Standard Contractual Clauses

Data Processing Agreement 

ELEARNINGFORCE Data Processing Agreement

Last updated: December 1, 2021

Introduction

This Data Processing Agreement is based on The Danish Data Protection Agency’s standard template for Data Processing Agreements. The Danish Data Protection Agency is the independent authority that supervises compliance with the rules on protection of personal data in Denmark.

Please find the Danish Data Protection Agency’s standard template here.

Following the EDPB opinion (July 2019) on the draft standard contractual clauses (SCCs) for contracts between controller and processor submitted to the Board by the Danish Supervisory Authority (SA), the final text of the Danish SCCs, as adopted by the Danish SA, has been published in the EDPB’s Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.

This Data Processing Agreement is based on this standard processor agreement, that has been adopted by the Danish SA pursuant to art. 28(8) GDPR and aims at helping organizations to meet the requirements of art. 28 (3) and (4), given the fact that the contract between controller and processor cannot just restate the provisions of the GDPR but should further specify them, e.g. with regard to the assistance provided by the processor to the controller.

The possibility of using SCCs adopted by a SA does not prevent the parties from adding other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, the adopted clauses or prejudice the fundamental rights or freedoms of the data subjects.

For the purposes of Article 28(3) of Regulation 2016/679 (the GDPR)

the data processor

and

the data controller

each a ‘party’; together ‘the parties’

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to meet the requirements of the GDPR and to ensure the protection of the rights of the data subject.

Contents

1. Preamble

  1. These Contractual Clauses (the Clauses) set out the rights and obligations of the data controller and the data processor, when processing personal data on behalf of the data controller.
  2. The Clauses have been designed to ensure the parties’ compliance with Article 28(3) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
  3. In the context of the provision and development of a Software as a Service (SaaS) learning management system (LMS365) that provides course and content management, supports multiple course types and learning styles, reporting and tracking, training plans and certifications and compliance, the data processor will process personal data on behalf of the data controller in accordance with the Clauses.
  4. The Clauses shall take priority over any similar provisions contained in other agreements between the parties.
  5. Four appendices are attached to the Clauses and form an integral part of the Clauses.
  6. Appendix A contains details about the processing of personal data, including the purpose and nature of the processing, type of personal data, categories of data subject and duration of the processing.
  7. Appendix B contains the data controller’s conditions for the data processor’s use of sub-processors and a list of sub-processors authorised by the data controller.
  8. Appendix C contains the data controller’s instructions with regards to the processing of personal data, the minimum security measures to be implemented by the data processor and how audits of the data processor and any sub-processors are to be performed.
  9. Appendix D contains provisions for other activities which are not covered by the Clauses.
  10. The Clauses along with appendices shall be retained in writing, including electronically, by both parties.
  11. The Clauses shall not exempt the data processor from obligations to which the data processor is subject pursuant to the General Data Protection Regulation (the GDPR) or other legislation.

2. The rights and obligations of the data controller

  1. The data controller is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR (see Article 24 GDPR), the applicable EU or Member State[1] data protection provisions and the Clauses.
  2. The data controller has the right and obligation to make decisions about the purposes and means of the processing of personal data.
  3. The data controller shall be responsible, among other things, for ensuring that the processing of personal data, which the data processor is instructed to perform, has a legal basis.

3. The data processor acts according to instructions

  1. The data processor shall process personal data only on documented instructions from the data controller, unless required to do so by Union or Member State law to which the processor is subject. Such instructions shall be specified in appendices A and C. Subsequent instructions can also be given by the data controller throughout the duration of the processing of personal data, but such instructions shall always be documented and kept in writing, including electronically, in connection with the Clauses.
  2. The data processor shall immediately inform the data controller if instructions given by the data controller, in the opinion of the data processor, contravene the GDPR or the applicable EU or Member State data protection provisions.

4. Confidentiality

  1. The data processor shall only grant access to the personal data being processed on behalf of the data controller to persons under the data processor’s authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and only on a need-to-know basis. The list of persons to whom access has been granted shall be kept under periodic review. On the basis of this review, such access to personal data can be withdrawn, if access is no longer necessary, and personal data shall consequently not be accessible anymore to those persons.
  2. The data processor shall at the request of the data controller demonstrate that the concerned persons under the data processor’s authority are subject to the abovementioned confidentiality.

5. Security of processing

  1. Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
    The data controller shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. Depending on their relevance, the measures may include the following:

    a. Pseudonymisation and encryption of personal data.

    b. the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services.

    c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

    d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
  2. According to Article 32 GDPR, the data processor shall also – independently from the data controller – evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the data controller shall provide the data processor with all information necessary to identify and evaluate such risks.
  3. Furthermore, the data processor shall assist the data controller in ensuring compliance with the data controller’s obligations pursuant to Article 32 GDPR, by inter alia providing the data controller with information concerning the technical and organisational measures already implemented by the data processor pursuant to Article 32 GDPR along with all other information necessary for the data controller to comply with the data controller’s obligation under Article 32 GDPR.

