Data Processing Agreement (“DPA”) of Víntegris nebulaSUITE services
This Data Processing Agreement (“DPA”) is an agreement between the applicant and the entity it represents (“Client”) and Víntegris, S.L. (“VÍNTEGRIS”) and establishes the obligations of both parties regarding the processing and security of the personal data for which the Client is responsible in relation to the use of the nebulaSUITE Services.
This DPA complements the General Conditions of the nebulaSUITE Service available at https://www.vintegris.com//es/nebulasuite-service-terms/ or any other agreement between the Client and VÍNTEGRIS that governs the Client’s use of the nebulaSUITE Services provided by VÍNTEGRIS, whenever Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) applies to the use of those services.
For the purpose of this DPA:
“Applicable Data Protection Law” means the laws and regulations in force where the data processing takes place, which apply to the terms of this DPA and which may change from time to time. It encompasses both Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) and the applicable local laws of the place where the processing takes place.
“Responsible” or “Data Controller” means the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for by Union or Member State law;
“Processor” or “Data Processor” means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller;
“Data Subject” means a person who is the subject of personal data;
“DPA”, “this DPA”, “this DPA agreement” is this Data Processing Agreement;
“Personal data” means any information relating to an identified or identifiable natural person (“the data subject”); an identifiable natural person is one whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
“Supervisory Authority” means an independent public authority established by a member state that deals with the supervision of the processing of personal data in order to protect the fundamental rights and freedoms of natural persons with regard to the processing of their data.
“Client Data” means all personal data (including all text, sound, video, or image files and digital certificates) that the authorized persons of the Client incorporate into the databases and hosting systems of each service, as well as those that may be generated and preserved through the use of nebulaSUITE services. The Client is responsible for the processing of this personal data.
“Services”, “nebulaSUITE Services” are Software as a Service (SaaS) services. These are the services provided through the internet by VÍNTEGRIS in favour of the Client, in relation to the use of the contracted service, through the nebulaSUITE platform and within the cloud computing infrastructure.
“Subprocessors” are the other data processors that Microsoft uses to process Customer Data, Professional Services Data, and Personal Data, as described in Article 28 of the GDPR.
Clause 1. Purpose and scope of application
- The purpose of the clauses of this DPA (hereinafter, “clauses”) is to ensure compliance with article 28, sections 3 and 4, of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- The controllers and processors listed in Annex I have given their consent to be bound by these specifications in order to ensure compliance with article 28, sections 3 and 4, of Regulation (EU) 2016/679.
- This list of clauses applies to the processing of personal data specified in Annex II.
- Annexes I to IV are part of the specifications.
- This list of clauses is without prejudice to the obligations to which the controller is subject by virtue of Regulation (EU) 2016/679.
- This list of clauses does not in itself guarantee compliance with the obligations related to international transfers contemplated in Chapter V of Regulation (EU) 2016/679.
- The specifications of this DPA are aligned with Commission Implementing Decision (EU) 2021/915 of June 4, 2021, on standard contractual clauses between controllers and processors.
- This DPA, including its definitions, recitals and annexes, is a stand-alone document that does not incorporate trade terms that may have been established by the parties in separate trade agreements.
Clause 2. Invariability of the list of clauses
- The parties agree not to modify the specifications, except to add or update information in the annexes.
- This does not prevent the parties from adding other clauses or additional guarantees, provided that they do not contradict, directly or indirectly, the list of clauses or harm the fundamental rights or freedoms of the data subjects.
Clause 3. Interpretation
- When terms defined in Regulation (EU) 2016/679 are used in this specification, it is understood that they have the same meaning as in the corresponding Regulation.
- These specifications must be read and interpreted in accordance with the provisions of Regulation (EU) 2016/679.
- This list of clauses may not be interpreted in a way that conflicts with the rights and obligations established in Regulation (EU) 2016/679 and/or that harms the fundamental rights or freedoms of the data subjects.
Clause 4. Hierarchy
In case of contradiction between this list of clauses and the provisions of related agreements between the parties that were in force at the time this list of clauses was agreed upon or began to be applied, this list of clauses will prevail.
SECTION II. OBLIGATIONS OF THE PARTIES
Clause 5. Description of the processing
Annex II specifies the details of the processing operations and, in particular, the categories of personal data and the purposes for which the personal data is processed on behalf of the controller.
Clause 6. Obligations of the parties
- The controller will instruct the processor to process the personal data in the manner that is reasonably necessary for the processor to carry out the processing in accordance with this DPA and with Regulation (EU) 2016/679.
