DATA PROCESSOR AGREEMENT

Appendix 2
1. Introduction

1.1 This appendix regulates the general personal data law matters in connection with Creditro’s modules, to the extent that Creditro is the data processor for the customer. Creditro is the data processor to the extent that tasks are performed to pursue the Customer’s purpose and on the Customer’s instructions. The agreement does not regulate Creditro’s processing of personal data, where Creditro is data responsible.

1.2 This appendix is designed to comply with the Data Protection Regulation, including Art. 28, para. The purpose is thus to ensure that the data processor’s (Creditro’s) processing of personal data takes place within the framework stipulated by this agreement.

1.3 The provisions in this Appendix 2 are the main provisions for the data processing. In continuation of this agreement, for each module or purchase the Customer subscribes to at Creditro, the appendix for that module or purchase specifies the processing covered and the instructions for that specific processing. The main agreement states which modules and purchases the Customer subscribes to.


2. Instructions

2.1 As a data processor, Creditro only processes personal data on behalf of the Customer in accordance with its express instructions. Such instructions consist of the Agreement, including this data processor agreement, and include Creditro’s operation and delivery of the modules to which the Customer subscribes, to the extent that Creditro processes personal data on behalf of the Customer.

2.2 If Creditro is subject to requirements as a result of EU law or national law to carry out special processing of personal data in addition to the processing instructed by the Customer, Creditro does so, but will, to the extent this is legal, inform the Customer about this before the processing is initiated. In that case, Creditro will be considered as the independent data controller for this processing.

2.3 To the extent that the Customer may give Creditro an instruction on the processing of personal data or otherwise, which in Creditro’s assessment is illegal, Creditro notifies the Customer of this.

2.4 Creditro shall generally carry out such processing of personal data as is necessary for the operation and delivery of Creditro’s modules to the Customer, cf. the Agreement. This includes storing data which is uploaded to the modules by the Customer, operating the modules and making them available as described in the Agreement, and performing event logging and backup. Below is a more detailed description of the instructions for each of Creditro’s modules.


3. Assistance

3.1 Taking into account the nature of the processing, Creditro assists the Customer with its compliance with the data subjects’ rights, cf. Chapter III of the Data Protection Regulation, including by forwarding to the Customer any inquiries in this regard without undue delay.

3.2 Taking into account the nature of the processing and the information available to Creditro, Creditro assists the Customer in complying with its obligations under Art. 32-36 of the Data Protection Regulation.

3.3 For work that cannot be categorized as simple notification, or that does not follow from the obligations that otherwise accrue to Creditro on the basis of the Agreement with the Customer, Creditro is entitled to remuneration at its current hourly rate for the time used, cf. section 4 of the standard conditions. This applies, among other things, in cases where Creditro provides the Customer with assistance, cf. sections 9.1 and 10.2.


4. Sub-processors

4.1 Creditro uses the sub-processors listed below in connection with its data processing on behalf of the Customer. The sub-processors listed below are approved by the Customer at the conclusion of this agreement.

Sub-processor | Place for data processing and storage | Data processing task | Relevant for module
Hetzner GmbH | Falkenstein, Germany; Helsinki, Finland | Hosting and operation of Creditro’s IT environment. Backup across operations centers. The server setup is dedicated to Creditro. | Assess, Comply, StoreMyID and Sign
Onlinecity.io ApS | Odense, Denmark | Sending text messages | Comply
Visma Solutions Oy | Helsinki, Finland | Broadcast and digital signatures | Comply and Sign
Sendinblue | Paris, France | E-mail sending | Assess, Comply, StoreMyID and Sign
Experian | Copenhagen, Denmark | RKI storage | Assess
Backblaze Inc. | Amsterdam, Netherlands | Backup service job | Assess, Comply, StoreMyID and Sign
Criipto ApS | Holte, Denmark | Login to StoreMyID via NemID/MitID | StoreMyID


4.2 Creditro has entered into written data processor agreements with all sub-data processors, which impose on the sub-data processor conditions that are at least equivalent to the conditions for personal data processing to which Creditro is subject under this agreement. Creditro warrants that a valid transfer basis exists for any third country transfer and that there is a satisfactory Transfer Impact Assessment.

