Last Updated – June 2025
This Data Processing Agreement (“DPA”) forms an integral part of the Silverfort Software License Agreement (“Agreement”) by and between the Client (“Client”) and Silverfort entity noted in the Agreement (“Silverfort”). Both parties shall be referred to as the “Parties” and each, a “Party”.
WHEREAS, Silverfort shall provide the Client with the Services as described in the Agreement. In the course of providing the Services pursuant to the Agreement, Silverfort may process Personal Data on Client’s behalf; and
WHEREAS, The Parties wish to set forth the arrangements concerning the processing of Personal Data (defined below) within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the parties, intending to be legally bound, agree as follows:
1. INTERPRETATION AND DEFINITIONS
1. The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA.
1.1 References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated.
1.2 Words used in the singular include the plural and vice versa, as the context may require.
1.3 Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
1.4 Definitions:
(a) “Adequate Country” is a country that received an adequacy decision from the European Commission or other applicable data protection authority. The terms “Business”, “Business Purpose”, “Consumer”, “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” (and “Process”), “Processor”, “Holder”, “Sensitive Data”, “Service Provider”, “Sale” (or “Sell”) and “Share”, “Special Categories of Personal Data”, “Sub-processor” and “Supervisory Authority”, shall all have the same meanings as ascribed to them under applicable Data Protection Laws. Further, under this DPA “Data Subject” shall also mean and refer to a “Consumer”; “Personal Data” shall also mean and refer to “Personal Information”; “Special Categories of Data” or “Highly Sensitive Data” shall also mean and refer to “Sensitive Data”; and “Data Processor” shall mean and refer to the Data Processor, the Service Provider or Third Party as applicable and the “Data Controller” shall mean and refer to the Business as well.
(b) “Authorized Affiliate” means any of Client’s Affiliate(s) which (a) is subject to the Data Protection Laws and Regulations and (b) is permitted to use the Services pursuant to the Agreement between Client and Silverfort, but has not signed its own agreement with Silverfort and is not a “Client” as defined under the Agreement.
(c) “Client Data” means any Personal Data processed by Silverfort in the course of providing the Services.
(d) “Data Privacy Framework” or “DPF” means the EU-U.S. Data Privacy Framework, Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework operated by the U.S. Department of Commerce; as may be amended, superseded or replaced.
(e) “Data Privacy Framework Principles” means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework available at: https://www.dataprivacyframework.gov/program-articles/Participation-Requirements-Data-Privacy-Framework-(DPF)-Principles; as may be amended, superseded or replaced.
(f) “Data Protection Laws and Regulations” means any and all applicable privacy and data protection laws and regulations including, where applicable, European Data Protection Laws, Israeli Data Protection Laws and the US Data Protection Laws, as may be amended or superseded from time to time.
(g) “European Data Protection Laws” means collectively, the laws and regulations of the European Union, the EEA, their Member States, and the United Kingdom, applicable to the Processing of Personal Data, including (where applicable): (i) EU General Data Protection Regulation (Regulation 2016/679) (“EU GDPR”); Regulation 2018/1725; and the e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (ii) UK Data Protection Act 2018 (DPA 2018), as amended, and EU GDPR as incorporated into UK law as amended (“UK GDPR” and collectively with the EU GDPR shall be referred to herein as the “GDPR”); (iii) Swiss Federal Data Protection Act (dated June 19, 1992, as of March 1, 2019) and the Ordinance on the Federal Act on Data Protection; (iv) any national data protection laws made under, pursuant to, replacing or succeeding the EU GDPR or the e-Privacy Law; (v) any amendment or legislation replacing or updating any of the foregoing; and (vi) any judicial or administrative interpretation of any of the above, including any binding judicial or administrative interpretation of any of the above, or approved certification mechanisms issued by any relevant Supervisory Authority.
(h) “Instructions” means the written, documented instructions issued by the Client to Silverfort directing Silverfort to perform a specific or general action with regard to Client Data (including, but not limited to, instructions to provide the Services under the Agreement and instructions under this DPA).