- The processor will process the personal data only on documented instructions from the controller, in accordance with the terms of service established in the General Conditions of the nebulaSUITE Service, unless it is required to do so by Union or Member State law that applies to the processor. In such a case, the processor will inform the controller of that legal requirement prior to the processing, unless said law prohibits it for important reasons of public interest. The controller may also give further instructions at any time during the period of processing of personal data. These instructions must always be documented.
- The data controller shall refrain from giving instructions that do not comply with applicable laws, including Regulation (EU) 2016/679; in the event that such instructions are given, the data processor has the right to refrain from carrying them out.
- The processor shall immediately inform the controller if, in the opinion of the processor, the instructions given by the controller infringe Regulation (EU) 2016/679, Regulation (EU) 2018/1725 or the applicable provisions of Union or Member State law on data protection.
- The processor will not disclose any personal data to a third party under any circumstances other than at the specific written request of the controller, unless such disclosure is necessary to fulfil the obligations of the Service Agreement or is required under Union or Member State law that applies to the processor.
6.2. Purpose limitation
The processor will process the personal data only for the specific purposes of the processing indicated in Annexe II, except when following additional instructions from the controller.
6.3. Duration of the processing of personal data
Processing by the processor will only be carried out during the period specified in Annexe II.
6.4. Security of processing
- The processor will apply, as a minimum, the technical and organizational measures specified in Annexe III to guarantee the security of personal data. One of these measures may consist of protection against security breaches that result in the accidental or unlawful destruction, loss, or alteration of personal data or the unauthorized disclosure of or access to such data (“personal data breach”). When determining an adequate level of security, the parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context, and purposes of the processing, and the risks that the processing entails for the data subjects.
- The processor will only grant access to the personal data processed to members of its staff to the extent strictly necessary for the execution, management, and monitoring of the contract.
- The processor will guarantee that the persons authorized to process the personal data received have committed themselves to confidentiality or are subject to a statutory obligation of confidentiality. The processor must keep all documented records of compliance with the confidentiality obligation available to the data controller.
- The processor must ensure that all persons authorized to process personal data receive the necessary training in the protection of personal data.
6.5. Sensitive data
If the processing concerns personal data revealing ethnic or racial origin, political opinions, religious or philosophical convictions, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person, or data relating to criminal convictions and offences (“sensitive data”), the processor will apply specific restrictions and/or additional safeguards.
6.6. Documentation and compliance
- The parties must be able to demonstrate compliance with the specifications of this DPA.
- The processor will promptly and adequately resolve the queries of the controller related to the processing in accordance with these specifications.
- The Processor shall designate in Annexe I a point of contact within its organization authorized to respond to inquiries related to the processing of Personal Data and shall cooperate with the Controller, the Data Subject and the Supervisory Authority with respect to all such inquiries within a reasonable time.
- The processor will make available to the controller all the information necessary to demonstrate compliance with the obligations set out in these specifications and those deriving directly from Regulation (EU) 2016/679 and Regulation (EU) 2018/1725.
- At the request of the controller, the processor will allow and contribute to audits of the processing activities covered by these specifications at reasonable intervals or if there are indications of non-compliance. In deciding whether to conduct a review or audit, the controller may take into account any relevant certifications held by the processor.
- These audits will be requested with reasonable notice and will be conducted during normal business hours. The request may be subject to any necessary consent or approval from a supervisory authority within the controller’s country.
- The controller may choose to carry out the audit itself or authorize an independent auditor. The audits may also consist of inspections of the premises or physical facilities of the processor and, where appropriate, be carried out with reasonable notice.
- The parties will make available to the competent supervisory authorities, at their request, the information referred to in this clause and, in particular, the results of the audits.
- The processor will notify the data controller of any request for information by the Supervisory Authority.
- The processor will notify the controller of any complaint, notification, or communication received that relates directly or indirectly to the processing of personal data or other related activities or that relates directly or indirectly to the compliance of the processor and/or the responsible with the relevant applicable law, including applicable data protection law.
6.7. Recourse to subprocessors
- The processor has the authorization of the controller to engage the sub-processors that appear in the agreed list documented in Annexe IV. The processor will inform the controller specifically and in writing of any additions to or substitutions of sub-processors in said list at least 1 month in advance, so that the controller has sufficient time to object to such changes before the sub-processor or sub-processors in question are engaged. The processor will provide the controller with the information necessary to exercise its right to object.
- When the processor engages a sub-processor to carry out specific processing activities (on behalf of the controller), it will do so by means of a contract that imposes on the sub-processor, in essence, the same data protection obligations as those imposed on the processor by virtue of these specifications. The processor will ensure that the sub-processor complies with the obligations to which it is subject by virtue of these specifications and Regulation (EU) 2016/679.
