of the Transfer. Ongoing – as initiated by Customer in and through its use, or use on its behalf, of the services provided to the Customer under the MSA.

2. Types of Personal Data. Personal Data relating to individuals processed by Company in order to provide services under the MSA, including of the Customer’s personnel and customers, including but not limited to the following: 

  • First and last name 
  • Email address 
  • Telephone number 
  • Fax number 
  • Billing address
  • Delivery address 
  • Location data
  • Online identifier
  • IP address
  • Device details 
  • Cookie data 
  • Job title 
  • Credit card information 

3. Categories of Data Subject.

  • Visitors to the Customer’s website, provided by Company as a part of the Services, and customers of the Customer who are  “Data subjects” as defined herein and whose data is processed by Company. 
  • Customer’s personnel that accesses Company systems. 

 

ANNEX 2
CCPA PERSONAL INFORMATION PROCESSING PURPOSES AND DETAILS

Contracted Business Purposes: Performing services on behalf of a CCPA-covered Business such as customer service, reservation fulfillment and/or processing, advertising, marketing, or analytic services.

Personal Information Categories: This DPA involves the following types of Personal Information, as defined and classified in CCPA Cal. Civ. Code § 1798.140(o):

Category Examples Processed under this DPA
A. Identifiers. A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, driver’s license number, passport number, or other similar identifiers. YES
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). A name, signature, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, employment, credit card number, debit card number, or any other financial information.

Some personal information included in this category may overlap with other categories.

YES
C. Protected classification characteristics under California or federal law. Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). NO
D. Commercial information. Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. YES
E. Biometric information. Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. NO
F. Internet or other similar network activity. Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. YES
G. Geolocation data. Physical location or movements.  YES
H. Sensory data. Audio, electronic, visual, thermal, olfactory, or similar information. NO
I. Professional or employment-related information. Current or past job history or performance evaluations. NO
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.  NO
K. Inferences drawn from other personal information. Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. YES

 

ANNEX 3
POPULATION OF SCCs

PART 1: POPULATION OF EU SCCs

1. SIGNATURE OF THE EU SCCs:

1.1 Where applicable in accordance with Section 3.5(a) of the DPA:

a. each of the parties is hereby deemed to have signed the EU SCCs at the relevant signature block in Annex I to the Appendix to the EU SCCs; and

b. those EU SCCs are entered into by and between the Parties with effect from the date of the first EU Restricted Transfer to which they apply in accordance with Section 3.5(a) of the DPA.

2. MODULES.

2.1 The following modules of the EU SCCs apply in the manner set out below (having regard to the role(s) of Customer set out in Attachment 1 to Annex 1 (European Annex) to the DPA):

a. Module Two of the EU SCCs applies to any EU Restricted Transfer involving processing of Personal Data in respect of which Customer is a Data Controller in its own right; and/or

b. Module Three of the EU SCCs applies to any EU Restricted Transfer involving processing of Personal Data in respect of which Customer is itself acting as a Data Processor on behalf of any other person.

3. POPULATION OF THE BODY OF THE EU SCCs

3.1 For each Module of the EU SCCs, the following applies as and where applicable to that Module and the Clauses thereof:

a. The optional ‘Docking Clause’ in Clause 7 is not used and the body of that Clause 7 is left intentionally blank.

b. In Clause 9:

(i) OPTION 2: GENERAL WRITTEN AUTHORISATION applies, and the minimum time period for advance notice of the addition or replacement of sub-processors shall be the advance notice period set out in Section 3.6 of the DPA; and

(ii)OPTION 1: SPECIFIC PRIOR AUTHORISATION is not used and that optional language is deleted; as is, therefore, Annex III to the Appendix to the EU SCCs.

c. In Clause 11, the optional language is not used and is deleted.

d. In Clause 13, all square brackets are removed and all text therein is retained.

e. In Clause 17: 

(i) OPTION 1 applies, and the parties agree that the EU SCCs shall governed by the law of Ireland; and

(ii) OPTION 2 is not used and that optional language is deleted. 

f. For the purposes of Clause 18, the parties agree that any dispute arising from the EU SCCs shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.