(i) “Israeli Data Protection Laws” means, collectively, the: (i) Israeli Privacy Protection Law, 5741-1981, (as amended under Amendment 13); (ii) the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017 and the Israeli Protection of Privacy (Transfer of Data to Databases Abroad) Regulations, 5761-2001; (iii) any amendments or legislation replacing or updating any of the foregoing, and; (iv) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or certification mechanisms approved by the Israeli Privacy Protection Authority.
(j) “Member State” or “EEA” means the European Economic Area. “Union” means the European Union.
(k) “Security Documentation” means the Security Documentation applicable to the specific Services purchased by Client, as updated from time to time, and will be made available to Client upon a request sent by Client to Silverfort at [email protected].
(l) “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Data. Any Personal Data Breach will comprise a Security Incident.
(m) “Silverfort” means the relevant Silverfort entity of the following Silverfort legal entities: Silverfort Inc., Silverfort Ltd., and any other wholly owned subsidiary of Silverfort, Inc. or Silverfort Ltd; and/or its Affiliates.
(n) “Standard Contractual Clauses” or “SCCs” means (i) the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission Decision 2021/914 of 4 June 2021, (ii) the UK “International Data Transfer Addendum to the European Commission Standard Contractual Clauses” (“UK SCC”); or (iii) the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (“Swiss SCC”), all incorporated herein by reference.
(o) “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.
(p) “US Data Protection Laws” means any U.S. federal and state privacy laws and regulations effective as of the Effective Date of this DPA and applies to Silverfort Processing of Client Data, and any implementing regulations and amendment thereto, including without limitation, the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199) of 2018 including as modified by the California Privacy Rights Act as well as all regulations promulgated thereunder from time to time (“CCPA”), the Colorado Privacy Act C.R.S.A. § 6-1-1301 et seq (SB 21-190) (“CPA”); the Connecticut Data Privacy Act, S.B. 6 (Connecticut 2022) (“CTDPA”); the Delaware Personal Data Privacy Act (“DPDPA”); the Iowa Data Privacy Law; the Florida Digital Bill of Rights S.B 262 (“FDBR”); the Minnesota Consumer Data Privacy Act; the Montana Consumer Data Privacy Act 68th Legislature 2023, S.B. 0384 (“MTCDPA”); the Maryland Online Data Privacy Act; the Nebraska Data Privacy Act; the New Hampshire Privacy Act; the New Jersey Data Privacy Law; the Oregon Consumer Data Privacy Act ORS 646A.570-646A.589 (“OCDPA”); the Texas Data Privacy and Security Act, Tex. Bus. & Com. Code Ann. § 541.001 et seq (“TDPSA”); the Tennessee Information Protection Act (“TIPA”); the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq (“UCPA”); the Washington “My Health My Data” Act, Wash. Rev. Code § 19.373.005 et seq., and Nev. Rev. Stat. § 603A, as amended by Nevada S.B. 370 (together, the “Washington and Nevada Consumer Health Data Laws”); the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (SB 1392) (“VCDPA”). All as amended or superseded from time to time and including any implementing regulations and amendments thereto.
Any other terms that are not defined herein shall have the meaning provided under the Agreement or applicable Data Protection Laws and Regulations. A reference to any term or section of the Data Protection Laws and Regulations means the version as amended. Any references to the GDPR in this DPA shall mean the GDPR or UK GDPR depending on the applicable Law.
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data under this DPA, Silverfort is the Data Processor and the Client is the Data Controller. For clarity, this DPA shall not apply with respect to Silverfort processing activity as a Data Controller.
2.2 Client’s Processing of Personal Data. Client shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations, comply at all times with the obligations applicable to data controllers and comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall at all times have any and all required ongoing legal bases in order to collect, Process and transfer to Silverfort the Personal Data and to authorize the Processing by Silverfort of the Personal Data which is authorized in this DPA. The Client shall be exclusively responsible to ensure its Instructions are compliant with applicable Data Protection Laws and enable a lawful Processing of Client Data. Client shall defend, hold harmless and indemnify Silverfort (including without limitation their directors, officers, agents, subcontractors and/or employees) from and against any liability of any kind related to any breach, violation or infringement by Client and/or its authorized users of any Data Protection Laws and Regulations and/or this DPA and/or this Section.
