This Data Processing Addendum, including its Schedules (together, the “DPA”), forms part of the Master Subscription Agreement (the “MSA”, accessible at https://www.siffletdata.com/msa) and govern the relationship between Sifflet and “Customer” (as identified in an Order Form) for the purchase of Services from Sifflet (as defined in the MSA) to reflect the Parties’ agreement with regard to the Processing of Personal Data.
By signing an Order Form, Customer enters into this DPA (including its Schedules 1 and 2) on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates. For the purposes of this DPA only, except where indicated otherwise, the term “Customer” shall include Customer and Authorized Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
While providing the Services to Customer pursuant to the Agreement, Sifflet may Process Personal Data on behalf of Customer, and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Agreement” has the meaning defined in the MSA.
“Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Customer and Sifflet, but has not signed its own Order Form with Sifflet.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act, and its implementing regulations.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Customer” means the entity that executed an Order Form.
“Customer Data” means personal data of the Customer, as a data controller, which are collected and processed by Sifflet when providing the Sifflet Applications or Services to the Customer.
“Data Protection Laws and Regulations” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including those of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom, and the United States and its states.
“Data Subject” means the identified or identifiable person to whom Personal Data relates or from whom it originates.
“Effective Date” means the date mentioned in an Order Form.
“Europe” means the European Union, the European Economic Area, Switzerland, and the United Kingdom.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), including as implemented or adopted under the laws of the United Kingdom.
“Order Form” means the ordering document(s) executed by the Parties that represents the purchase of Customer’s Subscription.
“Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as Personal Data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data.
“Processing” or “Process” means any operation or set of operations which is performed upon Personal Data, whether by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
“Public Authority” means a government agency or law enforcement authority, including judicial authorities.
“Security, Privacy, and Architecture Documentation” means the Security, Privacy, and Architecture Documentation applicable to the Services purchased by Customer, as updated from time to time, and accessible via Sifflet’s Trust and Compliance webpage at: https://www.siffletdata.com/trust-center, or as otherwise made reasonably available by Sifflet.
“Sifflet” means Sifflet, a French société par actions simplifiée, incorporated in Paris, France under n° 901631416, having its registered office 149 Avenue du Maine 75014 Paris, France.
“Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
“Sub-processor” means any Processor engaged by Sifflet.
The Parties acknowledge and agree that regarding the Processing of Personal Data, Customer is a Controller, Sifflet is a Processor, and that Sifflet will engage Sub-processors pursuant to the requirements set forth in section 5 “Sub-processors” below.
Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations, including any applicable requirement to provide notice to Data Subjects of the use of Sifflet as Processor. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and how Customer acquired Personal Data. Customer expressly acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject, including those that have opted out from sales or other disclosures of Personal Data to the extent applicable under Data Protection Laws and Regulations.
Sifflet shall treat Personal Data as Confidential Information and shall Process Personal Data on behalf of and only in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
The subject matter of Processing of Personal Data by Sifflet is the performance of the Services pursuant to the Agreement. The duration of the Processing, nature, and purpose, and types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Description of Processing/Transfer) to this DPA.
Sifflet shall inform Customer immediately (i) if, in its opinion, an instruction from Customer constitutes a breach of the GDPR and/or (ii) if Sifflet is unable to follow Customer’s instructions for the Processing of Personal Data.
Sifflet shall, to the extent legally permitted, promptly notify Customer of any complaint, dispute or request it has received from a Data Subject, such as a Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making, each such request being a “Data Subject Request”. Sifflet shall not respond to a Data Subject Request itself, except that Customer authorizes Sifflet to redirect the Data Subject Request as necessary to allow Customer to respond directly. Considering the nature of the Processing, Sifflet shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations.
In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Sifflet shall, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Sifflet is legally permitted to do so, and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from Sifflet’s provision of such assistance.
Sifflet shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements. Sifflet shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
Sifflet shall take commercially reasonable steps to ensure the reliability of any Sifflet personnel engaged in the Processing of Personal Data.
Sifflet shall ensure that Sifflet’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.
