Last modified: November 27, 2018
The party ("Company") agreeing to these Data Processing and Security Terms (these "Terms"), and Jibe Mobile Inc. ("Jibe") have entered into an agreement (as amended from time to time, the "Agreement") under which Jibe has agreed to provide RCS Business Messaging (as described at https://developers.google.com/business-communications/rcs-business-messaging) (the "Services"). These Terms take effect with and supplement the Agreement.
These Terms reflect the parties' agreement with respect to the terms governing the processing and security of Company Personal Data under the Agreement.
2.1 Capitalized terms used but not defined in these Terms have the meanings set out in the Agreement. In these Terms, unless stated otherwise:
- "Alternative Transfer Solution" means a solution, other than the Transfer Solution, that enables the lawful transfer of personal data to a third country in accordance with Article 45 or 46 of the GDPR (for example, the EU-U.S. Privacy Shield).
- "Company End Users" or "End Users" means end users of the Services.
- "Company Personal Data" means personal data provided by or on behalf of Company or Company End Users via the Services.
- "Data Incident" means a breach of Jibe's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Company Personal Data on systems managed by or otherwise controlled by Jibe. "Data Incidents" will not include unsuccessful attempts or activities that do not compromise the security of Company Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
- "EEA" means the European Economic Area.
- "European Data Protection Legislation" means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland) ("FDPA").
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- "Jibe's Third Party Auditor" means a Jibe-appointed, qualified and independent third party auditor, whose then-current identity Jibe will disclose to Company.
- "ISO 27001 Certification" means an ISO/IEC 27001:2013 certification or a comparable certification in relation to the Services.
- "Non-European Data Protection Legislation" means data protection or privacy legislation other than the European Data Protection Legislation.
- "Notification Email Address" means the email address(es) designated by Company to receive certain notifications from Jibe.
- "Security Documentation" means all documents and information made available by Jibe under Section 6.5.1 (Reviews of Security Documentation).
- "Security Measures" has the meaning given in Section 6.1.1 (Jibe's Security Measures).
- "SOC 2 Report" means a confidential Service Organization Control (SOC) 2 report (or a comparable report) on Jibe's systems examining logical security controls, physical security controls, and system availability, as produced by Jibe's Third Party Auditor in relation to the Services.
- "SOC 3 Report" means a Service Organization Control (SOC) 3 report (or a comparable report), as produced by Jibe's Third Party Auditor in relation to the Services.
- "Subprocessors" means third parties authorized under these Terms to have logical access to and process Company Personal Data in order to provide parts of the Services.
- "Transfer Solution" means a lawful mechanism to ensure an adequate level of protection for Company Personal Data transferred outside of the EEA to a third country in accordance with Article 45 or 46 of the GDPR (for example, the EU-U.S. Privacy Shield).
2.2 The terms "personal data", "data subject", "processing", "controller", "processor" and "supervisory authority" as used in these Terms have the meanings given in the GDPR, in each case irrespective of whether the GDPR, FDPA or Non-European Data Protection Legislation applies.
3. Scope of Data Protection Legislation
3.1 Application of European Legislation. The parties acknowledge and agree that the European Data Protection Legislation will apply to the processing of Company Personal Data if, for example:
- the processing is carried out in the context of the activities of an establishment of Company in the territory of the EEA; and/or
- the Company Personal Data is personal data relating to data subjects who are in the EEA and the processing relates to the offering to them of goods or services in the EEA or the monitoring of their behaviour in the EEA.
3.2 Application of Non-European Legislation. The parties acknowledge and agree that Non-European Data Protection Legislation may also apply to the processing of Company Personal Data.
3.3 Application of Terms. Except to the extent these Terms state otherwise, these Terms will apply irrespective of whether the European Data Protection Legislation or Non-European Data Protection Legislation applies to the processing of Company Personal Data.
4. Processing of Data
4.1 Roles and Regulatory Compliance; Authorization.
4.1.1 Processor and Controller Responsibilities. If the European Data Protection Legislation applies to the processing of Company Personal Data, the parties acknowledge and agree that:
- the subject matter and details of the processing are described in Appendix 1;
- Jibe is a processor of that Company Personal Data under the European Data Protection Legislation;
- Company is a controller or processor, as applicable, of that Company Personal Data under European Data Protection Legislation; and
- each party will comply with the obligations applicable to it under the European Data Protection Legislation with respect to the processing of that Company Personal Data.
