Data Processing Agreement Cadence
Table of contents
- 1. DEFINITIONS AND INTERPRETATION
- 2. PROCESSING OF PERSONAL DATA
- 3. ROLES AND RESPONSIBILITIES
- 4. SUB-PROCESSING
- 5. SECURITY
- 6. INCIDENT MANAGEMENT AND DATA BREACHES
- 7. AUDITS
- 8. DATA OWNERSHIP, TRANSFER AND DELETION
- 9. RIGHTS OF DATA SUBJECTS
- 10. COOPERATION AND ASSISTANCE
- 11. LIABILITY AND COMPENSATION
- 12. CONFIDENTIALITY
- 13. DURATION OF THE CONTRACT
- 14. APPLICABLE LAW, JURISDICTION AND DISPUTES
- 15. MISCELLANEOUS
- APPENDIX A: Details of data processing
- APPENDIX B: List of processors
- APPENDIX C: Technical & Organisational Security Measures
- 1. DATA HOSTING
- 2. APPLICATION SECURITY LEVEL
- 3. TRAINING & AWARENESS RAISING OF CADENCE EMPLOYEES
- 4. SECURITY MEASURES APPLICABLE TO OUR PREMISES & EMPLOYEES
- 5. PASSWORD HASHING TECHNOLOGY
- 6. SEGREGATION OF WORKING ENVIRONMENTS: PRODUCTION & DEVELOPMENT
- 7. VULNERABILITY MONITORING AND REMEDIATION (WORKSTATION & PRODUCTION)
- 8. SERVER UPDATES, FIREWALLS, NETWORK BACKUPS & ANTI-VIRUS
- 9. PRIVILEGES AND SEGMENTATION OF ADMINISTRATION USES
- 10. RESPONSIBLE DISCLOSURE
THIS DATA PROCESSING AGREEMENT IS CONCLUDED BETWEEN:
BJT Partners also known as Ringover Group, SAS (Simplified Joint-Stock Company) with its registered office at 50 bis rue Maurice Arnoux, 92120 MONTROUGE, FRANCE, registered in the Paris Companies Register under number 480 234 210, hereinafter referred to as the "Processor" or "Cadence", the company that owns the "Cadence" brand. Contact email address: dpo@ringover.com.
AND
The Client: (hereinafter referred to as the "Data Controller" or "Client").
Individually a "Party" and collectively the "Parties".
WHO AGREED AS FOLLOWS:
In the course of providing the Services to the Client under the Agreement, Cadence may process Personal Data on behalf of the Client and the Parties agree to comply with the following provisions regarding any Personal Data, each acting reasonably and in good faith.
This Data Processing Agreement is an integral part of the Cadence Service Contract between Cadence and the Client to which it is attached, and reflects the agreement of the Parties with respect to the Processing of Personal Data.
1. DEFINITIONS AND INTERPRETATION
In this Contract and unless otherwise defined in the Cadence Service Contract, all capitalised terms used in this Contract shall have the meanings set forth below:
- STANDARD CONTRACTUAL CLAUSES: means the European Commission’s Standard Contractual Clauses for the transfer of Personal Data to Processors established outside the European Economic Area in countries that do not ensure an adequate level of protection of Personal Data, pursuant to the European Commission’s decision (2021/914) of June, 4th 2021.
- CONTRACT: means this data processing agreement between Cadence and the Client.
- CADENCE SERVICE CONTRACT: means the Cadence general terms and conditions for the provision, use and access of the services agreed between the Parties, to which this Contract is attached and which can be accessed here.
- PERSONAL DATA: means any information relating to an identified subject, who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic or physical nature, cultural or social identity.
- DATA SUBJECT: means the data subject whose Personal Data is processed by Cadence and/or the Client under this Contract.
- APPLICABLE DATA PROTECTION REGULATIONS: means all laws and regulations, including the laws and regulations of the European Union, the European Economic Area and their Member States, including the French Data Protection Act (Loi Informatique et Libertés no. 78-17) as amended, applicable to the processing of Personal Data under the Contract, including the GDPR as defined below.
