TestGorilla Customer Data Processing Agreement

This Data Processing Agreement, including its Addenda and Appendices, (“DPA”) is incorporated into and forms part of the Agreement between Customer and TestGorilla B.V. (“TestGorilla”).

1. Scope

This DPA between Customer, and if applicable, Customer’s Affiliates, and TestGorilla contains the legal terms and conditions that apply to the processing of End User Data, which may include personal data, by any of the Services.

2. Definitions

Insofar as not already defined in the Agreement, the following definitions apply throughout this DPA:

• “Agreement” means TestGorilla’ End User Agreement, unless a separate agreement governing use of the Services exists between the parties.
• “Data Protection Laws” means data protection laws applicable to TestGorilla in its processing of personal data under this DPA, including, where applicable, the GDPR and the CCPA.
• “DPA” means this Customer Data Processing Agreement.
• “End User Data” means data that may be accessed or collected by the Services during the relationship governed by the Agreement, in the form of logs, session data, telemetry, user data, usage data, threat intelligence data, and copies of potentially malicious files detected by the Product. End User Data may include confidential data and personal data, such as source and destination IP addresses, active directory information, file applications, URLs, file names, and file content.
• “GDPR” means the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
• “Information Security Measures” the technical and organizational measures for ensuring the security of the processing, as described in TESTGORILLA INFORMATION SECURITY MEASURES
• “Security Incident” means any unauthorized access to any End User Data stored on TestGorilla’ equipment or in TestGorilla’ facilities, or unauthorized access to such equipment or facilities resulting in loss, disclosure, or alteration of End User Data that compromises the privacy, security or confidentiality of such End User Data.

Terms used in this DPA that are specifically defined in the GDPR shall have the same meaning as set forth in the GDPR. Terms used in this DPA that are not specifically defined in the GDPR shall have the same meaning as set forth in the Agreement.

3. Responsabilities of processing personal data as a processor

To the extent TestGorilla processes personal data on behalf of Customer as a processor (as defined by applicable Data Protection Laws), TestGorilla shall do so only on documented instructions from Customer pursuant to this DPA and the Agreement, to operate the Services, and as permitted or required by applicable law. Such instructions may include configuration of the Product by the Customer. TestGorilla shall immediately inform Customer if, in its opinion, an instruction infringes applicable Data Protection Laws.

• Insofar as TestGorilla processes personal data as a processor as defined by applicable Data Protection Laws, the following shall apply:
  • Processing Required by Law. In the event TestGorilla is required by applicable law to process Customer personal data, TestGorilla will carry out such processing and notify Customer of such legal requirement, unless such notification is prohibited by applicable law, giving Customer the ability to issue revised instructions or to cease using the Services.
  • Compliance with Applicable Data Protection Laws. TestGorilla will process Customer personal data in accordance with applicable Data Protection Laws and will make available to Customer upon request the information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and other applicable Data Protection Laws.
  • Data Subject Requests. TestGorilla shall provide reasonable assistance to Customer to comply with its obligations with regard to data subject rights under applicable Data Protection Laws, taking into account the nature of the data processing and the information available to TestGorilla. If TestGorilla or any sub-processor receives a request or a complaint from a data subject or its representative, including requests regarding the data subject’s rights under applicable Data Protection Laws, TestGorilla will forward the request without undue delay to Customer for handling unless TestGorilla is required by law to address that request. The Customer hereby authorizes TestGorilla to share the test data provided by a data subject with this data subject in case the latter requests such data from TestGorilla directly.
  • Data Protection Impact Assessment. Upon Customer’s written request, TestGorilla shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under applicable Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services. TestGorilla shall also provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority, to the extent required under applicable Data Protection Laws.
  • Authorized Personnel. TestGorilla shall ensure that authorized personnel who process Customer personal data have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality. Furthermore, except where required by applicable law, TestGorilla will not share Customer personal data with third parties other than with authorized sub- processors.
  • Sub-Processors. Customer authorizes TestGorilla to engage the sub-processors (identified at Appendix 1 to this agreement) to process personal data. In the event TestGorilla engages any new sub-processor, it will:
    • notify Customer through the support portal within fifteen (15) days of such change to give Customer the opportunity to object to such sub-processing. If Customer objects to a new sub-processor, TestGorilla will then endeavor to offer alternate options for the delivery of the relevant Product that does not involve the new sub-processor, without prejudice to any of Customer’s termination rights;
    • impose appropriate contractual obligations upon the sub-processor that are no less protective than this DPA; and
    • remain responsible and liable for the sub-processor’s compliance with this DPA and for any acts or omissions of the sub-processor that cause TestGorilla to breach any of its obligations under this DPA.
  • Cross-Border Transfers. If Customer personal data is transferred outside of the European Economic Area or Switzerland, TestGorilla will comply with the European Economic Area and Swiss data protection law regarding the collection, use, transfer, retention, and other processing of personal data from the European Economic Area and Switzerland. Data transfers will be subject to appropriate safeguards as described in Article 46 of the GDPR. The Standard Contractual Clauses as adopted by the European Commission on 4 June 2021, together with its annexes, are incorporated herein by reference and made a part hereof. As a result of the Schrems II decision TestGorilla has implemented adequate supplementary technical and organizational security measures. These measures are described in the Information Security Measures. Execution of this DPA shall constitute execution of the Standard Contractual Clauses. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
• Safeguarding Confidentiality and Security of Personal Data. TestGorilla has implemented practices and policies to maintain appropriate organizational, physical and technical measures to safeguard the confidentiality and security of Customer personal data, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing as well as the rights and freedoms of natural persons, including as appropriate:
  • the pseudonymization, de-identification or encryption of data;
  • the ability to restore the availability and access to Customer personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of TestGorilla’s Information Security Measures.
• Incident Response Plan. TestGorilla shall implement and maintain an incident response plan that specifies actions, including containment, investigation, reporting, and remediation, to be taken in the event of a Security Incident.
• Security Incident. In the event of a Security Incident affecting Customer personal data, TestGorilla will, without undue delay: (a) inform Customer of the Security Incident; (b) investigate and provide Customer with available detailed information about the Security Incident; and (c) take reasonable steps to mitigate the effects and minimize any damage resulting from the Security Incident as required by applicable Data Protection Laws.
• Audit. TestGorilla shall make available to Customer, upon written request, subject to appropriate confidentiality obligations, a summary copy of applicable third-party audit report(s) or certifications it maintains for its Services (e.g. ISO 27001 or SOC2 Type II standard), so that the Customer can verify TestGorilla’s compliance with this DPA, the audit standards against which it has been assessed, and the standards specified in the Security Measures.
• Retention and Deletion. TestGorilla shall process and retain Customer personal data no longer than necessary for the purposes for which it is processed. Upon termination of this DPA or the Agreement, TestGorilla shall: (i) delete Customer personal data that is no longer necessary to carry out any of the purposes under this DPA or the Agreement; or (ii) upon Customer’s request, provide options to return or erase, destroy, and render unrecoverable the Customer personal data, where reasonably possible. This section does not pertain to personal data of data subjects outside of Customer, such as that of test results.