2.3 Silverfort’s Processing of Personal Data.
2.3.1 Subject to the Agreement, Silverfort shall Process Client Data only in accordance with Client’s instructions as necessary for the performance of the Services unless required to otherwise by Union or Member State law or any other applicable law to which Silverfort and its Affiliates are subject; in which case, Silverfort shall inform the Client of the legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 (Details of the Processing) to this DPA.
2.3.2 To the extent that Silverfort cannot comply with a request from Client relating to Processing of Client Data or where Silverfort considers such a request to be unlawful, Silverfort (i) shall inform Client, providing relevant details of the problem (but not legal advice), (ii) Silverfort may, without any kind of liability towards Client, temporarily cease all Processing of the affected Personal Data (other than securely storing those data), and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Client shall pay to Silverfort all the amounts owed to Silverfort or due before the date of termination. Client will have no further claims against Silverfort (including, without limitation, requesting refunds for Services) due to the termination of the Agreement and/or the DPA in the situation described in this paragraph (excluding the obligations relating to the termination of this DPA set forth below).
2.3.3 Silverfort will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of Silverfort, to the extent that such is a result of Client’s instructions.
2.3.4 Silverfort hereby certifies it understands the rules, requirements and definitions under applicable Data Protection Laws and Regulations, and shall not: (i) Sell or Share the Client Data; (ii) retain, use or disclose the Client Data for any purpose other than for a business purpose specified in the Agreement; (iii) receive or Process any Personal Information as consideration for any Services it provides to the Client; or (iv) combine the Client Data with other Personal Data that it receives from, or on behalf of another client.
2.3.5 Silverfort shall comply with the requirements set forth under applicable Data Protection Laws and Regulations with regards to processing of de-identified data.
2.3.6 Silverfort shall provide reasonable cooperation and assistance to the Client in ensuring compliance with its obligation to carry out data protection impact assessments and prior consultations with Supervisory Authorities or other competent data privacy authorities to the extent required under applicable Data Protection Laws and Regulations (including data protection impact assessments and consultations with regulatory authorities), provided that Silverfort shall only be required to assist as for information which is reasonably available to Client.
2.3.7 Silverfort shall ensure: (i) the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process Client Data; and (ii) that persons authorized to Process the Client Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3. RIGHTS OF DATA SUBJECTS
3.1 Data Subject or Authority Request. If Silverfort receives a request from a Data Subject or an applicable authority to exercise its rights or investigate the processing of Client Data, including request under the Data Privacy Framework (“Request”), Silverfort shall, to the extent legally permitted, promptly notify and forward such Request to Client in order to enable the Client to respond directly to the Request, unless otherwise required under applicable laws.
3.2 Taking into account the nature of the Processing, Silverfort shall use commercially reasonable efforts to assist Client to fulfil Client’s obligation in relation to the Request as required under Data Protection Laws. Client shall be responsible for any costs arising from Silverfort’s provision of such assistance.
4. AUTHORIZATION REGARDING SUB-PROCESSORS
4.1 Sub-processors. Client acknowledges and agrees that Silverfort may engage third-party Sub-processors in connection with the provision of the Services.
4.2 List of Current Sub-processors. Client provides a general authorization to use the Sub-processors listed in Schedule 3 (“Sub-processor List”).
4.3 Notification of New Sub-processors. Silverfort’s most updated Sub-processors list will be available at https://www.silverfort.com/silverfort-sub-processors-list/.