4.3 Creditro is responsible for ensuring that all current and future sub-processors comply with the rules in force in the area at any given time and this data processor agreement in general.

4.4 When adding or replacing sub-data processors, Creditro informs the Customer as soon as possible and with at least 30 days’ written notice thereof. If the Customer submits objections that are deemed to be justified, Creditro is not entitled to add or replace the sub-data processor in relation to the processing of personal data on behalf of the Customer. Creditro is obliged to prepare a TIA for transfers to insecure third countries where this is required.


5. Transfers to third countries

5.1 Creditro does not make transfers of personal data to insecure third countries (i.e. countries outside the EU/EEA that are not approved as secure third countries through, for example, adequacy decisions) without a prior satisfactory TIA and notice as stated in section 4.4.


6. Disclosure

6.1 Creditro does not pass on information that is processed on behalf of the Customer without specific instructions from the Customer.


7. Confidentiality

7.1 Creditro ensures that Creditro’s employees and others, including sub-data processors, who process the personal data processed for the Customer, are obliged to keep any of the personal data processed for the Customer confidential, and do not have access to more personal data than is necessary. Creditro also ensures that all access to the Customer’s information takes place in a technically and organizationally sound manner and in accordance with industry-known standards.


8. Security

8.1 Taking into account the current technical level, the implementation costs and the nature, scope, context and purpose of the processing in question, as well as the risks of varying probability and seriousness for the rights and freedoms of natural persons, Creditro has ensured (and has a duty to ensure) an appropriate level of technical and organizational security in connection with the processing of personal data on behalf of the Customer, as described below.

8.2 Access control

Prevention of unauthorized product access:
Outsourced processing: Creditro hosts our service with outsourced cloud infrastructure providers. In addition, contractual relationships are maintained with suppliers to provide the service in accordance with the data processor agreement, cf. also section 4.2. Creditro relies on contractual agreements, including data processor agreements and vendor compliance programs, to protect data processed or stored by those vendors.

Physical and environmental safety:
We host our product infrastructure with multi-level outsourced infrastructure providers. The physical and environmental safety checks are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.

Authentication:
Creditro uses a consistent password policy for our customer products. Customers who interact with the products through the user interface must authenticate before accessing non-public customer data.

Authorization:
Customer data is stored in multi-tenant storage systems that are only accessible to customers via application user interfaces and application programming interfaces. Customers do not have direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the properly assigned individuals can access relevant features, views, and customization options. Data set authorization is performed by validating the user’s permissions against the attributes associated with each data set.

Application Programming Interface (API) access:
Public product APIs can be accessed using an API key or via OAuth authorization.

Prevention of unauthorized product use:
Creditro uses industry-standard access control and detection features for the internal networks that support its products.

Access control:
Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The implemented technical measures differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

Detection and prevention of intrusion:
Creditro uses a Web Application Firewall (WAF) solution to protect hosted customer sites and other Internet-accessible applications. The WAF is designed to identify and prevent attacks on publicly available network services.

Static code analysis:
Security checks of code stored in our source code repositories are performed at appropriate intervals and are checked for best coding practices and identifiable software errors.

8.3 Restrictions on privileges and authorization requirements

Product access:
A subset of our employees have access to the products and to customer data via controlled interfaces. The purpose of providing access to a subset of employees is to provide effective customer support, troubleshoot potential issues, detect and respond to security incidents, and implement data security. Access is activated through “just in time” access requests; all such requests are logged. Employees are granted access by role, and reviews of high-risk privilege grants are initiated daily. Employee roles and accesses are reviewed at least once each year.

Background check:
All Creditro employees undergo a background check before receiving a job offer, in accordance with and as permitted by applicable law. All Creditro employees are required to behave in a manner that is consistent with company policies, confidentiality requirements and ethical standards.