4.1.2 Authorization by Third Party Controller. If the European Data Protection Legislation applies to the processing of Company Personal Data and Company is a processor, Company warrants to Jibe that Company's instructions and actions with respect to that Company Personal Data, including its appointment of Jibe as another processor, have been authorized by the relevant controller.
4.2 Scope of Processing.
4.2.1 Company's Instructions. By entering into these Terms, Company instructs Jibe to process Company Personal Data only in accordance with applicable law: (a) to provide and improve the Services; (b) as further specified via Company's use of the Services; (c) as documented in the form of the Agreement, including these Terms; and (d) as further documented in any other written instructions given by Company and acknowledged by Jibe as constituting instructions for purposes of these Terms.
4.2.2 Jibe's Compliance with Instructions. Jibe will comply with the instructions described in Section 4.2.1 (Company's Instructions) (including with regard to data transfers) unless EU or EU Member State law to which Jibe is subject requires other processing of Company Personal Data by Jibe, in which case Jibe will notify Company (unless that law prohibits Jibe from doing so on important grounds of public interest).
4.3 End User Consents. Company will obtain and maintain any required consents necessary to (i) permit the access, storage, and processing of Company Personal Data by Jibe, and (ii) permit the access, processing and storage of Company Personal Data provided to Jibe, in each case for the purpose of providing and improving the Services. Any terms of service and/or privacy policies provided by Company to End Users in relation to its products and services shall make clear that such terms of service and/or privacy policies do not apply to End Users' use of the Services (or any other service provided by Jibe or its Affiliates), and that such services may be subject to separate terms of service and/or privacy policies.
5. Data Deletion
5.1 Deletion by Company. Jibe may enable Company to delete Company Personal Data during the term of the Agreement in a manner consistent with the functionality of the Services. If Company uses the Services to delete any Company Personal Data during the term of the Agreement and that Company Personal Data cannot be recovered by Company, this use will constitute an instruction to Jibe to delete the relevant Company Personal Data from Jibe's systems in accordance with applicable law. Jibe will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless EU or EU Member State law requires storage.
5.2 Services Without Deletion Functionality. If the functionality of the Services does not include the option for Company to delete Company Personal Data, then Jibe will comply with any reasonable request from Company to facilitate such deletion, insofar as this is possible taking into account the nature and functionality of the Services. Jibe may charge a fee (based on Jibe's reasonable costs) for any data deletion under this Section 5.2. Jibe will provide Company with further details of any applicable fee, and the basis of its calculation, in advance of any such data deletion.
5.3 Deletion on Termination. On expiry or termination of the Agreement, Company instructs Jibe to delete all Company Personal Data (including existing copies) from Jibe's systems in accordance with applicable law. Jibe will, after a recovery period of up to 30 days following such expiry, comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless EU or EU Member State law requires storage.
6. Data Security
6.1 Jibe's Security Measures, Controls and Assistance.
6.1.1 Jibe's Security Measures. Jibe will implement and maintain technical and organizational measures to protect Company Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the "Security Measures"). As described in Appendix 2, the Security Measures include measures to encrypt personal data; to help ensure ongoing confidentiality, integrity, availability and resilience of Jibe's systems and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. Jibe may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
6.1.2 Security Compliance by Jibe Staff. Jibe will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Company Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.1.3 Jibe's Security Assistance. Company agrees that Jibe will (taking into account the nature of the processing of Company Personal Data and the information available to Jibe) assist Company in ensuring compliance with any of Company's obligations in respect of security of personal data and personal data breaches, including if applicable Company's obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by:
- implementing and maintaining the Security Measures in accordance with Section 6.1.1 (Jibe's Security Measures);
- complying with the terms of Section 6.2 (Data Incidents); and
- providing Company with the Security Documentation in accordance with Section 6.5.1 (Reviews of Security Documentation) and the information contained in the Agreement including these Terms.
6.2 Data Incidents.
6.2.1 Incident Notification. If Jibe becomes aware of a Data Incident, Jibe will: (a) notify Company of the Data Incident promptly and without undue delay after becoming aware of the Data Incident; and (b) promptly take reasonable steps to minimize harm and secure Company Personal Data.
6.2.2 Details of Data Incident. Notifications made pursuant to this section will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps Jibe recommends Company take to address the Data Incident.
6.2.3 Delivery of Notification. Notification(s) of any Data Incident(s) will be delivered to the Notification Email Address or, at Jibe's discretion, by direct communication (for example, by phone call or an in-person meeting). Company is solely responsible for ensuring that the Notification Email Address is current and valid.
