Data Processing Agreement - Bitdefender Offensive Services


The following Data Processing Agreement applies only to the specific Services described in Appendix 1 and the Main Agreement (SoW and Terms and Conditions) and does not replace any other data processing arrangement for the provision of other services or solutions.

This Agreement does not cover the processing of personal data by Bitdefender as a Data Controller, including the names, surnames, addresses, e-mail addresses, telephone numbers and other personal data of employees of the Client that are integrated into the information processed by Bitdefender and directly necessary for the provision of the services (e.g. contracts, invoices, contact persons for service provision, etc.).


1. Definitions

The following terms shall have the following meaning when used in this Agreement:

"Agreement" means the terms of this data processing agreement including its Appendixes and any document expressly cross referenced from either;

"Data Protection Legislation" means the General Data Protection Regulation 2016/679 ("GDPR"), Directive 2002/58/EC and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them, and all other applicable laws relating to the processing of personal data and privacy that may exist in any relevant jurisdiction, including, where applicable, the guidance and codes of practice issued by supervisory authorities;

"data controller", "data processor", "data subject", "personal data", "processing", "appropriate technical and organisational measures" and "personal data breach" shall be interpreted in accordance with the applicable Data Protection Legislation in the relevant jurisdiction.

1. General Terms on processing personal data

1.1 Bitdefender agrees that the Client is the data controller of personal data which Bitdefender will process and that Bitdefender is a data processor in relation to personal data that is processed by or on behalf of the Client pursuant to the Scope of Work concluded by the two parties and this Agreement. The processing will be carried out until the date that Bitdefender ceases to provide the Services to the Client. Appendix 1 of this Agreement sets out the nature and purpose of the processing, the types of personal data Bitdefender processes and the categories of data subjects whose personal data is processed.

1.2 The personal data will only be processed in accordance with written instructions from the Client (which are instructions of a general nature as set out in the Scope of Work, this Agreement or the Proposal, or as otherwise specified by the Client to Bitdefender via the written communication methods described in the agreement). If Bitdefender is required to process such personal data for any other purpose by European Union or Member State laws to which Bitdefender, its staff or subcontractors are subject, Bitdefender will promptly inform the Client of this requirement first, unless such law(s) prohibit this.

2. Obligations of the Data Controller

- complies with GDPR when processing personal data, and only gives lawful instructions to the Data Processor;

- guarantees that data subjects have been informed of the uses of their personal data as required by GDPR, including about the sharing of their data with the Data Processor, if required; confirms that it relies on a valid legal ground for the processing of personal data under GDPR, including, if required, obtaining consent from data subjects;

- complies with Data Subject requests to exercise their rights of access, rectification, erasure, data portability, restriction of processing, and objection to the processing;

- implements appropriate technical and organizational measures to ensure, and to be able to demonstrate, that the processing of personal data is performed in accordance with GDPR, including for securing the transfer of data from its data subjects to the Data Processor;

- cooperates with the Data Processor to fulfill their respective data protection compliance obligations in accordance with GDPR;

- performs its own analysis of the data processing, based on its specific policies;

- in any situation in which the Data Controller must fulfill an obligation, such as informing the data subject of a data breach, the Data Processor cannot be held responsible for the Data Controller's failure to act on that obligation.


3. Obligations of the Data Processor

- only processes personal data on behalf of the Data Controller in accordance with its specific instructions as mentioned in Article 1.2, or as otherwise agreed by both parties in writing;

- will promptly inform the Data Controller if, in its opinion, the Data Controller's instructions infringe GDPR, and/or if the Data Processor is unable to comply with the Data Controller's instructions;

- will ensure that personnel required to access such personal data are subject to a binding duty of confidentiality in respect of such personal data;

