Data Processing Addendum
Last updated: November 19, 2025
Summary
This Data Processing Addendum ("DPA") amends the terms and forms part of the Agreement (defined below) by and between the customer as identified in the Agreement ("Customer") and the 5Soft company ("5Soft") and will be effective on the later of (i) the effective date of the Agreement; or (ii) the date both parties execute this DPA in accordance with Section 1 below ("Effective Date"). All capitalized terms not defined in this DPA have the meanings set forth in the Agreement.
1. Instructions and Effectiveness
1.1. To enter into this DPA, Customer must:
- (a) be a customer of the 5Soft products;
- (b) sign and provide all relevant information related to this DPA; and
- (c) submit the completed and signed DPA to 5Soft.
1.2. This DPA will only be effective (as of the Effective Date) if executed and submitted to 5Soft accurately and in full accordance with Section 1. Where Customer makes any deletions or other revisions to this DPA, this DPA will be null and void.
1.3. Customer signatory represents to 5Soft that he or she has the legal authority to bind Customer and is lawfully able to enter into this DPA.
2. Data Protection
2.1. Definitions
In this DPA, the following terms have the following meanings:
- (a) "Agreement" means the contract in place between Customer and 5Soft in connection with the purchase of products by Customer.
- (b) "Applicable Data Protection Law" means U.S. Data Protection Law and European Data Protection Law that are applicable to the processing of personal data under this DPA.
- (c) "controller", "processor", "data subject", "personal data" and "processing" (and "process") have the meanings given in European Data Protection Law.
- (d) "Customer Personal Data" means any personal data provided by (or on behalf of) Customer to 5Soft.
- (e) "End Users" means an individual the Customer permits or invites to use the products. For the avoidance of doubt: (a) individuals invited by End Users, (b) individuals under managed accounts, and (c) individuals interacting with a product as Customer's customers are also considered End Users.
- (f) "Europe" means for the purposes of this DPA, the Member States of the European Economic Area ("EEA"), the United Kingdom ("UK") and Switzerland.
- (g) "European Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("EU GDPR"); (ii) in respect of the United Kingdom the Data Protection Act 2018 and the EU GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 ("UK Data Protection Law"); (iii) the EU ePrivacy Directive (Directive 2002/58/EC); and (iv) the Swiss Federal Data Protection Act and its implementing regulations ("Swiss DPA"), in each case as may be amended, superseded or replaced from time to time.
- (h) "Privacy Shield Principles" means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of 12 July 2016 (as may be amended, superseded or replaced).
- (i) "Restricted Transfer" means a transfer (directly or via onward transfer) of personal data that is subject to European Data Protection Law to a country outside Europe that is not subject to an adequacy decision by the European Commission, or the competent UK or Swiss authorities (as applicable).
- (j) "Security Incident" means any confirmed breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data processed by 5Soft and/or its Sub-processors in connection with the provision of the Services. For the avoidance of doubt, "Security Incident" does not include unsuccessful attempts or activities that do not compromise the security of personal data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
- (k) "Services" means the provision of the products by 5Soft to Customer pursuant to the Agreement.
- (l) "special categories of personal data" or "sensitive data" means any Customer Personal Data (i) revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, (ii) that is genetic data, biometric data processed for the purposes of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, and (iii) relating to criminal convictions and offences.
- (m) "Standard Contractual Clauses" or "EU SCCs" means the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
- (n) "Sub-processor" means any processor engaged by 5Soft to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA where such entity processes Customer Personal Data. Sub-processors may include 5Soft's affiliates or other third parties.
- (o) "UK Addendum" means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner's Office under S119(A) of the UK Data Protection Act 2018, as may be amended, superseded, or replaced from time to time.
- (p) "U.S. Data Protection Law" means those data protection or privacy laws and regulations within the United States, including the California Consumer Privacy Act (as amended) (the "CCPA"), as applicable to Customer Personal Data.
2.2. Relationship of the parties
Where Applicable Data Protection Law provides for the roles of "controller," "processor," and "sub-processor":
- (a) Where 5Soft processes Customer Personal Data on behalf of Customer in connection with the Services, 5Soft will process such personal data as a processor or Sub-processor on behalf of Customer (who, in turn, processes such personal data as a controller or processor) and this DPA will apply accordingly. A description of such processing is set out in Exhibit A, Annex 1(B), Part A.
- (b) Where 5Soft processes personal data as a controller, as further detailed in Exhibit A, Annex 1(B), Part B, 5Soft will process such personal data in compliance with Applicable Data Protection Law and only for the purposes that are compatible with those described in Exhibit A, Annex 1(B), Part B. For these purposes, only Sections 2.3 and 2.6 of this DPA will apply, to the extent applicable.
2.3. Description of Processing
A description of the processing of personal data related to the Services, as applicable, is set out in Exhibit A. 5Soft may update the description of processing from time to time to reflect new products, features or functionality comprised within the Services. 5Soft will update relevant documentation to reflect such changes.
2.4. Customer Processing of Personal Data
Customer agrees that (i) it will comply with its obligations under Applicable Data Protection Law in its processing of Customer Personal Data and any processing instructions it issues to 5Soft, and (ii) it has provided notice and obtained (or will obtain) all consents and rights necessary under Applicable Data Protection Law for 5Soft to process personal data (including but not limited to any special categories of personal data) and provide the Services pursuant to the Agreement (including this DPA).
2.5. 5Soft Processing of Personal Data
When 5Soft processes Customer Personal Data in its capacity as a processor on behalf of the Customer, 5Soft will process the Customer Personal Data as necessary to perform its obligations under the Agreement, and only in accordance with the documented lawful instructions of Customer (as set forth in the Agreement, in this DPA, or as directed by the Customer or Customer's End Users through the Cloud Products) (the "Permitted Purpose"). 5Soft will not retain, use, disclose or otherwise process the Customer Personal Data for any purpose other than the Permitted Purpose except where otherwise required by law(s) that are not incompatible with Applicable Data Protection Law, and will not "sell" the Customer Personal Data within the meaning of the CCPA or otherwise. 5Soft will promptly inform Customer if it becomes aware that Customer's processing instructions infringe Applicable Data Protection Law.
2.6. Restricted transfers
The parties agree that when the transfer of personal data from Customer (as "data exporter") to 5Soft (as "data importer") is a Restricted Transfer and Applicable Data Protection Law requires that appropriate safeguards are put in place, the transfer will be subject to the Standard Contractual Clauses, which are deemed incorporated into and form a part of this DPA, as follows:
(a) In relation to transfers of Customer Personal Data protected by the EU GDPR and processed in accordance with Section 2.2(a) of this DPA, the EU SCCs will apply, completed as follows:
- (i) Module Two or Module Three will apply (as applicable);
- (ii) in Clause 7, the optional docking clause will apply;
- (iii) in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes will be as set out in Section 2.10 of this DPA;
- (iv) in Clause 11, the optional language will not apply;
- (v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
- (vi) in Clause 18(b), disputes will be resolved before the courts of Ireland;
- (vii) Annex I of the EU SCCs is deemed completed with the information set out in Exhibit A to this DPA, as applicable; and
- (viii) Subject to Section 2.8 of this DPA, Annex II of the EU SCCs is deemed completed with the information set out in Exhibit B to this DPA;
(b) In relation to transfers of personal data protected by the EU GDPR and processed in accordance with Section 2.2(b) of this DPA, the EU SCCs apply, completed as follows:
- (i) Module One will apply;
- (ii) in Clause 7, the optional docking clause will apply;
- (iii) in Clause 11, the optional language will not apply;
- (iv) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
- (v) in Clause 18(b), disputes will be resolved before the courts of Ireland;
- (vi) Annex I of the EU SCCs is deemed completed with the information set out in Exhibit A to this DPA, as applicable; and
- (vii) Subject to Section 2.8 of this DPA, Annex II of the EU SCCs is deemed completed with the information set out in Exhibit B to this DPA;
(c) In relation to transfers of personal data protected by UK Data Protection Law, the EU SCCs: (i) apply as completed in accordance with paragraphs (a) and (b) above; and (ii) are deemed amended as specified by the UK Addendum, which is deemed executed by the parties and incorporated into and forming an integral part of this DPA. In addition, Tables 1 to 3 in Part 1 of the UK Addendum are deemed completed respectively with the information set out in Section 2.9, as well as Exhibits A and B of this DPA; Table 4 in Part 1 is deemed completed by selecting "neither party." Any conflict between the terms of the EU SCCs and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
(d) In relation to transfers of personal data protected by the Swiss DPA, the EU SCCs will also apply in accordance with paragraphs (a) and (b) above, with the following modifications:
- (i) any references in the EU SCCs to "Directive 95/46/EC" or "Regulation (EU) 2016/679" will be interpreted as references to the Swiss DPA, and references to specific Articles of "Regulation (EU) 2016/679" will be replaced with the equivalent article or section of the Swiss DPA;
- (ii) references to "EU", "Union", "Member State" and "Member State law" will be interpreted as references to Switzerland and Swiss law, as the case may be, and will not be interpreted in such a way as to exclude data subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs;
- (iii) Clause 13 of the EU SCCs and Part C of Annex 1 are modified to provide that the Federal Data Protection and Information Commissioner ("FDPIC") of Switzerland will have authority over data transfers governed by the Swiss DPA. Subject to the foregoing, all other requirements of Clause 13 will be observed;
- (iv) references to the "competent supervisory authority" and "competent courts" will be interpreted as references to the FDPIC and competent courts in Switzerland;
- (v) in Clause 17, the EU SCCs will be governed by the laws of Switzerland; and
- (vi) Clause 18(b) states that disputes will be resolved before the applicable courts of Switzerland.
(e) It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA), the Standard Contractual Clauses prevail to the extent of such conflict;
(f) Although 5Soft does not rely on the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks ("Privacy Shield") as a legal basis for transfers of personal data in light of the judgment of the Court of Justice of the EU in Case C-311/18, for so long as 5Soft is self-certified to the Privacy Shield 5Soft will continue to process personal data in accordance with the Privacy Shield Principles. 5Soft will promptly notify Customer if it makes a determination that 5Soft can no longer meet its obligations under the Privacy Shield Principles; and
(g) If 5Soft adopts an alternative data export mechanism (including any new version of or successor to the Standard Contractual Clauses or Privacy Shield adopted pursuant to Applicable Data Protection Law) for the transfer of personal data not described in this DPA ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism will apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Applicable Data Protection Law and extends to the territories to which personal data is transferred).
2.7. Confidentiality of processing
5Soft must ensure that any person that it authorizes to process Customer Personal Data (including 5Soft's staff, agents and Sub-processors) will be subject to a duty of confidentiality (whether a contractual duty or a statutory duty), and must not permit any person to process Customer Personal Data who is not under such a duty of confidentiality.
2.8. Security
5Soft and, to the extent required under the Agreement, Customer must implement appropriate technical and organizational measures in accordance with Applicable Data Protection Law (e.g., Art. 32 GDPR) to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data. 5Soft's current technical and organizational measures are described in Exhibit B ("Security Measures"). Customer acknowledges that the Security Measures are subject to technical progress and development and that 5Soft may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the Services.
2.9. Sub-processing
Customer agrees that 5Soft may engage Sub-processors to process Customer Personal Data on Customer's behalf. The Sub-processors currently engaged by 5Soft and authorized by Customer are listed at https://astry.fr/en/dataprocessingaddendum. 5Soft will: (i) enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Personal Data to the standard required by Applicable Data Protection Law (and in substance, to the same standard provided by this DPA); and (ii) remain liable to Customer if such Sub-processor fails to fulfill its data protection obligations with regard to the relevant processing activities under Applicable Data Protection Law.
2.10. Changes to Sub-processors
5Soft must (i) make available an up-to-date list of the Sub-processors it has appointed upon written request from Customer; and (ii) notify Customer if it adds any new Sub-processors at least fourteen (14) days prior to allowing such Sub-processor to process Customer Personal Data. Customer must subscribe to receive notice of updates to the list of Sub-processors, using the link in Section 2.9. Customer may object in writing to 5Soft's appointment of a new Sub-processor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such an event, the parties will discuss such concerns in good faith with a view to achieving resolution. If the parties are not able to achieve resolution, Customer, as its sole and exclusive remedy, may terminate the Agreement (including this DPA) for convenience.
2.11. Cooperation obligations and data subjects' rights
(a) Taking into account the nature of the processing, 5Soft must provide reasonable and timely assistance to Customer (at Customer's expense) to enable Customer to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, to rectification, to erasure, to restriction, to objection, and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party, in each case in respect of Customer Personal Data that 5Soft processes on Customer's behalf;
(b) In the event that any request, correspondence, enquiry or complaint (referred to under paragraph (a) above) is made directly to 5Soft, 5Soft acting as a processor will not respond to such communication directly without Customer's prior authorization, unless legally required to do so, and instead, after being notified by 5Soft, Customer may respond. If 5Soft is legally required to respond to such a request, 5Soft will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so; and
(c) To the extent 5Soft is required under Applicable Data Protection Law, 5Soft will (at Customer's request and expense) provide reasonably requested information regarding the Services to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities, taking into account the nature of processing and the information available to 5Soft.
2.12. Security incidents
Upon becoming aware of a Security Incident, 5Soft will inform Customer without undue delay and provide timely information (taking into account the nature of processing and the information available to 5Soft) relating to the Security Incident as it becomes known or as is reasonably requested by Customer to allow Customer to fulfill its data breach reporting obligations under Applicable Data Protection Law. 5Soft will further take reasonable steps to contain, investigate, and mitigate the effects of the Security Incident. 5Soft's notification of or response to a Security Incident in accordance with this Section 2.12 will not be construed as an acknowledgment by 5Soft of any fault or liability with respect to the Security Incident.
2.13. Deletion or return of Data
Upon written request from Customer, 5Soft will delete or return to Customer all Customer Personal Data (including copies) processed on behalf of the Customer in compliance with the procedures and retention periods outlined in the DPA; this requirement does not apply to the extent 5Soft is required by applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data it has archived on back-up systems, which Customer Personal Data 5Soft will securely isolate and protect from any further processing, as further detailed in Exhibit A, Annex 1(B), Part A.
2.14. Audit
(a) Customer acknowledges that 5Soft is regularly audited by independent third-party auditors and/or internal auditors including as may be described from time to time at https://astry.fr/en/termsofservice. Upon request, and on the condition that Customer has entered into an applicable non-disclosure agreement with 5Soft, 5Soft must:
- (i) supply (on a confidential basis) a summary copy of its audit report(s) ("Report") to Customer, so Customer can verify 5Soft's compliance with the audit standards against which it has been assessed, and this DPA; and
- (ii) provide written responses (on a confidential basis) to all reasonable requests for information made by Customer related to its Processing of Customer Personal Data, including responses to information security and audit questionnaires, that are necessary to confirm 5Soft's compliance with this DPA, provided that Customer cannot exercise this right more than once per calendar year.
(b) Only to the extent Customer cannot reasonably satisfy 5Soft's compliance with this DPA through the exercise of its rights under Section 2.14(a) above, where required by Applicable Data Protection Law or the Standard Contractual Clauses, Customer and its authorized representatives may conduct audits (including inspections) during the term of the Agreement to establish 5Soft's compliance with the terms of this DPA, on the condition that Customer and its authorized representatives have entered into an applicable non-disclosure agreement with 5Soft. Notwithstanding the foregoing, any audit (or inspection) must be conducted during 5Soft's regular business hours, with reasonable advance notice (which may not be less than 45 calendar days) and subject to reasonable confidentiality procedures. Such audit (or inspection) may not require 5Soft to disclose to Customer or its authorized representatives, or to allow Customer or its authorized representatives to access:
- (i) any data or information of any other 5Soft customer (or such customer's End Users);
- (ii) any 5Soft internal accounting or financial information;
- (iii) any 5Soft trade secret;
- (iv) any information that, in 5Soft's reasonable opinion, could: (1) compromise the security of 5Soft systems or premises; or (2) cause 5Soft to breach its obligations under Applicable Data Protection Law or its security, confidentiality and/or privacy obligations to any other 5Soft customer or any third party; or
- (v) any information that Customer or its authorized representatives seek to access for any reason other than the good faith fulfillment of Customer's obligations under the Applicable Data Protection Law and 5Soft's compliance with the terms of this DPA.
(c) An audit or inspection permitted in compliance with Section 2.14(b) will be limited to once per calendar year, unless (1) 5Soft has experienced a Security Incident within the prior twelve (12) months which has impacted Customer Personal Data; or (2) Customer is able to evidence an incidence of 5Soft's material noncompliance with this DPA.
2.15. Law enforcement
If a law enforcement agency sends 5Soft a demand for Customer Personal Data (e.g., a subpoena or court order), 5Soft will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, 5Soft may provide Customer's contact information to the law enforcement agency. If compelled to disclose Customer Personal Data to a law enforcement agency, then 5Soft will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy to the extent 5Soft is legally permitted to do so.
2.16. Third party integrations and visibility
Through use of the products and certain features thereof, as further described in the Agreement and Documentation, Customer or Customer's End Users, as applicable, may elect to grant third parties (for example, third party apps, or the 5Soft community) visibility to data or content (which may include Customer Personal Data). Customer understands that user profile information for the products may become publicly visible. 5Soft may make Customer's data or content (which may include personal data) visible to third parties consistent with this paragraph, as instructed by Customer or Customer's End Users through the Cloud Products and relevant functionalities.
3. Relationship with the Agreement
3.1. The parties agree that this DPA replaces and supersedes any existing DPA the parties may have previously entered into in connection with the Services.
3.2. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA will prevail to the extent of that conflict in connection with the processing of Customer Personal Data. If there is any conflict between the Standard Contractual Clauses and the Agreement (including this DPA), the Standard Contractual Clauses will prevail to the extent of that conflict in connection with the processing of Customer Personal Data governed under the Standard Contractual Clauses.
3.3. Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each party and each party's affiliates under this DPA is subject to the exclusions and limitations of liability set out in the Agreement.
3.4. Any claims against 5Soft or its affiliates under this DPA can only be brought by the Customer entity that is a party to the Agreement against the 5Soft entity that is a party to the Agreement. In no event will this DPA or any party restrict or limit the rights of any data subject or of any competent supervisory authority.
3.5. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Law.
3.6. This DPA and the Standard Contractual Clauses will terminate simultaneously and automatically upon deletion by 5Soft of the Customer Personal Data processed on behalf of the Customer, in accordance with Section 2.13 of this DPA.
Customer Signatures
For signing this document, you need to provide:
- Customer name (required)
- Address
- Signature (required)
- Name (required)
- Title (optional)
- Date (required)
- EU representatives (required only where applicable)
  - Contact details
- Data Protection Officer (required only where applicable)
  - Contact details
Exhibit A: Description of the Processing Activities / Transfer
Annex 1(A) List of Parties
Data Exporter:
- Name: Customer
- Address / Email Address: as provided for in the DPA
- Contact Person's Name, position, and contact details: as provided for in the DPA
- Activities relevant to the transfer: see Annex 1(B) below
- Role: see Annex 1(B)
Data Importer:
- Name: 5Soft
- Address / Email Address: contact@astry.fr
- Contact Person's Name, position, and contact details: as provided for in the DPA
- Activities relevant to the transfer: see Annex 1(B) below
- Role: see Annex 1(B)
Annex 1(B) Description of processing and transfer (as applicable)
The parties acknowledge that 5Soft's processing of personal data will include all personal data submitted or uploaded to the Services by Customer from time to time, for the purposes of, or otherwise in connection with, 5Soft providing the Services to Customer.
Set out below are descriptions of the processing and transfers of personal data as contemplated as of the date of this DPA. Such descriptions are subject to change or may be supplemented pursuant to Section 2.3 of the DPA.
Part A: Description of processing and transfer for Modules 2 and 3 of the Standard Contractual Clauses
- Categories of data subjects: Customer, Customer's employees, Customer's collaborators, as well as all relevant End Users of the Services on behalf of the Customer.
- Categories of personal data transferred: User Account Information, for example: 5Soft identifier associated with user account, Avatar Image and URL, Full Name, Email Address, Time zone. Personal identification, for example: IP address, cookie information, language setting, location/region/city, phone numbers, nicknames. Employment Information, for example: job title, company name.
- Sensitive data transferred: none.
- Frequency of the transfer: continuous.
- Nature of the processing: Providing Services, including but not limited to the following features: import/export records, tracking activity, search query/content, create/edit pages and content, save/store files, display profiles, admin controls, alerts.
- Purpose of the data transfer: Providing Services, including but not limited to: User/Team communication, account/login management, third party integration.
- Duration of processing: When a configuration item, user, alert or incident is deleted from 5Soft, the entity and its child data will be deleted by 5Soft. When a user is deleted from 5Soft, Audit Logs will still contain audit records such as "Email notification sent to x@y.com"; this is important as part of the Incident audit trail. When Customers delete an Incident, its Incident Timeline and Logs will be deleted. Customer Logs visible on the Logs page are immutable and have a retention period of 1 year. When a paid subscription ends, Customers may contact 5Soft Customer Support so that all Customer data can be deleted. For legal and security auditing reasons, Customer Logs, Data Backups and System Log Archives will be stored as an archive for 1 year, regardless of whether Customer data has been fully deleted or not. Archives cannot be accessed directly by Customers; access is restricted to 5Soft authorized employees.
Part B: Description of processing and transfer for Module 1 of the Standard Contractual Clauses
- Categories of data subjects: Customer, Customer's employees, Customer's collaborators, as well as all relevant End Users of the Services on behalf of the Customer.
- Categories of personal data transferred: Personal data relating to or obtained in connection with the operation, support, or use of the services, e.g.: User Account Information, for example pseudonymous 5Soft IDs, Tenant IDs, Organization IDs. Payment and billing information, to the extent it includes personal data. Device and connection information, for example: IP address, Cookie information, device information, browser information. Information on the use of the Services, for example: Event Name (i.e., what action the user performed), Event Timestamp, Page URL, Referring URL. Personal data provided through various 5Soft support channels, including for example 5Soft ID, SEN (Support Entitlement Number), username, contact information and any personal data contained within a summary of the problem experienced or information needed to resolve the support case. If any user generated content is submitted via support tickets, 5Soft acts as a processor of such personal data and Sections 2.2(a) as well as 2.6(a) DPA apply accordingly.
- Sensitive data transferred: none.
- Frequency of the transfer: continuous.
- Nature of the processing: collection, storage, and processing of relevant personal data for the purposes identified in this Part B.
- Purpose of the data transfer: Personal data will be processed for 5Soft's legitimate business purposes. This entails in particular the following: To facilitate security, fraud prevention, performance monitoring, business continuity and disaster recovery in order to protect Customers, End Users and 5Soft. To engage and to provide support and assistance to Customer and End Users as requested from time to time. To comply with legal and financial reporting obligations. To administer the Services, including to calculate usage-based billing. To derive insights in order to maintain, develop, and improve the Services and support, including for research and development purposes. To derive insights in order to inform internal business analysis and product strategy.
- Duration: 5Soft may process personal data for the purposes described above for the duration of the DPA, and for as long as 5Soft has a legitimate need to retain the personal data for the purposes it was collected or transferred, in accordance with Applicable Data Protection Law.
Annex 1(C) Competent supervisory authority
The data exporter's competent supervisory authority will be determined in accordance with the GDPR.
Exhibit B: Technical and Organizational Security Measures
1. Purpose
This Exhibit describes 5Soft's security program, security certifications, and physical, technical, organizational and administrative controls and measures to protect Customer Data from unauthorized access, destruction, use, modification or disclosure (the "Security Measures"). The Security Measures are intended to be in line with the commonly-accepted standards of similarly-situated software-as-a-service providers ("industry standard"). Unless otherwise specified in the applicable Product-Specific Terms, the Security Measures apply to all 5Soft products that are available under the Agreement.
2. Updates and Modifications
The Security Measures are subject to technical progress and development and 5Soft may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially degrade or diminish the overall security of the products, as described in this document.
3. Definitions
Any capitalized terms used but not defined in this document have the meanings set out in the Agreement. The term "Customer Data" means any data, content or materials provided to 5Soft by or at the direction of Customer or its End Users via the products, including from Third-Party Products.
4. Security Measures
Measures of pseudonymisation and encryption of personal data
Data Encryption: 5Soft has and will maintain: (i) an established method to encrypt Customer Data in transit and at rest; (ii) an established method to securely store passwords following industry standard practices; and (iii) established key management methods. Customer Data is encrypted in transit over public networks using TLS 1.2 or greater. Data drives on servers holding Customer Data and attachments use industry-standard AES-256 encryption at rest.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Security Program: 5Soft will maintain a security management program that includes but is not limited to:
- a) executive review, support and accountability for all security related policies and practices;
- b) a written information security policy and framework that meets or exceeds industry standards and that, as a baseline, includes (i) defined information security roles and responsibilities, (ii) a formal and effective risk mitigation program;
- c) periodic risk assessments of all 5Soft owned or leased systems processing Customer Data;
- d) prompt review of security incidents affecting the security of 5Soft systems processing Customer Data, including determination of root cause and corrective action;
- e) a formal controls framework based on, among other things, formal audit standards such as ISO 27001 (or any successor standard);
- f) processes to document non-compliance with the security measures;
- g) processes to identify and quantify security risks, develop mitigation plans, which must be approved by 5Soft's Chief Trust Officer (or one of their delegates), and track the implementation of such plans; and
- h) a comprehensive security testing methodology that consists of diverse and independent approaches that, when combined, are reasonably designed to maximize coverage for a varied and diverse set of attack vectors.
5Soft will periodically (and, in any event, no less frequently than annually) review, test and, where applicable, update such security management program.
Security Incident Notification: 5Soft will notify Customer of Security Incidents in accordance with the 5Soft Data Processing Addendum.
Employee Screening, Training, Access and Controls: 5Soft will maintain policies and practices that include the following controls and safeguards applied to 5Soft staff who have access to Customer Data and/or provide Support and Services to Customer:
- a) pre-hire background checks (including criminal record inquiries) on 5Soft job candidates, which are conducted by a third-party background check provider and in accordance with applicable Laws and generally accepted industry standards;
- b) periodic security awareness training;
- c) a disciplinary policy and process to be used when 5Soft staff violate 5Soft's security policies;
- d) access to 5Soft IT systems only from approved 5Soft-managed devices with appropriate technical security controls (including two-factor authentication);
- e) controls designed to limit access to Customer Data to only those 5Soft staff with an actual need-to-know such Customer Data. Such controls include the use of a formal access management process for the request, review, approval and provisioning for all 5Soft staff with access to Customer Data; and
- f) separation of duties to prevent a single 5Soft employee from controlling all key aspects of a critical transaction or business process related to Customer Data or systems.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Resilience Program: During the Subscription Term, 5Soft's business continuity and disaster recovery plans (collectively, the "BCDR Plans") will address at least the following topics:
- a) the availability of human resources with appropriate skill sets;
- b) the availability of all IT infrastructure, telecommunications capabilities and any other technology used or relied upon by 5Soft in the provision of the Products;
- c) 5Soft's plans for storage and continuity of use of data and software;
- d) clear recovery time objectives (RTOs) and recovery point objectives (RPOs);
- e) mechanisms for the geographic diversity or back-up of business operations;
- f) the potential impact of cyber events and 5Soft's ability to maintain business continuity in light of such events, as well as a framework and procedure to respond to and remediate such events;
- g) the management of data corruption incidents; and
- h) procedures and frequency of testing of the BCDR Plans.
5Soft will periodically (and, in any event, no less frequently than annually) review, test and, where applicable, update the BCDR Plans.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
Compliance Program: 5Soft will maintain a compliance program that includes independent third-party audits and certifications. 5Soft will make available to Customer, via the 5Soft Compliance Site, copies of the most up-to-date version of the following third-party certifications or reports in relation to the products: (i) an International Organization for Standardization (ISO) 27001 certificate and, upon written request, the relevant Statement of Applicability; or (ii) any successor of any of the foregoing. All such reports or certificates will be made available on the 5Soft Compliance Site, and will be made available within a commercially reasonable time of the relevant audit and/or certification process being completed.
Vulnerability Management: 5Soft will maintain the following vulnerability management processes:
- Vulnerability Scanning and Remediation: 5Soft employs processes and tools in line with industry standards to conduct frequent vulnerability scanning to test 5Soft's network and infrastructure and application vulnerability testing to test 5Soft applications and services. 5Soft applies security patches to software components in production and development environments as soon as commercially practicable in accordance with our Security Bug Fix Policy.
- Identifying Malicious Threats: 5Soft employs processes and tools in line with industry standards to identify malicious actors and prevent them from accessing Customer Data or 5Soft systems that process Customer Data. These include, but are not limited to, maintaining software that attempts to identify and detect attempted intrusions, behaviors consistent with Internet-based attacks, and indicators of potential compromise. 5Soft will maintain a security information and event management (SIEM) system and supporting processes to notify appropriate personnel in response to threats.
- Vulnerability Testing: (a) 5Soft conducts internal vulnerability testing. We make the results of these internal tests publicly available on demand and commit to making bug fixes in line with our Security Bug Fix Policy. (b) Customer may, either itself or through an independent third party (who has entered into confidentiality obligations with 5Soft), perform its own vulnerability testing of its products in accordance with the Security Test Rules. Customer may report any vulnerabilities impacting the products to 5Soft in accordance with the procedures set forth in the Security Test Rules. (c) 5Soft will use commercially reasonable efforts to address identified security vulnerabilities in our products and our infrastructure in accordance with the Security Bug Fix Policy.
Measures for user identification and authorisation
5Soft cloud users can authenticate using a username and password, or through external identity providers (IdPs), including via SAML. All managed credentials are held in the application database, which is encrypted at rest. Passwords are stored as salted hashes using a secure password hashing algorithm. Administrators are able to enforce SSO.
Measures for the protection of data during transmission
See the item above titled "Measures of pseudonymisation and encryption of personal data".
Measures for the protection of data during storage
Data Hosting Facilities: 5Soft will periodically request assurances (e.g., in the form of an independent third party audit report and vendor security evaluations) from its data hosting providers that store or process Customer Data that:
- a) such data hosting provider's facilities are secured in an access-controlled location and protected from unauthorized access, damage, and interference;
- b) such data hosting provider's facilities employ physical security appropriate to the classification of the assets and information being managed; and
- c) such data hosting provider's facilities limit and screen all entrants employing measures such as on-site security guard(s), badge reader(s), electronic lock(s), or monitored closed-circuit television (CCTV).
Tenant Separation: 5Soft will use established measures to ensure that Customer Data is kept logically segregated from other customers' data when at-rest.
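The sentence above promises logical segregation of Customer Data at rest without describing a mechanism. One common way to provide it in a shared database, shown here as an added example that is not 5Soft's implementation, is a data-access layer that carries the authenticated caller's tenant identifier into every query, so a record belonging to another tenant is unreachable even if its primary key is guessed. The schema, table name, sample rows and class names are constructed for illustration.

```python
import sqlite3
from typing import Optional

# Added example, not 5Soft's code. An in-memory SQLite store with two tenants'
# rows stands in for a shared multi-tenant database.


def build_store() -> sqlite3.Connection:
    """Create a constructed sample store: one documents table, two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.execute("CREATE INDEX idx_documents_tenant ON documents(tenant_id)")
    conn.executemany(
        "INSERT INTO documents (id, tenant_id, body) VALUES (?, ?, ?)",
        [
            (1, "tenant-a", "invoice for tenant A"),
            (2, "tenant-b", "invoice for tenant B"),
        ],
    )
    conn.commit()
    return conn


def unscoped_get(conn: sqlite3.Connection, doc_id: int) -> Optional[str]:
    """The anti-pattern: a lookup keyed on id alone serves any tenant's row."""
    row = conn.execute("SELECT body FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None


class TenantScopedRepo:
    """Every statement includes tenant_id, taken from the authenticated session,
    never from request parameters. Rows of other tenants are indistinguishable
    from rows that do not exist, so the API does not act as an existence oracle.
    """

    def __init__(self, conn: sqlite3.Connection, tenant_id: str) -> None:
        self.conn = conn
        self.tenant_id = tenant_id

    def get_document(self, doc_id: int) -> Optional[str]:
        row = self.conn.execute(
            "SELECT body FROM documents WHERE id = ? AND tenant_id = ?",
            (doc_id, self.tenant_id),
        ).fetchone()
        return row[0] if row else None

    def delete_document(self, doc_id: int) -> int:
        """Return the number of rows deleted: 0 when the id is not this tenant's."""
        cur = self.conn.execute(
            "DELETE FROM documents WHERE id = ? AND tenant_id = ?",
            (doc_id, self.tenant_id),
        )
        self.conn.commit()
        return cur.rowcount

    def list_documents(self) -> list:
        rows = self.conn.execute(
            "SELECT id FROM documents WHERE tenant_id = ? ORDER BY id",
            (self.tenant_id,),
        ).fetchall()
        return [r[0] for r in rows]


if __name__ == "__main__":
    conn = build_store()
    a = TenantScopedRepo(conn, "tenant-a")
    print(unscoped_get(conn, 2))      # leaks tenant B's row to anyone
    print(a.get_document(2))          # None: scoped lookup cannot see it
    print(a.delete_document(2))       # 0: scoped delete touches nothing
```

Scoping every statement in one repository class, rather than in each request handler, is what makes the control auditable: a code review only needs to confirm that no query path bypasses the repository.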
Data Encryption: See the item above titled "Measures of pseudonymisation and encryption of personal data".
Measures for ensuring physical security of locations at which personal data are processed
See the item above titled "Measures for the protection of data during storage".
Measures for ensuring events logging
Audit logging is available on demand by email.
Measures for ensuring system configuration, including default configuration
See the item above titled "Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services".
Measures for internal IT and IT security governance and management
See the item above titled "Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services".
Measures for certification/assurance of processes and products
See the item above titled "Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing".
Measures for ensuring data quality
See the items above titled "Measures of pseudonymisation and encryption of personal data", "Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services", and "Measures for the protection of data during storage".
Measures for ensuring limited data retention
Data Retention and Destruction Standard: 5Soft maintains a Data Retention and Destruction Standard, which designates how long we need to maintain data of different types. The Data Retention and Destruction Standard is guided by the following principles:
- Records should be maintained as long as they serve a business purpose.
- Records that serve a business purpose, or which 5Soft has a legal, regulatory, contractual or other duty to retain, will be retained.
- Records that no longer serve a business purpose, and for which 5Soft has no duty to retain, should be disposed of. Copies or duplicates of such data should also be disposed of. To the extent 5Soft has a duty to retain a specified number of copies of a Record, that number of copies should be retained.
- 5Soft's practices implementing this Standard may vary across departments, systems and media, and will of necessity evolve over time. These practices will be reviewed under our company-wide policy review practices.
Measures for ensuring accountability
See the item above titled "Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing".
Measures for allowing data portability and ensuring erasure
Data Export: 5Soft allows Customer to export its Customer Data from the products as described in the Documentation.
Secure Deletion: 5Soft will maintain a process reasonably designed to ensure secure destruction and deletion of any and all Customer Data as provided in the Agreement. Such Customer Data will be securely destroyed and deleted by 5Soft so that: (a) Customer Data cannot be practicably read or reconstructed, and (b) the 5Soft systems that store Customer Data are securely erased and/or decommissioned disks are destroyed.
Questions about data processing?
Contact our Data Protection Officer.