    If subsequently – in the assessment of the data controller – mitigation of the identified risks requires further measures to be implemented by the data processor, than those already implemented by the data processor pursuant to Article 32 GDPR, the data controller shall specify these additional measures to be implemented in Appendix C.

6. Use of sub-processors

  1. The data processor shall meet the requirements specified in Article 28(2) and (4) GDPR in order to engage another processor (a sub-processor).
  2. The data processor shall therefore not engage another processor (sub-processor) for the fulfilment of the Clauses without the prior written authorisation of the data controller.

    The data processor has the data controller’s general authorisation for the engagement of sub-processors. The data processor shall inform in writing the data controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, thereby giving the data controller the opportunity to object to such changes prior to the engagement of the concerned sub-processor(s). Longer time periods of prior notice for specific sub-processing services can be provided in Appendix B. The list of sub-processors already authorised by the data controller can be found in Appendix B.
  3. Where the data processor engages a sub-processor for carrying out specific processing activities on behalf of the data controller, the same data protection obligations as set out in the Clauses shall be imposed on that sub-processor by way of a contract or other legal act under EU or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Clauses and the GDPR.

    The data processor shall therefore be responsible for requiring that the sub-processor at least complies with the obligations to which the data processor is subject pursuant to the Clauses and the GDPR.
  4. A copy of such a sub-processor agreement and subsequent amendments shall – at the data controller’s request – be submitted to the data controller, thereby giving the data controller the opportunity to ensure that the same data protection obligations as set out in the Clauses are imposed on the sub-processor. Clauses on business related issues that do not affect the legal data protection content of the sub-processor agreement, shall not require submission to the data controller. 
  5. The data processor shall agree a third-party beneficiary clause with the sub-processor where – in the event of bankruptcy of the data processor – the data controller shall be a third-party beneficiary to the sub-processor agreement and shall have the right to enforce the agreement against the sub-processor engaged by the data processor, e.g. enabling the data controller to instruct the sub-processor to delete or return the personal data.
  6. If the sub-processor does not fulfil his data protection obligations, the data processor shall remain fully liable to the data controller as regards the fulfilment of the obligations of the sub-processor. This does not affect the rights of the data subjects under the GDPR – in particular those foreseen in Articles 79 and 82 GDPR – against the data controller and the data processor, including the sub-processor.

7. Transfer of data to third countries or international organisations

  1. Any transfer of personal data to third countries or international organisations by the data processor shall only occur on the basis of documented instructions through a ticket submitted to the support-system at Data Processor by the data controller and shall always take place in compliance with Chapter V GDPR.
  2. In case transfers to third countries or international organisations, which the data processor has not been instructed to perform by the data controller, are required under EU or Member State law to which the data processor is subject, the data processor shall inform the data controller of that legal requirement prior to processing unless that law prohibits such information on important grounds of public interest.
  3. Without documented instructions from the data controller, the data processor therefore cannot within the framework of the Clauses:

    a. transfer personal data to a data controller or a data processor in a third country or in an international organisation

    b. transfer the processing of personal data to a sub-processor in a third country

    c. have the personal data processed by the data processor in a third country
  4. The data controller’s instructions regarding the transfer of personal data to a third country including, if applicable, the transfer tool under Chapter V GDPR on which they are based, shall be set out in Appendix C.6.
  5. The Clauses shall not be confused with standard data protection clauses within the meaning of Article 46(2)(c) and (d) GDPR, and the Clauses cannot be relied upon by the parties as a transfer tool under Chapter V GDPR.

8. Assistance to the data controller

  1. Taking into account the nature of the processing, the data processor shall assist the data controller by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the data controller’s obligations to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR.

    This entails that the data processor shall, insofar as this is possible, assist the data controller in the data controller’s compliance with:

    a. the right to be informed when collecting personal data from the data subject
    b. the right to be informed when personal data have not been obtained from the data subject
    c. the right of access by the data subject
    d. the right to rectification
    e. the right to erasure (‘the right to be forgotten’)
    f. the right to restriction of processing
    g. notification obligation regarding rectification or erasure of personal data or restriction of processing
    h. the right to data portability
    i. the right to object
    j. the right not to be subject to a decision based solely on automated processing, including profiling
  2. In addition to the data processor’s obligation to assist the data controller pursuant to Clause 6.3., the data processor shall furthermore, taking into account the nature of the processing and the information available to the data processor, assist the data controller in ensuring compliance with:

    a. The data controller’s obligation to without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, Datatilsynet / The Danish Data Protection Agency – www.datatilsynet.dk, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;

    b. the data controller’s obligation to without undue delay communicate the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;

    c. the data controller’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment);

    d. the data controller’s obligation to consult the competent supervisory authority, Datatilsynet / The Danish Data Protection Agency – www.datatilsynet.dk prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.
  3. The parties shall define in Appendix C the appropriate technical and organisational measures by which the data processor is required to assist the data controller as well as the scope and the extent of the assistance required. This applies to the obligations foreseen in Clause 9.1. and 9.2.

