
Last modified: September 9, 2024

I Background

This Data Processing Agreement (this “DPA”) is incorporated into and shall become a part of the Agreement (as defined below), pursuant to which Customer purchased the right to use the Software and/or Services. Pursuant to the Agreement, Denodo may provide Services as agreed in detail between Denodo and Customer from time to time. Denodo's Services may include the processing of personal data, including personal data relating to Customer and Users on behalf of Customer. To the extent applicable, the data processing terms in this DPA shall apply to any such processing.

Definitions:

For purposes of these terms, “Agreement” shall be as defined in the applicable software license and/or services agreement, purchase order, order form or any other agreement between the parties.

"Adequate Country" means a country or territory recognized as providing an adequate level of protection for Personal Data under an adequacy decision made, from time to time, by (as applicable) (i) the Information Commissioner's Office ("ICO") and/or Secretary of State under applicable UK Data Protection Laws, or (ii) the European Commission under EU Data Protection Laws.

"Applicable Data Protection Laws" means (as applicable to Customer and Denodo) EU Data Protection Laws, UK Data Protection Laws, CCPA & CPRA, and any other legislation or regulation from time to time relating to privacy, data protection and/or the collection, use and/or sharing of personal data anywhere in the world.

“CCPA and CPRA” or “CCPA” means the California Consumer Privacy Act of 2018 and binding regulations promulgated thereunder, in each case, as may be amended from time to time. This includes but is not limited to the California Privacy Rights Act of 2020.

“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. It shall have the same meaning ascribed to “controller” under the GDPR and other equivalent terms under Applicable Data Protection Laws (e.g., “Business” as defined under the CCPA), as applicable.

"EU Data Protection Laws" means (i) Regulation 2016/679 (the European General Data Protection Regulation (“GDPR”)); (ii) the European e-Privacy Directive (Directive 2002/58/EC) (“e-Privacy Directive”); (iii) all national implementations of (i) and (ii); and (iv) the Swiss Federal Data Protection Act of 19 June 1992 and, when in force, the Swiss Federal Data Protection Act of 25 September 2020 and its corresponding ordinances in each case, as may be amended, superseded or replaced from time to time.

"EU SCCs" means standard contractual clauses contained in the annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council and currently available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en and the corresponding annexes, attached at schedule 1 of this DPA.

“Personal Data” means any information, including personal information, relating to an identified or identifiable natural person (“data subject”) or as defined in and subject to Applicable Data Protection Laws. 

“Processor” means the entity which processes personal data on behalf of the Controller. It shall have the meaning ascribed to “processor” under the GDPR and other equivalent terms under other Applicable Data Protection Laws (e.g., “Service Provider” as defined under the CCPA), as applicable. 

"Processor Module" means all clauses contained in module 2 (transfer controller to processor) of the SCCs, unless stated otherwise.

“Sub-processor” means any third-party Processor engaged by Denodo or its affiliates to assist in fulfilling Denodo’s obligations under the Agreement and which processes Customer personal data. Sub-processors may include third parties or Denodo affiliates but shall exclude Denodo employees, contractors, or consultants. 

"UK Data Protection Laws" means the Data Protection Act 2018 and the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (as the latter is implemented by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, as amended), in each case, as may be amended, superseded or replaced from time to time.

"UK SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries set out in the European Commission's Decision 2010/87/EU of 5 February 2010 and currently available at: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087 and the corresponding appendices attached at Schedule 2 of this DPA.

Capitalized terms used but not defined herein shall have the meanings set forth in the Agreement.

II Description of processing

The processing to be carried out by Denodo is as follows:

  1. the subject matter of the processing is the provision of Services to Customer;
  2. the duration of the processing will be throughout the period within which Denodo performs the relevant Services under the Agreement;
  3. the nature of the processing is as described in the applicable Order;
  4. the purpose of the processing is to enable Denodo to perform the relevant Services under the Agreement;
  5. categories of data are those relating to individuals provided to Denodo by the Customer and the categories of data subjects include Customer's staff, Users or suppliers are as described in clause I above.

III Compliance with the Applicable Data Protection Laws

Both Customer and Denodo will comply (and shall ensure that its staff and/or subcontractors comply) with Applicable Data Protection Laws in relation to their processing of Customer personal data.