- The processor will provide the controller, at the controller’s request, with a copy of the contract with the sub-processor and any subsequent amendments thereto. To the extent necessary to protect trade secrets or other sensitive information, such as personal data, the processor may redact the contract text before sharing the copy.
- The processor will remain fully responsible to the controller for the fulfilment of the obligations imposed on the sub-processor by its contract with the processor. The processor will notify the controller of any breach by the sub-processor of the obligations attributed to it by said contract.
- The processor will agree with the sub-processor a third-party beneficiary clause by virtue of which, in the event that the processor disappears de facto, ceases to exist legally or is insolvent, the controller will have the right to terminate the contract of the sub-processor and order the sub-processor to delete or return the personal data.
6.8. International transfers
- Data transfers to a third country or to an international organization by the processor may only be carried out following documented instructions from the controller or by virtue of an express requirement of Union or Member State law to which the processor is subject, and will be carried out in accordance with Chapter V of Regulation (EU) 2016/679.
- The controller agrees that where the processor uses a sub-processor in accordance with clause 6.7 to carry out specific processing activities (on behalf of the controller) and such activities involve a transfer of personal data within the meaning of chapter V of the Regulation (EU) 2016/679, the processor and the sub-processor can guarantee compliance with Chapter V of Regulation (EU) 2016/679 using standard contractual clauses adopted by the Commission, in accordance with article 46, paragraph 2, of Regulation (EU ) 2016/679, provided that the conditions for the use of said standard contractual clauses are met.
Clause 7. Obligations of the data controller
The data controller guarantees and undertakes that:
- Personal data has been collected, processed and transferred in accordance with applicable data protection laws.
- It will carry out an assessment of the impact on the protection of personal data of the processing operations that the processor will carry out when a type of processing may give rise to a high risk to the rights and freedoms of the data subjects.
- It will have in place the appropriate technical and organizational measures to protect the confidentiality of personal data, as well as to protect them against accidental or unlawful destruction or accidental loss, alteration, disclosure or unauthorized access, and that provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.
- It will respond to requests from data subjects and supervisory authorities in relation to the processing of personal data as stipulated in Clause 8 (b).
- It will carry out the prior consultations due to the supervisory authority when a data protection impact assessment indicates that the processing would give rise to a high risk in the absence of measures taken by the controller to mitigate the risk.
Clause 8. Assistance to the data controller
- The processor will promptly notify the controller of any request received from a data subject. It will not respond to said request itself unless the controller has authorized it to do so.
- The processor will help the controller fulfil its obligations when responding to requests to exercise the rights of the data subjects, taking into account the nature of the processing. In fulfilling the obligations attributed to it by letters a) and b), the processor shall comply with the instructions of the controller. Where applicable:
  - the data subject should first address the request to the data controller;
  - then, the controller, after receiving the request, will ask the processor to carry out the necessary actions through the contact point established in Annexe I;
  - once the processor has received the controller’s request, the processor will respond to the controller within ten (10) business days;
  - in the event that a data subject communicates directly with the processor, the latter will ask the data subject to direct their request to the controller. At the same time, the processor will inform the controller of this request;
- In addition to the obligation of the processor to assist the controller under clause 8(b), the processor will also help the controller to ensure compliance with the following obligations, taking into account the nature of the processing and the information available to the processor:
  - the obligation to carry out an assessment of the impact of processing operations on the protection of personal data (“impact assessment”) when a type of processing is likely to pose a high risk to the rights and freedoms of natural persons;
  - the obligation to consult the competent supervisory authorities before proceeding with the processing when a data protection impact assessment shows that the processing would entail a high risk if the controller does not take measures to mitigate it;
  - the obligation to ensure that the personal data is accurate and up to date, informing the controller without delay if the processor discovers that the personal data it is processing is inaccurate or has become obsolete;
  - the obligations contemplated in [OPTION 1] article 32 of Regulation (EU) 2016/679 / [OPTION 2] articles 33 and 36 to 38 of Regulation (EU) 2018/1725.
- The parties will establish in Annex III appropriate technical and organizational measures that oblige the processor to help the controller to apply this clause, as well as the object and scope of the assistance required.
Clause 9. Notification of personal data breaches
In the event of a personal data breach, the processor will cooperate with the controller and help it fulfil the obligations attributed to it by articles 33 and 34 of Regulation (EU) 2016/679, taking into account the nature of the processing and the information available to the processor.
9.1. Personal data breach concerning data processed by the controller
In the event of a personal data breach concerning data processed by the controller, the processor will assist the controller in the following:
- Notifying the personal data breach to the competent supervisory authorities without undue delay once it becomes known, where applicable (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons).