9. Notification of personal data breach

  1. In case of any personal data breach, the data processor shall, without undue delay after having become aware of it, notify the data controller of the personal data breach.
  2. The data processor’s notification to the data controller shall, if possible, take place within 24 hours after the data processor has become aware of the personal data breach to enable the data controller to comply with the data controller’s obligation to notify the personal data breach to the competent supervisory authority, cf. Article 33 GDPR.
  3. In accordance with Clause 9(2)(a), the data processor shall assist the data controller in notifying the personal data breach to the competent supervisory authority, meaning that the data processor is required to assist in obtaining the information listed below which, pursuant to Article 33(3) GDPR, shall be stated in the data controller’s notification to the competent supervisory authority:

    a. The nature of the personal data including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned

    b. the likely consequences of the personal data breach

    c. the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  4. The parties shall define in Appendix C all the elements to be provided by the data processor when assisting the data controller in the notification of a personal data breach to the competent supervisory authority.

10. Erasure and return of data

On termination of the provision of personal data processing services, the data processor shall be under obligation to delete all personal data processed on behalf of the data controller and certify to the data controller that it has done so unless Union or Member State law requires storage of the personal data.

11. Audit and inspection

The Parties acknowledge that the data processor uses external auditors to verify the adequacy of its security measures.
This audit:
(i) Will be performed at least annually.
(ii) Will be performed according to ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001.
(iii) Will be performed by independent third party security professionals at the data processor’s selection and expense.

At the data controller’s written request and without charge, the data processor will provide the data controller with a confidential summary of the Report (“Summary Report”) so the data controller can reasonably verify the data processor’s compliance with the security and audit obligations under this DPA. The Summary Report will constitute the data processor’s Confidential Information under the confidentiality provisions of the data processor’s MSA.

The data controller agrees that the audit procedures described above satisfy any right it may have to conduct an audit or inspection under Article 28 of the GDPR, or under the EU Commission’s “Controller-to-Processor Standard Contractual Clauses” (annexed to the EU Commission Decision 2010/87/EU and included as Exhibit C of this DPA), if applicable.

12. Governing law and venue

  1. This data processing agreement is governed by material Danish law other than such rules that lead to the application of any other law than Danish.
  2. Any dispute arising out of or in connection with this data processing agreement, including any disputes regarding the existence, validity or termination thereof, shall be settled by arbitration administrated by The Danish Institute of Arbitration in accordance with the rules of arbitration procedure adopted by The Danish Institute of Arbitration and in force at the time when such proceedings are commenced.
  3. The arbitral tribunal shall be composed of three arbitrators. The place of arbitration shall be Aarhus, Denmark. The language to be used in the arbitral proceedings shall be Danish; however, documents may be presented in English to the extent such have not been drafted in Danish and the arbitral tribunal allows for this.

13. Commencement and termination

  1. The Clauses shall become effective on the date of both parties’ signature.
  2. Both parties shall be entitled to require the Clauses renegotiated if changes to the law or inexpediency of the Clauses should give rise to such renegotiation.
  3. The Clauses shall apply for the duration of the provision of personal data processing services. For the duration of the provision of personal data processing services, the Clauses cannot be terminated unless other Clauses governing the provision of personal data processing services have been agreed between the parties.
  4. If the provision of personal data processing services is terminated, and the personal data is deleted or returned to the data controller pursuant to Clause 11.1. and Appendix C.4., the Clauses may be terminated by written notice by either party.
  5. Signature

14. Data controller and data processor contacts/contact points

  1. The parties may contact each other using the following contacts/contact points:
  2. The parties shall be under obligation continuously to inform each other of changes to contacts/contact points.

                                       

On behalf of the data processor

Name: Flemming Blåbjerg

Position: Head of Compliance

Telephone: +45 7027 9191

E-mail: [email protected]

Appendix A – Information about the processing

A.1. The purpose of the data processor’s processing of personal data on behalf of the data controller is:

The data controller and the data processor have entered into the Master Service Agreement (“MSA”) pursuant to which the data controller is granted a license to access and use the service for the duration of the subscription term. In providing the service, the data processor will engage, on behalf of the data controller, in the processing of personal data submitted to and stored within the service by the data controller or third parties with whom the data controller transacts using the service.

A.2. The data processor’s processing of personal data on behalf of the data controller shall mainly pertain to (the nature of the processing):

The data processor will host and process personal data in the course of providing its cloud-based Learning Management System (LMS) platform services to the data controller.

A.3. The processing includes the following types of personal data about data subjects:


The data processor processes personal data defined as:

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier of that person.

The data processor does not process sensitive personal data, following the definition of “sensitive personal data” as personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade or union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Data relating to criminal offenses and convictions are addressed separately (as criminal law lies outside the EU’s legislative competence).

The data processor does not process data specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person, including identifiers such as genetic data and all data pertaining to a data subject’s health status.

