Data protection in the Cloud - International
11.1 Scope. You acknowledge that You use the Service under a shared responsibility model. This clause 11 defines the roles, responsibilities and assurances between You and the Provider regarding Data Protection and, in particular, Personal Data under the GDPR. It also serves as the Data Processing Addendum between You and the Provider as required by the GDPR.
11.2 Roles. In the context of this Agreement, the Provider acts as “processor” to You who may act either as “controller” or “processor” as each term is defined in the GDPR.
11.3 Types of information collected. The Service collects a minimum set of Personal Data on Users of the Service, the contributions of Users and circumstantial information as follows:
11.3.1 Personal Data. The Service collects Personal Data solely for the purpose of authenticating Users at login and their identification in the Session. This information is limited to (a) first name and surname, (b) email address and (c) organisation or department. For the purpose of maintaining User accounts via a centralised directory or single sign on, this information can be extended by a unique identifier such as a personnel number.
11.3.2 Contributions of Users. Users and their contributions to Sessions fall into two categories: (a) Participants who submit ideas, comments and ratings, which can include file attachments, and (b) Hosts who set up and run Sessions with Participants and who also contribute Session structures such as agendas and questions by which they organise the Session and guide the work of Participants in the Session.
11.3.3 Circumstantial information. This is information logged for security auditing purposes such as the IP address from which Users connect or which records were created, accessed or changed. The Provider screens and analyses these logs solely for the purpose of securing the deployment and protecting the information therein. The Provider deletes logs after 90 days.
11.4 Provider’s obligations and responsibilities. The Provider implements and maintains technical and organisational measures to adequately protect Your data in accordance with and satisfying the requirements of the GDPR and the principle of data secrecy.
11.4.1 Processing. The Service processes Personal Data and contributions of Users only in so far as it provides the technical functionality by which Your Users enter, change and delete such information. For the avoidance of doubt, the Provider is not involved in the processing of Personal Data and User contributions beyond (a) providing the functionality for such processing by You as part of its Service, (b) creating, restoring and deleting backup copies of the Center database which hold such information (c) creating, storing and deleting Audit logs and (d) recording licensing information in the Subscription Store.
11.4.2 Storage. Information collected by the Service is stored in encrypted format only in the agreed geography from where information is transmitted to Users directly in encrypted format. For the avoidance of doubt: The Provider will not store Your Personal Data or any other content of your Center outside the agreed location. The Provider hosts the Centers of residents of the European Union in the European Union. You can instruct the Provider to host Your Center in London or Singapore or another mutually agreed AWS region outside the European Union.
11.4.3 Disclosure of collected information. The Provider will not disclose or transmit information that has been collected by the Service to anyone, unless required by law following due legal process.
11.4.4 Sub-processing. The Service rests on the infrastructure services of Amazon (AWS) who acts as a sub-processor under the Provider’s control. A GDPR compliant data processing addendum is incorporated in the agreement between AWS and the Provider. The Provider will inform You of any changes of sub-processors.
11.4.5 Personnel. The Provider warrants that personnel entrusted with processing Your data has been vetted and instructed on the protective regulations of the GDPR and have undertaken to comply with the principle of data secrecy.
11.4.6 Encryption. The Provider warrants that information is stored and transmitted only in encrypted format.
11.4.7 Use by Provider. The Provider makes no use of information collected by the Service other than to keep track of the personal licensing and unlicensing of individuals as Host and to provide information to these Users regarding their new or changed role. For the avoidance of doubt: The Provider does not profile use patterns, User contributions or Personal Data or related information for any purpose and will prevent any third party from doing so.
11.4.8 Other systems. Information collected by Your use of the Service is held (a) in a dedicated Center instance with dedicated database, (b) backups of that database and (c) the Subscription Store. The Subscription Store is located in Dublin (European Union) and holds the names and email addresses only of Hosts, Subscription Administrators and Licensors. The Provider maintains licensing information as part of its business records in compliance with legal requirements and good commercial practice.