8.4 Transmission control

During transport:
Creditro makes HTTPS encryption (also called SSL or TLS) available on all its login interfaces and free of charge on all customer websites hosted on the Creditro products. Our HTTPS implementation uses industry-standard algorithms and certificates. Creditro ensures that all data in transit is sent using at least the encryption level required by the Danish Data Protection Agency, currently TLS 1.2.

At-rest:
Creditro stores user passwords according to policies that follow industry-standard security practices. Creditro has implemented technologies to ensure that stored data is encrypted at rest.

8.5 Access control

Logging:
Creditro has designed our infrastructure to log comprehensive information about system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert relevant employees to malicious, unintentional or abnormal activities. Our staff, including security, operations and support staff, respond to known incidents.

Response and tracking:
Creditro maintains a record of known security incidents that includes a description, the dates and times of relevant activities and the disposition of the incident. Suspected and confirmed security incidents are investigated by security, operations or support personnel, and appropriate remediation steps are identified and documented. For all confirmed incidents, Creditro will take appropriate steps to minimize product and customer damage or unauthorized disclosure. Notice to the Customer will be in accordance with the terms of the agreement.

8.6 Availability control

Infrastructure availability:
Infrastructure providers use a commercially reasonable effort to ensure a minimum of 99.95% uptime. Providers maintain a minimum of N + 1 redundancy for power and network.

Fault tolerance:
Backup and replication strategies are designed to ensure redundancy and failover protection during a significant processing error. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.

Online replicas and backups:
Where possible, production databases are designed to replicate data between no less than a primary and a secondary database. All databases are backed up and maintained using at least industry standard methods.

Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also designed with the goal of avoiding single points of failure. This design helps our operations team maintain and update the product applications and backend while limiting downtime.

IT and data security is a focus for Creditro. The Customer can find several security-related documents and attestations on Creditro’s website, including the most recently prepared declarations, cf. section 10.2.


9. Personal data breach

9.1 If Creditro becomes aware that, in connection with the processing of personal data that Creditro carries out on behalf of the Customer, there has been a breach of personal data security, Creditro notifies the Customer without undue delay. Creditro is not entitled to charge for this notification or for other clarification, or for answering questions from the Customer or the supervisory authorities, in connection with a security breach linked to Creditro’s processing of personal data on behalf of the Customer, unless the questions from the Customer go beyond what can be expected according to the contractual relationship. In this connection or as soon as possible thereafter, and to the extent possible, Creditro informs the Customer about the nature of the breach, the categories and number of affected data subjects and personal data records, the probable consequences of the breach, and the measures Creditro has taken or recommends the Customer to take on the occasion of the breach. Creditro is entitled to notify the Customer immediately; this can be done step by step as Creditro becomes aware of the circumstances.


10. Oversight

10.1 To the extent that Creditro is the data processor for the Customer, Creditro assists the Customer, or a third party engaged by the Customer, in auditing and inspecting Creditro’s compliance with Creditro’s personal data law obligations. Creditro is entitled to remuneration at its applicable hourly rates for the time used for such audit and inspection if the audit or inspection is requested by the Customer, just as Creditro is entitled to payment for its costs, including any costs for sub-processors.

10.2 Creditro undergoes a general IT security audit which will at all times correspond to the ISAE 3402 standard and a GDPR audit which will at all times correspond to the ISAE 3000 standard. The audit is usually performed in the third quarter of the calendar year. Upon request, the Customer may receive a copy of the public declaration prepared on such occasion free of charge. The latest declarations can be found at any time on Creditro’s website.

10.3 Creditro is obliged to supervise the sub-processors used. The supervision method must follow the principles in the Danish Data Protection Agency’s guidelines for supervision of data processors, and Creditro must be able to demonstrate compliance with this point to the Customer.


11. Deletion of the data processed for the Customer

11.1 Personal data that Creditro processes on behalf of the Customer is deleted by Creditro immediately after the agreed processing, including storage period, has been completed or at the latest at the end of the Agreement with the exception of backup. However, personal data which is processed or has been processed on behalf of the Customer, and which may be stored in connection with backups, will be deleted no later than 6 months after the completion of the processing or the termination of the Agreement.

