In the course of using the Veeam Cloud Services or any other services offered by Veeam (“Services”), you (the “Customer”) may transfer to Veeam certain Personal Data (as defined below) among the data you store using the Services or among the technical logs you may share with Veeam (“Customer-Provided Data”). Separately, you may provide Veeam with certain Personal Data that Veeam uses to provide the Services to you, including the business contact information you provide for billing purposes or in the course of seeking support or maintenance related to the Veeam Services you have purchased (“Provisioning Data”).
This Data Processing Addendum (the “Addendum” or “DPA”) is by and between the Customer on behalf of itself and, to the extent required under applicable data protection laws and regulations, in the name and on behalf of its Authorized Affiliates (collectively, the “Customer”), and the contractual party (as defined in the Agreement of specific Services) and Veeam Affiliates (collectively, “Veeam,” and Veeam and Customer together, the “Parties”), and is incorporated by reference into the Agreement between Customer and Veeam for the purpose of setting forth the terms and conditions under which the parties may exchange Customer-Provided Data to ensure compliance with applicable data protection laws and regulations.
With respect to Customer-Provided Data, Veeam acts as a “Processor,” as this term is defined in the General Data Protection Regulation ((EU) 2016/679) and relevant member state implementations thereof (collectively, “GDPR”), or a “Service Provider,” as this term is defined in the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., and regulations adopted pursuant thereto (collectively, “CCPA”). Consistent with the requirements set forth in GDPR, CCPA, and other applicable laws, this Addendum contains the mandatory stipulations required for contracts between Controllers and Processors or Businesses and Service Providers.
With respect to Provisioning Data, Veeam acts as a “Controller” or “Business” as those terms are used in GDPR and CCPA, respectively. For more information on the purposes for which Veeam processes this information, please visit Veeam’s Privacy Notice (https://www.veeam.com/privacy-notice.html). This Addendum does not otherwise address Veeam’s handling of Provisioning Data or any other Personal Data for which Veeam is a Controller. Customer shall ensure that all information provided is kept accurate and up-to-date.
WHEREFORE, THE PARTIES AGREE AS FOLLOWS:
1. DEFINITIONS AND INTERPRETATION
1.1 Definitions:
Authorized Persons or Affiliates: the persons, categories of persons, or entities that the Controller or Business authorizes to give the Processor or Service Provider personal data processing instructions.
Agreement: the Cloud Service Agreement (which for ease of reference can be found at https://www.veeam.com/eula.html#vdc), or any other agreement that sets out the terms and conditions of the relationship between the Parties.
Controller, Processor, Business, Service Provider: have the same meaning as set forth in the Data Protection Laws.
Customer-Provided Data: means any Personal Data among the data Customer stores using the Services and/or may transfer to Veeam in relation to the Services.
Data Protection Laws: means all applicable privacy and data protection laws including the GDPR (Regulation ((EU) 2016/679)) (“EU GDPR”); and/or the EU GDPR as it forms part of the UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including the Data Protection, Privacy, the CCPA (as amended), and any applicable national implementing laws, regulations and secondary legislation relating to the processing of Personal Data and the privacy of electronic communications, as amended, replaced or updated from time to time, including the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).
Data Subject: means the individual natural person to whom any Personal Data may relate.
Effective Date: the date on which Agreement goes into effect as between the Parties.
Personal Data: means the same as the term “Personal Data” or “Personal Information” in the Data Protection Laws. This Addendum applies to Personal Data that is part of Customer-Provided Data.
Personal Data Breach: a breach of Veeam’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer-Provided Data in Veeam’s possession, custody or control. For clarity, Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Customer-Provided Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other attacks on firewalls or networked systems).
Processing, processes and process: means either any activity that involves the use of Personal Data or as Data Protection Laws may otherwise define these terms.
Services: means Veeam Cloud Services and/or any other services offered by Veeam.
Standard Contractual Clauses (SCC): the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to controllers established in third countries, as set out in the Annex to Commission Decision 2021/914/EU, as may be amended from time to time.
Veeam Affiliates: includes Veeam Software Group GmbH, Veeam Software UK Limited, Veeam Software France SARL, Veeam Software GmbH, Veeam Pty Ltd, Veeam Software Corporation, Veeam Software Portugal Unipessoal LDA, Veeam Software (Czech Republic) s.r.o., VS International Holdings Limited, Coveware Inc., and Veeam Software SRL.
