This Data Processing Agreement (“DPA“) supplements the MANSIO Terms of Use for the MANSIO Software and the MANSIO Internet Portal at https://app.mansio-logistics.com/, as updated from time to time between the Customer and MANSIO, or other agreements between the Customer and MANSIO governing the Customer’s use of the MANSIO Services (the “Agreement“). This DPA is an agreement between you and the legal entity you represent (“
1. Data processing.
1.1 Scope and roles. This DPA applies to the processing of Customer Data by MANSIO. In this context, MANSIO acts as a Processor vis-à-vis the Customer, who may act either as a Controller or as a Processor of Customer Data.
1.2 Details of data processing.
1.2.1 Subject matter. The subject matter of data processing under this DPA is Customer Data.
1.2.2 Duration. As between MANSIO and the Customer, the duration of data processing under this DPA is determined by the Customer.
1.2.3 Purpose. The purpose of data processing under this DPA is the provision of the Services commissioned by the Customer from time to time.
1.2.4 Nature of processing. Compute, storage and such other Services as described in the Documentation and initiated by the Customer from time to time.
1.2.5 Type of customer data. Customer data uploaded to the services under the customer’s MANSIO accounts.
1.2.6 Categories of data subjects. Data subjects may include customers, employees, suppliers and end users of the customer.
1.3 Compliance with laws. Each party shall comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including applicable data protection laws such as the GDPR.
2. Instructions from the Customer. The parties agree that this DPA and the Agreement (including the provision of instructions by the Customer via configuration tools and APIs provided by MANSIO for its Services) constitute the Customer’s documented instructions in relation to the processing of Customer Data by MANSIO (“Documented Instructions“). MANSIO will only process Customer Data in accordance with the Documented Instructions (which, if the Customer is acting as a Processor, may be based on the instructions of its Controllers). Additional instructions beyond the Documented Instructions (if any) require prior written agreement between MANSIO and the Customer, including agreement on any additional fees payable by the Customer to MANSIO for carrying out such instructions. The Customer is entitled to terminate this DPA and the Agreement if MANSIO declines to follow instructions requested by the Customer that are outside the scope of, or differ from, the instructions given or agreed in this DPA. Given the nature of the processing, the Customer agrees that it is unlikely that MANSIO will be able to form an opinion as to whether Documented Instructions infringe Applicable Data Protection Law. Should MANSIO nonetheless reach such an assessment, MANSIO will inform the Customer without undue delay, whereupon the Customer is entitled to withdraw or amend its Documented Instructions.
3. Confidentiality of Customer Data. MANSIO will not access or use Customer Data, or disclose it to any third party, except as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental authority (such as a subpoena or court order). If a governmental authority sends MANSIO a request for Customer Data, MANSIO will attempt to redirect the authority to request that data directly from the Customer. As part of this effort, MANSIO may provide the Customer’s basic contact information to the governmental authority. If MANSIO is compelled to disclose Customer Data to a governmental authority, MANSIO will give the Customer reasonable notice of the request so that the Customer can seek a protective order or other appropriate remedy, unless MANSIO is prohibited by law from doing so.
4. Confidentiality obligations of MANSIO personnel. MANSIO prohibits its personnel from processing Customer Data without authorization from MANSIO, as described in the Security Standards. MANSIO imposes corresponding contractual obligations on its personnel, including obligations regarding confidentiality, data protection and data security.
5. Security of data processing.
5.1 MANSIO has implemented and will maintain the technical and organizational measures as described in the Security Standards and this section. In particular, MANSIO uses AWS and the AWS network as a
(a) Security of the AWS network as set out in Section 1.1 of the Security Standards;
(b) physical security of the facilities in accordance with Section 1.2 of the Security Standards;
(c) measures to control access rights for authorized personnel to the AWS network in accordance with Section 1.3 of the Security Standards; and
(d) Procedures for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures implemented by AWS, as described in Section 2 of the Security Standards.