6.2.4 No Assessment of Company Personal Data by Jibe. Jibe will not assess the contents of Company Personal Data in order to identify information subject to any specific legal requirements. Company is solely responsible for complying with incident notification laws applicable to Company and fulfilling any third party notification obligations related to any Data Incident(s).
6.2.5 No Acknowledgement of Fault by Jibe. Jibe's notification of or response to a Data Incident under this Section 6.2 (Data Incidents) will not be construed as an acknowledgement by Jibe of any fault or liability with respect to the Data Incident.
6.3 Company's Security Responsibilities and Assessment.
6.3.1 Company's Security Responsibilities. Company agrees that, without prejudice to Jibe's obligations under Section 6.1 (Jibe's Security Measures, Controls and Assistance) and Section 6.2 (Data Incidents):
- Company is solely responsible for its use of the Services, including:
- making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Company Personal Data; and
- securing the account authentication credentials, systems and devices Company uses to access the Services.
- Jibe has no obligation to protect Company Personal Data that Company elects to store or transfer outside of Jibe's and its Subprocessors' systems (for example, offline or on-premise storage).
6.3.2 Company's Security Assessment.
- Company is solely responsible for reviewing the Security Documentation and evaluating for itself whether the Services, the Security Measures and Jibe's commitments under this Section 6 (Data Security) will meet Company's needs, including with respect to any security obligations of Company under the European Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable.
- Company acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Company Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by Jibe as set out in Section 6.1.1 (Jibe's Security Measures) provide a level of security appropriate to the risk in respect of the Company Personal Data.
6.4 Security Certifications and Reports. Jibe will do the following to evaluate and help ensure the continued effectiveness of the Security Measures:
- obtain, as soon as reasonably practical, and maintain the ISO 27001 Certification; and
- obtain, as soon as reasonably practical, and update the SOC 2 Report and SOC 3 Report at least once every 18 months.
6.5 Reviews and Audits of Compliance.
6.5.1 Reviews of Security Documentation. In addition to the information contained in the Agreement (including these Terms), Jibe will, once these are available, provide Company the following documents and information to demonstrate compliance by Jibe with its obligations under these Terms:
- any certificates issued in relation to the ISO 27001 Certification;
- the then-current SOC 3 Report (if available); and
- the then-current SOC 2 Report (if available), following a request by Company in accordance with Section 6.5.3.
6.5.2 Company's Audit Rights.
- If the European Data Protection Legislation applies to the processing of Company Personal Data, Jibe will allow Company or an independent auditor appointed by Company to conduct audits (including inspections) to verify Jibe's compliance with its obligations under these Terms in accordance with Section 6.5.3 (Additional Business Terms for Reviews and Audits). Jibe will contribute to such audits as described in Section 6.4 (Security Certifications and Reports) and this Section 6.5 (Reviews and Audits of Compliance).
- Company may also conduct an audit to verify Jibe's compliance with its obligations under these Terms by reviewing the Security Documentation (which reflects the outcome of audits conducted by Jibe's Third Party Auditor).
6.5.3 Additional Business Terms for Reviews and Audits.
- Company must send any requests for reviews of the SOC 2 Report under Section 6.5.1(3) or audits under Section 6.5.2(1) or 6.5.2(2) to Jibe's RCS data protection contact as described in Section 11 (RCS Data Protection Contact; Processing Records).
- Following receipt by Jibe of a request under Section 6.5.3(1), Jibe and Company will discuss and agree in advance on: (i) the reasonable date(s) of and security and confidentiality controls applicable to any review of the SOC 2 Report under Section 6.5.1(3); and (ii) the reasonable start date, scope and duration of and security and confidentiality controls applicable to any audit under Section 6.5.2(1) or 6.5.2(2).
- Jibe may charge a fee (based on Jibe's reasonable costs) for any review of the SOC 2 Report under Section 6.5.1(3) and/or audit under Section 6.5.2(1) or 6.5.2(2). Jibe will provide Company with further details of any applicable fee, and the basis of its calculation, in advance of any such review or audit. Company will be responsible for any fees charged by any auditor appointed by Company to execute any such audit.
- Jibe may object in writing to an auditor appointed by Company to conduct any audit under Section 6.5.2(1) or 6.5.2(2) if the auditor is, in Jibe's reasonable opinion, not suitably qualified or independent, a competitor of Jibe, or otherwise manifestly unsuitable. Any such objection by Jibe will require Company to appoint another auditor.