The data processor processes the following data on employees and authorised users (data subjects) from the data controller that is relevant for the processing of training:

  • Account name
  • User display name
  • Email address
  • Department
  • Job title
  • Office
  • Country
  • City
  • Manager ID/email
  • Training records *
  • Competencies

* Training records consist of information about which training a learner has historically enrolled into, started and/or completed. This includes data on pass/fail information of assessments as well as assessment scores, if used.

A.4. Processing includes the following categories of data subject:

The data processor processes personal data about the following categories of data subjects on behalf of the data controller:

  • Relevant contact details of the data controller.
  • Data controller’s users of the LMS365 platform who are authorised by the data controller to use the LMS365 platform (and are natural persons).

A.5. The data processor’s processing of personal data on behalf of the data controller may be performed when the Clauses commence. Processing has the following duration:

When a subscription expires, data is no longer processed. The LMS365 SaaS terms and conditions can be downloaded here: https://lms365.com/lms365-saas-terms/

Appendix B – Authorised sub-processors

B.1. Approved sub-processors

On commencement of the Clauses, the data controller authorises the engagement of the following sub-processors:

The data controller shall, on the commencement of the Clauses, authorise the use of the abovementioned sub-processors for the processing described for that party. The data processor shall not be entitled – without the data controller’s explicit written authorisation – to engage a sub-processor for a different processing than the one which has been agreed upon or have another sub-processor perform the described processing.

Appendix C – Instruction pertaining to the use of personal data

C.1. The subject of/instruction for the processing

The data processor’s processing of personal data on behalf of the data controller shall be carried out by the data processor performing the following instruction. The instruction for the processing, being what the data processor is instructed to do with the data types being processed related to fulfilling and achieving the purpose of the processing activities on behalf of the data controller and the data subjects, is:

Deliver and manage training (add, use, record, store, edit, structure, organise, analyse, export and delete personal data) on behalf of the data controller and its employees and authorised data subjects to provide the LMS365 platform, its components and features. The data processor processes:

  • Account name
  • User display name
  • Email address
  • Department
  • Job title
  • Office
  • Country
  • City
  • Manager ID/email
  • Training records *
  • Competencies

* Training records consist of information about which training a learner has historically enrolled into, started and/or completed. This includes data about pass/fail information of assessments as well as assessment scores, if used.

C.2. Security of processing

The level of security shall take into account the nature, scope, context and purposes of the processing activity, as well as the risk for the rights and freedoms of natural persons.

Since processing activities involve processing of personal data, a “high” level of security has been established. The data processor shall hereafter be entitled and under obligation to make decisions about the technical and organisational security measures that are to be applied to create the necessary (and agreed) level of data security.

The data processor shall however – in any event and at a minimum – implement the following measures that have been agreed with the data controller. This sets out the minimum security requirements that the data processor and its sub-processors will adhere to in relation to the processing of personal data.

The data processor is developing its products according to “best practices” and use of secure development procedures:

Secure Development Lifecycle (SDLC) – Trust Center (elearningforce.com)

The data processor shall ensure, by itself and on behalf of all its sub-processors, that it always complies with the following minimum security requirements:

Availability

Data processor leverages the Microsoft Azure cloud platform and implements applicable and recommended security features available on Microsoft Azure.

As such, data processor has security features in place including, but not limited to, firewall, DDoS protection, antimalware protection, anomaly detection on server behaviour and antivirus.

Further, data processor has access restrictions implemented throughout the platform in terms of authenticating both users and applications access to services which interact with data.

Data processor monitors every service and has alarm systems in place if anything out of the ordinary occurs. Also, data processor continuously evaluates the measures in place based on the implemented Information Security Policy.

Integrity

Every application in data processor’s services has logging services implemented which record all operations on the data.

Logging services have both audit logs and application logs which log historical events.

Further, access to manipulate data is restricted to specific user roles and hence governed by managed access in the form of both implemented systems and organisational structures, preventing unintended and/or malicious or accidental access to data.

Being a multitenant environment and SaaS, data processor’s data architecture ensures the integrity and isolation of the data controller’s data by separating data logically based on universally unique identifiers (UUIDs) so customer data is separated logically and secured from other customers. Customers, therefore, share the cloud platform and application, but each tenant’s data is isolated and remains invisible to other tenants.

Confidentiality

Data processor leverages different technologies in terms of securing data, depending on the nature of the data. All databases are encrypted. Data stored in databases is further encrypted using industry-standard encryption algorithms.

Extremely sensitive data such as secrets and credentials are secured by an encryption service using Microsoft Azure Key Vault.

Data processor has confidentiality agreements with all employees. All data processor employees are required to use two-factor authentication and strong passwords that are unique from other services.

Furthermore, data processor maintains automatic access and security logs in multiple locations.

Personal data access is governed by our documented security policies and limited to a small set of employees as required for support and maintenance. Access is further limited to a small whitelist of IP addresses via VPN and requires public key authentication.