- Collecting the following information, which, in accordance with article 33, section 3, of Regulation (EU) 2016/679, must appear in the controller’s notification, which must include at least:
  - the nature of the personal data breach, including, where possible, the categories and the approximate number of data subjects affected, and the categories and the approximate number of personal data records affected;
  - the likely consequences of the personal data breach;
  - the measures adopted or proposed by the data controller to address the personal data breach, including, where applicable, the measures taken to mitigate its possible adverse effects.
  When and to the extent that all the information cannot be provided at the same time, the information available at that time will be provided in the initial notification, and additional information will be provided without undue delay as it becomes available.
- Complying, in accordance with article 34 of Regulation (EU) 2016/679, with the obligation to notify the data subject of the personal data breach without undue delay when the breach is likely to result in a high risk to the rights and freedoms of natural persons.
9.2. Personal data breach concerning data processed by the processor
In the event of a personal data breach concerning data processed by the processor, the processor will notify the controller without undue delay once the processor becomes aware of it. Said notification must include at least:
- a description of the nature of the breach (including, where possible, the categories and the approximate number of data subjects and data records affected);
- details of a contact point where further information about the personal data breach can be obtained;
- its likely consequences and the measures taken or proposed to address the breach, including measures taken to mitigate its possible adverse effects.
When and to the extent that all the information cannot be provided at the same time, the information available at that time will be provided in the initial notification, and additional information will be provided without undue delay as it becomes available.
The parties will establish in Annexe III the other elements that the processor must provide when helping the controller fulfil the obligations attributed to it by articles 33 and 34 of Regulation (EU) 2016/679.
SECTION III. FINAL PROVISIONS
Clause 10. Breach of the clauses and termination of the contract
- Without prejudice to the provisions of Regulation (EU) 2016/679, in the event that the processor fails to comply with the obligations attributed to it by these specifications, the controller may order the processor to suspend the processing of personal data until the processor again complies with this list of clauses, or terminate the contract. The processor will promptly inform the controller in the event that it cannot comply with these specifications for any reason.
- The controller will be empowered to terminate the contract as regards the processing of personal data under these specifications when:
  - the processing of personal data by the processor has been suspended by the controller in accordance with letter a) and compliance with this list of clauses is not restored within a reasonable period of time and, in any case, within one month of the suspension;
  - the processor substantially or persistently fails to comply with these specifications or the obligations attributed to it by Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725;
  - the processor fails to comply with a binding decision of a competent court or of the competent supervisory authorities in relation to its obligations under these specifications, Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
- The processor will be empowered to terminate the contract as regards the processing of personal data under these specifications when, after having informed the controller that its instructions violate the legal requirements set out in clause 7.1, letter b), the controller insists that these instructions be followed.
- After termination of the contract, the processor will, at the request of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or return all personal data to the controller and delete existing copies, unless Union or Member State law requires the storage of the personal data. Until the data is deleted or returned, the processor will continue to guarantee compliance with these specifications.
- Other reasons and conditions of termination will be subject to the General Conditions of the nebulaSUITE Service.
Clause 11. Liability and compensation
- The processor will not be liable for any claim brought by a data subject that is a consequence of any action of the processor, to the extent that said action is the direct result of the instructions of the controller and of the incorrect implementation of its technical and organizational measures.
- In the event that a data subject files a claim against the processor arising from any action or omission of the processor, to the extent that said action or omission is the direct result of the instructions of the controller, or of the incorrect application by the controller of its technical and organizational measures in accordance with Clause 7 (c) of this DPA, the controller shall indemnify, hold harmless and defend at its own expense the processor with respect to all costs, claims, damages, or expenses incurred by the processor for which the processor may be liable as a result of any breach by the controller or its managers, employees, agents, or contractors of their obligations under the provisions of this DPA.
Clause 12. Law applicable to this DPA
This DPA shall be governed by and construed in all respects in accordance with the laws and regulations of the EU country where the data processing takes place. The parties to this agreement submit to the exclusive jurisdiction of the place where the data processing takes place for all purposes of this DPA.
Clause 13. Resolution of disputes with interested parties or supervisory authorities
- In the event of a dispute or claim filed by a data subject or a supervisory authority regarding the processing of personal data against one or both parties, the parties shall inform each other of such disputes or claims and cooperate with a view to resolving them amicably and in the most timely manner.
- The parties agree to respond to any available non-binding mediation procedures generally initiated by a data subject or by a supervisory authority. If they participate in the proceeding, the parties may choose to do so remotely (for example, by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation, or other dispute resolution procedure enabled for data protection disputes.
- Each party undertakes to abide by the decision of the supervisory authority, which is final and against which it will no longer be possible to appeal.
ANNEXE I. List of parties
As Data Controller:
- Name: The Client who contracts nebulaSUITE services under the agreed General Conditions of Service.