7. Impact Assessments and Consultations
Company agrees that Jibe will (taking into account the nature of the processing and the information available to Jibe) assist Company in ensuring compliance with any obligations of Company in respect of data protection impact assessments and prior consultation, including if applicable Company's obligations pursuant to Articles 35 and 36 of the GDPR, by:
- providing the Security Documentation in accordance with Section 6.5.1 (Reviews of Security Documentation); and
- providing the information contained in the Agreement including these Terms.
8. Data Subject Rights; Data Export
8.1 Access; Rectification; Restricted Processing; Portability. Jibe will, in a manner consistent with the functionality of the Services and insofar as possible and legally required, enable Company to access, rectify and restrict processing of Company Personal Data, including via the deletion functionality provided by Jibe as described in Section 5, and to export Company Personal Data.
8.2 Data Subject Requests.
8.2.1 Company's Responsibility for Requests. If Jibe receives any request from a data subject in relation to Company Personal Data, Jibe will advise the data subject to submit their request to Company and Company will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.
8.2.2 Jibe's Data Subject Request Assistance. Company agrees that Jibe will (taking into account the nature of the processing of Company Personal Data and insofar as possible and legally required) assist Company in fulfilling any obligation to respond to requests by data subjects, including if applicable Company's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR, by complying with the commitments set out in Section 8.1 (Access; Rectification; Restricted Processing; Portability) and Section 8.2.1 (Company's Responsibility for Requests).
9. Data Transfers
9.1 Data Location and Transfers. Company acknowledges and agrees that the Services may involve the transfer and storage of Company Personal Data outside the EEA. Jibe may store or process the relevant Company Personal Data anywhere Jibe or its Subprocessors maintain facilities, provided that Jibe ensures an adequate level of protection for Company Personal Data by implementing a Transfer Solution. As of the effective date of the Agreement, the parties acknowledge that the Transfer Solution shall be Google LLC's adherence to the EU-US Privacy Shield and Swiss to US Privacy Shield frameworks, on behalf of itself and its wholly owned U.S. subsidiaries.
9.2 Alternative Transfer Solution. In the event that an existing Transfer Solution is deemed by a court of competent jurisdiction not to be valid, Jibe shall adopt an Alternative Transfer Solution, at its discretion. Jibe will make information available to Company about its adoption of the Alternative Transfer Solution and ensure that any transfers of Company Personal Data are made in accordance with such Alternative Transfer Solution.
10.1 Consent to Subprocessor Engagement. Company specifically authorizes the engagement of Jibe's Affiliates as Subprocessors. In addition, Company generally authorizes the engagement of any other third parties as Subprocessors ("Third Party Subprocessors").
10.2 Information about Subprocessors. At the written request of the Company, Jibe will provide information regarding Subprocessors and their locations. Any such requests must be sent to Jibe using the contact details set out in Section 11.1 (Data Protection Contact for Jibe).
10.3 Requirements for Subprocessor Engagement. When engaging any Subprocessor, Jibe will:
- ensure via a written contract that:
- the Subprocessor only accesses and uses Company Personal Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including these Terms) and Alternative Transfer Solution adopted by Jibe as described in Section 9 (Data Transfers); and
- if the GDPR applies to the processing of Company Personal Data, the data protection obligations set out in Article 28(3) of the GDPR, as described in these Terms, are imposed on the Subprocessor; and
- remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.
10.4 Opportunity to Object to Subprocessor Changes.
- When any new Third Party Subprocessor is engaged during the Term, Jibe will, at least 30 days before the new Third Party Subprocessor processes any Company Personal Data, inform Company of the engagement (including the name and location of the relevant subprocessor and the activities it will perform) by sending an email to the Notification Email Address.
- Company may object to any new Third Party Subprocessor by terminating the Agreement immediately upon written notice to Jibe, on condition that Company provides such notice within 90 days of being informed of the engagement of the subprocessor as described in Section 10.4(1). This termination right is Company's sole and exclusive remedy if Company objects to any new Third Party Subprocessor.
11. RCS Data Protection Contact; Processing Records
11.1 Jibe's RCS Data Protection Contact. Jibe's RCS data protection contact can be reached via http://issuetracker.google.com (and/or via such other means as Jibe may provide from time to time).
11.2 Jibe's Processing Records. Company acknowledges that Jibe is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which Jibe is acting and, where applicable, of such processor's or controller's local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, if the GDPR applies to the processing of Company Personal Data, Company will, where requested, provide such information to Jibe and ensure that all information provided is kept accurate and up-to-date.