Sifflet has appointed a data protection officer. The designated person may be reached at privacy@siffletdata.com
Customer acknowledges and agrees that (a) Sifflet’s Affiliates may be retained as Sub-processors; and (b) Sifflet and Sifflet’s Affiliates may engage third-party Sub-processors in connection with the provision of the Services. Sifflet or a Sifflet Affiliate has entered into a written agreement with each Sub-processor (including Sifflet Affiliates when they act as Sub-processor of Sifflet for the processing activities subject to this DPA), containing, in substance, data protection obligations no less protective than those in the Agreement with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Sub-processor.
The current list of Sub-processors engaged in Processing Personal Data for the performance of each applicable Service:
Sub-processor / Sub-service organization: Snowflake
Processing Activities: Internal analytical purposes
Location: North America, Europe, Asia Pacific
Sub-processor / Sub-service organization: AWS
Processing Activities: IaaS Cloud Services Provider
Location: Europe (several) regions, US (several) regions, Asia Pacific (Singapore) region
Sub-processor / Sub-service organization: OpenAI
Processing Activities: Description generation (option can be removed)
Location: Microsoft Azure US
Customer hereby consents to these Sub-processors, their locations, and processing activities pertaining to their Personal Data. The Infrastructure and Sub-processor Documentation contains a mechanism to subscribe to notifications of new Sub-processors for each applicable Service, and if Customer subscribes, Sifflet shall provide notification of a new Sub-processor(s) before authorizing any new Sub-processor(s) to Process Personal Data in connection with the provision of the applicable Services.
Customer may object to Sifflet’s use of a new Sub-processor by notifying Sifflet promptly in writing within thirty (30) days of receipt of Sifflet’s notice in accordance with the mechanism set out in section 5.2. If Customer objects to a new Sub-processor as permitted in the preceding sentence, Sifflet will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor. If Sifflet is unable to make available such change within a reasonable period, which shall not exceed sixty (60) days, Customer may terminate the applicable Order Form(s) with respect only to those Services which Sifflet cannot provide without the use of the objected-to new Sub-processor by providing written notice to Sifflet. Sifflet will refund Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services without imposing a penalty for such termination on Customer.
Sifflet shall maintain appropriate technical and organizational measures for the protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data, as set forth in the Security, Privacy, and Architecture Documentation. Sifflet regularly monitors compliance with these measures. Sifflet will not materially decrease the overall security of the Services during a subscription term.
Sifflet shall make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.
Third-Party Certifications and Audits: Sifflet has obtained the third-party certifications and audits set forth in the Security, Privacy, and Architecture Documentation for each applicable Service. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Sifflet shall make available to Customer (or Customer’s Third-Party Auditor - as defined below in section 6.2.4) information regarding Sifflet’s compliance with the obligations set forth in this DPA in the form of a copy of Sifflet’s then most recent third-party audits or certifications set forth in the Security, Privacy, and Architecture Documentation. Such third-party audits or certifications may also be shared with Customer’s competent supervisory authority on its request. Where Sifflet has obtained ISO 27001 certifications and SSAE 18 Service Organization Control (SOC) 2 reports for a particular Service as described in the Documentation, Sifflet agrees to maintain these certifications or standards, or appropriate and comparable successors thereof, for the duration of the Agreement. Upon request, Sifflet shall also provide a requesting Customer with a report and/or confirmation of Sifflet's audits of third-party Sub-processors’ compliance with the data protection controls set forth in this DPA and/or a report of third-party auditors’ audits of third party Sub-processors that have been provided by those third-party Sub-processors to Sifflet, to the extent such reports or evidence may be shared with Customer. Customer acknowledges that (i) such third-party Sub-processor audit reports shall be considered Confidential Information as well as confidential information of the third-party Sub-processor and (ii) certain third-party Sub-processors to Sifflet may require Customer to execute a non-disclosure agreement with them in order to view a Third-party Sub-processor Audit Report.
Upon Customer’s request, Sifflet shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under Data Protection Laws and Regulations to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent, such information is available to Sifflet.