- Address: As specified in the agreement or contract for the provision of nebulaSUITE services signed between both parties.
- Reference department/employee: As specified in the agreement or contract for the provision of nebulaSUITE services signed between both parties.
- Name, position and contact information of the contact person: As specified in the agreement or contract between both parties.
- Date of adhesion: Date of entry into force of the contract or agreement for the provision of nebulaSUITE services signed by both parties.
As Data Processor:
- Name: VÍNTEGRIS, S.L.
- Address: Carrer Pallars, 99, Planta 3a, Oficina 33, 08018 Barcelona, Spain
- Reference department/employee: As specified in the agreement or contract for the provision of nebulaSUITE services signed between both parties
- Contact details of the contact person: incidentesRGPD@vintegris.com
- Date of adhesion: Date of entry into force of the contract or agreement for the provision of nebulaSUITE services signed by both parties.
ANNEXE II. Description of the processing
Categories of data subjects whose personal data is processed
- Personnel, collaborators, and others authorized by the Client who are users of the nebulaSUITE platform
- Holders of the certificates that the Client manages through nebulaSUITE services
- Applicants for the issuance of qualified certificates through remote video identification using the nebulaID platform.
Categories of personal data processed
- Information of the users of the nebulaSUITE platform necessary to access and use the services:
  - Identity of users, for example, their first and last names.
  - Professional contact information such as email address and telephone number.
  - Authentication data for access.
  - Records of user activity in the use of the Services, which may include the IP address from which the nebulaSUITE platform is accessed.
- Data of the holders of the certificates that the Client decides to include in them:
  - Personal identification information including unique identity numbers, such as identification document or passport number, employee number or others that the Client uses to identify the certificate holders.
  - Business contact information, such as business email address.
  - Professional relationship information such as company and job or powers granted.
  - Signature image that may appear on documents stored on the nebulaSUITE platform.
  - The qualified certificates themselves as a carrier of the data of the certificate holders.
- In the case of using nebulaID for remote video identification:
  - Identification data
  - Image of identity documents
  - OCR processing results of identity documents
  - Video recording of the platform user’s proof of life, including voice recordings
  - Audit records of the verification process
  - Data on the personal circumstances of the applicant depending on the type of certificate to be issued (date of birth, nationality, place of birth or residence, gender, company, position or representation, …)
Special Category Data
- This DPA does not cover the processing of data classified as “special category data” or data that requires special protection measures.
- The processing of such data on behalf of the Client may only be carried out under a prior agreement between both parties and after an adequate data protection impact assessment has been carried out before processing begins.
- In the case of using nebulaID, although a facial recognition process is carried out applying biometric techniques, no biometric data is generated or collected.
Nature of processing
- VÍNTEGRIS will process the Customer Data through the Services provided by the nebulaSUITE platform.
- It involves the activities of:
- Registration and storage of customer information.
- Deletion or destruction of information when required by the Client and at the termination of the service.
- Limitation of the processing of information at the request of the Client or competent authority.
- For services provided through nebulaID:
- Video capture of users and their identification documents
- Scanning and OCR processing of identification documents
- Application of facial recognition algorithms comparing the image of the person with the one contained in the identification document, using document validation technology and facial biometrics
- Preservation of the evidence collected during the recognition process for the periods established by legal obligations
- All data is stored on servers in the EU through services provided by third parties as stipulated in ANNEXE IV List of Subprocessors.
- The data is provided by the Client as data controller, when using the Services.
- Processing on the nebulaSUITE platform is automated, so VÍNTEGRIS personnel do not have access to the Client’s data. Where such access does occur, it takes place only at the express request and under the supervision of the Client, for example, when support is required for the use of the service or for the resolution of a problem reported by the Client.
- VÍNTEGRIS considers that it does not have instructions to process other personal data that could circumstantially be included in the content managed by the Client.
- Any additional personal data that is processed by VÍNTEGRIS on behalf of the Client must be agreed upon as an amendment to this DPA.
- It should be noted that, in the event that the contracted services include the issuance of qualified certificates by VinCAsign, the certification authority of VÍNTEGRIS, the controller for that processing is VÍNTEGRIS, as established by the current legislation on the provision of trust services.
- The use of nebulaID corresponds to a registration authority (RA) function, so it is only considered part of a processing order when the Client is another Qualified Trust Service Provider (QTSP) that has responsibility for the RA.
Purpose of the processing of personal data on behalf of the data controller
VÍNTEGRIS will process the data solely for the purpose of providing the contracted nebulaSUITE platform services and in accordance with the General Conditions of Service.
- This DPA applies for the duration of the provision of the service as established in the contract or agreement for the provision of nebulaSUITE services signed by both parties.