With respect to CCPA & CPRA compliance specifically, Denodo shall not process, retain, use, or disclose Personal Data of “Consumers” for any purpose other than for the purposes set out in the Agreement, DPA and as permitted under the CCPA. Denodo shall not “Sell” or “Share” information. The terms “Consumer,” “Sell,” and “Share” are as defined under the CCPA. 

IV Responsible individuals and enquiries

Customer and Denodo will each notify the other of the individual within its organization authorized to respond from time to time to enquiries regarding the personal data and the processing which is the subject of the Agreement. Customer and Denodo shall each deal promptly and reasonably with all such enquiries.

V Processing of personal data by Denodo

In relation to the processing of personal data under the Agreement, Denodo shall:

(a) process the personal data (including when making an international transfer of the personal data) only to the extent necessary in order to provide the Services and then only in accordance with:

i. the terms of this Agreement;

ii. Customer's written instructions from time to time which shall be those instructions set out in the Order; unless otherwise required by law. Where Denodo is required by law to process the personal data otherwise than as provided by the Agreement, it will notify Customer before carrying out the processing concerned (unless applicable law also prevents Denodo from doing so for reasons of important public interest);

(b) implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed under the Agreement;

(c) take all reasonable steps to ensure that only authorized personnel have access to the personal data and that any persons whom it authorizes to have access to the personal data will respect and maintain all due confidentiality in relation to the personal data (including by means of an appropriate contractual duty of confidentiality where the persons concerned are not already under such a duty under the law);

(d) not knowingly do, or omit to do, anything, which would cause Customer to be in breach of its obligations under the Applicable Data Protection Laws;

(e) as soon as reasonably practicable notify Customer if, in Denodo's opinion, any instruction given to Denodo infringes Applicable Data Protection Laws;

(f) where applicable in respect of any personal data processed under the Agreement, co-operate with and assist Customer in ensuring compliance with:

i. Customer's obligations to respond to requests from any data subject(s) seeking to exercise their rights under Applicable Data Protection Laws, including by notifying Customer of any written subject access requests Denodo receives relating to Customer's obligations under Applicable Data Protection Laws; and

ii. the Customer's obligations under Applicable Data Protection Laws to:

A. ensure the security of the processing;

B. notify the relevant supervisory authority, and any data subject(s), where relevant, of any personal data breaches;

C. carry out any data protection impact assessments (each a "DPIA") of the impact of the processing on the protection of personal data; and

D. consult the relevant supervisory authority prior to any processing where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by Controller to mitigate the risk.

VI Sub-processors

Denodo will ensure that any sub-processor it engages to provide any services on its behalf in connection with the Agreement does so only on the basis of a written contract which imposes on such sub-processor terms equivalent to those imposed on Denodo in this schedule subject to any standard data processing terms sub-processors may impose on Denodo where Denodo sees no reasonable prospect of successfully negotiating alternative terms (the "Relevant Terms"). Denodo shall procure the performance by the sub-processor of the Relevant Terms and shall be directly liable to Customer for:

(a) any breach by the sub-processor of any of the Relevant Terms;

(b) any act or omission of the sub-processor which causes:

i. Denodo to be in breach of this Agreement; or

ii. Customer or Denodo to be in breach of Applicable Data Protection Laws.

Customer gives its general authorization to Denodo's engagement of sub-processors provided such engagement is subject to the terms above. Denodo will maintain a list of sub-processors at https://www.denodo.com/en/page/denodo-authorised-sub-processors and will add the names of new and replacement sub-processors to the list ten (10) days prior to them starting sub-processing of Personal Data.

Company may subscribe to updates to this list. Customer shall have the opportunity to object to the use of any new sub-processors and must object within 10 days of notification of the sub-processor. Where Customer objects within this time period, Customer shall suggest an alternative sub-processor but shall be responsible for any increased cost as a result of engaging an alternative sub-processor. Where Denodo requires use of the sub-processor in its discretion and is unable to satisfy Customer as to the suitability of the sub-processor or the documentation and protections in place between Customer and the sub-processor within ninety (90) days from Customer's notification of objections, Customer may within thirty (30) days following the end of the ninety (90) day period referred to above, terminate the Agreement and this DPA with at least thirty (30) days' written notice. If Customer does not provide a timely objection to any new or replacement sub-processor in accordance with this clause VI, Customer will be deemed to have waived its right to object. Denodo may use a new or replacement sub-processor whilst the objection procedure in this clause VI is in process.