Sifflet maintains security incident management policies and procedures specified in the Security, Privacy, and Architecture Documentation and shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by Sifflet or its Sub-processors of which Sifflet becomes aware (a “Customer Data Incident”). Sifflet shall make reasonable efforts to identify the cause of such Customer Data Incident and take such steps as Sifflet deems necessary and appropriate to remediate the cause of such a Customer Data Incident to the extent the remediation is within Sifflet’s reasonable control. The obligations herein shall not apply to incidents that Customer or Customer’s Users cause.
In its role as a Processor, Sifflet shall maintain appropriate measures to protect Personal Data in accordance with the requirements of Data Protection Laws and Regulations, including by implementing appropriate technical and organizational safeguards to protect Personal Data against any interference that goes beyond what is necessary for a democratic society to safeguard national security, defense, and public security. If Sifflet receives a legally binding request to access Personal Data from a Public Authority, Sifflet shall, unless otherwise legally prohibited, promptly notify Customer, including a summary of the nature of the request. To the extent Sifflet is not permitted by law to provide such notification, Sifflet shall use commercially reasonable efforts to obtain a waiver of the prohibition to enable Sifflet to communicate as much information as possible as soon as possible. Further, Sifflet shall challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider the request unlawful. Sifflet shall pursue possibilities of appeal. When challenging a request, Sifflet shall seek interim measures to suspend the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the Personal Data requested until required under the applicable procedural rules. Sifflet agrees it will provide the minimum amount of information permissible when responding to a request for disclosure based on a reasonable interpretation of the request. Sifflet shall promptly notify Customer if Sifflet becomes aware of any direct access by a Public Authority to Personal Data and provide information available to Sifflet in this respect, to the extent permitted by law. For the avoidance of doubt, this DPA shall not require Sifflet to pursue action or inaction that could result in a civil or criminal penalty for Sifflet, such as contempt of court. Sifflet certifies that Sifflet (1) has not purposefully created back doors or similar programming to allow access to the Services and/or Personal Data by any Public Authority; (2) has not purposefully created or changed its business processes in a manner that facilitates access to the Services and/or Personal Data by any Public Authority; and (3) at the Effective Date is not currently aware of any national law or government policy requiring Sifflet to create or maintain back doors, or to facilitate access to the Services and/or Personal Data, to keep in its possession any encryption keys or to hand-over the encryption key to any third party.
Sifflet shall ensure that Sub-processors involved in Processing Personal Data are subject to the relevant commitments regarding Government Access Requests in the Standard Contractual Clauses.
Sifflet shall return Customer Data to Customer and, to the extent allowed by applicable law, delete Customer Data and its existing copies in accordance with the applicable law and the procedures and timeframes specified in the Security, Privacy, and Architecture Documentation. Until Customer Data is deleted or returned, Sifflet shall continue to comply with this DPA and its Schedules.
The parties acknowledge and agree that, by executing the Agreement, Customer enters this DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. To avoid doubt, an Authorized Affiliate is not and does not become a party to the Agreement and is a party only to this DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement, and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Customer.
The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with Sifflet under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Sifflet, whether in contract, tort, or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
For the avoidance of doubt, Sifflet’s and its Affiliates’ total liability for all claims from Customer and all of its Authorized Affiliates arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Customer and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPA.
For the purposes of this section 12 these terms shall be defined as follows:
"EU C-to-P Transfer Clauses" means Standard Contractual Clauses sections I, II, III and IV to the extent they reference Module Two (Controller-to-Processor).
"EU P-to-P Transfer Clauses" means Standard Contractual Clauses sections I, II III and IV (as applicable) to the extent they reference Module Three (Processor-to-Processor).
Sifflet will Process Personal Data in accordance with the GDPR requirements directly applicable to Sifflet’s provision of its Services. The parties acknowledge that since both parties to the Agreement are located in the EU, EU C-to-P Transfer Clauses will not apply to the transfers of data made by the Customer, acting as the controller, to Sifflet, acting as the Processor, without prejudice to clause 12.3 if this DPA.