5.2 The customer may choose to take technical and organizational measures to protect customer data. Such technical and organizational measures include the following, which the customer may obtain from MANSIO, as described in the documentation, or directly from a third-party provider:
(a) Pseudonymization and encryption to ensure an appropriate level of security;
(b) measures to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services operated by the Customer; measures to enable the Customer to make and archive reasonable back-up copies to restore the availability and access to the Customer Data in a timely manner in the event of a physical or technical incident; and
(c) Procedures for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures taken by the Customer.
6. Sub-processing.
6.1 Authorized Subprocessors. The Customer grants MANSIO general authorization to engage sub-processors to process Customer Data on behalf of the Customer (“Sub-Processors“) in accordance with this section. MANSIO’s website (currently at https://mansio-logistics.com/en-us/cdpa/) lists the Sub-Processors currently engaged by MANSIO. At least 30 days before MANSIO engages a Sub-Processor, MANSIO will update the relevant website and provide a mechanism for the Customer to be notified of this update. To object to a sub-processor, the customer may: (i) terminate the contract in accordance with its terms; (ii) cease using the service for which MANSIO has engaged the sub-processor.
6.2 Obligations of the sub-processor. If MANSIO authorizes a sub-processor as described in section 6.1:
(i) MANSIO limits the Sub-Processor’s access to Customer Data to what is necessary to provide or maintain the Services in accordance with the Documentation, and MANSIO prohibits the Sub-Processor from accessing Customer Data for any other purpose;
(ii) MANSIO enters into a written contract with the Sub-Processor, and to the extent that the Sub-Processor provides the same Data Processing Services that MANSIO provides under this DPA, MANSIO imposes the same contractual obligations on the Sub-Processor as MANSIO has under this DPA; and
(iii) MANSIO remains responsible for compliance with its obligations under this DPA and for any acts or omissions of the Sub-Processor that cause MANSIO to breach its obligations under this DPA.
7. MANSIO assistance with data subject requests. Taking into account the nature of the processing, MANSIO will assist the Customer in fulfilling its obligation to respond to requests from data subjects under Applicable Data Protection Law. If a data subject makes a request to MANSIO, MANSIO will forward the request to the Customer without undue delay once MANSIO has determined that the request originates from a data subject for whom the Customer is responsible. The Customer authorizes MANSIO to respond, on its behalf and on behalf of its Controllers if the Customer is acting as a Processor, to any data subject who submits a request to MANSIO, in order to confirm that MANSIO has forwarded the request to the Customer. The parties agree that MANSIO’s forwarding of data subject requests to the Customer in accordance with this Section constitutes the scope and extent of the assistance the Customer requires.
8. Security incident notification.
8.1 Security Incident. MANSIO will (a) notify the Customer without undue delay after becoming aware of a Security Incident and (b) take appropriate measures to address the Security Incident, including measures to mitigate any adverse effects resulting from it.
8.2 MANSIO Support. To enable the Customer to report a Security Incident to regulators or affected individuals (as the case may be), MANSIO will cooperate with and assist the Customer by including in the notification under Section 8.1(a) such information about the Security Incident as MANSIO is able to disclose to the Customer, taking into account the nature of the Processing, the information available to MANSIO and any restrictions on the disclosure of the information, such as confidentiality. Taking into account the nature of the processing, the customer agrees that it is in the best position to determine the likely consequences of a security incident.
8.3 Unsuccessful security incidents. The customer agrees that:
(i) an Unsuccessful Security Incident is not covered by this Section 8. An Unsuccessful Security Incident is an incident that does not result in unauthorized access to Customer Data or to MANSIO equipment or facilities where Customer Data is stored, and could include, but is not limited to, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful login attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond the headers), or similar incidents; and
(ii) MANSIO’s obligation to report or respond to a Security Incident under this Section 8 shall not be construed or deemed to be an admission of fault or liability on the part of MANSIO with respect to the Security Incident.
8.4 Communication. Notifications of any security incidents will be sent to one or more of the customer’s administrators in a manner chosen by MANSIO, including by email. It is the sole responsibility of the customer to ensure that the customer’s administrators maintain accurate contact information on the MANSIO platform and secure transmission at all times.