VII Monitoring of Denodo's performance

(a) Denodo will, subject to the confidentiality terms in the Agreement, provide Customer such information in Denodo’s possession or control as may be necessary to demonstrate compliance with its obligations under this DPA or in order to respond to requests from an applicable Supervisory Authority. Where Customer suspects, acting reasonably, that Denodo is in material breach of this DPA or Customer is subject to a written requirement from its Supervisory Authority to conduct an audit (and can provide reasonable evidence thereof), Customer may itself or through appropriately-qualified personnel conduct, or commission a third party auditor to conduct, an audit into Denodo's compliance with this DPA on the terms set out below.

(b) Audits will (i) be on no less than fourteen days’ prior written notice unless otherwise agreed, (ii) be conducted during normal business hours; (iii) not unreasonably interfere with Denodo’s business activities; (iv) not take place more than once in any year except where required at law or as agreed between the parties; (v) involve reasonable access to personnel and Customer personal data; (vi) not compromise the security of (or grant access to) any data that is not Customer personal data; (vii) be subject to such reasonable security measures and limitations as Denodo may prescribe to protect its systems and its and third party information and (viii) be at Customer’s sole cost and expense.

VIII Data Transfers

Customer acknowledges that Denodo will transfer personal data:

(a) outside the European Economic Area ("EEA") and/or the United Kingdom ("UK"); or

(b) to third parties (which shall include any affiliates of Denodo) where such third party is located outside the EEA and/or the UK.

To the extent that Denodo processes Customer personal data to which EU Data Protection Laws apply, or transfers such personal data to a third party, outside the EEA (except if in a country or territory regarded as adequate pursuant to EU Data Protection Laws), the parties agree that the Controller to Processor Module 2 of the EU SCCs will apply and are incorporated into this DPA, and that Denodo is the 'data importer' and will comply with the obligations of the 'data importer' and the Customer is the 'data exporter' and will comply with the obligations of the 'data exporter' in the EU SCCs. 

(c) The following terms shall apply to the EU SCCs:

(i) The parties agree that the Docking Clause 7 shall be included in the EU SCCs and the optional wording in Clause 11 of the EU SCCs relating to an independent dispute resolution body shall not be included;

(ii) Option 2 of Clause 9 (general authorization of sub-processors) of the Processor Module shall apply in relation to Customer's authorization of the use of Subprocessors and Denodo shall notify the Customer in writing of any intended changes to that list through the addition or replacement of sub-processors at least 10 days in advance and in accordance with clause VI of this DPA;

(iii) Clause 13(a) (Supervision) of Section II shall apply as follows:

Where the data exporter is established in the EU, clause 13(a) shall apply as follows: "the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority"

Where the data exporter is established outside of the EU but within the extraterritorial scope of the GDPR and has appointed an EU Representative, clause 13(a) shall apply as follows: "The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority"

Where the data exporter is established outside of the EU but within the extraterritorial scope of the GDPR, but is not required to appoint an EU Representative, clause 13(a) shall apply as follows: "The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located shall act as competent supervisory authority."; and

(iv) Option 1 of Clause 17 of the EU SCCs shall apply and the parties agree that the governing law shall be the law of the Agreement.

(d) To the extent that Denodo processes personal data to which UK Data Protection Laws applies, or transfers such personal data to a third party, outside the UK (except if in a country or territory regarded as adequate pursuant to UK Data Protection Laws), the parties agree that the UK SCCs will apply and that Denodo is the 'data importer' and will comply with the obligations of the 'data importer' and Customer is the 'data exporter' and will comply with the obligations of the 'data exporter' in the UK SCCs.

(e) The following terms shall apply to the UK SCCs:

(i) Customer may exercise its right of audit under clause 5(f) of the UK SCCs as set out in and subject to the requirements of clause VII of this DPA; and

(ii) Denodo may appoint sub-processors as set out in and subject to the requirements of clause VI of this DPA.

(g) The parties agree that Denodo may (i) replace the UK SCC and/or the EU SCCs generally or in respect of the UK and/or the EEA only (as appropriate) with any alternative or replacement transfer mechanism in compliance with Applicable Data Protection Laws, including any standard contractual clauses approved by an applicable Supervisory Authority or competent government body, and (ii) make reasonably necessary changes to this clause VII by notifying the Customer of the new transfer mechanism or content of any new alternative standard contractual clauses or approved addendum applying the EU SCC to transfers to which UK Data Protection Legislation applies (provided their content is in compliance with the relevant decision or approval), as applicable.

