The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), adopted on April 27, 2016, is a regulation intended to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the transfer of personal data outside of the EU. The primary objectives of the GDPR are to enhance EU residents’ control of their personal data and to simplify the regulatory environment for international business by imposing uniform data protection requirements on all EU members. The GDPR replaces the data protection directive (officially Directive 95/46/EC) from 1995 and is effective from May 25, 2018.

KIT365 Limited is committed to compliance with the GDPR. Just like existing privacy laws, including the preceding data protection directive, compliance with the GDPR requires a partnership between KIT365 and our customers in their use of our services and products. KIT365 has reviewed the requirements of the GDPR, and is working to make enhancements to our services, products, documentation, and contracts to support our own compliance with the GDPR.

KIT365’s compliance with the GDPR

As a cyber security provider, data privacy and security is at the core of KIT365’s business and something KIT365 takes very seriously. KIT365 remains committed to protecting personal data in compliance with the highest standards of privacy and security. Below is a high-level summary of KIT365’s compliance with many of the key areas of the GDPR.

Data Protection

• As the data processor, KIT365 will only process personal data on behalf of the data controller and on written authorisation from the data controller (i.e. through a contract or order).

• KIT365 expects that its customers, as the data controllers, will notify their employees and users (i.e. the data subjects) of the processing carried out by KIT365 and will obtain their consent for KIT365 to do so.

• KIT365 ensures the confidentiality and availability of the personal data that it processes, and that appropriate technical and organisational measures are taken to protect such personal data.

• For the majority of KIT365’s services and products, personal data is never stored by or accessible by KIT365.

• Logs are never stored in clear text.

• KIT365 only allows access to personal data by personnel who are authorised administrators with appropriate privileges.

• KIT365 does not process or store any personal data that is not needed to perform the contracted services on behalf of the data controller.

• The personal data that KIT365 processes on behalf of the data controller will be accurate, complete, and kept up-to-date as much as technically possible.

• Personal data will not be disclosed, made available, or otherwise used for purposes other than to perform the contracted services on behalf of the data controller, except as required by law.

• All transfers of personal data outside of the European Economic Area (EEA) will only be done for the purposes of providing the contracted services to the data controller and will be subject to EU-US and Swiss-US Privacy Shield principles.

• KIT365 retains Logs in its provided applications for rolling periods of at least six months, after which the Logs are securely purged.

• At contract termination or expiration, the Logs will be purged pursuant to the six-month retention cycle, or as earlier requested in writing by the data controller.

• KIT365 will make available to the data controller all information reasonably necessary for the data controller to demonstrate its compliance with the GDPR.

• KIT365 will be accountable and responsible to ensure its own compliance under the GDPR.

Security Safeguards

• KIT365 protects personal data through reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification, or disclosure.

• KIT365 performs robust security measures on its systems such as antivirus, firewalls, scheduled vulnerability scanning, penetration testing and security code peer reviews.

• All KIT365 personnel who are authorised to process personal data have committed themselves (through employment and confidentiality agreements) to the confidentiality and security of personal data.

• KIT365 is able to ensure ongoing confidentiality, integrity, availability and resilience of its processing systems and services, in addition to restoring real-time availability and access to personal data in a timely manner in the event of a physical or technical incident.

• KIT365 has an internal process for regularly testing, assessing, and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing of personal data.

• KIT365 will notify the data controller without undue delay after becoming aware of a personal data breach and will assist the data controller in reporting to supervisory authorities and affected data subjects any personal data breaches.