- DATA CONTROLLER or CLIENT: means the company signing this Contract, which determines the instructions and the means and purposes of the processing of Personal Data, also referred to as the "Client".
- GDPR: means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- CADENCE SERVICE: means the services offered by Cadence (as defined in the Cadence Service Contract) that the Client has purchased or deployed or to which the Client has subscribed under the Cadence Service Contract.
- PROCESSOR or CADENCE: refers to the company BJT Partners and its brand Cadence, which carries out personal data processing on behalf of and on the instructions of the Client, also referred to as "Cadence".
- SUB-PROCESSOR: means any Data Processor hired by Cadence to process all or part of the personal data on behalf of and at the direction of Cadence.
- PROCESSING: means any operation or set of operations which is performed on personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, as described in Appendix A.
All terms relating to the protection of personal data that are not specifically defined in the contract, such as "supervisory authority", "file", "recipient", "data breaches", "consent", shall have the meaning given to them in Article 4 of the GDPR.
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties
The Parties acknowledge and agree that, with respect to the Processing of Personal Data, the Client is the Controller, Cadence is the Processor and that Cadence may hire Sub-Processors in accordance with the provisions of Article 4 "Sub-Processing" below.
2.2 Processing of Personal Data by the Client
The Client, acting as Data Controller, determines the purposes and means of processing Personal Data. The Client undertakes, when using the Cadence Services, to process Personal Data in accordance with the requirements of the Applicable Data Protection Regulations. To avoid any doubts, the Client’s instructions for processing personal data must comply with the Applicable Data Protection Regulations. The Client is solely responsible for the accuracy, quality and legality of the personal data and the means by which the Client has acquired Personal Data. The Client shall also inform the Data Subjects of the Processing of their Personal Data by Cadence.
2.3 Processing of Personal Data by Cadence
Cadence, acting as a Processor, undertakes to treat Personal Data as confidential information and undertakes to process Personal Data only on behalf of the Client and in accordance with the Client’s documented instructions. The Client instructs Cadence to process Personal Data for the following purposes: (i) processing for the performance of this Contract, the Cadence Service Contract and any applicable order form(s); (ii) processing initiated by Client in the course of using the Cadence Services and generally for the provision of the Cadence Services, (iii) processing to comply with any other reasonable and documented instructions from Client (e.g., by e-mail) so long as such instructions are consistent with the terms of the Contract.
2.4 Details of the processing of Personal Data
The purpose of the Processing of Personal Data by Cadence is the provision of the Cadence Services in accordance with the Cadence Service Contract as described in this Contract. The duration of the Processing, the nature and purpose of the Processing and the types of Personal Data and categories of Data Subjects processed under this Contract are set out in Appendix A (Details of the Processing).
3. ROLES AND RESPONSIBILITIES
3.1 Obligations of the Client
The Client undertakes to:
- provide documented instructions on the purposes and means of the Processing of Personal Data provided by the Client to Cadence in accordance with the Contract;
- comply with its obligations, in particular under the Applicable Data Protection Regulations, with regard to the protection of Personal Data, and with regard to the security of the collection and Processing of Personal Data provided by the Client to Cadence; and to
- designate, at Cadence’s request, a single point of contact to receive and respond to Cadence’s enquiries regarding the administration of the Client’s Personal Data related to the Cadence Service Contract.