IX Completion of Services

Upon completion of the Services, Denodo will at Customer's discretion:

  1. delete; or
  2. return to the Customer (as directed by Customer);

all personal data (including copies) processed under the Agreement, except to the extent that Denodo is required by law to retain any copies of the personal data. 

De-identified, aggregate data is not personal data and may be used for statistical or financial purposes such as to improve products and services. 

SCHEDULE 1

ANNEX I TO THE EU SCCS

  A. LIST OF PARTIES

Transfer controller to processor

Data exporter(s): The Customer identified in the Agreement.

Role: controller

Data importer(s): Denodo

Address: As set out in the Agreement.

Contact person’s name, position and contact details: Denodo Privacy, privacy@denodo.com 

Activities relevant to the data transferred under the DPA.

Role: processor

  B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:

The personal data transferred concern the following categories of data subjects:

  • Customer’s employees and individuals authorized by Customer to access Customer’s Denodo account(s) for Maintenance and Support Services in connection to the Denodo Platform (Denodo’s on-premises software offering); or use of Agora (Denodo’s managed service).
  • Other: Data Subjects whose Personal Data may be included within Customer's logs and database queries, as part of using Agora.

Categories of personal data transferred:

The personal data transferred concern the following categories of data:

Maintenance and Support (Denodo Platform): name; contact details; contact/ links within the organization; relevant employment information such as type of client; company name; role within the business; certain online activity information; log-in credentials.

Agora: name; contact details; contact/ links within the organization; relevant employment information such as type of client; company name; role within the business; certain online activity information; log-in credentials; database queries; any personal data contained in configuration files, log files, or metadata. 

The personal data transferred may concern the following special categories of personal data:

Maintenance and Support (Denodo Platform): Denodo does not knowingly collect (and Customer shall not submit) any sensitive data or any special categories of data (as defined under Applicable Data Protection Legislation).

Agora: any special categories of data imported or entered into any logs or database queries. 

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Maintenance and Support (Denodo Platform): Continuous. 

Agora: Continuous. 

Nature of the processing:

Maintenance and Support (Denodo Platform): As an on-premises software, customer’s underlying data sources are never exposed to Denodo. In the context of providing maintenance and support services, through the customer support website, we collect identifier data such as name, email, and log-in information. 

Agora: As a managed service, customers have access to Agora through the internet. Personal data described in categories above may be collected, stored, analyzed, encrypted, and otherwise processed in connection with a customer’s use of Agora and the related maintenance and support services as stated in the Agreement.

Purpose(s) of the data transfer and further processing:

Maintenance and Support (Denodo Platform): Maintenance and Support Services as stated in the Agreement. 

Agora: Product deployment and Maintenance and Support Services as stated in the Agreement. 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Denodo will process Personal Data as long as required (a) to fulfill its duties under the Agreement; (b) for Denodo’s lawful and legitimate business needs; or (c) in accordance with applicable law or regulation.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

Transfers to (sub-)processors comprise the same categories of data subjects and personal data and duration as set out above. Denodo sub-processors provide services to Denodo in connection with the delivery of the Services under the Agreement. 

C. COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority is identified pursuant to clause VIII (c)(iv) of this DPA

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Please see the security measures set out in Appendix 2 to the UK SCCs below.

SCHEDULE 2

Appendix 1

to the UK SCCs

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix

Data exporter

The data exporter shall be the Customer (the Controller) who is purchasing items as set out in the Service Order pursuant to the Agreement.

Data importer

The data importer shall be Denodo who is providing the items set out under the Service Order pursuant to the Agreement and is the processor.

Data subjects

The personal data transferred concern the following categories of data subjects:

  • Customer’s employees and individuals authorized by Customer to access Customer’s Denodo account(s) for Maintenance and Support Services in connection to the Denodo Platform (Denodo’s on-premises software offering); or use of Agora (Denodo’s managed service).
  • Other: Data Subjects whose Personal Data may be included within Customer's logs and database queries, as part of using Agora. 

Categories of data

The personal data transferred concern the following categories of data:

Maintenance and Support (Denodo Platform): name; contact details; contact/ links within the organization; relevant employment information such as type of client; company name; role within the business; certain online activity information; log-in credentials.