- After the termination of the contract or agreement, VÍNTEGRIS will maintain its obligations with respect to the data processed in accordance with the period determined by the data retention policy described in the General Conditions of the nebulaSUITE Service or other terms agreed explicitly between both parties.
- In the event that the provision of services includes the issuance of qualified digital certificates through the VinCAsign certification authority, VÍNTEGRIS, as controller for that processing, will store the documentation and records for at least 15 years, in accordance with the requirements established by Regulation (EU) No 910/2014 of July 23, 2014, on electronic identification and trust services for electronic transactions in the internal market (“eIDAS”), and as determined in the VinCAsign Certification Practice Statement.
- In the case of the use of nebulaID services, in accordance with the provisions of Order ETD/465/2021, of May 6, which regulates remote video identification methods for the issuance of qualified electronic certificates:
- A copy of the video recording will be kept for a minimum period of fifteen years from the expiration of the validity of the certificate obtained by this means.
- Photos or screenshots of the applicant and the identity document used will be kept for a minimum period of 15 years, in which both the person and the front and back of the identity document will be clearly recognizable.
- The automatic result of the verification carried out by the application, as well as the evaluation and observations made by the operator together with its decision to approve or reject the identification, will be kept for a minimum period of fifteen years.
- All evidence from incomplete identification processes, that is, those in which the authenticity, validity and physical and logical integrity of the identification document used, and the correspondence between the document holder and the applicant, could not be verified, or which were not completed due to suspected attempted fraud, will be kept for a period of 5 years from the execution of the identification process, specifying the reason why they were not completed, in accordance with the policy established for that purpose.
- Retention will be carried out by blocking the data, in accordance with the provisions of article 32 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights.
ANNEXE III. Technical and organisational measures to guarantee data security
VÍNTEGRIS applies the necessary technical and organisational security measures to guarantee an adequate level of information security, in order to protect the confidentiality of personal data and to protect it against accidental or unlawful destruction, accidental loss, alteration, disclosure or unauthorised access, taking into account the nature, scope, context and purpose of the processing, as well as the risks to the rights and freedoms of natural persons.
These measures are implemented under the framework of an Information Security Management System that has the ISO 27001:2017 certification, as well as the certifications of the National Security Scheme (ENS) and eIDAS.
On the other hand, the Client, as a user of the Services, is responsible for implementing and maintaining the security measures and the protection of the pertinent personal data in those aspects that are under its control.
Consequently, VÍNTEGRIS confirms that it has implemented the measures listed below that apply to the processing carried out on behalf of the controller.
Security Controls in Place
1. Policies of the Organization
There is an information security and personal data protection policy published and known by all staff and collaborators.
VÍNTEGRIS has designated an Information Security Officer (“CISO”) as responsible for coordinating and supervising security rules and procedures.
Security Roles and Responsibilities
Information security roles and responsibilities are appropriately defined and assigned within the organisation.
The VÍNTEGRIS staff that manages the Services that contain Customer Data is subject to confidentiality obligations and the information security and personal data protection regulations.
Risk management program
Within the framework of the Information Security Management System, there is an information security risk assessment and treatment plan, and it is reviewed periodically.
VÍNTEGRIS carries out a periodic verification and evaluation of the effectiveness of the technical and organisational measures implemented to protect the security of the information in the treatment systems, work centres and users who use them.
This evaluation and review are carried out under the criteria of industry security standards and the policies and procedures determined by the Information Security Management System.
Supplier Security Policy
There is a formal process for assessing compliance with the information security requirements that providers processing information and personal data must meet.
Providers are only given access to information when there is a legitimate need to justify this access.
2. Staff and Collaborators
All staff and collaborators with access to information and personal data have signed a commitment to:
- Keep secrecy and guarantee the confidentiality and security of the data to which they may have access by reason of their employment, contractual or any other type of responsibility.
- Not make use of the confidential information to which they have access for purposes other than those that have been determined.
- Not communicate, reveal, divulge or transfer confidential information to unauthorised third parties.
- Maintain the duty of secrecy for a minimum period of 1 year once the employment or contractual relationship has ended.
Internal information security regulations
There is an internal regulation on information security, personal data protection and the use of IT resources that all staff and collaborators have agreed to comply with.
Information security training
All staff and collaborators with access to information and personal data have received adequate training regarding information security and personal data protection.
Rules for the use of information systems
The information security regulations establish the standards of acceptable use of the information systems and equipment that personnel are responsible for.
Prohibition of use for personal purposes of corporate equipment
It has been established that the use for private purposes of those computers and devices intended for the processing of corporate information and personal data is not allowed.
Access to corporate information from private computers is also not allowed.