4.4 Objection Right for Sub-processors. Client may reasonably object to Silverfort’s use of a new Sub-processor for reasons related to the data processing and security by notifying Silverfort promptly in writing within three (3) business days after receipt of Silverfort’s notice in accordance with the mechanism set out in Section 4.3 and such written objection shall include the reasons related to the data processing and security for objecting to Silverfort’s use of such new Sub-processor. Failure to object to such new Sub-processor in writing within three (3) business days following Silverfort’s notice shall be deemed as acceptance of the new Sub-Processor. In the event Client reasonably objects to a new Sub-processor, as permitted in the preceding sentences, Silverfort will use reasonable efforts to make available to Client a change in the Services or recommend a commercially reasonable change to Client’s use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Client. If Silverfort is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Client may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Silverfort without the use of the objected-to new Sub-processor by providing written notice to Silverfort provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Silverfort. Until a decision is made regarding the new Sub-processor, Silverfort may temporarily suspend the Processing of the affected Personal Data. Client will have no further claims against Silverfort due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this paragraph.
4.5 Agreements with Sub-processors. Silverfort shall, where it engages any Sub-processor, impose, through a legally binding contract between Silverfort and the Sub-processor, data protection obligations that are no less onerous than, and provide materially the same level of protection as, those set out in this DPA. Silverfort shall ensure that such contract will require the Sub-processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Laws and Regulations. Sub-processors shall be obligated, contractually, to reasonably cooperate with Silverfort or an applicable regulatory authority in the event of an investigation or Security Incident.
5. SECURITY
5.1 Controls for the Protection of Personal Data. Taking into account the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Silverfort shall maintain all industry-standard technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Client Data), confidentiality and integrity of Client Data, as set forth in the Security Documentation which are hereby approved by Client. Schedule 2 details the Technical Security Measures.
5.2 Third-Party Certifications and Audits. Upon Client’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement and this DPA, Silverfort shall make available to Client that is not a competitor of Silverfort (or Client’s independent, third-party auditor that is not a competitor of Silverfort) a copy or a summary of Silverfort’s then most recent third-party audits or certifications, as applicable (provided, however, that such audits, certifications and the results therefrom, including the documents reflecting the outcome of the audit and/or the certifications, shall only be used by Client to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Silverfort’s prior written approval and, upon Silverfort’s first request, Client shall return all records or documentation in Client’s possession or control provided by Silverfort in the context of the audit and/or the certification). At Client’s cost and expense, Silverfort shall allow for and contribute to audits, including inspections of Silverfort’s, conducted by the controller or another auditor mandated by the controller (who is not a direct or indirect competitor of Silverfort) provided that the parties shall agree on the scope, methodology, timing and conditions of such audits and inspections. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, personal data that does not belong to Client.
6. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION
To the extent required under applicable Data Protection Laws and Regulations, Silverfort shall notify Client without undue delay after becoming aware of a Security Incident. Silverfort shall make reasonable efforts to identify the cause of such Security Incident and take those steps as Silverfort deems necessary, possible and reasonable in order to remediate the cause of such a Security Incident to the extent the remediation is within Silverfort’s reasonable control. The obligations herein shall not apply to incidents that are caused by Client or Client’s users or are otherwise unrelated to the provision of the Services. In any event, Client will be the party responsible for notifying supervisory authorities and/or concerned data subjects (where required by Data Protection Laws and Regulations).
7. RETURN AND DELETION OF PERSONAL DATA
Subject to the Agreement, Silverfort shall, at the choice of Client, delete or return the Client Data following termination or expiration of the Agreement, and shall delete existing copies unless applicable law requires storage of the Client Data. In any event, to the extent required or allowed by applicable law, Silverfort may retain one copy of the Client Data for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or to comply with applicable laws and regulations. If the Client requests the Personal Data to be returned, the Personal Data shall be returned in the format generally available for Silverfort’s Clients.
8. AUTHORIZED AFFILIATES
8.1 Contractual Relationship. The Parties acknowledge and agree that, by executing the DPA, the Client enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Silverfort and such Authorized Affiliates. Each Authorized Affiliate agrees to be bound by the obligations under this DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA and any violation of the terms and conditions therein by an Authorized Affiliate shall be deemed a violation by Client.
8.2 Communication. The Client shall remain responsible for coordinating all communication with Silverfort under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
9. TRANSFERS OF DATA
9.1 Transfers to countries that offer adequate level of data protection or other legally adequate transfer mechanism. Personal Data may be transferred from the EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) (collectively, “EEA”) and the United Kingdom to Adequate Countries, without any further safeguard being necessary. Further, Silverfort participates in and certifies compliance with the Data Privacy Framework.
