For the purposes of this Data Processing Agreement, the following terms shall have the meaning provided below:
All other capitalised terms shall have the same meaning provided in the Agreement.
Schedule A – Instructions
The Contractor shall comply with any further written instructions with respect to processing by the Customer.
Any such further instructions shall be incorporated into this Schedule.
Description | Details |
--- | --- |
Subject matter of the processing | FalconDive provides the Client with a platform that gives real-time access to data concerning registration, deposits, log-ins, player bets, bet results and other transactional data on the Client's end users, so that the Client can efficiently manage, segment and perform analytics on those end users. |
Duration of the processing | For the Term of the Agreement. |
Nature and purposes of the processing | New transactions and events will be transferred to FalconDive in real time or on an agreed data refresh cycle. Historical data (transactions such as deposits, withdrawals and bets placed) may be migrated from time to time; it will be transferred via secure FTP upload, imported once into FalconDive, and the source file will then be destroyed. FalconDive will not collect any data on its own and will depend solely on the data provided by the Client. The Client will use the FalconDive platform to orchestrate various reporting and analytical activities. The FalconDive platform will process transactional data, and based on such data the Client may act, engage the customer and/or notify internal teams. FalconDive will not process, store, transmit or access any sensitive personal data of the Client's customers. |
Type of Personal Data | Marketing consent, age, birthday, country, transactional data (deposits, withdrawals), transactional data relating to spins or bets made, bonus and rewards information, blocked / self-exclusion statuses, registration date, affiliate reference, dates of transactions, device usage and current balance. This in no way includes sensitive personal data of the Client's customers such as name, last name and address. |
Categories of Data Subject | Customers of the Client (not including any personal or sensitive specific data of the customers of the Client). |
Plan for return and destruction of the Personal Data once the processing is complete | In accordance with Clause 11 of this Agreement, FalconDive shall comply with a request to return and/or delete any and all copies of Client Personal Data within 40 days of such request, ensuring the same with regard to each Sub-processor. Nonetheless, Client Personal Data may be retained to the extent required by applicable Data Protection Legislation for as long as required by such laws, always ensuring the confidentiality of such data and upon notice to the Client. |
Full Name and Details of Sub-processor | Location of Processing | Nature and Purpose of Processing |
--- | --- | --- |
Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg | London | FalconDive may use the technical infrastructure provided by Amazon Web Services (AWS) in order to perform the Services stipulated in the Agreement with the Client. AWS is used for the following main purposes: (i) to store the personal and transactional data of the Client's customers on AWS servers and databases; (ii) to enable the performance of the Services rendered by FalconDive, including the launch of marketing campaigns by the Client in relation to the Client's customers or data modelling/science activities; (iii) to enable segmentation of the data transferred by the Client to FalconDive, in accordance with the instructions of the Client. AWS is SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017 and ISO 27018 certified. FalconDive uses the AWS data center in London, England. However, where the Client stores data on servers located outside Europe, FalconDive may, for technical performance purposes, rely on another AWS data center and shall inform the Client accordingly of the location of that data center. |
Control ID | Requirements |
--- | --- |
5.1.1 a | A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. |
5.1.1. b | The Contractor shall ensure that their Personnel agree to terms and conditions concerning information security. |
15.1.1 b | A formal information security risk assessment process shall be defined and implemented. |
15.1.1 c | An information security risk treatment process shall be implemented to select appropriate information security risk treatment options. |
15.1.3 e | The Contractor, as a provider of cloud services, should include requirements that address the information security risks associated with information and communications technology services throughout its product supply chain. |
15.1.3 f | All structured and unstructured data shall be available to the customer and provided to them upon request in an industry-standard format. |
6.1.1 | All information security responsibilities shall be defined and allocated. |
6.1.2 | Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets. |
6.1.3 | A policy and supporting security measures shall be implemented to protect information accessed, processed or stored when using mobile computing and teleworking. |
7.1.1 | Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. |
7.2.2 | All employees of the organisation and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organisational policies and procedures as relevant for their jobs. |
8.1.2 | Ownership of an asset shall be assigned and managed during the asset’s lifecycle. |
8.1.3 | All employees and external party users shall in a timely manner return all of Operator’s assets in their possession upon termination of their employment, contract or agreement. |
8.2.1 | Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. |
8.2.2 | An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization. |
8.2.3 | Sensitive and removable storage media (e.g. CDs, DVDs and USB memory sticks) shall be protected against unauthorized access, misuse or corruption during transportation. |
8.3.3 | Media containing confidential information shall be protected against unauthorised access, misuse or corruption during transportation. |
9.2.1 a | The Contractor shall protect the Client's information from access by its other cloud customers or by unauthorized persons. |
9.1.2 b | A formal user registration and de-registration process shall be implemented to assign or revoke access rights for all user types to all systems and services. |
9.2.1 b | The use of individual user identities shall be enforced. |
9.2.3 | The allocation and use of privileged access rights should be restricted and controlled. |
9.2.4 a | Default and temporary passwords and cryptographic keys shall be kept confidential and be changed from defaults prior to use. |
9.2.4 b | The allocation of secret authentication information should be controlled through a formal management process. |
9.2.4 c | Passwords shall be stored and transmitted in a safe way to avoid being compromised. |