3.2 In this Section 3, references to “Clauses” are references to the Clauses of the EU SCCs.

4. POPULATION OF ANNEXES TO THE APPENDIX TO THE EU SCCs

4.1 Annex I to the Appendix to the EU SCCs is populated with the corresponding information detailed in Annex 1 to the DPA, with:

a. Customer being ‘data exporter’; and 

b. Company being ‘data importer’.

4.2 Part C of Annex I to the Appendix to the EU SCCs is populated as below:

The competent supervisory authority shall be determined as follows:

• Where Customer is established in an EU Member State: the competent supervisory authority shall be the supervisory authority of that EU Member State in which Customer is established.

• Where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies and Customer has appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State in which Customer’s EU representative relevant to the processing hereunder is based (from time-to-time).

• Where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies, but Customer has not appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State notified in writing to Vendor’s contact point for data protection identified in Attachment 1 to Annex 1 (European Annex) to the DPA, which must be an EU Member State in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.

4.3 Annex II to the Appendix to the EU SCCs is populated as below:

General:

• Please refer to Annex 4 to the DPA.

• In the event that Customer receives a data subject request under the EU GDPR and requires assistance from Company, Customer should email Company’s contact point for data protection.

Sub-processors: When Company engages a sub-processor under these Clauses, Company shall enter into a binding contractual arrangement with such sub-processor that imposes upon them data protection obligations which, in substance, meet or exceed the relevant standards required under these Clauses and the DPA – including in respect of:

• applicable information security measures;

• notification of Personal Data breaches to Company;

• return or deletion of Personal Data as and where required; and

• engagement of further sub-processors.

PART 2: POPULATION OF UK SCCs

1. SIGNATURE OF THE UK SCCs:

1.1 Where applicable in accordance with Section 3.5(b) of the DPA:

a. each of the parties is hereby deemed to have signed the UK SCCs and their Appendices at the relevant signature block; and 

b. those UK SCCs are entered into by and between the parties with effect from the date of the first UK Restricted Transfer to which they apply in accordance with Section 3.5(b) of the DPA.

2. POPULATION OF DETAILS OF PARTIES TO THE UK SCCs

2.1 The details of the parties to the UK SCCs set out on the first page of UK SCCs is populated with the relevant information of the Parties as detailed in Annex 1 to the DPA, with:

a. Customer being ‘data exporter’, both on its own behalf as a Data Controller or as agent for applicable Data Controllers to the extent Customer is acting as a Data Processor; and 

b. Company being ‘data importer’.

3. VARIATION OF THE UK SCCs TO REFLECT THE UK GDPR

3.1 The UK SCCs are hereby deemed to be amended to reflect the versions of those UK SCCs issued and published by the UK Information Commissioner’s Office to reflect variations:

a. required to account for the specific requirements of the UK GDPR; 

b. required to reflect the UK no longer being a member state of the European Union; and 

c. permitted by paragraph 7 of Schedule 21 to the UK Data Protection Act 2018, which as the Addendum Effective Date, are as shown at the following webpage https://ico.org.uk/media/for-organisations/documents/2618973/uk-sccs-c-p-202012.docx.

3.2 Notwithstanding the above, it is agreed that neither:

a. the optional ‘Indemnification’ clause; nor 

b. the optional ‘Effective date of the Standard Contractual Clauses’ clause, are used, and all such optional language is deleted.

4. POPULATION OF THE APPENDICES TO THE UK SCCs

4.1 Appendix I to the UK SCCs is populated with the corresponding information detailed in Annex 1 to the DPA.

4.2 Appendix II to the UK SCCs is populated as follows:

The technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) to the UK SCCs are those established and maintained under Annex 4 to the DPA.

ANNEX 4
SECURITY MEASURES

The Company currently abides by the security standards in this Appendix 2 and will undertake appropriate technical and organizational security measures to protect personal data against: unauthorized or unlawful processing, accidental loss, destruction, or damage thereof. The measures implemented will take into account available encryption technology and must ensure a level of security appropriate to the harm that might result from a breach of security and the nature of the data to be protected. The Company may update or modify these security standards from time to time provided such updates and modifications will not result in a degradation of the overall security of the Services during the term of the MSA.