1.2 Rules of Construction.
1.2.1 The Appendices to this Addendum form part of this Addendum and will have effect as if set out in full in the body of this Addendum.
1.2.2 A reference to “writing” or “written” includes faxes and email.
1.2.3 In the case of conflict or ambiguity between:
(a) any provision contained in the body of this Addendum and any provision contained in the Appendices, the Appendices will prevail;
(b) the terms of any accompanying invoice or other documents annexed to this Addendum and any provision contained in the Appendices, the Appendices will prevail;
(c) any of the provisions of this Addendum and the provisions of the Agreement, this Addendum will prevail; and
(d) any of the provisions of this Addendum and any executed (or deemed executed) SCC, the provisions of the executed SCC will prevail.
1.2.4 This Addendum is drafted in the English language and its text will prevail over the text of any version of this Addendum translated into another language. Each notice, instrument, certificate or other communication to be given under this Addendum will be in the English language and its text will prevail over the text of any version of such notice, instrument, certificate or other communication translated into another language.
2. ROLES AND RESPONSIBILITIES REGARDING PROCESSING OF CUSTOMER-PROVIDED DATA
2.1 Party Roles. In the provision of the Services, Veeam processes Customer-Provided Data on behalf of and at the direction of the Customer, and therefore Veeam in this context is a Processor or Service Provider acting on behalf and at the direction of the Customer.
2.2 Veeam Responsibilities.
2.2.1 Veeam shall Process the Customer-Provided Data only on documented instructions from the Customer, unless otherwise required by applicable Data Protection Laws. Veeam as Service Provider agrees to process any Personal Data in the Customer-Provided Data only to perform the Services or any related processing as described in this Addendum.
2.2.2 Veeam shall ensure that personnel authorized by Veeam to process Customer-Provided Data have committed themselves to confidentiality.
2.2.3 To the extent required by applicable Data Protection Laws, Veeam will immediately inform the Customer if, in Veeam’s opinion, any Customer instruction would violate applicable Data Protection Laws.
2.2.4 If Veeam receives a valid request or legal process (such as a subpoena or court order) for Customer-Provided Data, Veeam will attempt to redirect the governmental entity or third party requester to request Customer-Provided Data directly from the Customer. If compelled to disclose Customer-Provided Data to a governmental entity or third party requester, Veeam will give the Customer reasonable notice of the demand to allow the Customer to seek a protective order or other appropriate remedy, unless Veeam is legally prohibited from providing such notice.
2.2.5 If Veeam receives a request from Customer’s data subject to exercise one or more of its rights under the GDPR in connection with the Services for which Veeam is a data processor, Veeam will redirect the data subject to make its request directly to Customer. Veeam will promptly notify Customer if Veeam receives a request from a Data Subject to exercise his or her rights under applicable Data Protection Laws with respect to Customer-Provided Data (“Data Subject Request”). Customer shall be solely responsible for responding to any such Data Subject Request or communications involving Customer-Provided Data. Veeam shall, to the extent legally required, provide reasonable assistance to Customer to respond to any Data Subject Requests or requests from data protection authorities relating to the processing of Customer-Provided Data.
2.2.6 To the extent that information is reasonably available to Veeam, and Customer does not otherwise have access to the required information, Veeam will provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments and prior consultations with supervisory authorities or other competent data privacy authorities to the extent required by Data Protection Laws and solely in relation to Processing Customer-Provided Data, taking into account the nature of the Processing by, and information available to, Veeam.
2.3 Customer Responsibilities.
2.3.1 Customer shall: (i) ensure that there is, and will be throughout the Term of the Agreement, a valid legal basis for the Processing by Veeam of Customer-Provided Data and the means by which the Customer acquired Personal Data in accordance with this DPA and the Agreement (including, any and all instructions issued by Customer from time to time in respect of such processing) for the purposes of all applicable Data Privacy Laws (including Article 6, Article 9(2) and/or Article 10 of the GDPR (where applicable)); (ii) comply with all necessary transparency and lawfulness requirements under applicable Data Protection Law for the collection and use of Customer-Provided Data, including, but not limited to, obtaining any necessary consents and authorizations from Data Subjects (including as required by Articles 12-14 of the GDPR (where applicable)); (iii) ensure it has the right to transfer, or provide access to, Customer-Provided Data to Veeam for processing in accordance with the terms of the Agreement; and (iv) ensure that its instructions to Veeam regarding the processing of Customer-Provided Data are lawful and comply with, and do not cause Veeam to violate, applicable laws, including the Data Protection Laws. Customer shall promptly inform Veeam if any of the foregoing representations are no longer accurate.
2.3.2 Customer acknowledges and agrees that Veeam does not have a means to verify any of the following: (i) the residency of each Data Subject, or (ii) specific data identifiers that are provided to Veeam by the Customer in connection with each Customer request to process Customer-Provided Data. Accordingly, it shall be the sole responsibility of the Customer to identify and verify, as necessary, the relevant Data Protection Law(s) that may apply to Customer-Provided Data.
3. SECURITY OF CUSTOMER-PROVIDED DATA
3.1 Both parties shall maintain appropriate technical and organizational measures to protect Customer-Provided Data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access.
3.2 Customer agrees that the Service, the Security Measures and Veeam’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Customer-Provided Data.
3.3 In accordance with applicable Data Protection Laws, Veeam shall notify Customer without undue delay upon becoming aware of an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer-Provided Data (a “Personal Data Incident”). Veeam shall make reasonable efforts to identify the cause of a Personal Data Incident and take those steps as deemed necessary and reasonable in order to remediate the cause of such Personal Data Incident. Veeam’s obligations set forth herein shall not apply to Personal Data Incidents that are caused directly or indirectly by Customer or a non-Veeam processor engaged by Customer.
4. PERSONAL DATA BREACH
4.1 Veeam shall notify Customer without undue delay upon Veeam becoming aware of a Personal Data Breach affecting Customer-Provided Data. Veeam shall provide Customer with information (insofar as such information is within Veeam’s possession and knowledge and does not otherwise compromise the security of any Personal Data processed by Veeam) to allow Customer to meet its obligations under the applicable Data Protection Laws to report the Personal Data Breach. Veeam’s notification of or response to a Personal Data Breach shall not be construed as Veeam’s acknowledgment of any fault or liability with respect to the Personal Data Breach.
4.2 Veeam shall reasonably cooperate with Customer and take commercially reasonable steps as may be directed by Customer to assist in the investigation of any such Personal Data Breach.
4.3 Customer is solely responsible for complying with notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breaches.
4.4 If Customer determines that a Personal Data Breach must be notified to any Supervisory Authority, and Data Subject(s), the public or others under applicable Data Protection Laws, to the extent such notice directly or indirectly refers to or identifies Veeam, where permitted by applicable laws, Customer agrees to:
(a) notify Veeam in advance; and
(b) in good faith, consult with Veeam and consider any clarifications or corrections Veeam may reasonably recommend or request to any such notification, which: (i) relate to Veeam’s involvement in or relevance to such Personal Data Breach; and (ii) are consistent with applicable laws.
5. RETENTION, RETURN, AND DELETION OF PERSONAL DATA
5.1 Upon termination of the Agreement, Veeam will allow the Customer to retrieve their data from the Services as Section 9 (“Term and Termination”) of the Agreement prescribes. Additionally, upon the Customer’s written request, Veeam will either return or delete the Personal Data unless such data is required to be maintained by Data Protection Laws. In that case, it shall be held by the terms of this Addendum.
6. SUB-PROCESSOR
6.1 Customer authorizes and agrees that Veeam may engage third-party Sub-Processors in connection with its performance of the Agreement and this Addendum. As of the Effective Date, the current list of Approved Sub-Processors is in Appendix A. The list of Sub-Processors may vary depending on the specific Services being provided under the Agreement. The Customer is advised to refer to Appendix A for clarification on the Services for which each Sub-Processor is engaged.
6.2 If and to the extent Veeam engages third-party Sub-Processors to process Customer-Provided Data on Veeam’s behalf, Veeam will impose data protection terms on those Sub-Processors that provide at least the same level of protection as those in this Addendum, to the extent applicable to the nature of the services provided by such Sub-Processors. Veeam will remain responsible for each Sub-Processor’s compliance with the obligations of this Addendum and for any acts or omissions of such Sub-Processor that cause Veeam to breach any of its obligations under this Addendum.