11.2 The Customer may at any time have personal data which Creditro processes on behalf of the Customer deleted within a reasonable time upon request, taking into account the amount of data, the complexity of the deletion and the circumstances in general. Creditro’s assistance to the Customer is settled as stated in Section 4 of the Standard Terms.

11.3 Creditro’s obligation to delete personal data, which is processed on behalf of the Customer, is in all cases subject to the law prescribing Creditro’s continued storage.


12. Duration

12.1 This data processor agreement applies as long as the Customer subscribes to one or more of Creditro’s modules under which Creditro performs personal data processing on behalf of the Customer, cf. the Agreement. The data processor agreement applies as long as Creditro may process personal data on behalf of the Customer, including where this continues after the termination of the Agreement, e.g. because personal data is still processed in connection with backup or in accordance with section 11.1.

12.2 The data processor agreement cannot be terminated, but can nevertheless be replaced by another data processor agreement. Creditro is entitled to update the data processor agreement when this is relevant, including in the event of changes in the law and/or changes in Creditro’s modules. The Customer will be notified of such an update.


Appendix 2A


This appendix applies to those of Creditro’s customers who have purchased the module Creditro Comply, cf. the main agreement. Creditro Comply has three packages, Basic, Premium and Enterprise; the main agreement also states which package the Customer has purchased.


1. Data processing in Creditro Comply

General provisions on the processing of personal data can be found at the top of Appendix 2. This Appendix 2A describes the specifications that apply to Creditro Comply in Creditro’s role as data processor in the delivery of Creditro Comply. The Customer is thus the data controller when the Customer provides information on its Clients to Creditro, and Creditro will therefore be the data processor for this personal data. Creditro becomes an independent data controller to the extent that the Customer’s Clients create a profile with Creditro. The Customer is the data controller for personal data about Clients provided by the Customer to Creditro prior to and for the purpose of conducting a money laundering investigation, and Creditro thus acts as a data processor in the performance of this task. For further elaboration and visualization of the role distribution and flow, see section 1.2 below.

1.1 Purpose

1.1.1 The purpose of the processing of personal data is to assist the Customer in complying with the Customer’s obligations under the money laundering legislation, including inviting the persons associated with the Customer’s Clients to be established as End Users of Creditro and to keep documentation for money laundering investigations.


1.2 Overview

Here is a visualization of the role distribution and personal data flow using Creditro Comply:

[Figure: Annex 2A, data flow in Creditro Comply]
1.2.1 In particular about Creditro Comply – Where the Customer uses Creditro Comply, Creditro must obtain information about the persons associated with the Customer’s Clients in relation to money laundering, including information about the persons’ possible status as PEP or RCA. Furthermore, Creditro must obtain information on whether the person in question, according to public sanction lists, is subject to sanctions. On the basis of the information uploaded by the Customer and the information obtained from third parties, Creditro must, in accordance with the Customer’s instructions, make an assessment of the risk of the Client’s involvement, or risk of involvement, in money laundering or terrorist financing. In connection with Creditro Comply, Creditro continuously monitors and updates the information about persons obtained by Creditro for the Customer.


1.2.2 Especially about Store My ID – On the basis of the personal information from the Customer in connection with the Customer’s creation of a person in Creditro Comply, Creditro can look up that person in its ID database (Store My ID) of persons who have registered as users in Store My ID, and:

  1. If the User is already registered in Store My ID and accepts that Creditro passes on a copy of his identification documents to the Customer, Creditro must make such transfer to the Customer.

  2. If the person subject to the money laundering investigation is not registered in Store My ID or does not accept the transfer, Creditro must, by e-mail and on behalf of the Customer, contact the person with a request to complete the process.

     a. If the person creates a profile in Store My ID and consents to the transfer, Creditro then passes on a copy of the identification documents to the Customer.

     b. If the person does not wish to register in Store My ID, or does not want Creditro to share his identification documents with the Customer, the Customer is informed of this and must obtain identification documents from the person directly.

Creditro is the data controller for personal information in Store My ID. The Customer is the data controller for personal information which is passed on to the Customer from Store My ID.