1. Internal Organizational Measures.

The Company’s internal organization is structured with the measures necessary to meet the specific requirements of data protection law at all times. The Company maintains resilient, industry-standard security controls and engages a dedicated, skilled, and trained information security staff with the appropriate experience to protect high-value data. The Company will moreover support the Data Exporter to safeguard the data subject’s rights of access, rectification, erasure, blocking and objection.

The Company employs written policies, procedures, security awareness training, privacy training, background checks, and all PCI controls related to internal organizational security to satisfy this requirement.

2. Access and Site Controls.

The Company takes the measures necessary to prevent unauthorized persons from gaining access to data processing systems for processing or using personal data. Such measures include the prevention of unauthorized physical site access.

Company’s sites are protected with electronic security, intrusion alarms, and fire detection equipment. Company’s data centers provide state-of-the-art innovative architectural and engineering methodologies and are housed in nondescript facilities as an added security measure.

The Company ensures an access control system in which authorization is particularly checked by the Company. For any systems not hosted in the cloud, physical access to the data centers is strictly controlled at building ingress points by professional security staff utilizing video surveillance and other electronic means like ID reader, magnetic or chip cards and door locking mechanisms.

Even authorized staff must pass two-factor authentication to access the Company’s data center floors. Access to the data center requires the authorized party to be on a pre-approved list maintained by data center security staff. At the entrance to the facility authorized personnel are checked against this pre-approved list and verified by examining (and surrendering while on premise) a government-issued photo ID. Once within the data-center, access is further restricted as the Company’s equipment is contained within locked cabinets. Without the required key, no persons are able to access the Company’s locked cabinets.

All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. All physical access to the premises is logged and audited routinely. Physical locations of the Company’s data centers are carefully selected with co-location partners that meet or exceed the following standards:

  • SSAE16 SOC1/2 – Type 2
  • PCI DSS Level 1
  • Uptime Institute – Tier III

All data centers require badge as well as biometric (retina) to gain physical access to the data center. The parking and surrounding areas of the data centers are inaccessible without a badge. The data center facilities are protected with a satisfactory perimeter of blast protection in the event of an explosion. All data centers have CCTV as well as fully auditable access logs. The data center racks themselves are also protected with locking front and rear doors. All cross connects and intra-cabinet cabling is completely shielded and secured.

3. System Access Controls.

The Company employs appropriate measures to prevent data processing systems from being used without authorization. The following operational measures are in place to ensures technical (ID/password security) and organizational (user master data) security for user identification and authentication:

a. Physical locations housing employees do not have direct network, VPN, etc. access to the server/data centers;

b. Access to servers is controlled with client VPN, as well as maintenance of local workstation compliance leveraging Company’s configuration management tools;

c. Client VPN is protected with MFA; UserID/Password and Duo;

d. Once in Company’s network, in order to access servers, a second VPN tunnel is established, to access production data. This is also protected with MFA, but leverages a different UserID/Password combination;

e. All TLS communication is as TLS 1.2 or better;

f. Company’s Internal encryption is at a minimum of 256 bit;

g. Access to servers is only provided to those with a NEED. This need is accompanied by an approval by appropriate management;

h. Server access once past all VPN controls, is then maintained with SSH keys. Sudoers management is centralized and manages executable commands, by user;

i. Next generation firewall/IDS/IPS devices are used for controlling access to various LAN segments, as well as the flow of traffic to/from the internet;

j. All user management is centralized via LDAP, with formal on and off boarding processes coordinated with Human Resources.

4. Data Access Controls.

The Company has measures in place, including the latest encryption procedures, to ensure that persons authorized to use any data processing systems can only access the data that they are authorized to access, and that personal data shall not be read, copied, altered or removed without legitimate authorization. The following sections set forth the Company’s measures for: (a) authorization; (b) Log-in, Username, and Passwords; and (c) Confidentiality.

a. Authorization: All of Company’s employees who have access to personal data are pre-authorized to do so. All such authorizations are required to specify the type of access and purpose that each employee can access personal data. No employees is given access to personal data that is not explicitly included in their individual authorization. Company has taken additional measures to ensure that all access to personal data by it’s employees is logged. All employee authorizations are evaluated and updated on a bi-annual basis. Anytime an employee changes positions within Company’s organization, resigns, or is terminated, the employees authorizations are adapted or withdrawn as required. The Company applies the two-factor authentication as described above, which is required for access to it’s Payment Card Industry Network.