- will notify the Data Controller without undue delay after becoming aware of a personal data breach when the data is processed by the Data Processor. The Data Processor will take reasonable steps to mitigate the effects and to minimize any damage resulting from the personal data breach. Any processing of personal data by the Data Processor for the sole purpose of providing the Services will not be considered a personal data breach, as the Data Controller provided written agreement to the Data Processor for these services in the Scope of Work;

- will assist the Data Controller in complying with data security, data breach notification, and other requirements under GDPR, taking into account the nature of the processing and the information available to the Data Processor. To the extent authorized under applicable law, the Data Controller shall be responsible for any costs arising from the Data Processor's provision of such assistance;

- taking into account the nature of the processing, will assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, to fulfill the Data Controller's obligation to respond to data subjects' requests to exercise their rights as provided under GDPR. To the extent authorized by applicable law, the Data Controller shall be responsible for any costs arising from the Data Processor's provision of such assistance;

- Data deletion at termination. When the Services under the SOW are delivered, or the SOW term expires, or at the end of the storage term as defined in the Appendix, the Data Processor will delete all personal data and existing copies, unless EU or EU Member State law prevents it from returning or destroying all or part of the personal data or requires storage of the personal data (in which case the Data Processor must keep it confidential), or unless the Client specifically instructs or requests a different data retention period;

- Data retention. The Data Processor shall however keep the Deliverables for the duration of the business relationship (including extensions and/or renewals) with the Client and for an additional 3 years after its completion, in the Client's interest in additional services from Bitdefender that may require data from such Deliverables, unless the Client specifically instructs or requests a different data retention period. Any additional requests regarding the performance of the service may only be made up to 14 days before the deletion of the data. If a complaint is made, Bitdefender may retain data and suspend any deletion related to such complaint, in the legitimate interest of Bitdefender and the Client, until the complaint is resolved and finalized or until the complaint is retracted;

- Deletion request prior to termination. The Client may ask for deletion of data before termination or completion of the contract; however, such deletion may interfere with the efficiency of the Deliverables, and the Client accepts and acknowledges that Bitdefender may not be able to deliver the Services as provisioned, considering that access to data is an essential condition for providing the Services.


4. Security of the processing

The Data Processor must implement appropriate technical and organizational measures, such as compliance with the ISO 27001 and SOC 2 Type 2 standards, to ensure industry-standard security measures appropriate to the risk. In assessing the appropriate level of security, the Data Processor must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects and the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. The Data Processor shall take steps to ensure that any person acting under its authority who has access to personal data is bound by enforceable contractual or statutory confidentiality obligations.


5. Sub-processors

5.1. The Data Controller agrees to the use by the Data Processor of the specific sub-processors specified in Appendix 1.

5.2. The Data Controller gives a general authorization to the Data Processor to share personal data with future Sub-Processors other than the ones previously mentioned, under the conditions set out below:

- The Data Processor shall inform the Data Controller of any addition or replacement of Sub-Processors and allow the Data Controller to reasonably object to such changes by notifying the Data Processor in writing within five business days after receipt of the Data Processor's notice of the addition or replacement of a Sub-Processor. The Data Controller's objection should be sent to dpo@bitdefender.com and explain the reasonable grounds for the objection.

- The Data Processor guarantees that it will have an agreement with its Sub-Processors which imposes on the Sub-Processor data protection obligations similar to those imposed on the Data Processor under this Agreement or by GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures to ensure that the processing will meet the requirements of GDPR, to the extent applicable to the nature of the service provided by the Sub-Processors. Where the Sub-Processor fails to fulfill its data protection obligations under such agreement, the Data Processor shall remain fully liable towards the Data Controller for the performance of the Sub-Processor's obligations under such agreement.

- The Data Processor guarantees that all sub-processors will process data exclusively within a Member State of the European Union (EU), within a Member State of the European Economic Area (EEA), or in any state with an adequate data protection regime as recognized by the European Commission or under other appropriate safeguards, including Standard Contractual Clauses.