If in the performance of the Services, Personal Data that is subject to the GDPR or any other law relating to the protection or privacy of individuals that applies in Europe is transferred out of Europe by Sifflet for the provision of the service as described in the Agreement, to countries that do not ensure an adequate level of data protection within the meaning of the Data Protection Laws and Regulations of Europe, Sifflet shall in advance of any such transfer ensure that a legal mechanism to achieve adequacy in respect of that processing is in place, such as:
As of the Effective Date, Sifflet has no reason to believe that the laws and practices in any third country of destination applicable to its Processing of the Personal Data as set forth in the Infrastructure and Sub-processors Documentation, including any requirements to disclose Personal Data or measures authorizing access by a Public Authority, prevent Sifflet from fulfilling its obligations under this DPA. If Sifflet reasonably believes that any existing or future enacted or enforceable laws and practices in the third country of destination applicable to its Processing of the Personal Data ("Local Laws") prevent it from fulfilling its obligations under this DPA, it shall promptly notify Customer. In such a case, Sifflet shall use reasonable efforts to make available to the affected Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to facilitate compliance with the Local Laws without unreasonably burdening Customer. If Sifflet is unable to make available such change promptly, Customer may terminate the applicable Order Form(s) and suspend the transfer of Personal Data in respect only to those Services which Sifflet cannot provide in accordance with the Local Laws by providing written notice in accordance with the “Notices” section of the Agreement. Customer shall receive a refund of any prepaid fees for the period following the effective termination date for such terminated Services.
List of Schedules:
Schedule 1: Description of Processing/Transfer
Schedule 2: Technical and Organizational Measures
Data exporter(s): Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union
Name: Customer as defined in an Order Form and its Authorized Affiliates.
Activities relevant to the data transferred under these clauses: Performance of the Services pursuant to the Agreement and as further described in the Documentation.
Role: Controller
Data importer(s): Identity and contact details of the data importer(s), including any contact person with responsibility for data protection.
Name: Sifflet SAS
Contact person’s name, position, and contact details:
Wajdi Fathallah, DPO, privacy@siffletdata.com
Activities relevant to the data transferred under these clauses: Performance of the Services pursuant to the Agreement and as further described in the Documentation.
Role: Processor
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
Data exporter may submit special categories of data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which is for the sake of clarity Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data to uniquely identify a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The applicable security measures are described under the Security, Privacy, and Architecture Documentation applicable to the specific Services purchased by Customer, as updated from time to time made reasonably available by Sifflet.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):
Continuous basis depending on the use of the Services by Customer.
The nature of the Processing is the performance of the Services pursuant to the Agreement.
Sifflet will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Documentation, and as further instructed by Customer in its use of the Services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
Subject to section 9 of the DPA, Sifflet will Process Personal Data for the duration of the Agreement unless otherwise agreed upon in writing.
For transfers to (sub-) processors, also specify the subject matter, nature, and duration of the processing:
As per 7 above, the Sub-processor will Process Personal Data as necessary to perform the Services pursuant to the Agreement. Subject to section 9 of this DPA, the Sub-processor will Process Personal Data for the duration of the Agreement unless otherwise agreed in writing.
Identities of the Sub-processors used to provide the Services and their country of location is listed under the Infrastructure and Sub-processor Documentation, which can be found on Sifflet’s Trust and Compliance webpage.
Identify the competent supervisory authority/ies in accordance with clause 13: French supervisory authority: Commission Nationale de l’Informatique et des Libertés (CNIL)
Data importer will maintain administrative, physical, and technical safeguards for the protection of the security, confidentiality, and integrity of Personal Data uploaded to the Services, as described in the Security, Privacy, and Architecture Documentation applicable to the specific Services purchased by the data exporter, and in Schedule 2 of this DPA. Data Importer will not materially decrease the overall security of the Services during a subscription term. Data Subject Requests shall be handled in accordance with section 3 of the DPA.
The technical and organisational measures (TOMs) provided below apply to all Sifflet standard service offerings except where the Client is responsible for security and privacy TOMs. Upon request from the Client, evidence of the measures implemented and maintained by Sifflet may be presented in the form of up-to-date attestations, reports, or extracts from independent bodies.