6.3 Veeam will provide appropriate notification within thirty (30) days of any new third-party Sub-Processor to be engaged solely by Veeam. The Customer may object to Veeam’s engagement of such a new Sub-Processor by notifying Veeam in writing within fourteen (14) business days after receipt of Veeam’s notification. If the Customer objects to a new Sub-Processor, the Parties will work in good faith to achieve a commercially reasonable resolution. If no such resolution can be reached, Veeam will, at its sole discretion, choose to either not appoint the new Sub-Processor or permit the Customer to suspend or terminate the affected portion of the Agreement and this Addendum with respect only to those aspects which cannot be provided by Veeam without the use of the objected-to new Sub-Processor by providing written notice to Veeam.
7. CROSS-BORDER DATA TRANSFERS
7.1 Where Customer, as a Controller or as a Processor acting on behalf or at the direction of a Controller, transfers or directs the transfer of Customer-Provided Data from the European Union to Veeam, as Processor, in the United States, the Parties agree that the EU Standard Contractual Clauses shall be deemed executed by the Parties and incorporated into this Addendum as follows:
7.2 Where Customer, as a Controller or as a Processor acting on behalf or at the direction of a Controller, transfers or directs the transfer of Customer-Provided Data from the United Kingdom to Veeam, as Processor, in the United States, the Parties agree to be bound by and incorporate into this Addendum and the EU Standard Contractual Clauses by reference any additional modifications and amendments required by the UK Transfer Addendum. The information set forth herein shall be used to complete Parts 1 and 3 of the UK Transfer Addendum. In accordance with Section 19 of the UK Transfer Addendum, neither the data exporter nor data importer may terminate the UK Transfer Addendum for convenience.
7.3 Where Customer, as a Controller or as a Processor acting on behalf or at the direction of a Controller, transfers or directs the transfer of Customer-Provided Data from Switzerland to Veeam, as Processor, in the United States, the EU Standard Contractual Clauses as set forth above will apply to the transfer in a manner compliant with the Federal Act on Data Protection.
8. LIABILITY
The total aggregate liability of either Party, howsoever arising, under or in connection with this DPA and the SCCs (if and as they apply) will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed by the Parties in the Agreement; provided that, nothing in this Section 8 will affect any person’s liability to Data Subjects under the third-party beneficiary provisions of the SCCs (if and as they apply).
9. TERM AND TERMINATION
9.1 This Addendum will remain in full force and effect so long as: (a) the Agreement remains in effect or (b) Veeam retains any Customer-Provided Data (the “Term”).
9.2 Any provision of this Addendum that expressly or by implication should survive termination of the Agreement in order to protect Customer-Provided Data will remain in full force and effect.
9.3 Either Party’s failure to comply with the terms of this Addendum is a material breach of the Agreement. In such event, the non-breaching party may terminate the relationship as set forth in the Terms of Use, without further liability or obligation.
9.4 Veeam shall be entitled to terminate the Agreement, insofar as it concerns the processing of personal data under this DPA, where:
i) Veeam is unable to adhere to, perform, or implement any instructions issued by Customer due to the technical limitations of its systems, equipment and/or facilities;
ii) Veeam is unable to adhere to, perform, or implement any such instructions which would require disproportionate effort (whether in terms of time, cost, available technology, manpower or otherwise);
iii) In the event there is a change in the applicable Data Privacy Laws that Veeam considers (acting reasonably) would mean that Veeam is no longer able to provide the Services (including any Processing and/or restricted transfer(s) of Customer’s Personal Data) in accordance with its obligations under applicable Data Privacy Laws. In such case, Veeam reserves the right to make changes to the Services and to amend any part of the attached DPA as it considers reasonably necessary to ensure that Veeam is able to provide the Services in accordance with applicable Data Privacy Laws.
10. AUDIT
10.1 Veeam agrees to make available to the Customer on request, such information as Veeam (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA.
10.2 Subject to paragraphs 10.3 to 10.8, in the event that Customer (acting reasonably) is able to provide documentary evidence that the information made available by Veeam pursuant to paragraph 10.1 is not sufficient in the circumstances to demonstrate Veeam’s compliance with this DPA, Veeam shall allow for and contribute to audits by Customer or an auditor mandated by Customer in relation to the Processing of Customer-Provided Data by Veeam.
