DATA PROTECTION ADDENDUM


This Data Processing Addendum ("Addendum") is is made by and between the users and subscribers of Host Color Europe (HCE), "The Client" and RAX.LLC (also RAX.bg EOOD) an entity which operates HCE website, its data and services, which is incorporated in Republic of Bulgaria, with registration number 175142210 and corporate address ul. Atanas Uzunov 18, Sofia, 1505, "The Company".

INTRODUCTION

a) The Client and the Company are parties to an agreement(s) ("Agreement") under which the Company provides various services to the Client, including IT Colocation, IT Hosting, Cloud Computing, Dedicated Hosting, Virtual Servers, Shared Hosting, Managed Services and other IT services;

b) Under such Agreement the Company may process personal data on behalf of the Client; and

c) Pursuant to art. 28 of the GDPR the parties wish to set out their roles and responsibilities with respect to the processing of the personal data and hereby agree the following:

DEFINITIONS

The terms used in this Addendum shall have the meanings set forth in this Addendum. The terms "processing" (and its derivatives), "personal data", "data controller", "data processor", "international organisation", "data subject", "representative" and "Member State" where used in this Addendum shall have the meaning given to them in the Data protection laws. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.

"Data protection laws" means all applicable European Union or Member State laws concerning the processing of personal data, including, but not limited to The General Data Protection Regulation (EU) 2016/679 ("GDPR") and, to the extent applicable and not in conflict, the data protection laws of another country, with all their amendments or replacements.

"Controller-to-Processor SCCs" means the Standard Contractual Clauses (Processors) in the Annex to the European Commission Decision of February 5, 2010 - available here at the date of this Addendum: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32010D0087 - as may be amended or replaced from time to time by the European Commission.

1. Roles: The Client is the data controller and the Company is the data processor with respect to the personal data that the Company may process on behalf of the Client in the provision of services under the Agreement.

2. Details of processing: The data subjects affected, the type of data and the purposes of processing include, but may not be limited to:

Data subjects: Data subjects may include Client's representatives, end users, employees, job applicants, contractors, collaborators, partners, suppliers, customers, clients, visitors and others as defined by the Client.

Nature and purposes of processing: The Company (and any persons acting under the authority of the Company) will process personal data solely for the purpose of (i) providing the services in accordance with the Agreement and this Addendum (ii) complying with Client's documented written instructions in accordance with the Data protection laws, or (iii) complying with Company's obligations under the Data protection laws.

Type of data:The processed data is the personal data provided by the Client to the Company in connection with its use of the services under the Agreement. Such personal data may include name, email address, contact information, home address, home telephone or mobile number, fax number, email address, and passwords, age, date of birth, marital status, number of children, job title and function, employment history, salary, identification number, prices, goods and services provided, IDs of customers, IP addresses, online behaviour and interest data, etc.

3. Company's obligations and responsibilities: When processes personal data on behalf of the Client the Company shall:

3.1. Scope of processing: process only personal data in accordance with the provisions of this Addendum, to the extent necessary for the performance of the Agreement and on documented instructions from the Client, unless required to do so by Union or Member State law to which the Company is subject. If the Company believes, in its opinion, that an instruction infringes any Data protection law, the Company shall inform the Client and may suspend the implementation of such instruction until the Client changes or confirms it. The Company shall not disclose personal data except as provided under this Addendum.

3.2. Authorised persons: takes commercially reasonable steps to ensure that persons authorised to process the personal data are strictly limited to only those Company's personnel who need to know/access such personal data and have committed themselves (in writing) to confidentiality with respect to such personal data. The Company also represents and warrants that the persons authorised to process the personal data are made aware of the terms of this Addendum, are not allowed to process personal data outside of the scope of this Addendum and have contractually undertaken to comply with the data privacy and confidentiality, including after termination of their relationship with the Company.

3.3. Security measures: take technical and organisational measures with respect to security of the personal data. In particular that include measures and controls as defined in Schedule A to this Addendum.

3.4. Sub-processing: The Company uses sub-processors for the provision of its services, including those under the Agreement. The Company maintains a list of its sub-processors as provided in Schedule B to this Addendum. The Client agrees that the Company may replace its sub-processors or engage another sub-processors for the provision of the services under the Agreement. In such case the Company shall inform the Client of any intended changes in the sub-processors and shall give the Client the opportunity to object to that sub-processing. The Client may object to the proposed sub-processing within 14 days of receipt of the notice and providing in writing reasonable justifiable grounds on the objection, including, where applicable related to the ability of the proposed new sub-processor to adequately protect personal data in accordance with this Addendum or Data protection laws. In the event the objection of the Client is justified the parties may work together in good faith to make mutually acceptable change in the provision of services that will allow to avoid the proposed sub-processing or to replace proposed sub-processing with more appropriate one. In the event that such change cannot be made within reasonable time from the objection and if the Company insists on the use of the proposed sub-processing in the provision of services under the Agreement the Client may terminate the Agreement by written notice to the Company.

