
ANNEX I TO EEA (European Economic Area) CUSTOMER – AVIATRIX SCCs (Standard Contractual Clauses) (transfer controller-controller)

Description of Transfer

Categories of data subjects whose personal data is transferred

  • Employees, contractors, managers, board members and other natural persons using the Customer’s IT infrastructure

Categories of personal data transferred

  • Contact details of representatives of the Customers (for the purposes of managing the relationship between Aviatrix and the Customer, billing, and logging support tickets).
  • IP addresses and (occasionally) historic user log-in data (included in the log files) shared for support issue resolution

 

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

  • Not applicable

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

  • Contact details are provided when Customer representatives register with Aviatrix for support, software management or billing purposes; contact information is also provided when Customer representatives issue a request for support.
  • Log files generated by the Aviatrix Software running in the customer’s cloud network environment can be required to resolve support issues regarding the Aviatrix Software and may be shared by the customer on an ad hoc basis.

Please note that Aviatrix has no remote access to the Aviatrix software deployed by the Customer or otherwise to Customer data or to Customer’s IT infrastructure.

 

Nature of the processing

  • For contact details: Collecting, keeping up to date, and use for managing the relationship
  • For log files: collecting and analysing for the purposes of providing support

Purpose(s) of the data transfer and further processing

  • Managing the relationship between the Customer and Aviatrix
  • Providing support when necessary
  • Where appropriate, marketing purposes

 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

  • Contact details of Customer representatives will be retained during the relationship between Aviatrix and the Customer and as long as necessary for regulatory and/or audit purposes thereafter;
  • Log files will be retained for 30 calendar days

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Aviatrix relies on external IT service providers (for example provider(s) of CRM software and software enabling our customers to raise support tickets). Most of our data processors are based in the United States, and we have controller-processor SCCs in place to govern the transfer of personal data to these processors if necessary.

 

Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with Clause 13

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens)

 

ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the processor(s) / data importer(s) (including any relevant certifications) to ensure an appropriate level of security, considering the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

 

Measure: Description

Measures of pseudonymisation and encryption of personal data: Aviatrix uses TLS (Transport Layer Security) AES-256 encryption (both in-transit and at rest).

Please also see Security at Aviatrix – Aviatrix

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: All Aviatrix employees that have access to Customer (personal) data are bound by confidentiality. In addition, all employees complete an annual security training program and employ best practices when handling Customer (personal) data.

Aviatrix is SOC 2 certified. For more detail, please see also: Security at Aviatrix – Aviatrix

Aviatrix has in place physical, electronic, and administrative security measures appropriate to the risks and sensitivity of the personal data we process. We have processes to store personal information that we have collected in secure operating environments. For more detail also see our privacy policy:  Privacy Policy – Aviatrix

 

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: Aviatrix has defined and documented its Platform recovery plans in the Business Continuity Management Policy and Technical Recovery Plans. This plan requires hourly backup of our IT systems and annual backup recovery testing. Management reviews and approves the plans annually.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures to ensure the security of the processing: Aviatrix works with industry-leading security firms to perform annual network and application layer penetration tests.

Aviatrix is SOC 2 certified. For more detail, please see also: Security at Aviatrix – Aviatrix

Measures for user identification and authorisation: Representatives of Customers who have an Aviatrix account can authenticate using username, password, and MFA (Multi Factor Authentication).

All credentials are hosted in the application database, which is encrypted at rest (using TLS (Transport Layer Security) AES-256).

 

Measures for the protection of data during transmission: We apply TLS (Transport Layer Security) AES-256 encryption to data in-transit.

Measures for the protection of data during storage: We apply TLS (Transport Layer Security) AES-256 encryption to data at rest.

Measures for ensuring physical security of locations at which personal data are processed: Aviatrix has a robust Information Security Management System in place as defined within our security policy, which covers secure working areas, securing our IT equipment wherever it may be, and restricting access to our buildings and offices to appropriate personnel, amongst others.

Our physical security practices include reception attendance during work hours, requirements for visitors to register, badge access to all non-public areas, and we rely on (after hours) access and video recording. All personal data are processed remotely within AWS (Amazon Web Services) controlled datacenters, which provide comprehensive physical security measures.

We are also SOC-2 certified.

 

 

Measures for ensuring events logging: Aviatrix logs all material security incidents, including incidents that constitute a data breach under the GDPR (General Data Protection Regulation).

Measures for ensuring system configuration, including default configuration: Aviatrix production environments are deployed using CI/CD pipelines and scripts to ensure a configuration baseline that meets security requirements defined within the security policy.

Measures for internal IT and IT security governance and management: Aviatrix is SOC-2 certified.

Aviatrix manages production configurations using cloud native utilities and cloud anomaly detection tools implemented to scan for external threats. The cloud native utility tool monitors the production resource configurations against defined rules. The cloud anomaly detection tool continuously monitors the Platform for malicious activity and unauthorized behavior. When issues with the production servers’ configurations are detected, the tool logs and alerts the Security team to analyze and prioritize the issues.

 

Measures for certification/assurance of processes and products: Aviatrix is SOC-2 certified.

 

Measures for ensuring data minimisation: Aviatrix only processes the necessary Customer personal data to manage its relationship with the Customer and personal data contained in log files (IP addresses and (occasionally) log-in data). The log files are deleted after 30 calendar days.

Measures for ensuring data quality: Customer representatives can update their personal data through the account settings.

Log files containing Customer personal data will only be retained for 30 calendar days and only used for providing support and (occasionally) improvement of the Aviatrix software.

Measures for ensuring limited data retention: Please refer to “Data Retention” in “chapter 12. Europe / United” of our privacy policy: Privacy Policy – Aviatrix

 

Measures for ensuring accountability: Aviatrix has in place an appropriate governance model and policies ensuring accountability.

Measures for allowing data portability and ensuring erasure: Please refer to “Your Privacy Rights” in “chapter 12. Europe / United” of our Privacy Policy to see how we deal with data subject rights: Privacy Policy – Aviatrix