10.3 Customer shall give Veeam reasonable notice of any audit to be conducted under Paragraph 10.2 (which shall in no event be less than thirty (30) business days’ notice unless required by a Supervisory Authority pursuant to paragraph 10.6(f) and shall use its best efforts and ensure that each of its mandated auditors uses its best efforts) to avoid causing, and hereby indemnifies Veeam in respect of, any destruction, damage, injury or disruption to Veeam’s premises, equipment, Personnel, data, and business (including any interference with the confidentiality or security of the data of Veeam’s other customers or the availability of Veeam’s services to such other customers).
10.4 Prior to conducting an audit, Customer must submit a detailed proposed audit plan providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results of findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Veeam will review the proposed audit plan and provide Customer with any concerns or questions (for example any request for information that could compromise Veeam’s security, privacy, employment or other relevant policies). Veeam will work with Customer to agree on a final audit plan.
10.5 If the controls or measures to be assessed in the requested audit are addressed in a SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request (“Audit Report”) and Veeam has confirmed in writing that there are no known material changes in the controls audited and covered by such Audit Report(s), Customer agrees to accept provision of such Audit Report(s) in lieu of requesting an audit of such controls or measures.
10.6 Veeam need not give access to its premises for the purposes of such an audit:
(a) where an Audit Report is accepted in lieu of such controls or measures in accordance with Paragraph 10.5;
(b) to any individual unless they produce reasonable evidence of their identity and authority;
(c) to any auditor whom Veeam has not approved in advance (acting reasonably);
(d) to any individual who has not entered into a non-disclosure agreement with Veeam;
(e) where, and to the extent that, Veeam considers, acting reasonably, that to do so would result in interference with the confidentiality or security of the data of Veeam’s other customers or the availability of Veeam’s services to such other customers;
(f) outside normal business hours at those premises; or
(g) on more than one occasion in any calendar year during the term of the Agreement, except for audits which Customer (i) reasonably considers necessary because of a Personal Data Breach affecting Customer-Provided Data or (ii) is required to be carried out under the GDPR or by a Supervisory Authority, in each case provided that Customer has identified the Personal Data Breach or the relevant requirement in its notice to Veeam of its audit.
10.7 Nothing in this DPA shall require Veeam to furnish more information about its Sub-Processors in connection with such audit than such Sub-Processors make generally available to their customers.
10.8 Except to the extent prohibited by applicable law, Customer shall be fully responsible for all time spent by Veeam (at Veeam’s then-current professional services rates) in Veeam’s provision of any cooperation and assistance provided to Customer under this Paragraph 10 (excluding any costs incurred in procurement, preparation or delivery of Audit Reports to Customer pursuant to Paragraph 10.5), and shall on demand reimburse Veeam any such costs incurred by Veeam. The audits described in Clauses 8.9(c) and 8.9(d) of the SCCs shall be subject to any relevant terms and conditions detailed in this Paragraph 10.
11. NOTICE
11.1 Notices in connection with this Addendum must be in writing and delivered consistent with the requirements in the Agreement.
VENDOR: DATA IMPORTER DETAILS

| Field | Details |
|---|---|
| Name | Veeam VaaS Corporation |
| Address | 3000 Carillon Point Kirkland, Seattle WA 98033, USA |
| Contact Details for Data Protection | Name: Mark Wong, General Counsel; Email: Mark.Wong@veeam.com; Copy to: Emily Georgiades, Corporate Senior Legal Counsel |
| Veeam Activities | Veeam is a provider of Veeam Cloud Services or any other Services |
| Role | Processor |
CUSTOMER: DATA EXPORTER DETAILS

| Field | Details |
|---|---|
| Name | As described in the Agreement. |
| Address | As described in the Agreement. |
| Contact Details for Data Protection | Name: As described in the Agreement. Role: Email: |
| Customer Activities | As described in the Agreement. |
| Role | Controller, in respect of any Processing of Customer Personal Data in respect of which Customer is a Controller in its own right; and Processor, in respect of any Processing of Customer Data in respect of which Customer is acting as a Processor on behalf of any other person (including its affiliates if and when applicable). |
DETAILS OF PROCESSING:
Categories of Data Subjects:
Data subjects include the Customer’s representatives and end-users including employees, contractors, collaborators, and customers of the Customer. Customer may elect to include personal data from any of the following types of data subjects in the personal data:
Categories of Personal data:
The personal data that is included in e-mail, documents and other data in an electronic form in the context of the Services. Veeam acknowledges that, depending on Customer’s use of the Services, Customer may elect to include personal data from any of the following categories in the personal data:
Frequency of Transfer:
The frequency of the transfer shall be ongoing as initiated by Customer in and through its use, or use on its behalf, of the Services.