6. Data Protection Audit

6.1. Upon prior written request by the Data Controller, the Data Processor agrees to cooperate and, within a reasonable time, to provide the Data Controller with:

(a) a summary of the audit reports demonstrating Data Processor’s compliance with its obligations under this Agreement, after redacting any confidential and commercially sensitive information; and

(b) confirmation that the audit has not revealed any material vulnerability in Data Processor’s systems, or to the extent that any such vulnerability was detected, that Data Processor has fully remedied such vulnerability. 

6.2. If the above measures are not sufficient to confirm compliance with GDPR or reveal material issues, then, subject to the strictest confidentiality obligations, the Data Processor allows the Data Controller to request an audit of the Data Processor's data protection compliance program by external independent auditors, who are jointly selected by the parties. The external independent auditor cannot be a competitor of the Data Processor, and the parties will mutually agree upon the scope, timing, and duration of the audit. The audit may not start less than 30 days after the Data Controller's first request. The Data Processor will make the result of the audit of its data protection compliance program available to the Data Controller. The Data Controller must fully reimburse the Data Processor for all expenses and costs of such audit.


7. Liability to data subjects.  

7.1. Each party agrees that it will be liable to data subjects for the entire damage resulting from a violation of GDPR. The Data Controller and the Data Processor will share their responsibilities on ensuring personal data protection (for example on confidentiality or security of personal data processing) depending on access and effective control on personal data, both from a legal and technical perspective. 

7.2. If one party paid full compensation for the damage suffered, it is entitled to claim back from the other party that part of the compensation corresponding to the other party’s part of responsibility for the damage. For that purpose, both parties agree that Data Controller will be liable to data subjects for the entire damage resulting from a violation of GDPR with regard to processing of personal data for which it is a Data Controller, and that Data Processor will only be liable to data subjects for the entire damage resulting from a violation of the obligations of GDPR of the Data Processor and where it has acted outside of or contrary to Data Controller’s lawful instructions. 

7.3. Data Processor will be exempted from liability if it proves that it is not in any way responsible for the event giving rise to the damage.  

8. Data Controller and SCCs

If the Data Controller is a business located in a country outside the EU and/or the European Economic Area (EEA), or in a jurisdiction which offers an adequate level of personal data protection according to European Union standards (Art. 45 GDPR), then the Standard Contractual Clauses (SCCs) in Appendix 2 will also apply. Any update made by the European Commission to these SCCs shall apply without the need to amend this Agreement.


9. Final provisions.

9.1. This Agreement will enter into force on the effective date of the Main Agreement and may be changed by agreement of both parties.

9.2. In the event of any conflict or inconsistency between the provisions of the Scope of Work and these terms, the provisions of these terms shall prevail. Save as specifically modified and amended in these terms, all of the terms, provisions and requirements contained in the Scope of Work shall remain in full force and effect and govern this Agreement.

9.3. These terms and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with their subject matter or formation shall be governed by and interpreted in accordance with the law of Romania, and the parties agree that the courts of Romania have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) that arises out of or in connection with them.


Appendix 1 to the Data Processing Agreement for Professional Services

Bitdefender Penetration Testing / Bitdefender Red Teaming 


1. Nature and purpose and duration of the processing

Personal data shall be processed in order to allow Bitdefender to provide GravityZone Penetration testing and/or Red Teaming service for the Client, including support for this service. The processing shall take place for the duration of the Scope of Work, unless otherwise directed by the Client.

The sole purpose is to ensure network and information security for the Data Controller by providing the services, including the logging and reporting necessary for the provision of the services.

If necessary, the processing includes all operations performed on the collected personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, alignment or combination, restriction, erasure or destruction, unless otherwise instructed by the Data Controller.

2. Categories of data subjects whose personal data is processed

Depending on the data disclosed by the system or application of the Client that is the subject of the services, the categories of data subjects may include employees of the Client, customers of the Client, as well as any other person that uses the technical infrastructure of the Client that is in scope of the provided services.