3. Security in the Workplace
A mechanism has been established so that when a computer is left unattended, the screen is locked or the session is closed.
A regulation has been established so that at no time is paper documentation or information media left unattended in the workplace.
Secure data destruction
Mechanisms have been established to facilitate the secure destruction of confidential information on paper or other electronic media.
Secure telecommuting position
A policy has been established so that teleworking can be carried out safely.
Mobile device security
A policy has been established to protect the use of mobile devices and the information they may contain.
4. Management of Incidents and Security Breaches
Incident management procedure
A procedure has been defined to record and resolve incidents that affect the security of information and personal data.
Procedure for managing security breaches in personal data
The procedure makes it possible to identify when a personal data security breach occurs and to notify the data controller immediately and without undue delay of said security breaches, including all the information necessary to assess the impact and determine the causes and the corrective measures applied.
Assistance to the data controller in the notification of security breaches
Assistance is provided to the data controller in notifying the security breach to the supervisory authority and, where appropriate, to the data subjects, taking into account the information available to the data controller.
5. Access to Systems
Access control policy
VÍNTEGRIS maintains an access control policy that determines the security privileges of the people who have access to the information.
There is a formal process to manage the authorization, registration, cancellation and modification of user access to the systems.
Each person uses an individual and non-transferable user account.
VÍNTEGRIS has defined and applies a policy of minimum access by default, which guarantees that staff and collaborators only have access to the information they require to carry out their job duties.
Accounts with privileged access
To carry out system administration and configuration tasks, nominal access accounts with privileged rights are used that are different from and segregated from the accounts for ordinary use of the systems.
VÍNTEGRIS uses industry standard practices to identify and authenticate users who attempt to access information systems.
Two-factor authentication is used to access the most exposed networks and for system administration.
All systems include controls to prevent repeated attempts to gain access to information systems using an invalid password.
Password policies (or equivalent mechanisms) are guaranteed for access to systems and applications, meeting at least the following:
- Password length: minimum 8 characters
- Periodic renewal of passwords
- Password Complexity Requirements
- Limits on password reuse
There is a regulation to ensure the confidentiality of passwords, preventing them from being exposed or shared with third parties.
Internally, all passwords are stored by applying irreversible (one-way hashing) algorithms.
A log of accesses and access attempts to systems is maintained and monitored.
6. Information Processing Assets
There is an inventory of the systems and equipment used in the processing of information, with information on the person who is responsible for said equipment.
Safe disposal and reuse
Formal processes have been defined for the safe disposal and/or reuse of information processing equipment.
The systems and equipment used for the processing of information are properly maintained and updated.
The computers on which information is processed or stored have permanently active and updated anti-malware protection.
All the software used for the processing of information is duly updated and without known serious vulnerabilities.
System hardening
Hardening measures have been applied to the systems, such as, among others:
- Keep only essential ports open
- Disable all services not strictly necessary
- Lock or change default passwords for accounts with privileged access
- Encryption of the disks that contain the information
Limitation on the installation of software by users
There are regulations or technical measures to prevent staff from installing unauthorised software on their work equipment, as well as to prevent the use of software that may violate the intellectual property of third parties.
Administrative Privilege Limitation
Technical measures have been implemented so that users cannot modify or deactivate the security settings of the equipment.
Restriction on use for personal purposes
There is a regulation that prohibits the private or personal use of corporate equipment.
7. Protection of Information in Transit and at Rest
Network perimeter protection
There is perimeter protection of the network to protect it against attacks and improper access to those systems in which information and personal data are stored and/or processed.
The network has been configured so that there are segregated security zones according to the different security requirements that have been established.
Secure information transmission protocols
All traffic on the organisation’s networks, especially when it runs totally or partially through public networks, is encrypted using secure protocols without known serious vulnerabilities (for example, at least TLS 1.2).
Secure remote access
For remote access to the organisation’s network, for example through virtual private networks (VPN), secure protocols and authentication keys for both communication endpoints are used.
Encryption of information on media in transit
There are mechanisms to encrypt the information on media and equipment in transit outside the usual processing facilities.
Tests are carried out periodically to verify that the networks are free of vulnerabilities, and the necessary corrective measures are applied.
Wi-Fi network segregation
Wi-Fi networks for visitors are segregated so that access to internal company networks is not possible.
Security of cloud provider services
In the case of using the services of a cloud provider (IaaS, PaaS, SaaS, …) to process the information, it is guaranteed that the provider provides or allows the application of security measures at least equivalent to those required of the data processor.
The audit records of the operations carried out on the data (access, modification and deletion) are collected, kept and reviewed, especially when dealing with special category data.