Individual employee access follows a principle of least access. Access rights are reviewed quarterly.

Data security and encryption:

Data at rest:

Database encryption

Azure SQL Transparent Data Encryption (TDE)* helps protect the Azure SQL server and database(s) against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups and transaction log files at rest. Each database page is decrypted when read into memory and then encrypted before being written to disk. Hence, data is never written to disk without first being encrypted.

*LMS365 uses TDE with a customer-managed key (BYOK) stored and managed securely within an Azure Key Vault within the Azure data region selected by the data controller while installing LMS365.

For further information, please visit: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-azure-sql

Storage data (large file storage)

Data in Azure Storage is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. All Azure Storage resources are encrypted, including blobs, disks, files, queues and tables. All object metadata is also encrypted.

For further information, please visit: Azure Storage encryption for data at rest | Microsoft Docs.

Data in transit

Transmission of data between the application and Azure is secured using an encrypted TLS 1.2+ connection with AES encryption. SSL/TLS certificates are signed by a publicly known Certificate Authority using SHA-256 with a 2048-bit key.

Cookies containing session information and other sensitive data from the LMS365 platform are all configured with HttpOnly and Secure flags enabled. This protects the cookie contents from being accessed by scripting as well as from being transmitted over unencrypted connections.

Furthermore, the LMS365 application domain is included in the HTTP Strict Transport Security (HSTS) preload list of all major browsers, meaning that these browsers will never connect to the LMS365 application without an encrypted connection.

Portability

LMS365 supports export of data in Excel, ZIP & JSON formats using built-in Export actions or the LMS365 Cloud API.

Resilience of systems

LMS365 is built entirely using Azure’s platform-as-a-service components, all operated securely in the Microsoft Azure cloud fully managed by data processor. Maintenance and updates are included in your subscription to LMS365.

Currently, LMS365 is available in seven regional Azure data centres, and in the US Government Azure cloud.

Each customer can select which Azure data centre they would like to use for data location upon the first installation. The options are:

Azure facilities, premises and physical security

Data processor doesn’t have any in-house data centres, physical networks and/or servers connected to the LMS365 platform. Microsoft manages the physical and environmental security of our Azure-based data centres. The Azure physical security is described here and in our Platforms and Standards:

Advanced Platform Security & Threat Protection – Trust Center (elearningforce.com)

Our internal security program covers physical security at our offices.

Data breach detection and notification

How data processor detects and responds to a breach of personal data, and notifies the data controller under the GDPR

All our services and personnel follow internal incident management procedures to ensure that we take proper precautions to avoid data breaches in the first place. However, in addition, LMS365 and Microsoft’s Azure cloud services have specific security controls in place across our platforms to detect data breaches in the rare event that they occur.

In the event of a breach, i.e. a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, data processor will, without undue delay, but no later than in 24 hours after becoming aware of the breach, notify the data controller in writing and, additionally, in any other reasonable and prompt manner (e.g. by phone or email).

In the event of a security breach, our team will promptly notify the data controller of unauthorised access to its data. Service availability incidents are published to our status page at status.lms365.com with additional information.

Should the data controller’s security team need additional logs for their investigation of an incident determined to affect its organisation, our security team will coordinate and provide access as needed.

The breach notification will contain at least the following:

  • A description of the nature of the breach including the categories and approximate number of data subjects concerned and the categories and approximate number of data records concerned.
  • The name and contact details of the person responsible for data processor’s data protection matters.
  • A description of likely consequences and/or realised consequences of the breach.
  • A description of the measures taken to address the breach and to mitigate its possible adverse effects.

Where, and as far as, it is not possible to provide the information listed at the same time, the information may be provided in phases without undue further delay.

Data processor takes all the necessary steps to protect the data after having become aware of the breach. After having notified the data controller in accordance with the above, data processor will, in consultation with the data controller, take appropriate measures to secure the data and limit any possible detrimental effect to the data subjects.

Data processor will cooperate with the data controller, and with any third parties designated by the data controller, to respond to the breach. The objective of the breach response will be to restore the confidentiality, integrity and availability of the LMS365 platform services, to establish root causes and remediation steps, to preserve evidence and to mitigate any damage caused to data subjects or the data controller.

Data backup, retention and media sanitisation

LMS365 stores all data securely with full redundancy on Microsoft Azure. Each customer has their own dedicated Azure SQL Database with data and backups encrypted with Transparent Data Encryption (TDE) – see Appendix C – C.2. – Data Security and Encryption.

All database backups are managed automatically by Microsoft Azure and are backed up as follows:

Full backups       Weekly
Differential       Every few hours
Transaction log    Every 5 – 10 minutes
Retention          35 days

Note that database backups will be geo-replicated to the paired region.

Physical security of locations at which personal data is processed

Data processor’s Information Security Policy contains specific controls, rules and guidelines regarding the locations at which personal data is processed, such as a password policy, rules of the password manager and enforcement of two-factor authentication.