Document Management
Sifflet will validate that necessary documentation is in place between Sifflet and the Client where Sifflet, if applicable, processes Personal Data covered by the GDPR. In case of a change to the defined scope, any change to the processing of Personal Data will be reviewed to determine any impact on required TOMs and other contract exhibits. Sub-processors, if applicable, will be identified for Client approval with periodic review to validate ongoing adherence to the agreed-upon contractual TOMs.
Sifflet will create and maintain the following security and privacy documentation as well as store them in a central repository with restricted access control:
Security Incidents
Sifflet will maintain an Incident Response Playbook (incident response policy and procedures) and follow documented incident response policies, including data breach notification to the Data Controller (Client) without undue delay where a breach is known or reasonably suspected to affect Client Personal Data.
Risk Management
Sifflet will assess risks related to the processing of Personal Data and create an action plan to mitigate identified risks.
Security Policies
Sifflet will maintain and follow IT security policies and practices that are integral to Sifflet’s business and mandatory for all Sifflet employees, including supplemental personnel. IT security policies will be reviewed periodically, and such policies will be updated as Sifflet deems reasonable to maintain the protection of services and content processed therein.
Sifflet will maintain an inventory of Personal Data reflecting the instructions in the DPA and DPA Exhibit, including disposal instructions upon contract closure. Computing environments with resources containing Personal Data will be logged and monitored.
Sifflet employees will complete security and privacy awareness education annually and certify each year that they will comply with Sifflet's ethical business conduct, confidentiality, and security policies, as set out in Sifflet's Employee Handbook and code of conduct. Additional policy and process training will be provided to persons granted administrative access to security components specific to their role within Sifflet’s operation and support of the service and as required to maintain compliance and certifications.
Physical Security
Sifflet does not maintain a physical corporate office or company data center that contains customer-sensitive information, Personal Data, or other confidential client information.
User Access Management
Sifflet will maintain proper controls for requesting, approving, granting, modifying, revoking, and revalidating user access to systems and applications containing Personal Data. Only employees with a clear business need access to Personal Data located on servers, within applications and databases, and/or the ability to download data within Sifflet’s network environment. All access requests will be approved based on individual role-based access and reviewed regularly for a continued business need. All systems must meet corporate IT Security Standards and employ security configurations and security hygiene practices to protect against unauthorized access to operating system resources.
For Client access, Sifflet will enable additional controls for user access to Client Personal Data to help prevent unauthorized access.
Sifflet will limit privileged access to individuals for a limited time, and usage will be monitored and logged. Any shared access will be limited, and usage will be monitored, logged, and revalidated regularly.
System Network Security
Sifflet will employ encrypted and authenticated remote connectivity to Sifflet computing environments and Client systems unless otherwise directed by the Client.
Network security measures include; firewalls, remote access control via virtual private networks or remote access solutions, network segmentation, and detection of unauthorized or malicious network activity via security logging and monitoring.
Data availability through business continuity and disaster recovery planning supports our documented risk management guidelines. Sifflet will have defined, documented, maintained, and annually validated business continuity and disaster recovery plans consistent with industry-standard practices.
Controls and Validation
Sifflet will maintain policies, procedures, and governance controls designed to manage risks associated with applying changes to the Client systems.
Before implementing changes to Sifflet systems, networks, and underlying components, the changes will be documented in a registered change request that includes a description and reason for the change, implementation details and schedule, a risk statement addressing the impact to the Client, expected outcome, rollback plan, and documented approval by authorized personnel.
Media Handling
Sifflet does not allow removable storage media.
Workstation Protections
Sifflet will implement protections on end-user devices and monitor those devices to be in compliance with the security standard requiring hard drive passwords, screen savers, antivirus software, firewall software, unauthenticated file sharing, hard disk encryption, and appropriate patch levels. Controls are implemented to detect and remediate workstation compliance deviations.
Sifflet will securely sanitize physical media (laptops/workstations) intended for reuse before such reuse and will destroy physical media not intended for reuse.
Security and Privacy by Design
Sifflet will incorporate Security and Privacy by Design principles for systems and enhancements at the earliest stage of development and educate all employees on security and privacy annually.
Threat and Vulnerability Management
Sifflet will maintain measures meant to identify, manage, mitigate, and/or remediate vulnerabilities within the Sifflet computing environments. Security measures include: