Data Processing Agreement

Effective Date: 4 December, 2024

Last Updated: 4 December, 2024

1. Definitions

For the purposes of this Data Processing Agreement, the following terms shall have the meaning provided below:

  • Data Controller, Data Processor, Data Protection Officer, Data Subject, Personal Data, Personal Data Breach, Processing and Supervisory Authority shall have the same meaning as found in the GDPR.
  • Data Protection Legislation shall mean the GDPR, and any other applicable national implementing law as amended from time to time, as well as any other applicable law concerning the processing of personal data and privacy.
  • Data Subject Request shall mean a request by, or on behalf of, a Data Subject in accordance with rights granted pursuant to the Data Protection Legislation regarding their Personal Data.
  • GDPR shall mean the General Data Protection Regulation (Regulation (EU) 2016/679).
  • Protective Measures shall mean appropriate technical and organisation measures to ensure a level of security appropriate to the risk, which may include, but are not limited to, the pseudonymisation and encrypting of Personal Data, ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner in the event of an incident and regularly testing, assessing and evaluating the effectiveness of the measures adopted.
  • Sub-processor shall mean any vendor appointed to process Personal Data on behalf of FalconDive related to this Agreement.

All other capitalised terms shall have the same meaning provided in the Agreement.

2. Processing of Personal Data

  1. The Parties acknowledge that, for the purposes of the Data Protection Legislation, the Client is the Data Controller and FalconDive is the Data Processor. The processing of Personal Data that FalconDive is authorised to perform is exhaustively listed in Schedule A and may not be determined or amended by FalconDive at any time. FalconDive may only process the Personal Data, including in respect of international transfers, in line with the written instructions of the Client and may not use the Personal Data for its own purposes unless FalconDive is required to do otherwise by Law.
  2. Provided that if so required and permissible at law, FalconDive shall notify the Client, without delay, prior to processing such data.
  3. The Client agrees to share the personal data detailed in Schedule A with FalconDive in order for the agreed processing to take place, as required for the provision of the services as detailed in the Main Agreement.
  4. FalconDive shall comply with all applicable Data Protection Legislation in the processing of the Client’s Personal Data.
  5. FalconDive shall notify the Client immediately if it considers that any of the instructions infringe Data Protection Legislation.
  6. The Client shall be responsible for notifying Data Subjects of a data breach or for a request from the Data Subject themselves or from a corresponding provision of an otherwise applicable national data protection law.
  7. The Client agrees and warrants that it shall comply fully with the terms of the GDPR and shall ensure that the Personal Data that it supplies or discloses to FalconDive has been obtained fairly and lawfully and in accordance with the provisions of the Data Protection Legislation.

3. Protective Measures

  1. FalconDive shall ensure that Protective Measures, which are in line with the requirements of Article 32 of the GDPR and detailed in Schedule C are in place to appropriately protect against a Personal Data Breach, having taken into account the:
    1. nature of the data to be protected;
    2. harm that might result from a Personal Data Breach;
    3. state of technological development; and
    4. cost of implementing any measures.
  2. In determining the appropriate level of Protective Measures, FalconDive shall take into account the risks that are presented by the Processing taking place and in particular from a Personal Data Breach.

4. FalconDive Personnel

  1. FalconDive shall ensure that FalconDive personnel do not process Personal Data except in accordance with this Agreement and that all reasonable steps are taken to ensure the reliability and integrity of any FalconDive personnel who have access to the Personal Data, particularly that they:
    1. are aware of and comply with FalconDive’s duties under this Agreement;
    2. are subject to appropriate confidentiality undertakings, or professional or statutory obligations of confidentiality with FalconDive;
    3. are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Client or as otherwise permitted by this Agreement; and
    4. have undergone adequate training in the use, care, protection and handling of Personal Data.
  2. FalconDive shall limit access to the Client’s Personal Data to those employees that need to know or access the Personal Data as is strictly necessary for the purposes of the main Agreement between the Parties.

5. International Data Transfers

  1. FalconDive shall not transfer Personal Data outside of the EEA unless the prior written consent of the Client has been obtained and the following conditions are fulfilled:
    1. FalconDive complies with the general conditions laid down in relation to such transfers (in accordance with GDPR Article 44);
    2. FalconDive complies with its obligation to provide appropriate safeguards, which safeguards shall ensure the availability of enforceable Data Subject rights and of effective legal remedies (in accordance with GDPR Article 46);
    3. All transfers take place with appropriate security measures in place to protect the personal data; and
    4. FalconDive complies with any reasonable instructions notified to it in advance by the Client with respect to the transfer of the Personal Data.

6. Sub-Processing

  1. The sub-processors which FalconDive uses for the processing of Personal Data in accordance with this Agreement are listed in Schedule B of this Agreement, as may be amended or updated from time to time upon notification to the Client.
  2. Pursuant to Article 28(2) of the GDPR, the Client grants to FalconDive a general authorisation to use Sub-processors to provide processing activities on the Client’s data in accordance with this chapter 6. FalconDive’s website shall list the Sub-processors used by FalconDive. At least 15 days before engaging a Sub-processor, FalconDive shall update its website and notify the Client via email. The Client can object to such Sub-processor by (i) ceasing to use the Services for which FalconDive has appointed the respective Sub-processor or (ii) requesting that the data be stored in a data center/server which is not provided by the respective Sub-processor.
  3. Prior to FalconDive engaging a Sub-processor to process any Personal Data related to this Agreement, FalconDive must:
    1. carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Personal Data required by the Data Protection Legislation;
    2. notify the Client of the intended Sub-processor, processing and any international data transfers, in accordance with this chapter 6;
    3. enter into a written agreement with the Sub-processor, applying the same data protection obligations set out in this Agreement, in particular providing sufficient guarantees to meet the security requirements of Article 32 of the GDPR;
    4. incorporate the European Commission Standard Contractual Clauses into any agreement with a Sub-processor when an international transfer is taking place to a country not providing adequate safeguards; and
    5. provide the Client with such information, regarding the Sub-processor, as it may reasonably require.
  4. FalconDive shall remain fully liable for all acts or omissions of any Sub-processor.

7. Notification

  1. FalconDive shall notify the Client without delay if it:
    1. becomes aware of a Personal Data Breach;
    2. receives a Data Subject Request;
    3. receives any other request, complaint or communication relating to the Parties’ obligations under Data Protection Legislation;
    4. receives any communication from any Supervisory Authority or any other regulatory authority in connection with Personal Data processed under this Agreement; or
    5. receives a request from any third party for the disclosure of Personal Data.
  2. Provided that the obligation to notify shall include the prompt provision of further information to the Client, upon the Client’s request.
  3. FalconDive shall not respond to any such requests, except on the documented instructions of the Client, unless FalconDive is obliged to respond by law, in which case FalconDive shall notify the Client of that obligation before responding to the request.

8. Assistance

  1. FalconDive shall, taking into account the nature of the processing, provide the Client with reasonable assistance in relation to the Client’s obligations under Data Protection Legislation to respond to requests for exercising Data Subject rights and to security, breach notifications, and consultations with supervisory authorities, insofar as possible and as may reasonably be required by the Client and applicable Data Protection Legislation, including by promptly providing:
    1. the Client with full details and copies of the complaint, communication or request;
    2. such assistance as is reasonably requested by the Client to comply with any request made by a Data Subject exercising their rights within the relevant timescales set out in the Data Protection Legislation, including but not limited to access, rectification, or deletion of data;
    3. the Client, at its request, any Personal Data it holds in relation to a Data Subject;
    4. full assistance to the Client in ensuring compliance with Articles 32-36 of the GDPR regarding security of personal data and data breaches;
    5. assistance as requested by the Client with respect to any request from any Supervisory Authority, or any consultation between the Client and any Data Protection Supervisory Authority.
  2. FalconDive shall, in accordance with its legal obligations as Data Processor and at no additional charge, expense or fee to the Client, provide all reasonable assistance to the Client in the preparation of any privacy impact assessment prior to the commencement of any processing activities. Such assistance may, at the Client’s discretion, include but may not be limited to:
    1. a systematic description of the envisaged processing operations and the purpose of the processing;
    2. an assessment of the necessity and proportionality of the processing operations in relation to the services;
    3. an assessment of the risks posed to the rights and freedoms of the Data Subjects;
    4. the measures envisaged to address the risks and ensure the protection of Personal Data, including safeguards, security measures and mechanisms.

9. Record Keeping

  1. In line with their legal obligations as a Data Processor, FalconDive shall maintain complete and accurate records and information to meet the requirements of Article 30(2) of the GDPR and as evidence of meeting the requirements of Article 28 of the GDPR. FalconDive shall also provide these records to the Client upon request.

10. Audits

  1. FalconDive shall allow for and contribute to audits of its Processing activity by the Client or the Client’s designated auditor.
  2. The Client shall give FalconDive reasonable notice of any audit and shall reasonably avoid causing any disruption to FalconDive’s operations, equipment, premises, and personnel while the audit is being carried out.
  3. FalconDive need not give access to its premises for the carrying out of such an audit:
    1. Outside normal business hours at those premises, unless the audit needs to be conducted on an emergency basis and the Client has given notice to FalconDive that this is the case prior to the commencement of the audit outside normal business hours;
    2. For the purposes of more than one audit, in respect of FalconDive, in any calendar year, except for any additional audits which:
      1. the Client reasonably considers necessary because of genuine concerns as to FalconDive’s compliance with this Agreement; or
      2. the Client is required or requested to carry out by Data Protection Legislation, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Legislation in any country or territory, or
      3. where the Client has identified its concerns or the relevant requirement or request in its notice to FalconDive of the audit.

11. Deletion and Return of Data

  1. Within ten (10) days of the termination date of this Agreement the Client may, in its absolute discretion and by written notice, request FalconDive to:
    1. return a complete copy of all Client Personal Data to the Client by secure file transfer in such format as is reasonably notified by the Client; and/or
    2. delete and procure the deletion of all other copies of Personal Data processed by FalconDive and any other contracted Sub-processor.
  2. If the Client does not request the return or retention of their data within thirty (30) days of the termination date of this Agreement, FalconDive will, without further notice, delete the Client’s data and provide a certificate of destruction to confirm the deletion. Silence or failure to act within this period will be considered acceptance of data deletion. FalconDive is also required to ensure that any Sub-processor that is engaged deletes or returns Personal Data.
  3. FalconDive and each contracted Sub-processor may nonetheless retain Personal Data to the extent required by Data Protection Legislation and any other applicable law to the extent and for such period as required by virtue of such laws and always ensuring the confidentiality of such data. FalconDive will notify the Client if this clause applies on receipt of a written notice as detailed under 11.1.

12. Agreement

  1. This Agreement expressly replaces and supersedes any and all other agreements, oral or written, between the Parties hereto with respect to the subject matter hereof.

13. Amendments

  1. The Client may, at any time, with no less than thirty (30) working days’ notice, revise this addendum by replacing the terms with applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme or those set by a relevant Supervisory Authority.

14. Data Protection Officer

  1. FalconDive shall, where required, appoint a Data Protection Officer (DPO) and provide the Client the contact details of such person. The transmission of any communication between the Parties related to the Personal Data should be performed by e-mail.
  2. If FalconDive is not required to appoint a Data Protection Officer, FalconDive will still provide details for a contact person for data protection issues.
  3. The Client must appoint a DPO and forward contact details to FalconDive.
  4. FalconDive has appointed a DPO/responsible person for Data Protection matters – Rakesh Manne, who may be contacted on [email protected].

15. Term and Termination

  1. This Agreement shall enter into force concurrently with the Agreement and shall thereafter remain in force as long as the Agreement remains in force. This Agreement shall terminate, without notice, concurrently with the Agreement, regardless of the reason, save for those clauses which have been expressly stipulated to survive termination.

16. Liability

  1. The Parties’ liability for damages as a result of breaches of this Agreement is, unless otherwise expressly stated, subject to the same limitations of liability as set forth in the Agreement. In case of multiple claims for damages under this Agreement and the Service Agreement, such liability shall be cumulative in relation to the maximum liability.
  2. Nothing contained within this Agreement relieves FalconDive of their own direct responsibilities and liabilities as a Data Processor under Data Protection Legislation.

17. Costs

  1. Each Party is responsible for its own costs in relation to the preparation and performance of this Agreement, including but not limited to fees and costs for its own representatives, advisors, brokers and other intermediaries and authorities.
  2. Any additional performance or speed enhancements beyond what has been agreed upon in this Agreement or its Schedules will be provided by FalconDive only at an additional cost. Such costs will be communicated and agreed upon with the Client prior to implementation.

18. Severability

  1. If any provision, in whole or in part, of this Agreement shall be held by a court of competent jurisdiction to be illegal, invalid or unenforceable, then the provision in question shall be deemed null and void whilst remaining provisions shall continue in full force and effect.

19. Disputes and Governing Law

  1. The parties to this Agreement hereby submit to the choice of law and jurisdiction stipulated in the Agreement with respect to any disputes or claims arising under this Agreement.

20. Miscellaneous

  1. In the event of any conflict between the terms of this DPA and any provision of the Services Agreement and any other agreement between the Parties, this DPA shall prevail solely with respect to any data protection matters.
  2. Amendments to this agreement shall be made exclusively in writing. This shall also apply to this requirement of written form.
  3. Should any provision of this agreement be invalid or ineffective, it shall, to the extent permitted by law, be replaced by that provision which comes closest in economic terms to the invalid or ineffective provision.

Schedule A – Instructions

Processing, Personal Data and Data Subjects

The Contractor shall comply with any further written instructions with respect to processing by the Customer.

Any such further instructions shall be incorporated into this Schedule.

Description – Details

Subject matter of the processing – FalconDive provides a platform to the Client which provides access, in real time, to data concerning registration, deposit, log in, player bets, the result of a bet and other transactional data on its end users, to allow the Client to efficiently manage, segment and perform analytics on such end users.

Duration of the processing – For the Term of the Agreement.

Nature and purposes of the processing –

New transactions and events will be transferred to FalconDive in real time or on an agreed data refresh cycle.

Historical data (transactions such as deposits, withdrawals, bets placed) may be migrated from time to time and will be transferred via secure FTP upload, imported once into FalconDive, after which the source file will be destroyed.

FalconDive will not collect any data on its own and will depend solely on the data provided by the Client.

The Client will use the FalconDive platform to orchestrate various reporting and analytical activities.

The FalconDive platform will process transactional data, and the Client may act on such data to engage the customer and/or notify internal teams.

FalconDive will not process, store, transmit, or access any sensitive personal data of the Client’s customers.

Type of Personal Data – Marketing consent, age, birthday, country, transactional data (deposits, withdrawals), transactional data relating to spins or bets made, bonus and rewards information, blocked / self-exclusion statuses, registration date, affiliate reference, dates of transactions, device usage, current balance; this in no way includes sensitive personal data of the Client’s customers such as name, last name and address.

Categories of Data Subject – Customers of the Client (not including any personal or sensitive specific data of the customers of the Client).

Plan for return and destruction of the Personal Data once the processing is complete –

In accordance with Clause 11 of this Agreement, FalconDive shall comply with a request to return and/or delete any and all copies of Client Personal Data within 40 days of such request, ensuring the same with regard to each Sub-processor.

Nonetheless, Client Personal Data may be retained to the extent required by applicable Data Protection Legislation for as long as required by such laws, always ensuring the confidentiality of such data and upon notice to the Client.

Schedule B

Approved sub-processors
Full Name and Details of Sub-processor – Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg

Location of Processing – London

Nature and Purpose of Processing –

FalconDive may use the technical infrastructure provided by Amazon Web Services (AWS) in order to perform the Services stipulated in the Agreement with the Client.

AWS is used for the following main purposes:

– Store the personal and transactional data of the Client’s customers on AWS servers and databases.

– Enable the performance of the Services rendered by FalconDive, including the launch of marketing campaigns by the Client in relation to the Client’s customers or data modelling/science activities.

– Enable segmentation processes of the data transferred by the Client to FalconDive, in accordance with the instructions of the Client.

AWS is SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017 and ISO 27018 certified.

FalconDive uses the AWS data center in London, England. However, in case the Client stores data on servers located outside Europe, FalconDive may, for technical performance purposes, rely on another AWS data center and shall inform the Client accordingly of the location of such data center.

Schedule C – Technical and Organisational Security Measures

General Measures
Control ID – Requirement

5.1.1 a – A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
5.1.1 b – The Contractor shall ensure that their Personnel agree to terms and conditions concerning information security.
15.1.1 b – A formal information security risk assessment process shall be defined and implemented.
15.1.1 c – An information security risk treatment process shall be implemented to select appropriate information security risk treatment options.
15.1.3 e – The Contractor of cloud services should include requirements to address the information security risks associated with information and communications technology services through its product supply chain.
15.1.3 f – All structured and unstructured data shall be available to the customer and provided to them upon request in an industry-standard format.
6.1.1 – All information security responsibilities shall be defined and allocated.
6.1.2 – Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.
6.1.3 – A policy and supporting security measures shall be implemented to protect information accessed, processed or stored when using mobile computing and teleworking.
7.1.1 – Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
7.2.2 – All employees of the organisation and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organisational policies and procedures as relevant for their jobs.
8.1.2 – Ownership of an asset shall be assigned and managed during the asset’s lifecycle.
8.1.3 – All employees and external party users shall in a timely manner return all of Operator’s assets in their possession upon termination of their employment, contract or agreement.
8.2.1 – Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.
8.2.2 – An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
8.2.3 – Sensitive and removable storage media (e.g. CDs, DVDs and USB memory sticks) shall be protected against unauthorized access, misuse or corruption during transportation.
8.3.3 – Media containing confidential information shall be protected against unauthorised access, misuse or corruption during transportation.
9.2.1 a – The Contractor shall protect Client’s information from its other cloud customers’ or unauthorized persons’ access.
9.1.2 b – A formal user registration and de-registration process shall be implemented to assign or revoke access rights for all user types to all systems and services.
9.2.1 b – The use of individual user identities shall be enforced.
9.2.3 – The allocation and use of privileged access rights should be restricted and controlled.
9.2.4 a – Default and temporary passwords and cryptographic keys shall be kept confidential and be changed from defaults prior to use.
9.2.4 b – The allocation of secret authentication information should be controlled through a formal management process.
9.2.4 c – Passwords shall be stored and transmitted in a safe way to avoid being compromised.
9.4.2 d – A secure password reset process shall be implemented.
9.2.5 – Access rights shall be reviewed and documented at regular intervals.
9.2.6 – The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
9.3.1 – Users should be required to follow the organization’s practices in the use of secret authentication information.
9.4.3 – The use of quality passwords shall be enforced.
9.4.4 – The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
9.4.2 a – Where required by the access control policy, access to systems and applications should be controlled by a secure log-on procedure.
11.1.1 – Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.
11.1.2 – Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
11.1.4 – Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.
11.1.5 – Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
11.1.6 – Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
11.1.7 – Security shall be applied to off-site assets taking into account the different risks of working outside the organisation’s premises.
12.1.1 – Operating procedures shall be documented and made available to all users who need them.
12.1.2 b – Changes in systems and services shall be authorized, approved and communicated by and to appropriate stakeholders according to defined rules.
12.1.2 c – A fallback procedure shall be defined and tested before a change is performed.
12.1.2 d – The Contractor shall implement emergency changes when available and approved, unless such implementation introduces higher business risks.
12.1.4 a – Development, testing and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.
12.1.4 b – Activities and decision points in the change process shall be logged.
12.1.4 c – Rules for the transfer of software from development to operational status shall be defined and documented.
12.1.5 – Procedures for administrative operations of a cloud computing environment should be defined, documented and monitored.
12.2.1 – Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.
12.3.1 a – Backups of information, software and system images shall be taken according to business requirements for recovery point objective and recovery time objective.
12.3.1 b – Backups shall be regularly tested to ensure data integrity and that business requirements for recovery point objective and recovery time objective can be met.
12.3.1 c – Backups shall have a defined retention period, after which data can be disposed of.
12.4.1 a – Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly monitored.
12.4.1 b – Logging shall be enabled on all firewalls and firewall logs shall be centrally retained and appropriately protected.
12.4.2 – Logging facilities and log information shall be protected against tampering and unauthorized access.
12.4.4 – The clocks of all relevant information processing systems within an organisation or security domain shall be synchronized to a single reference time source.
12.5.1 a – Procedures shall be implemented to control that only supported and documented software is installed on operational systems.
12.5.1 b – Physical and virtual machines shall be hardened according to Contractor recommendations.
12.6.1 a – Vulnerabilities in systems and services shall be identified.
12.6.1 b – Vulnerabilities in systems and services shall be managed.
13.1.1 a – Networks shall be managed and controlled to protect information in systems and applications.
13.1.1 b – Special controls shall be enabled to protect confidentiality and integrity of data in transit according to best practice and industry standards, e.g. TLS encryption, WPA2 encryption, managed firewall etc.
13.1.3 – Web application firewalls shall be in place in front of public-facing web applications and services.
13.2.4 – Requirements for confidentiality or non-disclosure agreements reflecting the organisation’s needs for the protection of information shall be identified, regularly reviewed and documented.
14.2.1 – Rules for the development of software and systems should be established and applied to developments within the organization.
14.2.5 – Principles for engineering secure systems should be established, documented, maintained and applied to any information systems implementation efforts.
14.2.9 – Acceptance testing programs and related criteria should be established for new information systems, upgrades and new versions.
14.2.8 a – The Contractor shall, at least annually and after any significant infrastructure or application upgrade or modification, offer penetration testing.
14.2.8 b – Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.
14.2.8 c – The Contractor shall regularly perform manual and automated security testing of the application to assure that the application is reasonably free of application security defects.
14.3.1 – Confidential or sensitive information, including but not limited to Personal Data and any information that is defined as Confidential Information, shall never be used for testing purposes.
16.1.1 a – Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.
16.1.1 b – Information security events shall be reported in a standardized fashion through appropriate management channels as quickly as possible.
16.1.4 – Information security events shall be assessed, and it shall be decided if they are to be classified as information security incidents.
16.1.5 a – Specific Incident Response Plans (IRP) for identified and agreed information security incidents shall be documented to meet legal, regulatory and business demands.
16.1.5 b – There shall be yearly exercises to train, test and improve the overall process and specific incident response plans based on an agreed and documented test plan.
17.1.1 – All IT systems shall have a documented restore and recovery procedure to meet recovery time objectives.
17.1.2 – All IT system disaster recovery plans and recovery procedures shall be verified and tested at regular intervals.
18.1.1 a – Financial data shall be archived in accordance with applicable legislation.
18.1.1 b – Segregation of duties when processing financial data shall be defined and implemented.
18.1.1 c – The Contractor shall maintain an SSL Labs rating of at least “A” for any external website used to store or access Client’s data.
18.2.1 a – The Contractor shall provide support for compliance of external and internal audits that the Client is subject to from time to time. All occurrences of technical audits (i.e. vulnerability and penetration testing of infrastructure and applications in scope) are subject to a joint assessment led by the Client.
18.2.1 b – Information systems shall be regularly reviewed for compliance with the organization’s information security policies and standards.