3. Categories of personal data

Depending on the data disclosed by the system or application of the Client that is the subject of the services, the categories of personal data may include:

- Technical data of these devices or applications (e.g. IP address, MAC address, configuration data, running processes, system/network information). In most cases, such technical data may not lead to direct or indirect identification, but in some very specific cases computer specialists might be able to identify a specific device. Therefore, we treat all such information as personal data and protect it as such. Other data that is purely technical and cannot be directly or indirectly linked to a data subject, other than by linking it with the data above, may also be collected according to the details in the technical specifications of the product and the specified tools;

- other basic personal data (for example, username, e-mail address or even name and surname) could be inadvertently or incidentally processed during the dynamic provision of the services.

In the case of Red Teaming services, personal data may be collected from publicly available sources (such as social media profiles and OSINT tools) and may additionally include: passwords and/or password hashes, e-mail addresses, names, job titles, LinkedIn profile URLs, cookies/session tokens, and system/network information.

There are no sensitive personal data presumed to be processed, except if otherwise specifically instructed by the Client.

4. Frequency of the transfer

The transfer takes place on a continuous basis during the delivery of the Services.


5. Period of retention

By default, the personal data is retained for the entire duration of the business relationship and for 3 years after its completion, unless the Client specifically instructs or requests a different data retention period.

The retention period may be changed, if both parties agree on different terms.

6. Sub-processors

Bitdefender uses the following sub-processors for this solution:

- Bitdefender Affiliate - Horangi PTE LTD. located in Singapore, as a security services provider.

The sub-processor has offices in, and may process data in, Singapore or other countries outside the EU; as such, Bitdefender has signed adequate Standard Contractual Clauses (SCCs) with this sub-processor and has performed a security assessment of it.


Appendix 2 to the Data Processing Agreement

Standard Contractual Clauses (SCC)

as per European Commission Implementing Decision 2021/914

SECTION I

Clause 1

Purpose and scope

    (a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

    (b) The Parties:

    (i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Appendix I.A (hereinafter each ‘data exporter’), and

    (ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Appendix I.A (hereinafter each ‘data importer’)

have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

    (c) These Clauses apply with respect to the transfer of personal data as specified in Appendix I.B.

    (d) The Appendix to these Clauses containing the Appendixes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

    (a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

    (b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

    (a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

    (i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

    (ii) Clause 8.1 (b) and Clause 8.3(b);

    (iii) [Intentionally left blank];

    (iv) [Intentionally left blank];

    (v) Clause 13;

    (vi) Clause 15.1(c), (d) and (e);

    (vii) Clause 16(e); and

    (viii) Clause 18.

    (b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

    (a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

    (b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

    (c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Appendix I.B.

Clause 7

Docking clause

[Intentionally left blank]

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

    8.1 Instructions

    (a) The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller.

    (b) The data exporter shall immediately inform the data importer if it is unable to follow those instructions, including if such instructions infringe Regulation (EU) 2016/679 or other Union or Member State data protection law.

    (c) The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in the context of sub-processing or as regards cooperation with competent supervisory authorities.

    (d) After the end of the provision of the processing services, the data exporter shall, at the choice of the data importer, delete all personal data processed on behalf of the data importer and certify to the data importer that it has done so, or return to the data importer all personal data processed on its behalf and delete existing copies.

    8.2 Security of processing

    (a) The Parties shall implement appropriate technical and organisational measures to ensure the security of the data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature of the personal data, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects, and in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.

    (b) The data exporter shall assist the data importer in ensuring appropriate security of the data in accordance with paragraph (a). In case of a personal data breach concerning the personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of it and assist the data importer in addressing the breach.

    (c) The data exporter shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

    8.3 Documentation and compliance

    (a) The Parties shall be able to demonstrate compliance with these Clauses.

    (b) The data exporter shall make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.

Clause 9

Use of sub-processors

[Intentionally left blank].