9.2 Transfers to other countries. If the Processing of Client Data includes transfers (including onward transfers) from the EEA or the United Kingdom to countries outside the EEA or the United Kingdom which are not recognized as providing an adequate level of protection for such Personal Data (within the meaning of the European Data Protection Law), Silverfort will take all such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Laws. Such measures may include (without limitation) confirming that the transfer is made (i) to a recipient that has achieved binding corporate rules authorization in accordance with applicable Data Protection Law; or (ii) to a recipient that has executed the Standard Contractual Clauses.
9.3 Standard Contractual Clauses. The parties agree that the transfer of Client Data from Client to Silverfort, shall be subject to the appropriate Standard Contractual Clauses as follows:
9.3.1 In relation to data that is protected by the EU SCCs, the EU SCCs will apply, completed as follows:
(i) Module Two will apply;
(ii) in Clause 7, the optional docking clause will apply;
(iii) in Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes shall be as set out in this DPA;
(iv) in Clause 11, the optional language will not apply;
(v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
(vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
(vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 1 to this DPA; and
(viii) Annex II of the EU SCCs shall be deemed completed with the Schedule 2.
9.3.2 In relation to data that is protected by the UK SCC:
(i) the EU SCCs, completed as set out above in section 9.3.1. of this Clause shall also apply to transfers of Client Data, subject to sub-clause (ii) below;
(ii) Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out above, and the options “neither party” shall be deemed checked in Table 4. The start date of the UK Addendum (as set out in Table 1) shall be the date of this Agreement.
9.3.3 For transfer of Customer Data from Switzerland, the Swiss SCC shall apply with the following modifications: (i) references to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA; (ii) references to “EU”, “Union” and “Member State law” will be interpreted as references to Swiss law; and (iii) references to the “competent supervisory authority” and “competent courts” will be replaced with “the Swiss Federal Data Protection and Information Commissioner” and the “relevant courts in Switzerland”.
10. TERMINATION
This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
11. RELATIONSHIP WITH AGREEMENT
In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement.
Notwithstanding anything to the contrary in the Agreement and/or in any agreement between the parties and to the maximum extent permitted by law: (A) Silverfort’s (including Silverfort’s Affiliates’) entire, total and aggregate liability, related to personal data or information, privacy, or for breach of, this DPA and/or Data Protection Laws and Regulations, including, without limitation, if any, any indemnification obligation under the Agreement or applicable law regarding data protection or privacy, shall be limited to the amounts paid to Silverfort under the Agreement within twelve (12) months preceding the event that gave rise to the claim. This limitation of liability is cumulative and not per incident; (B) In no event will Silverfort and/or Silverfort Affiliates and/or their third-party providers, be liable under, or otherwise in connection with this DPA for: (i) any indirect, exemplary, special, consequential, incidental or punitive damages; (ii) any loss of profits, business, or anticipated savings; (iii) any loss of, or damage to data, reputation, revenue or goodwill; and/or (iv) the cost of procuring any substitute goods or services; and (C) The foregoing exclusions and limitations on liability set forth in this Section shall apply: (i) even if Silverfort, Silverfort Affiliates or third-party providers, have been advised, or should have been aware, of the possibility of losses or damages; (ii) even if any remedy in this DPA fails of its essential purpose; and (iii) regardless of the form, theory or basis of liability (such as, but not limited to, breach of contract or tort).
12. AMENDMENTS
This DPA may be amended at any time by a written instrument duly signed by each of the Parties.
13. ASSIGNMENT
Silverfort may assign this DPA or its rights or obligations hereunder to any Affiliate thereof, or to a successor or any Affiliate thereof, in connection with a merger, consolidation or acquisition of all or substantially all of its shares, assets or business relating to this DPA or the Agreement. Any Silverfort obligation hereunder may be performed (in whole or in part), and any Silverfort right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by an Affiliate of Silverfort.