3.5. Transfer to third countries: The services the Company provides (and respectively the Client's data) are hosted in data centres on the territory as provided in the Agreement. In some events transfer of personal data to jurisdictions outside European Union or to an international organisation may take place ("transfer to third countries"), including for IT security purposes, maintenance and performance of the services and infrastructure, adding functionalities to the services, etc. In the event of such transfer to third countries of personal data of EU data subjects the Company shall: i) make such transfer always a) on the basis of an adequacy decision by the European Commission (art. 45 of the GDPR) or b) subject to appropriate safeguards as provided under art. 46 of the GDPR, including to rely on Controller-to-Processor SCCs; ii) impose the same data protection obligations as set out in this Addendum on each sub-processor by way of a contract; and iii) remain fully liable to the Client if the sub-processor fails to fulfil its data protection obligations.

3.6. Data subject's rights: taking into account the nature of the processing, assist the Client by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Client's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR or in the applicable Data protection laws. In particular the Company agrees that if a data subject makes a written request to the Company requesting information concerning the processing of, or copies of their personal data, the Company shall promptly notify the Client of that request (including a copy of the request, if appropriate) and shall not respond to that request except in accordance with the prior written instructions of the Client or as required by the Data protection law (for which the Company shall promptly inform the Client).

3.7. Assistance to the Client: assist the Client in ensuring compliance with the obligations pursuant to art. from 32 to 36 of the GDPR including, taking into account the nature of processing and the information available to the Company. The Company shall also make available to the Client all information necessary to demonstrate compliance with the obligations laid down in this Addendum and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client.

3.8. Return or deletion of data: at the choice of the Client, delete or return all existing personal data to the Client after the end of the provision of services relating to processing, and delete all existing copies unless Union or Member State law requires storage of the personal data.

3.9. Data breach notification: The Company shall, without undue delay and in reasonable time notify the Client after becoming aware of any loss, alteration, unauthorised disclosure of, or access to the personal data of the Client.

4. Client's obligations and responsibilities: The Client shall be responsible for compliance with its obligations as a data controller under the Data protection laws, in particular for processing only data that has been lawfully and validly collected, for the justification of any transmission of personal data to the Company, including providing any required notices and obtaining any required consents and/or authorizations, where applicable, the data are relevant and proportionate to the respective uses, the provision of the data does not violate the privacy rights, publicity rights, copyrights, contract rights, intellectual property rights, or any other rights of any person, and/or otherwise compiling with the Data protection laws.

5. General provisions

5.1. Amendments of the Data protection laws: The parties, acting in good faith and as soon as is reasonably possible will may make variations to this Addendum to ensure compliance of this Addendum and of the processing of personal data with any changes in the Data protection laws or as a result of a decision or act of any supervisory authority, the EU Commission, the European Data Protection Board, the Court of Justice or other similar body or organisation, which decision or act affects the Data protection laws and their application. The Company shall ensure that equivalent variations are made to any agreement put in place with any sub-processor affected.

5.2. Contact information: Contact points for data protection enquiries:
The Company:
Email: info@rax.bg
Office Address:
HCE / RAX.BG LLC
5 G.M. Dimitrov Str., Floor 2, Office 5
Plovdiv, 4000
Bulgaria
Each party will also provide the other information on its representative in the EU (as per article 27 of the GDPR) where applicable.

5.3. Survival: This Addendum shall remain in force and shall survive the termination or expiry of the Agreement, where applicable.

5.4. Severability: If any provision of this Addendum is adjudged by a court of competent jurisdiction to be invalid, void, or unenforceable this shall not affect the validity of the remaining provisions which shall remain valid and enforceable.

5.5. Precedence: In the event of inconsistencies between the provisions of this Addendum and the Agreement, including any further agreements to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail, except if otherwise explicitly agreed in writing between the parties.

5.6. Law and Jurisdiction: This Addendum shall be governed by the law of and shall be subject to the exclusive jurisdiction of the courts of Bulgaria.

5.7. With the submission of an Online Services Order or printed Service Order the Client accepts this Addendum.

The date of the last revision of this Addendum is May 14, 2018.

SCHEDULE A: Security Measures (Technical and Organisational Measures) and Data Center Standards

Data Center Standards & Security

HCE Clients' data is hosted in a ISO27001, ISO9001, ISO 5001, ISO 14001 and OHAS 18001 certified It telecommunication facility. It is secure resilient off-site environment that virtually eliminates the risk of physical loss or damage of the critical business systems. The data center where HCE and HCE Clients' equipment is housed has 24/7 security monitoring with armed guards and camera monitoring and recording. There is an operations system in place with a central command and control that ensures secure environment for all IT assets and data.