Agora: name; contact details; contact/ links within the organization; relevant employment information such as type of client; company name; role within the business; certain online activity information; log-in credentials; database queries; any personal data contained in configuration files, log files, and metadata. 

Special Categories of personal data (if appropriate)

The personal data transferred may concern the following special categories of personal data:

Maintenance and Support: Denodo does not knowingly collect (and Customer shall not submit) any sensitive data or any special categories of data (as defined under Applicable Data Protection Legislation). 

Agora: any special categories of data imported or entered into any logs or database queries. 

Processing operations

The personal data transferred will be subject to the following basic processing activities:

Maintenance and Support (Denodo Platform): As an on-premises software, customer’s underlying data sources are never exposed to Denodo. In the context of providing maintenance and support services, pursuant to the Agreement, through the customer support website, we collect identifier data such as name, email, and log-in information.

Agora: As a managed service, customers have access to Agora through the internet. Personal data described in categories above may be collected, stored, analyzed, encrypted, and otherwise processed in connection with a customer’s use of Agora and the related maintenance and support services as stated in the Agreement.

Appendix 2

to the Denodo SCCs

UK SCCS

Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

For both Maintenance and Support (Denodo Platform) and Agora (Denodo’s managed service), Denodo currently observes the security practices described in this Appendix. Technical and organizational security measures specific to Agora are distinguished by use of an asterisk (*).

Notwithstanding any provision to the contrary otherwise agreed to by data exporter, Denodo may modify or update these practices at its discretion provided that such modification and update does not result in a material degradation in the protection offered by these practices.

a) Access Control

Outsourced Processing: When necessary for the performance of Services under the Agreement, Denodo may rely on trusted third-party providers listed on Denodo’s Sub-Processor list and otherwise in accordance with this DPA. All Denodo sub-processors undergo a vendor screening evaluation to ensure compliance with our security standards and certification requirements as well as legal review of contractual agreements, privacy policies, and overall vendor compliance programs in order to ensure the protection of customer data processed or stored by these sub-processors.

Physical and Environmental Security: Denodo hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited against international security standards such as SOC 2 Type II and ISO 27001.

Access Controls: Access controls apply at all levels of Denodo's Information Systems architecture and topology. This includes networks, platforms or operating systems and applications. The attributes of each of them reflect some form of identification and authentication, access authorization, verification of information resources and logging and monitoring of activities.

Physical Controls: Denodo implements measures to prevent unauthorized persons from gaining access to the data processing equipment where the personal data is processed or used in Denodo facilities: establishing security areas; procuring 24-hour security service; requiring all doors to be locked before and after entry; restricting and protecting access paths; securing the data processing equipment; establishing access authorizations for staff and third parties, including the respective documentation; restricting issuance of keycards; regulating keycards once issued; and logging, monitoring and tracking all access to systems. 

Authentication: Denodo has a uniform access control policy whereby Denodo credentials cannot be shared or reassigned to another person. Denodo leverages Multi-Factor Authentication (MFA) to authenticate the identity of employees before accessing any Denodo system or device.

Authorization: Denodo’s Information Classification Policy and access controls ensure that only authorized individuals can access information that they are allowed to access. Based on the level of classification, individuals may need to undergo background checks or additional vetting to ensure eligibility for data handling. Data may be accessible on a “need to know” basis and only to individuals who need the information to perform their job duties. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set. 

b) Transmission Control

In-transit: Denodo leverages firewall and encryption technologies to protect the gateways and pipelines through which personal data travels. Denodo makes encryption (also referred to as SSL or TLS) available on every one of its login interfaces at no additional cost on every customer site hosted on the Denodo products. Denodo’s encryption implementation uses industry standard algorithms and certificates.

At-rest: Denodo stores user passwords following policies that follow industry standard practices for security. Denodo has implemented technologies to ensure, where it is reasonably possible, that stored data is pseudonymized, masked, or encrypted at rest.

Denodo uses commercially reasonable efforts to log, monitor and track data transmissions to prevent unauthorized persons from reading, copying, altering, or deleting data.

c) Monitoring and Incident Response

Detection: Denodo designed its services to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of anomalous activities. Denodo personnel, including security, operations, and support personnel, are responsive to known incidents.

Response and Tracking: Denodo maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Denodo will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.