Specific Measures

Data Accuracy

To ensure that data is accurate and correct at all times, three main measures have been put in place to achieve the highest possible integrity:

  1. The Client must ensure that it captures and manages any and all errors returned by the FalconDive integration API. Every transmission must be verified as received by FalconDive with an OK response.
  2. The Client shall assume that, once such verification through an OK has been received, FalconDive is responsible for ensuring that the data is processed and reflected in the FalconDive platform.
  3. For the avoidance of doubt, the Client is responsible for provisioning the necessary monitoring to manage any failures in the transmission of data, as well as any supplementary remedy of a failed transmission. FalconDive is responsible for provisioning the necessary monitoring to manage any failures in the processing of such data inside the FalconDive platform. FalconDive will provide the Client with a dashboard giving transparency into data reconciliation and any related issues; the dashboard is updated after each refresh takes place.

Data Access and Data Security

  • Historical transactional data, or specific corrections of data points of a non-sensitive nature (anything other than contact details), may in some cases not be available via the API and must then be transferred in bulk. In such a case, the file containing such transactions will be transferred securely using SFTP. Such files will be destroyed immediately after being processed in FalconDive’s systems.

API Security

  • The Client will provide FalconDive with an API key. This key is required for every use of the API.
  • All communication shall be made over an encrypted channel using HTTPS.
  • The specific IP addresses used by the FalconDive platform to access the Client’s API shall be whitelisted.

Encryption of User Data

  • In addition to whatever encryption the FalconDive platform already provides, the Client may suggest further encryption of specific fields or of customer data, and FalconDive may propose a solution to support this within a reasonable timeframe.

Penetration Testing / System Audit

  • FalconDive has not undergone or scheduled any penetration testing to date.
  • The Client may, at its own discretion, organize penetration testing to audit the system. FalconDive will in that case provide the relevant resources to support such tests. The Client should give 14 days’ notice before such a test takes place so that FalconDive can ensure it has sufficient resources available.
  • FalconDive shall address any critical issues that arise out of such a test.

Access to Environments

  • FalconDive should have total control of, and the relevant access rights to, the environment in order to keep the FalconDive platform operational at all times. With that said, both Parties should regularly review the access granted and ensure that only the minimum required access is provided.

Environments

  • An AWS environment may be provided by the Client and administered by FalconDive.