*****
List of Schedules
- SCHEDULE 1 – DETAILS OF THE PROCESSING
- SCHEDULE 2 – TECHNICAL AND ORGANISATIONAL MEASURES
- SCHEDULE 3 – SUB-PROCESSORS
SCHEDULE 1
DETAILS OF THE PROCESSING
A. LIST OF PARTIES
Data exporter(s) and Data Controller: The Client as defined above.
Data importer(s) and Data Processor: Silverfort as defined above.
B. DESCRIPTION OF PROCESSING AND TRANSFER
Subject matter
Silverfort will Process Client Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Client in its use of the Services.
Nature and Purpose of Processing
Collection, storage, organization, communication, transfer, host and other types of Processing for the purpose of providing the Services as set out in the Agreement.
Duration of Processing
Subject to any Section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Silverfort will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Type of Personal Data
Client may submit Client Data to Silverfort and/or to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First name
- Last name
- Corporate username
- Corporate email address
- IP address
- Any other Personal Data or information that the Client decides to provide to Silverfort or the Services.
Categories of Data Subjects
Client may submit Personal Data to Silverfort and/or to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Users authorized by Client
- Users with access to the Client’s computer network (including without limitation, employees and subcontractors) which are audited and monitored by the Service
- Employees, agents, advisors of Client (who are natural persons)
SCHEDULE 2
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
1. Silverfort shall establish a procedure for allowing access to Client Data and restriction of such access. Silverfort shall ensure that access to Client Data is strictly limited to those individuals who “need to know” or need to access the relevant Client Data and as strictly necessary for the purpose of providing the Services and shall keep record of the persons authorised to access the Client Data.
2. Silverfort shall take all steps reasonably necessary to ensure the reliability of the individuals who may have access to Client Data and shall ensure that each such individual (i) is informed of the confidential nature of Client Data; (ii) has received appropriate training on his/her responsibilities; and (iii) is subject to written confidentiality undertakings and signs written security protocols.
3. To the extent required under applicable law, Silverfort shall implement physical measures to ensure that access to the Client Data is granted only to authorized users.
4. Silverfort shall maintain and implement sufficient and appropriate environmental, physical and logical security measures with respect to Client Data and to Silverfort’s system’s infrastructure, data processing system (including the system in which the Client Data is processed), communication means, terminals, system architecture, hardware and software, in order to prevent penetration and unauthorized access to Client Data or to the system or communication lines between Client and Silverfort. Silverfort further agrees that systems on which Client Data is processed shall be located in a secure location, which may be accessed only by properly authorized employees.
5. Silverfort shall list all components (hardware and software) used to process Client Data, including computer systems, communication equipment, and software. Silverfort shall use such list to continuously monitor such components and identify weaknesses and risks for the purpose of implementing appropriate security measures to mitigate them.
6. Silverfort shall act in accordance with an appropriate security policy and working procedures that comply with the security requirements under this Schedule and Data Protection Laws, including with respect to backup and recovery procedures. Silverfort shall review its security policies and operating procedures periodically and not less than on an annual basis, and when material changes to the systems or processing are made, all in order to amend them, if required.
7. Silverfort shall take measures to record the access to the Client Data, including recording the exit or entry of any employee for or into the facilities where the Client Data is processed, as well as any equipment brought in or taken out of such facilities.
8. Silverfort shall implement an automatic control mechanism for verifying access to systems containing Client Data, which shall include, inter alia, the user identity, date and time of access attempt, the system component attempted to be accessed, type and scope of access and if access was granted or denied. Silverfort shall periodically monitor the information from the control mechanism, list issues and irregularities and the measures taken to handle them. Control records shall be maintained for a minimum of 24 months. Silverfort records and any related reports and measures will be shared with Client, upon reasonable prior written request, and to the extent required under applicable law, such records shall be backed-up by Silverfort.
9. Silverfort will perform a security risk survey and penetration testing, at least once every 12 months and shall make required amendments in case any irregularities are discovered. Silverfort records and any related reports and measures related to the risk survey and penetration testing will be shared with the Client, upon reasonable prior written request and subject to confidentiality.