Servers used by data processor belong to Microsoft, where main access to the data centre facilities is typically restricted to a single point of entry that is manned by security personnel. The main interior or reception areas have electronic card access control devices on the perimeter door(s), which restrict access to the interior facilities. Rooms within the Microsoft data centres that contain critical systems (servers, generators, electrical panels, network equipment etc.) are restricted through various security mechanisms, such as electronic card access control, keyed lock on each individual door, man traps and/or biometric devices.

Requirements for the use of home/remote working

Data processor’s employees are instructed in appropriate technical and organisational measures in order to uphold Confidentiality, Integrity and Availability (CIA) principles at the data processor office and when working remotely.

Requirements for logging

Data processor uses Azure policies to ensure that all Azure resources are collecting the correct security and audit logs according to the Microsoft Azure ISO 27001:2013 Regulatory Compliance standards.

For log management and review, data processor has implemented Azure Sentinel. Azure Sentinel is a cloud-native Security Information and Event Management (SIEM) system that analyses all security and audit logging data in real time using cloud based compute power and artificial intelligence for automated investigation and response (AIR). These capabilities enable our security operations centre to operate more efficiently and effectively 24/7.

C.3. Assistance to the data controller

The data processor shall insofar as this is possible – within the scope and the extent of the assistance specified below – assist the data controller in accordance with Clause 9.1. and 9.2. by implementing the following technical and organisational measures:

Assistance to the data controller is provided by implementing a suitable set of standards and controls, including policies, processes, communication channels, procedures, organisational structures, software and hardware systems, that enable the data processor to provide the right level of assistance to the controller. These controls and standards are established, implemented, monitored, reviewed and improved where necessary to ensure that the specific security and compliance objectives, as well as the purposes of the data protection law GDPR, are met.

The data processor has defined and implemented a policy for information security and privacy and will, for personal data, maintain the following technical and organisational measures to assist the data controller:

Organisation of Information Security, risk assessment and treatment

Appointed responsible for Information Security and assistance to the data controller

The data processor has appointed a person responsible for delegating, coordinating and monitoring the security rules and procedures.

Information security policy

An information security policy governing how data processing, protection and privacy of personal data is ensured in compliance with relevant legislation, regulations and as required in the data processor Information Security Policy, and to ensure assistance of the data controller with compliance for exercising the data subjects’ rights, assistance of the data controller in relation to audits and inspections, and assistance of the data controller in relation to ensuring compliance with the obligations pursuant to Articles 32 – 36, are implemented.

Security roles and responsibilities

Data processor personnel with access to personal data are subject to confidentiality obligations.

Risk management

Data processor performs a risk assessment on processing activities before processing the personal data or launching new modules, components and features as part of the data processor LMS platform.

Data processor retains its security documents pursuant to its retention requirements after they are no longer in effect.

Data processor’s Information Security Policy may be sent via request.

Asset management

Asset inventory

All critical assets required for running the business are identified, have an owner and are documented in a register that is kept up-to-date by the pointed-out employer.

Asset handling

Data processor classifies personal data to help identify it and to allow for access to it to be appropriately restricted.

Data processor personnel must obtain authorisation prior to storing personal data on portable devices or remotely accessing personal data.

Human resources security

Security training, education and awareness

Data processor informs its personnel about relevant security procedures and their respective roles. Data processor also informs its personnel of possible consequences of breaching the security rules and procedures. Data processor will only use anonymous data in training.

Physical and environmental security

Access to physical processing activities

Data processor’s personnel and authorised and approved third party users protect assets from unauthorised access, disclosure, modification, destruction or interference.

Physical access to components

Data processor’s personnel have no physical access to physical components or data centres for processing activities, since the data processor’s LMS platform is hosted on a cloud platform.

Component disposal

Data processor controls that vendors use industry standard processes to delete personal data when it is no longer needed.

Communications and operations management

Operational policy

Data processor maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to personal data.

Data recovery procedures

Backups are made continuously of all critical data and software, and everything is stored in the cloud by approved cloud vendors (sub-processors).

  • On an ongoing basis, to a specific point in time within 35 days, data processor maintains a full backup of personal data from which personal data can be recovered.
  • Monitoring of data recovery procedures is in place to detect and correct errors in the backup process in a timely manner.
  • In case of a disruption, recovery procedures are defined in an internal process for incident management.
  • Data processor has specific procedures in place for governing access to copies of personal data. Data processor ensures backups are not corrupt and can be used to restore data.
  • Data processor reviews data recovery procedures at least every six months, except for data recovery procedures for Azure Government Services, which are reviewed every twelve months.
  • Data processor logs data restoration efforts, including the person responsible, the description of the restored data and, where applicable, the person responsible and which data (if any) had to be input manually in the data recovery process.

Malicious software

Data processor has anti-malware controls to help avoid malicious software gaining unauthorised access to personal data, including malicious software originating from public networks.