Nature of Processing:
Processing operations required in order to provide the Services in accordance with the Agreement.
Purpose of Processing:
Customer-Provided Data will be processed: (i) as necessary to provide the Services as initiated by Customer in its use thereof, and (ii) to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA.
Duration of Processing/Retention Period:
Ongoing as initiated by Customer in and through its use, or use on its behalf, of the Services.
Transfers to (sub-)processors:
Transfers to Sub-Processors are as, and for the purposes, described from time to time in the Sub-Processor List (as may be updated from time to time in accordance with paragraph 4 of this DPA).
| Company name, business identity No, address and country of establishment | Services for which Sub-Processor is engaged | Description of data processing activity | Location of data processing | Measures for legal transfer to Processor (SCC, BCR) located outside of the EEA |
|---|---|---|---|---|
| Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052, USA | Veeam Cloud Services | Provides Microsoft Azure Services used for Veeam Data Cloud | USA, EU, UK, APJ | Standard Contractual Clauses |
In accordance with the obligations set forth in this Addendum, it is within Veeam’s sole discretion to determine how to provide a secure technology environment that adheres to industry best practices, applicable laws, rules and regulations. The following sets forth Veeam’s general security controls.
Information Security Policy.
Veeam has established and maintains an Information Security Policy that is aligned with the principles and requirements of ISO 27001 and NIST Cybersecurity Framework.
Secure Network.
Maintain a secure Network. “Network” means Veeam’s corporate and product/services networks and Systems. “System” means all hardware, software, applications, infrastructure, peripheral equipment, (i.e., all technology resources) that comprise a computer environment and are used in the provision of the services provided under the Agreement.
Protect Personal Data. This includes controls such as:
Encryption of Personal Data at rest and in motion;
Processes and controls to prevent the unauthorized disclosure of Personal Data (such as data loss prevention systems);
Regular backup procedures; and
Data segmentation to prevent unauthorized access to Personal Data.
Maintain a Vulnerability Management Program. This includes:
Regular identification of vulnerabilities in the Network, application, database, software and operating systems, and remediation;
Where applicable, secure code development techniques in adherence with the OWASP standard; and
Annual penetration testing of the Network and assets by a qualified third party.
Access Controls.
Provide strong technical and organizational access control measures to prevent unauthorized access. This includes:
Non-generic, complex, periodically changing passwords;
Segregation of functions and duties;
Multi-factor authentication for administrative access;
Monitoring and logging access to assets processing or storing Personal Data;
Implementation and enforcement of least privilege access principle.
Security Controls for Devices Accessing Personal Data. This includes:
Industry standard end point protection such as antivirus and antimalware software;
VPN to remotely access secure Network or Veeam Networks or Systems containing Personal Data.
Incident Management.
Veeam has prepared and maintains an information security incident response plan. Veeam has controls and tools in place to detect and respond to information security incidents, including tools or services that identify, log and alert of security incidents.
Security Awareness, Training and Background Checks.
Veeam maintains and complies with information security policies and standards that comply with industry standards, including without limitation, conducting respective periodic company-wide information security awareness training, including training on the collection, handling, transport, maintenance and disposal of information, and security incident response;
Veeam performs employee background checks for employees with responsibilities for or access to Veeam Networks and Systems, as well as Personal Data (to the extent permitted by law).
Physical Security.
Veeam provides physical controls to protect Personal Data and the Network, which may include as appropriate:
Physical protection and maintenance of Veeam’s Systems and assets to prevent loss, disclosure, damage, theft, or compromise of Personal Data; and
Labeling and secure disposal of equipment, physical and electronic media that may contain Customer-Provided Data.
Business Continuity and Disaster Recovery.
Veeam maintains a consistent framework and a managed process for business continuity and disaster recovery that addresses information security requirements.
Updates to security measures.
Veeam may update the security measures outlined in this Appendix B as necessary to reflect changes in technology, the processing environment, or to address emerging security threats, provided the updated measures do not materially decrease the overall protection of Customer-Provided Data.