Segregation of client instances
Services for different clients are segregated through a multi-tenant architecture, with logical segregation of users and data.
8. Physical Security of the Treatment Spaces
Physical security perimeter
There is a security perimeter to protect the premises and dependencies where information is processed or stored.
Physical access controls have been implemented at the premises where information processing is carried out to ensure that only authorised personnel have permitted access.
Physical access control
Specific entry controls have been established to limit access to strictly authorised personnel in the secure areas where the servers, network equipment or document files used for the processing and storage of information are located.
Protection against external and environmental threats
The necessary measures have been established to protect people, equipment and facilities in the event of natural disasters, malicious attacks or incidents, such as fire, floods, water leaks, air conditioning failures, etc.
The necessary measures have been established to guarantee the continuity of the electricity supply.
Security of data centre providers
The external data centres where the VÍNTEGRIS servers are located are in the EU and are required to be at least Tier III and to hold information security certifications.
More information in Annexe IV “Subprocessors”
Security of IaaS and PaaS service providers
IaaS and PaaS service providers provide the necessary physical security controls, guaranteed through appropriate certifications such as ISO 27001, SOC 2, ENS (High level), PCI-DSS, and others.
In this case, the services are contracted in data centres located in the EU.
More information in Annexe IV “Subprocessors”
9. Resilience of Systems
VÍNTEGRIS has established measures to guarantee the availability of the systems in accordance with the service levels committed.
Capacity monitoring and management
The performance of the systems is continuously monitored, with alert systems to immediately detect any incident.
Monitoring of the capacity of the systems is carried out continuously to ensure the availability of sufficient capacity for the required services.
All Víntegris systems are redundant, internally on different servers and in different, geographically distant data centres.
VÍNTEGRIS makes a backup copy stored on media separate from the usual processing equipment. This copy is made as often as necessary to meet the agreed service levels.
Additionally, VÍNTEGRIS maintains a backup copy stored in a different, geographically separated location from the usual information processing facilities. This copy is made as often as necessary to meet the committed service levels in the event of a serious incident at the processing facilities.
The successful execution of backups is continuously monitored.
Periodic recovery tests and verification of the information contained in the backup copies are carried out.
A Continuity Plan has been drawn up to recover the availability of the systems and the integrity of the information in the event of a serious incident.
There are specific protections and recovery procedures against threats that compromise the integrity of the information, such as ransomware attacks.
10. Privacy by Design and by Default
Minimization of data collection
Only the data strictly necessary for the purpose for which it is to be processed is collected.
Limitation of the data retention period
VÍNTEGRIS has established procedures to limit data retention and prevent it from being kept beyond the established periods.
Temporary files created as a result of processing are deleted when they are no longer needed.
VÍNTEGRIS has defined mechanisms to prevent the information processed on behalf of the controller from being used for purposes other than those established in this Data Processing Agreement (DPA).
Pseudonymization and data encryption
Pseudonymization and data encryption measures are applied, especially when the information processed includes special category or especially sensitive data.
Segregation of sensitive information
Access to the most sensitive information is segregated so that it can only be consulted and processed by specifically authorized personnel.
11. Exercise of the Rights of Data Subjects
VÍNTEGRIS has defined a formal process to address and assist the data controller in responding to requests from data subjects to exercise their rights.
Communication of requests to exercise rights
VÍNTEGRIS has defined the channels for communicating requests from data subjects to exercise their rights to the data controller.
There are mechanisms to limit data processing whenever required.
ANNEXE IV. List of sub-processors
Agreed list of sub-processors in accordance with Clause 6.7(a)
- Sub-processor name: Amazon Web Services Inc.
- Description of the processing: IaaS and PaaS service provider
- Processing location: European Union (Ireland, Frankfurt, Paris)
- Address and contact details: Amazon Web Services EMEA SARL
38 Avenue John F. Kennedy, L-1855, Luxembourg
Tel: +352 2789 0057
- Guarantees provided: https://aws.amazon.com/compliance/gdpr-center/
- Sub-processor name: AE Group S.à r.l. (AtlasEdge)
- Description of the processing: Provider of the data centres where VÍNTEGRIS servers are located. AtlasEdge personnel have no access to the servers or the data contained therein.
- Processing location: Spain (Barcelona and Madrid)
- Address and contact details: Email: email@example.com
- Guarantees provided:
- Sub-processor name: VERIDAS DIGITAL AUTHENTICATION SOLUTIONS, S.L.
- Description of the processing: Provider of the technological platform on which the identity recognition process is supported
- Processing location: Spain
- Address and contact details: Email: firstname.lastname@example.org
- Guarantees provided: The data processor agreement included in the platform use and distribution licence agreement signed between Víntegris and Veridas.