Encryption

All personal data is to be encrypted and protected against physical or digital theft of the raw data. This implies all data is encrypted from the outside. Further, some data is to be encrypted and/or made inaccessible to unauthorised access, such as by data processor’s personnel who are not required to see the data in its raw format.

Application and event logging

All applications and/or services are required to log their internal behaviour with respect to understanding failures and daily operation. Any application and/or service that deals with sensitive information is required to keep an audit log which allows for complete auditing of the service. The log format is required to be viewable in a way which does not compromise data security in terms of sensitive information.

Data deletion

Data is continuously deleted after the respective retention period has ended or upon request by the data controller.

Access control

Access policy

Data processor maintains a record of security privileges of individuals that have access to personal data.

Access authorisation

  • Data processor maintains and updates a record of personnel authorised to access data processor’s systems that contain personal data.
  • Data processor deactivates authentication credentials that have not been used for a period of time not to exceed six months.
  • Data processor identifies those personnel who may grant, alter or cancel authorised access to personal data and resources.
  • Data processor ensures that where more than one individual has access to systems containing personal data, the individuals have separate identifiers/log-ins.

Least privilege

  • Technical support personnel are only permitted to have access to personal data when needed.
  • Data processor restricts access to personal data to only those individuals who require such access to perform their job function.

Integrity and confidentiality

  • Data processor instructs data processor personnel to disable administrative sessions when computers are otherwise left unattended.
  • Data processor stores passwords in a way that makes them unintelligible while they are in force.

Authentication

  • Data processor uses industry standard practices to identify and authenticate users who attempt to access information systems with personal data.
  • Where authentication mechanisms are based on passwords, data processor requires use of strong passwords of at least eight characters, in accordance with our password policy.
  • Data processor enforces use of multi-factor authentication for all user accounts.
  • Data processor ensures that deactivated or expired identifiers are not granted to other individuals.
  • Data processor uses industry standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed and during storage.

Information security incident management

Incident response process

  • Data processor maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, to whom the breach was reported and the procedure for recovering data.
  • In the event of a breach, i.e. a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, data processor will, without undue delay, but no later than in 24 hours after becoming aware of the breach, notify the data controller in writing and additionally in any other reasonable and prompt manner (e.g. by phone).
  • Data processor tracks, or enables controller to track, disclosures of personal data, including what data has been disclosed, to whom and at what time. Data processor must responsibly provide access as needed to additional logs for investigation of an incident determined to affect the data controller’s organisation.

Service monitoring

Data processor personnel verify logs at least every six months to propose remediation efforts if necessary, in accordance with our Information Security Policy.

Incident management

Data processor takes all necessary steps to protect the personal data after having become aware of an incident. After having notified the data controller in accordance with the above, data processor will, in consultation with the data controller, take appropriate measures to secure the personal data and limit any possible detrimental effect to the data subjects. Data processor will cooperate with the data controller, and with any third parties designated by the controller, to respond to the incident. The objective of the incident response will be to restore the confidentiality, integrity and availability of the data processor’s LMS platform and personal data affected, to establish root causes and remediation steps, to preserve evidence and to mitigate any damage caused to data subjects or the data controller.

Business continuity management

Data processor maintains emergency and contingency plans for the facilities and the devices in which data processor accesses and processes personal data. Data processor’s contingency plan is tested at least once a year.

Data processor’s redundant storage and its procedures for recovering personal data are designed to attempt to reconstruct personal data in its original or last-replicated state from before the time it was lost or destroyed.

C.4. Storage period/erasure procedures

What happens to your data if you leave the service?

It is data processor’s responsibility to permanently destroy the data controller’s data upon the data controller’s request, with special emphasis on destroying all data in the scope in all locations and ensuring all copies have been discarded.

Data processor shall at its own discretion determine data destruction schedules but shall wherever possible perform such destruction in accordance with the data controller’s requested timetable. Data processor shall have the obligation to wipe persistent media used for storing the data controller’s data, or to securely delete the data controller’s data with related techniques, before it is released into re-use.

Data deletion and retention period

When the LMS365 subscription ends, the data controller’s data will be deleted after 90 days from the LMS365 Azure Subscription. The data will still be available on the backup to a maximum of 35 days after which time the data will be completely unobtainable.

Data deletion on physical storage devices on Azure

Due to LMS365 being built on Microsoft Azure as a SaaS solution, data processor does not have physical access to wipe and destroy media used for storing the data controller’s data on Azure. The media used for storing the data on Azure follows the Microsoft media sanitisation guidelines below.

If a disk drive used for storage suffers a hardware failure, it is securely erased or destroyed before Microsoft returns it to the manufacturer for replacement or repair. The data on the drive is completely overwritten to ensure the data cannot be recovered by any means.

When such devices are decommissioned, they are purged or destroyed according to NIST 800-88 Guidelines for Media Sanitization.

Microsoft is governed by strict standards and removes cloud customer data from systems under our control, overwriting storage resources before reuse, and purging or destroying decommissioned hardware.