8.5 Notification obligations. If MANSIO notifies the customer of a security incident or the customer otherwise becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, customer data, the customer is responsible for (a) determining whether any resulting notification or other obligation exists under applicable data protection law and (b) taking the necessary steps to comply with such obligations. This does not limit MANSIO’s obligations under this Section 8.
9. AWS certifications and audits.
9.1 AWS ISO certification and SOC reports. In addition to the information contained in this DPA, MANSIO will provide the following AWS documents and information upon request of the customer and provided that the parties have entered into an applicable NDA:
(i) the certificates issued for ISO 27001 certification, ISO 27017 certification, ISO 27018 certification and ISO 27701 certification (or the certifications or other documentation demonstrating compliance with such alternative standards that are substantially equivalent to ISO 27001, ISO 27017, ISO 27018 and ISO 27701); and
(ii) the report on system and organizational controls (SOC) 1, the report on system and organizational controls (SOC) 2 and the report on system and organizational controls (SOC) 3 (or the reports or other documents describing the controls performed by AWS that replace or are substantially equivalent to SOC 1, SOC 2 and SOC 3).
9.2 AWS audits. AWS uses third-party auditors to verify the adequacy of its security measures, including the security of the physical data centers from which AWS provides its services. This audit: (a) is conducted at least annually; (b) is conducted in accordance with ISO 27001 standards or other alternative standards that are substantially equivalent to ISO 27001; (c) is conducted by independent security experts at AWS’s expense; and (d) results in the preparation of an audit report (“Report“), which is AWS’s Confidential Information.
9.3 Audit reports. At the Customer’s written request, and provided that the parties have entered into an applicable non-disclosure agreement (NDA), MANSIO will provide the Customer with a copy of the Report so that the Customer can reasonably verify MANSIO’s and AWS’s compliance with their obligations under this DPA.
9.4 Data protection impact assessment and prior consultation. Taking into account the nature of the processing and the information available to AWS, MANSIO, with the assistance of AWS, will assist the Customer in complying with the Customer’s obligations in respect of data protection impact assessments and prior consultation by providing the information made available by AWS in accordance with this Section 9.
10. Customer audits. If the Customer elects to have an audit, including an inspection, conducted, it has the right, on its own behalf and on behalf of its Controllers if the Customer is acting as a Processor, to instruct MANSIO to carry out the audit described in Section 9, in accordance with Applicable Data Protection Law or the Standard Contractual Clauses. If the Customer wishes to change this instruction regarding the audit, it may request a change by giving MANSIO written notice as provided for in the Agreement. If MANSIO declines to follow an instruction requested by the Customer regarding audits, including inspections, the Customer is entitled to terminate the Agreement in accordance with its terms.
11. Transfers of Personal Data.
11.1 Regions. MANSIO may specify the location(s) within the AWS Network where Customer Data will be processed (each a “Region”), including Regions in the EEA. Once MANSIO has made its choice, AWS will not transfer Customer Data out of the Region(s) chosen by MANSIO unless this is necessary to provide the Services contracted by the Customer, or necessary to comply with the law or a valid and binding order of a governmental authority.
11.2 Application of standard contractual clauses. The standard contractual clauses only apply to customer data that is subject to the GDPR and is transferred either directly or by onward transfer to a third country (each a “data transfer”).
11.2.1 If the customer is acting as a controller, the clauses for processing by the controller shall apply to a data transfer.
11.2.2 If the customer is acting as a processor, the clauses for processors apply to a data transfer. Given the nature of the processing, the customer agrees that it is unlikely that MANSIO will know the identity of the customer’s data controllers, as MANSIO has no direct relationship with the customer’s data controllers, and therefore the customer will fulfill MANSIO’s obligations to the customer’s data controllers in accordance with the processor-to-processor clauses.
12. Termination of the DPA. This DPA remains in force until the termination of the Agreement (the “Termination Date”).
13. Return or deletion of Customer Data. Until the Termination Date and for 90 days thereafter, MANSIO will return or delete Customer Data in accordance with the terms of the Agreement if the Customer requests such return or deletion. No later than the end of this 90-day period, the Customer will close all MANSIO accounts containing Customer Data.