Clause 10

Data subject rights

The Parties shall assist each other in responding to enquiries and requests made by data subjects under the local law applicable to the data importer or, for data processing by the data exporter in the EU, under Regulation (EU) 2016/679.

Clause 11

Redress

    (a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

Clause 12

Liability

    (a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

    (b) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.

    (c) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

    (d) The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

    (e) The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.

Clause 13

Supervision

[Intentionally left blank].

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

[Clause omitted as it has been indicated that the EU processor will not combine the personal data received from the third country-controller with personal data collected by the processor in the EU]

Clause 15

Obligations of the data importer in case of access by public authorities

[Clause omitted as it has been indicated that the EU processor will not combine the personal data received from the third country-controller with personal data collected by the processor in the EU]

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

    (a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

    (b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

    (c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

    (i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

    (ii) the data importer is in substantial or persistent breach of these Clauses; or

    (iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

    (d) Personal data collected by the data exporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

    (e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of Romania.

Clause 18

Choice of forum and jurisdiction


Any dispute arising from these Clauses shall be resolved by the courts of Romania.


APPENDIX I to SCCs


A. LIST OF PARTIES

Data exporter(s): Bitdefender SRL, with the contact data from the Scope of Work

Role (controller/processor): Processor

Data importer(s): Client of Bitdefender Services, with the contact data from the Scope of Work

Role (controller/processor): Controller


B. DESCRIPTION OF TRANSFER

As provided in Annex 1 (above)


ANNEX II to the SCCs

TECHNICAL AND ORGANISATIONAL MEASURES


EXPLANATORY NOTE:
The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Data importer shall implement and maintain technical and organizational measures to safeguard personal data with at least the same level of protection as those implemented by Bitdefender and listed below:

Security

Bitdefender guarantees appropriate technical and organizational measures in line with standard industry security measures and best practices. Bitdefender is certified ISO 27001 and SOC 2 Type

In assessing the appropriate level of security, Bitdefender takes into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing data, as well as the risk of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to data transmitted, stored or otherwise processed by Bitdefender.

Personnel

Upon hire, employees that have access to Bitdefender data and information systems must acknowledge that they read and agree to a code of conduct that describes their responsibilities and expected behavior regarding data and information system usage. Employees are required to sign a confidentiality agreement upon hire. This agreement prohibits any disclosure of information and other data to which the employee has been granted access.

New personnel offered employment are subject to background checks or equivalent internal screening prior to their start date.

Management has established defined roles and responsibilities to oversee the implementation of security and the control environment and to report any issues to the board of directors.

Bitdefender has implemented the controls reasonably necessary to prevent unauthorized use, disclosure, loss, acquisition of, or access to company data. This includes, but is not limited to, personnel security measures such as background checks and clear job descriptions for employees managing Bitdefender's data, as well as providing evidence upon request that its employees have completed an annual Information Security Awareness course.

The person responsible for security at Bitdefender subscribes to industry security bulletins and email alerts and uses them to monitor the impact of emerging technologies and security developments on the in-scope production systems.

Physical Security

Bitdefender has implemented appropriate physical controls to prevent unauthorized physical access, damage, or interference to the working environment and the information processing facilities used by Bitdefender, its affiliates, and subcontractors to access, process, transmit, or store Bitdefender Data, including badge access requirements, visitor and access logs, security alarm system(s), CCTV, and other measures.

Logical and Information Security

Authentication to Bitdefender's systems requires unique usernames and passwords with MFA or authorized Secure Shell (SSH) keys, with privileged access to the production systems restricted to authorized users who have a clear business need and for whom such access is part of their job description.

The network is segmented to prevent unauthorized access to customer data; access to firewalls is restricted to authorized network administrators, and firewall rules are reviewed periodically. No port may be exposed directly to the public internet without a documented justification, and any remote access requires Multi-Factor Authentication.

