Purpose and nature of the processing
To provide the Services to the Customer as provided in the Terms or as instructed by the Customer.
Categories of the data subjects
Customer’s end users of the Services, including Customer’s employees, representatives, contractors, customers, and any other natural persons that are authorized by and/or receive access to the Services through the Customer.
Categories of the Personal Data
Basic organization contact information, account registration and login information, user emails, information on user roles and status, invites, referrals, passwords’ status, health and breach information, basic device information (e.g., device name, device ID, IP address, OS, platform), activity and email logs, authentication attempts, metadata about items in the vault (e.g., deleted at, last used at, type, pending shares, access rights), application diagnostics, email masking activity (e.g., user identifier, email mask and its description, email addresses, email forwarding status, content, sender and recipient email server IP address, timestamps, metadata).
Basic organization contact information, account registration and login information, user emails, information on user roles and status, invites, referrals, basic device information (e.g., device name, device ID, IP address, OS, platform), activity and email logs, authentication attempts, metadata about items in the vault (e.g., deleted at, last used at, type, pending shares, access rights), application diagnostics.
Duration and frequency of the processing
The processing is performed on a continuous basis for the period of providing the Services to the Customer.
The subject matter, nature, and duration of the processing by sub-processors
Sub-processors are an integral part of the Services provided to the Customer. Sub-processors are used in all stages of providing the Service and the Customer’s Personal Data is processed for as long as it is needed to provide the Service.
Description of the TOMs implemented by Nord
Control of Assets in Server Infrastructure
- Nord’s information is kept in secure and physically inaccessible, encrypted servers located in different places around the world.
- All regular servers are diskless (RAM servers). This allows the creation of a centrally controlled network where nothing is stored locally.
- Nord performs a data center security assessment before onboarding a new vendor.
- All infrastructure is protected by firewalls and other security measures.
Vulnerability Assessment and Remediation
- Security of the Customer’s Personal Data is ensured by security professionals and outside consultants that perform periodic penetration tests for Nord’s websites and applications.
- Security, management, and control of access to information are ensured. Access to the Customer’s Personal Data is granted only to persons who require the Customer’s Personal Data to carry out their functions (on a need-to-know basis).
- Nord uses secure jump boxes to access the network infrastructure from remote locations.
- Admin level privileges to Nord’s infrastructure are restricted to only a limited number of employees.
- Nord uses configuration management software that automates cloud provisioning, configuration management, application deployment, intra-service orchestration, and other IT needs. The software has a role-based access control engine that allows Nord to easily set policies on who can run what automation in what environments, ensuring that only the proper people have the ability to access machines and apply the configuration.
Data Recovery Capability
- In case of any failures, it is possible to restore the Customer’s Personal Data and critical information from back-up copies (if applicable). Back-up copies are encrypted, and data is regularly recorded to data files in different physical places outside Nord’s premises.
Control of Software and Hardware Assets in HR
- Nord maintains employee device inventory and is able to detect and block any rogue devices.
- Nord maintains employee software inventory and is able to detect unauthorized software.
- Computers provided to employees by Nord have mobile device management systems installed that ensure the security of the equipment, appropriate and timely updating of software, as well as safe destruction of the data in the event that the equipment is lost.
- Authorized employees are responsible for the security of Nord’s devices – installing and updating anti-virus, firewall, as well as other security measures.
- Nord requires the use of unique user IDs, strong passwords, two-factor authentication in the majority of applications, and carefully monitored access lists to minimize the potential for unauthorized use. The majority of systems containing the Customer’s Personal Data are accessible to employees only through whitelisted IP addresses.
- All new employees undergo training on information security awareness.
- Nord’s premises are accessible only by persons authorized by Nord.
- Nord’s employees access premises only with key cards that collect information on their use. All premises have operating alarm systems.
- To ensure that Nord’s premises are accessed only by authorized persons, Nord carries out video surveillance of entrance points and passageways.
- Nord’s employees must store documents and data files properly, in a secure manner and refrain from making unnecessary copies. Sensitive paper documents are stored in lockers or safes.
The TOMs to be taken by sub-processors
Nord implements technical and organizational measures to ensure that security practices upheld by its sub-processors are not less protective than those provided in the DPA with respect to the protection of the Customer’s Personal Data (to the extent applicable depending on the nature of the services provided by a sub-processor).