b. Login, Username and Passwords: Each Company employee has a unique usernames and password for system access. All usernames and passwords are created and altered from generally recognized principles and no username is reused within a period of at least six months since the username was last in use. If at any time an employee has not used their username within a period of three months, the username will automatically be suspended. Company employees with access to the IT solution are covered by a strict password policy. All system access passwords must: (i) be a minimum of 8 characters; (ii) contain at least one alphabetic character; (iii) contain at least one numeric character; (iv) be unique from the users last 4 passwords; and (v) be changed at least every 3 months. An account lockout will be applied after 5 failed attempts to access a system with incorrect user credentials. No access is granted for guest users or anonymous accounts. Terminated employee accounts are immediately removed from the system.

c. Confidentiality: All Company employees with access to personal data are subject to confidentiality throughout their employment contracts. Such confidentiality is maintained beyond cessation of the employee’s employment with the Company.

5. Disclosure Control.

The Company has implemented measures, including the use of the latest encryption procedures, to ensure that personal data cannot be copied, altered, read, or removed without authorization during electronic transfer or transport or while being recorded onto data storage media.

Data transfers occur via a secure VPN or over a Company owned network. When Company employees access Company systems, connections are secured through encryption. Any access to Company’s IT systems requires that the employees register a username and a password. All data transfers are audited and must be business justified and limited to the minimum necessary data.

6. Input Control.

Company takes measures to ensure it is possible to determine whether personal data has been entered into, altered, or removed from it’s data processing systems and if so, who is responsible. Any access to personal data related to the use of the Company systems is logged automatically. Company employs measures to log the username, time, type of application, and the person that data is concerning, to ensure all access to personal data is kept on record. Company maintains logs for a minimum of six months and is deleted after a maximum of seven months. All system, security, network, application logs are streamed in real-time to an outsourced SOC. This SOC reviews and alerts on all predefined incidents/patterns with an SLA of 15 minutes.

7. Job Control.

Measures are taken by Company to ensure that personal data processed on behalf of others is processed strictly in compliance with the Data Exporter’s instructions. All Company employees with access to personal data are informed of this DPA and are obligated to comply with its requirements. The Company’s employees do not have access to personal data that is not included in their authorization.

Any sub-processors of Company are required to process or use personal data only for the purposes agreed with the Data Exporter and in accordance with the standard contractual clauses binding the Company to the Data Exporter.

8. Availability Control.

The Company takes measures to ensure that personal data is protected against accidental destruction or loss. As provided under Section 2 of this Appendix, the Company’s sites are secured in the usual manner to protect against fire and can continue even during power outages of a certain duration. The Company secures data stored through continuous backup of stored data several times daily. The backup is conducted as a mix of full backup and incremental backup. The Company regularly conducts tests of previously completed backups to ensure sure that the backup routines function as intended. For safety reasons, backups are also duplicated and stored in another data center from the same provider in the same country and region. For systems that are hosted in the cloud, backups are taken and stored by AWS automatically. For systems that are not hosted in the cloud, the Company has redundant sites in place for the processing and storage of data in Phoenix, Arizona and Las Vegas, Nevada.

In addition, the Company uses intrusion detection / prevention systems (IPS / IDS) to prevent interference of data integrity. An IPS/IDS will block/detect nefarious access attempts to access applications via known exploits. When run in IPS mode such attempts are logged and blocked. Company runs devices in IPS mode in both data centers.

The Company’s data centers electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back-up power for the entire facility. The Company´s business continuity procedures are: backup copies at alternate data centers, with pre-configured servers available in the event that operations need to be shifted between data centers.

Climate control is required to maintain a constant operating temperature for the servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels. Electrical, mechanical, and life support systems and equipment are monitored so that any issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment.

 

PREVIOUS VERSIONS

Dec. 19, 2019
Oct. 30, 2019

Travel Tripper Logo

Request a Demo