14. Duty to inform. If Customer Data is seized by third parties as part of bankruptcy or insolvency proceedings or similar measures while it is being processed by MANSIO, MANSIO will inform the Customer without undue delay. MANSIO will promptly inform all relevant parties to such proceedings (e.g. creditors, insolvency administrator) that all Customer Data that is the subject of such proceedings is the property and responsibility of the Customer and is exclusively under the Customer’s control.
15. entire agreement; conflict. This DPA incorporates the Standard Contractual Clauses by reference. Unless amended by this DPA, the Agreement shall remain in full force and effect. In the event of any conflict between the Agreement and this DPA, the terms of this DPA shall prevail, except that the Terms of Service shall prevail over this DPA. The Standard Contractual Clauses are not altered or modified in any way by this document.
16 Definitions. Unless otherwise defined in the Agreement, all capitalized terms used in this DPA shall have the meanings set forth below:
“API” means an application program interface.
“Applicable Data Protection Law” means all laws and regulations applicable to and binding on the processing of Customer Data by a party, including, to the extent applicable, the GDPR.
“AWS Network” means the servers, network devices and host software systems (e.g. virtual firewalls) under the control of AWS and used to provide the Services.
“Binding Corporate Rules” has the meaning given to it in the GDPR.
“Controller” has the meaning given to it in the GDPR.
“Controller-Processor Clauses” means the standard contractual clauses between controllers and processors for data transfers as approved by the European Commission Implementing Decision (EU) 2021/914 of June 4, 2021 and currently available at https://d1.awsstatic.com/Controller_to_Processor_SCCs.pdf.
“Customer Data” means the personal data uploaded to the Services under the Customer’s MANSIO accounts.
“Documentation” refers to the current documentation for the services, which can be found at https://mansio-logistics.com/en-us/cdpa/.
“EEA” means the European Economic Area.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means personal data, personal information, personally identifiable information or other equivalent terms (each as defined in applicable data protection law).
“Processing” has the meaning given to it in the GDPR and “process”, “processing” and “processed” are interpreted accordingly.
“Processor” has the meaning defined in the GDPR.
“Processor Clauses” means the standard contractual clauses between processors for data transfers as approved by the European Commission Implementing Decision (EU) 2021/914 of June 4, 2021 and currently available at https://d1.awsstatic.com/Processor_to_Processor_SCCs.pdf.
“Region” has the meaning given to it in Section 11.1 of this DPA.
“Security Incident” means a breach of MANSIO’s security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data.
“Security Standards” means the security standards attached to this DPA as Appendix 1.
“Standard Contractual Clauses” means (i) the clauses for the Contract between Controller and Processor or (ii) the clauses for the Contract between Processor and Processor, as applicable pursuant to Sections 11.2.1 and 11.2.2.
“Third country” means a country outside the EEA that is not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR).
Appendix 1 AWS Security Standards
Capitalized terms not otherwise defined in this document shall have the meaning ascribed to them in the Agreement.
1 Information security program. AWS maintains an information security program designed to (a) enable Customer to protect Customer Data from accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable risks to the security and availability of the AWS network, and (c) minimize physical and logical security risks to the AWS network, including through periodic risk assessments and testing. AWS will designate one or more employees to coordinate and be responsible for the information security program.
The AWS information security program will include the following measures:
1.1 Logical security.
A. Access controls. AWS will make the AWS network accessible only to authorized personnel, and only to the extent necessary to maintain and provide the Services. AWS maintains access controls and policies to manage authorizations for access to the AWS network for each network connection and user, including through the use of firewalls or functionally equivalent technology and authentication controls. AWS maintains access controls designed to (i) restrict unauthorized access to data and (ii) segregate each customer’s data from the data of other customers.
B. Restricted user access. AWS will (i) provision and restrict user access to the AWS Network in accordance with the principle of least privilege based on personnel duties, (ii) require review and approval before granting access to the AWS Network beyond least privilege, including administrator accounts, (iii) require at least quarterly review of access rights to the AWS Network and revoke access rights in a timely manner where necessary, and (iv) require two-factor authentication for access to the AWS Network from remote locations.