1.3 Categories of data subjects

1.3.1 Personal data is processed on:


  • Persons on whom the Customer wishes to carry out money laundering investigations
  • Persons who are related to companies, corporations or organizations, etc., including persons who can state who the beneficial owners of such companies are
  • Persons appearing on documents that the Customer uploads to Creditro’s service


1.4 Data types

1.4.1 General personal data:


  • Name
  • Contact information, including email address and cell phone number
  • Relationship to company, corporation or organization, including role as owner, management member, position; status as PEP
  • Money laundering reports
  • Copies of identity papers
  • Media coverage
  • Information in documents that the Customer uploads to Creditro’s service
  • Information that Creditro, in agreement with the Customer, collects for the Customer’s use


2. Data processing for Nordic / International data

2.1 Purpose

2.1.1 The purpose of the processing is, on behalf of the Customer, to obtain international data for use in Creditro Comply. The customer has entered into an agreement with the data provider.

2.2 Instructions

2.2.1 Creditro must, at the Customer’s request, obtain information from the data provider defined by the Customer about the persons requested by the Customer and have such data included in Creditro’s other modules. Where this is otherwise covered by the Agreement, Creditro shall carry out ongoing monitoring and updating of international data obtained by Creditro for the Customer.

2.3 Categories of data subjects:

  • Persons about whom the Customer wishes to obtain information
  • Persons who are related to companies, corporations or organizations about which the Customer wishes to obtain information


2.4 Data types

2.4.1 General personal data:

  • Name
  • Contact information, including email address and cell phone number
  • Relationship to company, corporation or organization, including role as owner, management member, position
  • Status as PEP


Appendix 2B


This appendix applies to those of Creditro’s customers who have purchased the module Creditro Assess, cf. the main agreement.


3. Data processing in Creditro Assess

General provisions on data processing can be found in Appendix 2 to the Agreement. This section describes the specifications that apply to Creditro Assess in Creditro’s role as data processor in the delivery of Creditro Assess.

3.1 Purpose

3.1.1 The purpose is to obtain and provide information on financial matters and credit-related matters to the Customer and to store the information obtained for the Customer.

3.2 Instructions

3.2.1 Creditro must obtain information about financial matters and credit-related matters concerning such companies and persons as the Customer wishes. Creditro must analyze such information using the scoring models defined and/or approved by the Customer. Creditro must, on behalf of the Customer, store the information obtained and the analyses prepared, just as Creditro must, by agreement, regularly collect updated information regarding companies about which the Customer has obtained information.

3.3 Categories of data subjects

3.3.1 Personal data is processed on:

  • Companies and persons about whom the Customer wishes to obtain information.

3.4 Data types

3.4.1 General personal data:

  • Name
  • Contact information, including email and cell phone number
  • Relationship to company, corporation or organization, including role as owner, management member and position
  • Company reports
  • Economic conditions
  • Media coverage
  • Information that Creditro, in agreement with the Customer, collects for the Customer’s use


Appendix 2C


This appendix applies to those of Creditro’s Customers who have purchased the module Creditro Sign, cf. the main agreement.


4. Data processing in Creditro Sign

General provisions on the processing of personal data can be found in Appendix 2 to the Agreement. This section describes the specifications that apply to Creditro Sign in Creditro’s role as data processor in the delivery of Creditro Sign.

4.1 Purpose

4.1.1 The purpose is to send out documents in order for the Customer to obtain a digital signature on these and to store such documents for the Customer.

4.2 Instructions

4.2.1 Creditro must electronically send the documents determined by the Customer for digital signature to such persons as the Customer determines. Creditro must register which of the recipients has signed the sent documents digitally and keep signed documents and documentation for digital signatures on behalf of the Customer.

4.3 Categories of data subjects

4.3.1 Personal data is processed on:

  • Persons who must sign documents
  • Persons mentioned in documents sent for signature

4.4 Data types

4.4.1 General personal data:

  • Name
  • Contact information, including email address and cell phone number
  • Relationship to company, corporation or organization, including role as owner, management member, position
  • Information in documents for signature
  • Signature documentation, including electronic ID information