12. Third Party Beneficiary
Notwithstanding anything to the contrary in the Agreement, Google LLC will be a third party beneficiary of Section 6.5 (Reviews and Audits of Compliance), and Section 10 (Consent to Subprocessor Engagement) of these Terms.
13. Effect of These Terms
Notwithstanding anything to the contrary in the Agreement, to the extent of any conflict or inconsistency between these Terms and the remaining terms of the Agreement, these Terms will govern.
Appendix 1: Subject Matter and Details of the Data Processing
Jibe's provision of the Services to Company.
Duration of the Processing
The effective date of the Agreement plus the period from the expiry or termination of the Agreement until deletion of all Company Personal Data by Jibe in accordance with the Terms.
Nature and Purpose of the Processing
Jibe will process Company Personal Data for the purposes of providing and improving the Services to Company in accordance with the Terms.
Categories of Data
Data relating to individuals provided to Jibe via the Services, by (or at the direction of) Company or by Company End Users.
Data subjects include the individuals about whom data is provided to Jibe via the Services by (or at the direction of) Company or by Company End Users.
Appendix 2: Security Measures
Jibe will implement and maintain the Security Measures set out in this Appendix 2. Jibe may update or modify such Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services. Solely for purposes of this Appendix 2, "Jibe" refers to Jibe and its Affiliates.
1. Data Center and Network Security
(a) Data Centers.
Infrastructure. Jibe maintains geographically distributed data centers. Jibe stores all production data in physically secure data centers.
Redundancy. Infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. Dual circuits, switches, networks or other necessary devices help provide this redundancy. The Services are designed to allow Jibe to perform certain types of preventative and corrective maintenance without interruption. All environmental equipment and facilities have documented preventative maintenance procedures that detail the process for and frequency of performance in accordance with the manufacturer's or internal specifications. Preventative and corrective maintenance of the data center equipment is scheduled through a standard change process according to documented procedures.
Power. The data center electrical power systems are designed to be redundant and maintainable without impact to continuous operations, 24 hours a day, 7 days a week. In most cases, a primary as well as an alternate power source, each with equal capacity, is provided for critical infrastructure components in the data center. Backup power is provided by various mechanisms such as uninterruptible power supplies (UPS) batteries, which supply consistently reliable power protection during utility brownouts, blackouts, over voltage, under voltage, and out-of-tolerance frequency conditions. If utility power is interrupted, backup power is designed to provide transitory power to the data center, at full capacity, for up to 10 minutes until the diesel generator systems take over. The diesel generators are capable of automatically starting up within seconds to provide enough emergency electrical power to run the data center at full capacity typically for a period of days.
Server Operating Systems. Jibe servers use an operating system customized for the application environment. Data is stored using proprietary algorithms to augment data security and redundancy. Jibe employs a code review process to increase the security of the code used to provide the Services and enhance the security products in production environments.
Business Continuity. Jibe replicates data over multiple systems to help to protect against accidental destruction or loss. Jibe has designed and regularly plans and tests its business continuity planning/disaster recovery programs.
(b) Networks and Transmission.
Data Transmission. Data centers are typically connected via high-speed private networks to provide secure and fast data transfer between data centers. This is designed to prevent data from being read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media. Jibe transfers data via Internet standard protocols.
External Attack Surface. Jibe employs multiple layers of network devices and intrusion detection to protect its external attack surface. Jibe considers potential attack vectors and incorporates appropriate purpose built technologies into external facing systems.
Intrusion Detection. Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. Jibe's intrusion detection involves:
- tightly controlling the size and make-up of Jibe's attack surface through preventative measures;
- employing intelligent detection controls at data entry points; and
- employing technologies that automatically remedy certain dangerous situations.
Incident Response. Jibe monitors a variety of communication channels for security incidents, and Jibe's security personnel will react promptly to known incidents.
Encryption Technologies. Jibe makes use of HTTPS encryption (also referred to as SSL or TLS connection). Jibe servers may use ephemeral elliptic curve Diffie-Hellman cryptographic key exchange signed with RSA. These perfect forward secrecy (PFS) methods help protect traffic and minimize the impact of a compromised key, or a cryptographic breakthrough.
2. Access and Site Controls
(a) Site Controls.
On-site Data Center Security Operation. Jibe's data centers maintain an on-site security operation responsible for all physical data center security functions 24 hours a day, 7 days a week. The on-site security operation personnel monitor closed circuit TV (CCTV) cameras and all alarm systems. On-site security operation personnel perform internal and external patrols of the data center regularly.