Antimalware and Intrusion Detection and Prevention systems are used to provide continuous monitoring of the Bitdefender network and early detection of potential security breaches, together with a file integrity monitoring (FIM) tool that is used to notify system administrators of potential unauthorized changes to the production systems.

All of the Partner's data managed by Bitdefender is encrypted at rest and in transit using industry-standard mechanisms and algorithms, and a clear inventory is kept of all systems where such data is stored or processed.

Configuration of the Partner's systems, if applicable, is done through a configuration management tool to ensure that system configurations are deployed consistently throughout the environment and to further mitigate the risk of human error.

Bitdefender's network and system hardening standards are documented, based on industry best practices, and reviewed at least annually.

In addition, a formal systems development life cycle (SDLC) methodology is in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements. All Bitdefender systems are updated to the latest available versions, with critical patches applied no later than one week after release.

Bitdefender annually reviews the documented formal procedures that outline the process its staff follows to perform access control functions such as adding new users, modifying an existing user's access, and removing an existing user's access.

A termination checklist is completed to track employee terminations, and access is revoked for departing employees within 24 hours at most as part of the termination process.

Documented user access reviews are conducted by management for systems or system components managing the Partner's data to help ensure that access is restricted appropriately, with tickets created to add, remove or modify access as necessary and in a timely manner.

Vulnerability and Incident Management

Bitdefender has established and maintains a vulnerability management and penetration testing program for all information systems that process, transmit, or store the Partner's data. The program is designed to prevent exploitation of vulnerabilities through continuous monitoring and mitigation of vulnerabilities.

The program includes periodic security audits of these systems via vulnerability scanning, penetration testing, vulnerability assessments and vulnerability remediation coupled with system and application patching.

Internal and external network vulnerability scans are performed quarterly, and remediation plans with the required changes are implemented to remediate, at a minimum, all critical and high vulnerabilities.

Bitdefender has the final form of its software reviewed for security flaws prior to delivery. Bitdefender warrants that the system is free of and does not contain any code or mechanism that collects personal information or asserts control of the system without the Partner's consent, or which may restrict the Partner's access to or use of its data. Bitdefender further warrants that it will not introduce, by any means, spyware, adware, ransomware, rootkits, keyloggers, viruses, trojans, worms, or other code or mechanisms designed to permit unauthorized access to the Partner's data, or which may restrict the Partner's access to or use of its data.

Bitdefender ensures that security events are logged, tracked and resolved according to Bitdefender's security incident response policies and procedures. All events are evaluated to determine whether they could have resulted in a failure to meet security commitments and objectives.

Bitdefender has an incident response plan that is tested at least annually.

Risk Management

A risk assessment is performed by Bitdefender at least annually. As part of this process, threats and changes (environmental, regulatory, and technological) to the in-scope service commitments are identified and the risks are formally assessed.

A Bitdefender vendor management program is also in place; its components include maintaining a list of critical third-party vendors and requirements for third-party partners to maintain security practices and procedures.

Availability

Bitdefender has a documented business continuity/disaster recovery (BC/DR) plan that is tested annually. To further ensure availability, Bitdefender performs daily incremental and weekly full backups of the data stores housing the Partner's data.

Bitdefender continuously evaluates capacity and ensures that system changes are implemented so that processing capacity can meet demand and availability is maintained.

Processing Integrity

Bitdefender has policies and procedures that prohibit the Partner's data from being used or stored in non-production systems or environments, and that ensure data containing confidential information is purged or removed from the application environment in accordance with best practices when the contract ends.

Confidentiality & Security Breaches

If Bitdefender becomes aware of data that may have been accessed, disclosed, or acquired without proper authorization and contrary to the terms herein or the contract with the Partner, Bitdefender alerts the Partner of the data breach within a maximum of 48 hours and immediately takes such actions as may be necessary to preserve forensic evidence and eliminate the cause of the data breach.

After resuming normal operations, Bitdefender provides a full report about the breach to allow the Partner to fully understand the nature and scope of the data breach.