C. Vulnerability assessments. AWS regularly conducts external vulnerability assessments and penetration tests of the AWS network, investigates identified issues and follows up on remediation in a timely manner.
D. Application security. Before the public launch of new Services or significant new features of existing Services, AWS conducts an application security review designed to identify, mitigate and eliminate security risks.
E. Change management. AWS maintains controls to log, authorize, test, approve, and document changes to existing AWS network resources and documents the details of the changes in its change management or deployment tools. AWS tests the changes according to its change management standards prior to migration to production. AWS maintains processes designed to detect unauthorized changes to the AWS network and track identified issues to resolution.
F. Data integrity. AWS maintains controls to ensure the integrity of data during transmission, storage and processing on the AWS network. AWS will provide the customer with the ability to delete customer data from the AWS network.
G. Business continuity and disaster recovery. AWS maintains a formal risk management program to support the continuity of its critical business functions (“Business Continuity Program”). The Business Continuity Program includes processes and procedures to identify, respond to and recover from events that could prevent or materially impair the provision of Services by AWS (a “BCP Event”). The Business Continuity Program includes a three-phased approach that AWS follows to manage BCP Events:
(i) Activation and notification phase. If AWS identifies issues that are likely to lead to a BCP event, AWS will escalate, validate and investigate these issues. In this phase, AWS analyzes the root cause of the BCP event.
(ii) Recovery phase. AWS assigns responsibility to the appropriate teams to take steps to restore normal system functionality or stabilize the affected services.
(iii) Reconstitution phase. AWS leadership reviews the actions taken and confirms that the recovery efforts are complete and that the affected parts of the Services and the AWS Network have been restored. Following this confirmation, AWS conducts a post-mortem analysis of the BCP Event.
H. Incident management. AWS maintains remediation plans and incident response plans to respond to potential security threats to the AWS network. AWS incident response plans include defined processes for detecting, containing, investigating, and reporting security incidents. AWS Incident Response Plans include incident review, attack analysis, containment, data collection, and remediation. AWS maintains an AWS Security Bulletin (as of the Effective Date, http://aws.amazon.com/security/security-bulletins/) that publishes and communicates security-related information that may impact the Services and provides guidance on how to mitigate identified risks.
I. Decommissioning of storage media. AWS maintains a storage media decommissioning process that is performed prior to final disposal of storage media used to store Customer Data. Prior to final disposal, storage media that has been used to store Customer Data is degaussed, erased, purged, physically destroyed or otherwise sanitized in accordance with industry standard practices designed to ensure that Customer Data cannot be retrieved from that type of storage media.
1.2 Physical security.
A. Access controls. AWS will (i) implement and maintain physical security measures to prevent unauthorized physical access to, damage to, or disruption of the AWS network, (ii) use appropriate controls to restrict physical access to the AWS network to authorized personnel who have a legitimate business need for such access, (iii) monitor physical access to the AWS network using intrusion detection systems designed to monitor, detect, and notify appropriate personnel of security incidents, (iv) log and periodically review physical access to the AWS network, and (v) conduct periodic audits to confirm compliance with these standards.
B. Availability. AWS will (i) implement redundant systems for the AWS network designed to minimize the impact of a disruption on the AWS network, (ii) design the AWS network to anticipate and tolerate hardware failures, and (iii) implement automated processes designed to route customer traffic away from the affected area in the event of a hardware failure.
1.3 AWS employees.
A. Security training for employees. AWS will implement and maintain security training programs for employees regarding AWS information security requirements. Security awareness training programs are reviewed and updated at least annually.
B. Background checks. To the extent permitted by law and to the extent available from the appropriate authorities, AWS will require that each employee undergo a background investigation that is reasonable and appropriate for the employee’s position and level of access to the AWS network.
2 Ongoing evaluation. AWS conducts regular reviews of the information security program for the AWS network. AWS will update or modify its information security program as necessary to respond to new security risks and to take advantage of new technologies.