Communication: If Denodo becomes aware of unlawful access to Customer data stored within its applications, Denodo will: 1) notify the affected Customers of the incident; 2) provide a description of the steps Denodo is taking to resolve the incident; and 3) provide status updates to the Customer contact, as Denodo deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts.

d) Availability Control

Business Continuity Plan (BCP): Denodo implements a Business Continuity Management System as part of our ISO 27001:2022 certification and SOC 2. For additional information, our Business Continuity Policy Statement is available at: https://www.denodo.com/en/page/business-continuity-policy-statement

Control Distribution: Denodo’s Maintenance and Support Services teams are distributed worldwide, across various Denodo offices (the list of Denodo Support Centers can be found at https://support.denodo.com). The global distribution of our personnel and our ability to perform services remotely, via web, email, or phone facilitate the continuity of Denodo’s post-sales services.

Infrastructure Availability: Denodo uses commercially reasonable efforts to ensure Maintenance and Support Services are always available. This is implemented through reasonable infrastructure availability and backups. The services are also archived to assist Denodo operations in maintaining and updating applications and back-up while limiting downtime. *For Agora specifically, Denodo leverages the Availability capabilities of the cloud service provider.

Fault Tolerance: Backup strategies are designed to ensure protection during a significant processing failure. Data is backed up to multiple durable data stores and located outside the main location. All databases are backed up and maintained using industry-standard methods, ensuring they are readily available for restoration in case of failure of storage infrastructure or database services.

e) Testing, Assessing, and Ongoing Evaluation

Code Analysis: Denodo conducts both static analysis of the code and vulnerability scanning by using Static and Dynamic Application Security Testing (SAST, DAST) tools, as well as internally developed security tests and code reviews (peer review by other developers). Those analyses are executed on every new software release and update.

Penetration Testing and Vulnerability Management: Denodo contracts a qualified third-party assessor to conduct penetration testing annually. Identified vulnerabilities are classified and remediated accordingly.

ISO 27001:2022 Certification: Denodo’s Information Security Management System (ISMS) is ISO/IEC 27001:2022 certified. At least once a year, Denodo measures, reviews, and documents its compliance with ISO/IEC 27001:2022. This process includes an audit by an accredited external body, demonstrating Denodo’s commitment to proactive security measures and attesting to the highest standards of quality, rigor, and integrity in our solutions and services.

*SOC Assurance: For Agora specifically, Denodo contracts with a qualified third-party assessor to annually renew the SOC 2 Type II and SOC 3 Type II reports, following the Standards Board of the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria (TSC) for Security, Availability, and Confidentiality.

CMMC Level 1: Denodo undergoes an annual audit to meet the US Department of Defense security requirements according to CMMC Level 1, version 2. 

Verification of Certifications: Upon the Customer’s written request, not more than once annually, Denodo will provide the necessary information to demonstrate compliance with its obligations under this DPA and make available, under non-disclosure obligations, a copy of Denodo’s most recent ISO/IEC 27001:2022 certificate or SOC 3 Type II audit report. 

f) Internal IT and IT security governance and management

Information Security Management System (ISMS): Denodo’s ISMS includes the implementation and maintenance of internal policies and processes to ensure compliance with all applicable data protection laws and security standards. Statements regarding these policies can be found at: Information Security Policy Statement: https://www.denodo.com/en/page/information-security-policy-statement

g) Additional controls for log data

Maintenance and Support Services (Denodo Platform): For Denodo’s on-prem offering, we rely on customers to physically limit access to personal information that may be contained in customer log files when procured by Denodo’s Maintenance and Support team for the provision of maintenance and support services. Customers should ensure that they do not share personal data and share only what is needed to fulfill the request. While Denodo will make its best effort to minimize information inadvertently sent in the log files, customers run the risk of having personal data in log files processed beyond the ordinary purpose limitation. Customers are responsible for notifying Denodo of inadvertent disclosure of information so that Denodo may take necessary action to return or delete such information. 

*Agora (Denodo’s managed service): Through Agora the processing of log files is not manual, but automatic. Log files may be accessible to Denodo’s Customer Support Representatives when necessary for maintenance and support services through the control plane. As an additional technical measure, Denodo uses data redaction techniques that mask personal data in customer logs processed through Agora so the personal information is not visible to Denodo employees who might otherwise have access.
