Terms and Conditions at TehriHills - Data Processing
At TehriHills, we ensure that the processing of Personal Data by TehriHills on behalf of the Data Controller follows the General Data Protection Regulation (EU) 2016/679 ("GDPR").
Definitions
- 'Personal Data' means any information relating to an identified or identifiable natural person as defined in Article 4 of the GDPR.
- 'Data Subject' means the individual to whom the Personal Data relates.
- 'Processing' means any operation or set of operations performed on Personal Data as defined under the GDPR.
- 'Sub-Processor' means any third party appointed by or on behalf of the Data Processor to process Personal Data.
- 'Data Controller' means a person or entity that determines how and why personal data is processed under the General Data Protection Regulation (GDPR). A data controller may be an individual, such as a sole trader or self-employed professional, or a legal entity, such as a company, public authority, or association. They determine the purposes and means of processing data. They are responsible for ensuring that the data is processed in a way that complies with the GDPR.
- 'Data Processor' means a person or entity that processes personal data on behalf of a data controller. They process personal data as instructed by the data controller. They are responsible for ensuring that the processing is carried out in accordance with the controller's instructions.
Subject Matter and Purpose
The Data Processor will process Personal Data on behalf of the Data Controller strictly for the purpose of providing the agreed-upon services as specified in the Service Agreement or any other written agreement between the parties. The scope, nature, and purpose of the processing, along with the type of Personal Data and categories of Data Subjects, are determined by the Data Controller.
Responsibilities of the Data Processor
- Compliance with Laws: The Data Processor will comply with applicable data protection laws, including the GDPR, in the processing of Personal Data.
- Processing in Accordance with Instructions: TehriHills will process Personal Data only on the documented instructions of the Data Controller, including with regard to transfers of Personal Data to a third country.
- Confidentiality: The Data Processor will ensure that all personnel who have access to Personal Data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Technical and Organizational Measures (TOMs): The Data Processor will implement and maintain appropriate TOMs as set out in Annex 1 to ensure a level of security appropriate to the risk.
- Assistance with Data Subject Rights: The Data Processor will assist the Data Controller, using appropriate technical and organizational measures, to fulfill its obligations to respond to requests for exercising the rights of Data Subjects.
- Data Breach Notification: The Data Processor will notify the Data Controller without undue delay after becoming aware of a Personal Data breach.
- Data Transfers: The Data Processor will not transfer Personal Data outside the European Economic Area (EEA) without the explicit written consent of the Data Controller, unless such transfer is made in compliance with Chapter V of the GDPR. This includes implementing Standard Contractual Clauses (SCCs) or other appropriate safeguards to ensure that any transfer of Personal Data to non-EU countries meets GDPR standards.
Sub-Processors
The Data Processor may engage sub-processors only with the prior written authorization of the Data Controller. The Data Processor will ensure that all sub-processors adhere to the same data protection obligations.
Annex 1: Technical and Organizational Measures (TOMs)
TehriHills has implemented comprehensive Technical and Organizational Measures to ensure the security and protection of Personal Data processed on behalf of the Data Controller. These measures include:
Access Control
- User Authentication:
  - Implementation of strong password policies, requiring complex passwords that are regularly updated.
  - Multi-Factor Authentication (MFA) is mandatory for all users accessing systems that handle Personal Data.
- Role-Based Access Control (RBAC):
  - Access to Personal Data is limited to authorized personnel only, based on their role and responsibilities within the organization.
  - Regular reviews of user access rights are conducted to ensure appropriateness.
- Visitor Access Control:
  - Physical access to facilities is controlled through access cards, biometric systems, or security personnel.
  - Visitors are logged and monitored while on premises.
Data Encryption
- Encryption in Transit: All data transmitted over public networks is encrypted using TLS (Transport Layer Security) or equivalent protocols to prevent interception.
- Encryption at Rest: Sensitive Personal Data stored on servers, databases, and backup systems is encrypted using AES-256 or comparable encryption standards.
- Key Management: Encryption keys are stored securely, with limited access granted only to authorized personnel. Regular key rotation practices are implemented.
Data Minimization and Retention
- Data Collection Policies: Personal Data is collected only for specified, legitimate purposes and is limited to what is necessary for processing.
- Data Retention Schedule: A defined data retention policy is in place to ensure Personal Data is not retained longer than necessary. Data is securely deleted or anonymized when it is no longer required.
Data Segregation
- Logical Separation of Data: Data belonging to different clients or projects is logically separated within databases to prevent unauthorized access or data breaches.
- Environment Isolation: Development, testing, and production environments are isolated to prevent unauthorized access to sensitive data during development or testing.
Data Backup and Recovery
- Regular Backup Procedures: Data backups are performed regularly, ensuring that Personal Data can be restored in case of data loss or corruption.
- Backup Security: Backup data is encrypted and stored securely in a separate location, with access limited to authorized personnel only.
- Disaster Recovery Plan: A disaster recovery plan is in place, including defined recovery time objectives (RTO) and recovery point objectives (RPO) to ensure business continuity.
Incident Response and Breach Notification
- Incident Response Plan: A documented incident response plan is in place, outlining procedures for detecting, responding to, and mitigating data breaches.
- Breach Notification Protocols: Procedures for notifying the Data Controller of any Personal Data breaches without undue delay, as required by GDPR.
Employee Training and Awareness
- Data Protection Training: Regular training sessions on data protection, GDPR compliance, and security awareness for all employees handling Personal Data.
- Phishing and Social Engineering Awareness: Training to recognize phishing attempts and social engineering tactics to reduce risks associated with human error.
Monitoring and Logging
- Access and Activity Logs: Detailed logs of access to Personal Data and processing activities are maintained for auditing and compliance purposes.
- Monitoring Systems: Continuous monitoring systems are implemented to detect unauthorized access, anomalies, or suspicious activities.
- Regular Review of Logs: Logs are regularly reviewed by security personnel to identify and investigate any irregularities.
Regular Audits and Compliance Checks
- Internal Audits: Regular internal audits of data processing activities and compliance with this Agreement and applicable data protection regulations.
- Third-Party Audits: Engaging external auditors to conduct periodic reviews of security measures and compliance with GDPR and other applicable laws.
- Risk Assessments: Regular risk assessments are conducted to identify potential vulnerabilities and implement necessary measures to mitigate risks.
Third-Party Service Providers
- Vendor Risk Management: Due diligence is conducted on third-party service providers to ensure they meet necessary data protection standards.
- Contractual Obligations: Contracts with third-party providers include clauses to ensure compliance with data protection laws and obligations regarding Personal Data processing.