Course catalogues (SharePoint site collections), courses (subsites of the site collections) and content within these (objects stored – e.g., word documents, PDFs etc.):

These sites and their content belong entirely to the client’s Microsoft 365 tenant and, therefore, data processor does not delete these sites or their content.

Upon termination of the provision of personal data processing services, the data processor shall either delete or return the personal data in accordance with Clause 11.1., unless the data controller – after the signature of the contract – has modified the data controller’s original choice. Such modification shall be documented and kept in writing, including electronically, in connection with the Clauses.

C.5. Processing location

Processing of the personal data under the Clauses cannot be performed at other locations than the following without the data controller’s prior written authorisation:

Please see table in Appendix C.2., locations of data processing.

C.6. Instruction on the transfer of personal data to third countries

By entering into this data processing agreement, the data controller agrees that the data processor transfers personal data to and stores personal data in third countries to the extent necessary using the sub-data processors listed in Appendix B.1.

The data processor uses the EU Commission’s Standard Contractual Clauses as a basis for the transfer of personal data to third countries. The data controller authorises the data processor to enter into the EU Commission’s standard contractual provisions with sub-data processors in third countries in accordance with Appendix D.2.

If the data controller does not in the Clauses or subsequently provide documented instructions pertaining to the transfer of personal data to a third country, the data processor shall not be entitled within the framework of the Clauses to perform such transfer. 

C.7. Procedures for the data controller’s audits, including inspections, of the processing of personal data being performed by the data processor

The data processor shall once a year obtain an ISO 27001 certification report from an independent third party concerning the data processor’s compliance with the GDPR, the applicable EU or Member State data protection provisions and the Clauses.

The parties have agreed that the following types of inspection report may be used in compliance with the Clauses:

ISO 27001 certification report:

The inspection report shall, without undue delay, be submitted to the data controller for information. The data controller may contest the scope and/or methodology of the report and may in such cases request a new audit/inspection under a revised scope and/or different methodology.

Based on the results of such an audit/inspection, the data controller may request further measures to be taken to ensure compliance with the GDPR, the applicable EU or Member State data protection provisions and the Clauses.

The data controller or the data controller’s representative shall in addition have access to inspect, including physically inspect, the places, where the processing of personal data is carried out by the data processor, including physical facilities as well as systems used for and related to the processing. Such an inspection shall be performed, when the data controller deems it required.

C.8. Procedures for audits, including inspections, of the processing of personal data being performed by sub-processors

The Parties acknowledge that data processor uses external auditors to verify the adequacy of its security measures.

This audit:

(i) Will be performed at least annually.

(ii) Will be performed according to ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001.

(iii) Will be performed by independent third party security professionals at the data processor’s selection and expense.

At the data controller’s written request and without charge, the data processor will provide the data controller with a confidential summary of the report (“Summary Report”) so the data controller can reasonably verify the data processor’s compliance with the security and audit obligations under this DPA. The Summary Report will constitute the data processor’s confidential information under the confidentiality provisions of the data processor’s MSA.

The data controller agrees that the audit procedures described above satisfy any right it may have to conduct an audit or inspection under Article 28 of the GDPR, or under the EU Commission’s “Controller-to-Processor Standard Contractual Clauses” (annexed to the EU Commission Decision 2010/87/EU and included as Exhibit C of this DPA), if applicable.

Appendix D The parties’ terms of agreement on other subjects

D.1. Compliance with Clause 6.6.

The parties agree that the data processor shall only comply with the obligation in Clause 6.6 to include the data controller as a beneficiary third party in its agreements with sub-data processors to the extent that this can reasonably be implemented vis-à-vis the relevant sub-data processors.

D.2. Power of attorney

D.2.1. Introduction

By entering into this data processing agreement, the data controller agrees that the data processor transfers personal data to and stores personal data in third countries to the extent necessary using the sub-data processors specified in Annex B.1.

D.2.2. Scope of power of attorney

By signing this data processing agreement, the data controller authorises the data processor to enter into the agreements necessary for the transfer of personal data to third countries. The purpose is to ensure an adequate level of protection for the personal data which the data controller has left for processing by the data processor in accordance with the Clauses.

The power of attorney includes the conclusion of the EU Commission’s Standard Contract Clauses on behalf of the data controller, so that the standard contract provisions apply directly to the data processing carried out by one or more sub-data processors established outside the EEA and adopted by the data processor on behalf of the data controller.

The power of attorney only includes the conclusion of the standard contract provisions in unchanged form.

D.2.3 Other

The data processor cannot give the power of attorney to a third party. The power of attorney is subject to Danish law.

D.3 Assistance to the data controller and extra documentation

The data processor’s assistance to the data controller in accordance with Clause 8 and regarding “extra documentation” in Clause C.7 and C.8 is remunerated. The remuneration is calculated on the basis of the data processor’s hourly rates and expenses incurred for external assistance, including from sub-data processors or advisors.

*References to “Member States” made throughout the Clauses shall be understood as references to “EEA Member States”.

*Information Security Policy can be sent on request