Data Center Access Procedures. Jibe maintains formal access procedures for allowing physical access to the data centers. The data centers are housed in facilities that require electronic card key access, with alarms that are linked to the on-site security operation. All entrants to the data center are required to identify themselves as well as show proof of identity to on-site security operations. Only authorized employees, contractors and visitors are allowed entry to the data centers. Only authorized employees and contractors are permitted to request electronic card key access to these facilities. Data center electronic card key access requests must be made through e-mail, and require the approval of the requestor's manager and the data center director. All other entrants requiring temporary data center access must: (i) obtain approval in advance from the data center managers for the specific data center and internal areas they wish to visit; (ii) sign in at on-site security operations; and (iii) reference an approved data center access record identifying the individual as approved.
On-site Data Center Security Devices. Jibe's data centers employ an electronic card key and biometric access control system that is linked to a system alarm. The access control system monitors and records each individual's electronic card key and when they access perimeter doors, shipping and receiving, and other critical areas. Unauthorized activity and failed access attempts are logged by the access control system and investigated, as appropriate. Authorized access throughout the business operations and data centers is restricted based on zones and the individual's job responsibilities. The fire doors at the data centers are alarmed. CCTV cameras are in operation both inside and outside the data centers. The positioning of the cameras has been designed to cover strategic areas including, among others, the perimeter, doors to the data center building, and shipping/receiving. On-site security operations personnel manage the CCTV monitoring, recording and control equipment. Secure cables throughout the data centers connect the CCTV equipment. Cameras record on site via digital video recorders 24 hours a day, 7 days a week. The surveillance records are retained for up to 30 days based on activity.
(b) Access Control.
Infrastructure Security Personnel. Jibe has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. Jibe's infrastructure security personnel are responsible for the ongoing monitoring of Jibe's security infrastructure, the review of the Services, and responding to security incidents.
Access Control and Privilege Management. Company's administrators must authenticate themselves via a central authentication system or via a single sign on system in order to administer the Services.
Internal Data Access Processes and Policies – Access Policy. Jibe's internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. Jibe designs its systems to (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording. The systems are designed to detect any inappropriate access. Jibe employs a centralized access management system to control personnel access to production servers, and only provides access to a limited number of authorized personnel. LDAP, Kerberos and a proprietary system utilizing SSH certificates are designed to provide Jibe with secure and flexible access mechanisms. These mechanisms are designed to grant only approved access rights to site hosts, logs, data and configuration information. Jibe requires the use of unique user IDs, strong passwords, two factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel's job responsibilities; job duty requirements necessary to perform authorized tasks; and a need to know basis. The granting or modification of access rights must also be in accordance with Jibe's internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies that follow at least industry standard practices are implemented. These standards may include password expiry, restrictions on password reuse and sufficient password strength. For access to extremely sensitive information (e.g., credit card data), Jibe uses hardware tokens.
(a) Data Storage, Isolation and Logging. Jibe stores data in a multi-tenant environment on Jibe-owned servers.
(b) Decommissioned Disks and Disk Erase Policy. Certain disks containing data may experience performance issues, errors or hardware failure that lead them to be decommissioned ("Decommissioned Disk"). Every Decommissioned Disk is subject to a series of data destruction processes (the "Disk Erase Policy") before leaving Jibe's premises either for reuse or destruction. Decommissioned Disks are erased in a multi-step process and verified complete by at least two independent validators. The erase results are logged by the Decommissioned Disk's serial number for tracking. Finally, the erased Decommissioned Disk is released to inventory for reuse and redeployment. If, due to hardware failure, the Decommissioned Disk cannot be erased, it is securely stored until it can be destroyed. Each facility is audited regularly to monitor compliance with the Disk Erase Policy.
4. Personnel Security
Jibe personnel are required to conduct themselves in a manner consistent with the company's guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Jibe conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.
Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Jibe's confidentiality and privacy policies. Personnel are provided with security training. Personnel handling Company Personal Data are required to complete additional requirements appropriate to their role (e.g., certifications). Jibe's personnel will not process Company Personal Data without authorization.
5. Subprocessor Security
Before onboarding Subprocessors, Jibe conducts an audit of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once Jibe has assessed the risks presented by the Subprocessor, then subject to the requirements set out in Section 10.3 (Requirements for Subprocessor Engagement) of these Terms, the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.