9.4.2 d | A secure password reset process shall be implemented. |
9.2.5 | Access rights shall be reviewed and documented at regular intervals. |
9.2.6 | The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. |
9.3.1 | Users should be required to follow the organization’s practices in the use of secret authentication information. |
9.4.3 | The use of quality passwords shall be enforced. |
9.4.4 | The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. |
9.4.2 a | Where required by the access control policy, access to systems and applications should be controlled by a secure log-on procedure. |
11.1.1 | Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. |
11.1.2 | Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. |
11.1.4 | Physical protection against natural disasters, malicious attack or accidents shall be designed and applied. |
11.1.5 | Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. |
11.1.6 | Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities. |
11.1.7 | Security shall be applied to off-site assets taking into account the different risks of working outside the organisation’s premises. |
12.1.1 | Operating procedures shall be documented and made available to all users who need them. |
12.1.2 b | Changes in system and services shall be authorized, approved and communicated by and to appropriate stakeholders according to defined rules. |
12.1.2 c | A fallback procedure shall be defined and tested before a change is performed. |
12.1.2 d | The Contractor shall implement emergency changes when available and approved, unless such implementation introduces higher business risks. |
12.1.4 a | Development, testing and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment. |
12.1.4 b | Activities and decision points in the change process shall be logged. |
12.1.4 c | Rules for the transfer of software from development to operational status shall be defined and documented. |
12.1.5 | Procedures for administrative operations of a cloud computing environment should be defined, documented and monitored. |
12.2.1 | Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness. |
12.3.1 a | Backups of information, software and system images shall be taken according to business requirements for recovery point objective and recovery time objective. |
12.3.1 b | Backups shall be regularly tested to ensure data integrity and that business requirements for recovery point objective and recovery time objective can be met. |
12.3.1 c | Backups shall have a defined retention period, after which data can be disposed. |
12.4.1 a | Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly monitored. |
12.4.1 b | Logging shall be enabled on all firewalls and firewall logs shall be centrally retained and appropriately protected. |
12.4.2 | Logging facilities and log information shall be protected against tampering and unauthorized access. |
12.4.4 | The clocks of all relevant information processing systems within an organisation or security domain shall be synchronized to a single reference time source. |
12.5.1 a | Procedures shall be implemented to ensure that only supported and documented software is installed on operational systems. |
12.5.1 b | Physical and virtual machines shall be hardened according to Contractor recommendations. |
12.6.1 a | Vulnerabilities in systems and services shall be identified. |
12.6.1 b | Vulnerabilities in systems and services shall be managed. |
13.1.1 a | Networks shall be managed and controlled to protect information in systems and applications. |
13.1.1 b | Special controls shall be enabled to protect confidentiality and integrity of data in transit according to best practice and industry standards, e.g. TLS encryption, WPA2 encryption, managed firewall etc. |
13.1.3 | Web application firewalls shall be in place in front of public-facing web applications and services. |
13.2.4 | Requirements for confidentiality or non-disclosure agreements reflecting the organisation’s needs for the protection of information shall be identified, regularly reviewed and documented. |
14.2.1 | Rules for the development of software and systems should be established and applied to developments within the organization. |
14.2.5 | Principles for engineering secure systems should be established, documented, maintained and applied to any information systems implementation efforts. |
14.2.9 | Acceptance testing programs and related criteria should be established for new information systems, upgrades and new versions. |
14.2.8 a | Contractor shall, at least annually, and after any significant infrastructure or application upgrade or modification offer penetration testing. |
14.2.8 b | Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations. |
14.2.8 c | The Contractor shall regularly perform manual and automated security testing of the application to ensure that the application is reasonably free of application security defects. |
14.3.1 | Confidential or sensitive information, including but not limited to Personal Data and any information that is defined as Confidential information shall never be used for testing purposes. |
16.1.1 a | Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents. |
16.1.1 b | Information security events shall be reported in a standardized fashion through appropriate management channels as quickly as possible. |
16.1.4 | Information security events shall be assessed, and it shall be decided whether they are to be classified as information security incidents. |
16.1.5 a | Specific Incident Response Plans (IRP) for identified and agreed Information security Incidents shall be documented to meet legal, regulatory and business demands. |
16.1.5 b | There shall be yearly exercises to train, test and improve the overall process and specific incident response plans based on an agreed and documented test plan. |
17.1.1 | All IT systems shall have a documented restore and recovery procedure to meet recovery time objectives. |
17.1.2 | All IT system disaster recovery plans and recovery procedures shall be verified and tested at regular intervals. |
18.1.1 a | Financial data shall be archived in accordance with applicable legislation. |
18.1.1 b | Segregation of duties when processing financial data shall be defined and implemented. |
18.1.1 c | Contractor shall maintain an SSL Labs rating of at least “A” for any external website used to store or access Client’s data. |
18.2.1 a | The Contractor shall provide support for the external and internal audits to which the Client is subject from time to time. All technical audits (i.e. vulnerability and penetration testing of infrastructure and applications in scope) are subject to a joint assessment led by the Client. |
18.2.1 b | Information systems shall be regularly reviewed for compliance with the organization’s information security policies and standards. |
To ensure that data is accurate and correct at all times, three main measures have been put in place to achieve the highest possible integrity.
© 2024 All rights reserved Falcondive.