11.4.9 Deletion. The Provider deletes Your Center and its database including all backup copies automatically at the end of the Grace Period or on Your written order. The Provider will also delete backup copies of Your Center on your written order should this be required for You to comply with deletion requests. For the avoidance of doubt: After such deletion no copies of Your information shall survive, and You accept that such information cannot be subsequently restored.
11.4.10 Use statistics. To improve its product, the Provider keeps anonymous statistics on the use of system components. These statistics do not allow for disaggregation to the level of individual Users or groups of Users.
11.4.11 Notification of breaches. The Provider will inform you without undue delay of any material breach of the regulations for the protection of Your Personal Data, committed by the Provider, its personnel or third parties. The Provider shall implement the measures necessary to secure the data and to mitigate potential adverse effects on the data subjects and shall agree upon the same with You without undue delay. The Provider shall support You in fulfilling Your disclosure obligations regarding such breaches.
11.4.12 Enquiries by data subjects. At your written request, the Provider will assist You in answering a data subject’s enquiry related to Your collection, processing or use of such data subject’s data by Your Use of the Service. You and the Provider acknowledge the right of individuals falling under the protection of the GDPR to access their personal data pursuant to the GDPR and will grant individuals reasonable access to personal information they received pursuant to these principles. In addition, You and the Provider will take reasonable steps to permit individuals to correct, amend, or delete such information that is demonstrated to be inaccurate or incomplete. An individual may request to access his or her information, or otherwise correct, amend, or delete his or her information pursuant to the GDPR by contacting the Provider at firstname.lastname@example.org.
11.5 Your obligations. While the Provider is responsible for the technical security, availability, confidentiality and functionality of the Service, it falls on You to assure that the Service is used in compliance with the GDPR, the principles of data secrecy and other regulations that may apply to you. This obligation includes but is not limited to the following sub-clauses of this clause 11.5:
11.5.1 Collection of Personal Data. You will collect Personal Data only with the User’s consent and/or where You have a legitimate interest or legal basis to do so.
11.5.2 Authentication. You will set and enforce adequate authentication requirements and a separation of roles to protect the Personal Data and contributions of Your Users.
11.5.3 Data economy. You acknowledge that the Service is not a repository for the results and the minutes of Sessions and will instruct Your Administrators and Hosts to delete Personal Data after it has served its purpose and apply the principles of data secrecy and economy through the Service’s automated procedures to remove inactive User accounts and old unused Sessions which may hold Participant lists.
11.5.4 Irregularities. You will instruct Your Administrators that any attempt to circumvent the Service’s protective measures and controls regarding the bulk extraction, profiling or transfer of Personal Data is a severe violation of this Agreement and may be a crime.
“Center” means the technical environment in which Sessions are planned, executed and stored and for which a Center Subscription must be purchased.
“Data Processing Addendum” means the Agreement between You and the Provider regarding the respective roles and responsibilities under the GDPR which is incorporated in this Agreement as clause 11.
“Data Protection Officer” designates the MeetingSphere officer responsible for compliance with Meeting-Sphere’s contractual and legal obligations regarding data protection.
“GDPR” refers to the General Data Protection Regulation of the European Union.
“Grace Period” is the term measured in weeks or months for which a Center is preserved for renewal after the Center Subscription has expired.
“MeetingSphere” means MeetingSphere GmbH a limited liability company registered in Hamburg HRB 153862 with offices at Efftingestrasse 28, 22041 Hamburg, Germany, referred to throughout this agreement as ‘Provider’.
“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly.
“Subscription Store” means the Provider’s system used for transactions related to Center Subscriptions and Host Subscriptions and for the provisioning of the Service.
* The ‘Terms and Conditions for the Software Service – International’ apply to products XLeap Center and Managed Server. The ‘Terms and Conditions for Personal Subscriptions - International‘ differ regarding the details of technical implementation.