Power Supply & Configuration

Power redundancy features 4 mid voltage power feeds, two transformers, ATS at low voltage. Generators: N+1. AC Distribution is 2N. UPS systems have 2N topology with 1+1 parallel redundant modules.

Power configuration & infrastructure per rack: A & B infrastructure

Power cables: All cables located at overhead cable trays. All cables are direct feeds from A & B floor power distribution units to the rack.

Level of power redundancy: Four mid voltage power feeds, two transformers, ATS at low voltage. Power Generators: N+1.

AC Distribution: 2N UPS systems: 2N topology with 1+1 parallel redundant modules.

Air-Conditioning

Air conditioning system: Chill water based free-cooling system

Airflow: Pumped through raised floor, front vented racks

HVAC control range: 22° Celsius ±2°, relative humidity 50%, ±15%, Independent temperature & humidity control

Air conditioning redundancy: N+1 air-handling units, 1+1 pumps, N+1 dry coolers

Service Level Availability (SLA) for cooling: 99.97% on annual basis

Physical Security

IT Equipment Enclosures: A Multi-lock key system used for the steel rack doors.

Access Control: HID iClass DG access cards for all doors. 24/7 CCTV camera monitoring of the DC rooms and doors in the data center.

IT Equipment Enclosures: Only authorized personnel are allowed to enter the facility and access the cabinets with the IT equipment

Fire Detection and Suppression

Fire Detection to technical space: Smoke & temperature based addressable system, Bosch

Aspirating Smoke Detection System: VESDA Bosch installed in co-location rooms

Fire Suppression: Gaseous based fire extinguishing system, environment & humane friendly NAF S 125 gas agent, manual and automatic operation

Initial responsibility to fire detection alarm: 24/7 NOC operator and Security guard for evacuation

Cable paths fire protection: All data center room to room crossings are filled in with Intumescent fire-stop sealant

Secure Network & Internet Connectivity

Network: Multi-tenant Internet network with redundancy of the network connectivity

Network Protection: Routing engine with natural protection of against distributed denial of service attacks

Physical Interfaces: Dual logical protection with unused ports kept as “Inactive”

Protection from Data Loss, Corruption

Data Protection: Storage appliances with Dual-Active controller architecture. If one controller fails, the other controller can transparently seamlessly take over all storage services

Multipath Storage Access: MPIO fault-tolerance and performance enhancement technique which allows the use of more than one path to the volume from the same host server.

Data Snapshots: Snapshots can be run on selected Virtual Disks manually, each15 minutes, hourly, daily or on other intervals.

Data Backup Copies: Data backups in accordance with all legal requirements and based on customer's custom requirements.

Account Access Policy: HCE (RAX.BG LLC) employees have different level of the access the Account Management System depending on their positions, qualifications and responsibilities.

Access to Data: Clients Data on the Storage Area network is accessible only after a specific procedure is passed by a HCE/RAX employee.

Application Level Security

Private Environments: Private computing instances without public IP addresses, inaccessible over the public Internet are allocated to Clients for their internal business operations.

Password Protection Policy: User account passwords are hashed and clients are required to use special symbols and strongest possible password for their accounts.

Secure Connection: Account Management system is protected with SSL certificate and securely transmits data between customer's appliances and HCE/RAX environment.

Protected Account Environment: The login screen and Administration level of the HCE/RAX Account Management are accessible over the Internet only after the user passes pre-login browser protection check with username and password different from those used to login to the Account Management System.

Internal IT Security & Levels of Access

Office Security: HCE/RAX Office is secured with Access Control Security system against unauthorized access. The entrance to the office is locked 24/7.

Social Media: HCE/RAX does not use Social media to provide Customer Support. Any sensible information is only sent to the authorized email recorded in the Client's account, inside HCE Account Management System.

Privacy Safeguard Agreement: HCE/RAX employees sign Client Privacy Safeguard Agreement, which outlines their responsibility in protecting customer data.

 

SCHEDULE B: List of sub-processors

Accounting Firm Prima Intelect OOD: The entity has access to bank statements of RAX.BG LLC and is aware of the Clients' bank account number, BIC, invoice amounts paid, first name, last name, entity name, and entity details such as registration number, VAT number, incorporation address and other details in order to comply with the Accountancy Law.

Equinix (Bulgaria) Data Centers EAD: The entity has access to contact details, including National ID card, picture and personal data, collected after a permission is given by the Client, in order to follow the security procedures which apply when Clients requests an access to one's own equipment housed in the telecommunication building and data center.