4. Details of personal data being processed

• Subject Matter: The subject matter of the Processing under this DPA is Customer Personal Information.
• Duration: TestGorilla may Process Customer Personal Information under this DPA until the termination or expiration of the Agreement.
• Purpose: The purpose of the Processing of Customer Personal Information under this DPA is to enable TestGorilla to deliver the Services and perform its obligations as set forth in the Agreement (including this DPA) or as otherwise agreed by the Parties in mutually executed written form.
• Nature of the Processing: To provide Services as described in the Agreement, TestGorilla will Process Customer Personal Information upon the instruction of Customer and in accordance with the terms of this DPA, including all applicable Addenda, and the Agreement.
• Categories of Data Subjects: Customer determines the categories and extent of any Customer Personal Information that it discloses to TestGorilla, which may include without limitation Customer Personal Information relating to the following categories of data subjects:
  • Employees, contractors, consultants, and individuals belonging to Customer, or Customer’s clients’ and partners’ workforce; or
  • Candidates applying to a Customer open job position
  • Other individuals whose Personal Information is Processed as part of the provision of the Services.
• Categories of Personal Information: Customer determines the categories of any Personal Information that it discloses to TestGorilla, which may include without limitation Customer Personal Information relating to the following categories:
  • Identification and contact data (e.g., name, address, phone number, title, email, other contact details);
  • Employment details (e.g., job title, role, manager);
  • Answers to test questions and results of tests
  • IT information (e.g., entitlements, IP addresses, usage data, cookies data, online identifiers);
  • Domain and device information (e.g., hostnames and qualified hostnames);
  • Information contained in logs related to security events identified and captured by Services; and/or
  • Unstructured data provided to TestGorilla for the purpose of providing support services (e.g., packet capture (PCAP) for file testing).
• Sensitive data transferred (if applicable): When Processing Personal Information, primarily with forensic investigations Product of which the purpose is to identify the underlying data, TestGorilla may process sensitive Personal Information. The nature and scope of the sensitive data that is transferred may not be known until after the Processing has taken place and may include: Personal Information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
• Frequency: The transfer of information between the Parties to facilitate TestGorilla’ Processing on behalf of Customer will occur as needed until the termination of the Agreement.

5. Processing of end user data

Customer can configure the Services to share and transfer End User Data (as described in the applicable Product documentation). Customer acknowledges, agrees and grants to TestGorilla the right, to the extent permitted by applicable law, to process and retain data, including personal data, relating to a security event, that is shared or transferred by Customer, for the legitimate interest of operating, providing, maintaining, developing, and improving security technologies and services, including for purposes compatible with providing such services.

6. Compliance with laws

The parties shall process personal data in accordance with applicable Data Protection Laws. Customer represents and warrants that its use of the Services, its authorization for TestGorilla’ access to and any related submission of data, including any Customer personal data, to TestGorilla, complies with all applicable laws, including those related to data privacy, data security, electronic communication and the export of technical, personal or sensitive data.

7. PCI Compliance

TestGorilla is not a payment processor and as such is not subject to compliance with PCI standards. However, TestGorilla acknowledges that credit card information may be provided by Customer during the performance or use of the Services and therefore TestGorilla shall use information data security controls that are compliant with PCI standards.

8. Limitation of liability

This DPA does not modify TestGorilla’ liability, whether in contract, tort or under any other theory of liability, towards the Customer based on other terms in force between the Customer and TestGorilla.

9. Conflict of terms

In the event of conflict between the terms of this DPA and other terms in force between the Customer and TestGorilla, the terms of this DPA shall prevail with regard to data processing activities.

Appendix 1 to DPA: List of Subprocessors