3.2 Obligations of Cadence
Cadence, as a Processor, undertakes to:
- ensure that all persons authorised by Cadence to participate in the Processing of Personal Data on behalf of the Client (including its staff, agents and sub-contractors) have undertaken to maintain confidentiality or are subject to an appropriate legal obligation of confidentiality and to comply with the principles of Personal Data protection. Cadence undertakes to take commercially reasonable steps to ensure the reliability of any of its staff involved in the Processing of Personal Data. The Processor undertakes to restrict access to Personal Data to only those members of its staff who strictly need access to such data in order to carry out their duties and obligations under the Cadence Service Contract, the applicable order form(s) and this Contract;
- inform the Client without delay if, in its opinion, an instruction violates the provisions of the Applicable Data Protection Regulations;
- take all technical and organisational measures necessary to ensure the security of the Processing. In particular, Cadence undertakes to implement the appropriate technical and organisational measures described in Appendix C, taking into account the state of the art, the cost of implementation, the nature, scope, context and purposes of the Processing, as well as the risks related to the likelihood and seriousness of harm to the rights and freedoms of the Data Subjects resulting from the Processing of Personal Data. These measures may be reviewed and updated as and when the Applicable Data Protection Regulations change or as and when Cadence deems necessary;
- reasonably assist the Client in demonstrating compliance with its obligations relating to the protection of Personal Data and in particular its obligations to notify and communicate in the event of a data breach, by carrying out a data privacy assessment and consulting with the supervisory authority where appropriate, taking into account the nature of the processing and the information available to Cadence;
- cooperate with the relevant supervisory authorities where necessary; and
- make available to the Client all information reasonably necessary to demonstrate compliance with the Client’s Personal Data Protection obligations.
- As far as possible, the Parties undertake to cooperate with each other in the event of an inspection by the CNIL or any other competent authority concerning the Processing implemented.
4. SUB-PROCESSING
4.1 Authorisation of Sub-Processors
The Client acknowledges and agrees that Cadence may hire Sub-Processors in connection with the provision of the Cadence Services. In such event, Cadence shall have entered into a written agreement with each Sub-Processor containing privacy obligations with respect to the protection of Client’s Personal Data to the extent applicable with respect to the nature of the Cadence Services provided by said Sub-Processor.
4.2 Responsibility of Sub-Processors
Cadence remains liable for the acts and omissions of its Sub-Processors under the same conditions as if Cadence was directly responsible for providing the Cadence Services entrusted to the Sub-Processors under this Contract, except where the Cadence Service Contract provides otherwise.
4.3 List of current Sub-Processors and notification of new Sub-Processors
Cadence makes available to the Client a list of current Sub-Processors who may be involved in the provision of the Cadence Services and for the Processing described in Appendix A. The list of current Sub-Processors is available in Appendix B and will be available on the Cadence personal space accessible by users with "super administrator" privileges.
Cadence undertakes to inform the Client in the event of the addition or deletion of Sub-Processors at least ten (10) working days before such changes.
4.4 The Client’s right to object to new Sub-Processors
The Client may object to Cadence’s appointment of a new Sub-Processor, if it objectively considers that such SubProcessor prevents the Client from complying with its legal obligations, in particular under the Applicable Data Protection Regulations to which it is subject, by promptly notifying Cadence in writing within ten (10) business days of receipt of Cadence’s notification in accordance with the mechanism described in Article 4.3. If the Client objects to the appointment of a new Sub-Processor, Cadence shall use reasonable efforts to offer the Client an alternative solution in the provision of the Cadence Services or to recommend a commercially reasonable change in the Client’s configuration or use of the Cadence Services to avoid the Processing of Personal Data by the new Sub-Processor who was objected to, without this constituting an unreasonable effort for the Client.
5. SECURITY
5.1 Security measures
Cadence undertakes to implement and maintain appropriate technical and organisational security measures to ensure the security (including protection against unauthorised or unlawful Processing, and against accidental or unlawful loss, destruction, alteration, damage, unauthorised or unlawful disclosure of or access to the Client’s Personal Data), confidentiality and integrity of the Personal Data provided by the Client in accordance with the security standards of Cadence described in Appendix C (“Appendix C: Security measures"). Cadence regularly checks compliance with these measures. Cadence undertakes not to substantially reduce the overall security of the provision of the Cadence Services during the period of their subscription by the Client.
5.2 Security updates
It is the Client’s responsibility to verify the information made available by Cadence regarding the security of Personal Data and to independently determine whether the Cadence Services meet the Client’s legal requirements and obligations under the Applicable Data Protection Regulations. The Client acknowledges that security measures are subject to technical progress and development and that Cadence may update or modify the security measures from time to time, without prior notice to the Client, provided that such updates and modifications do not result in a significant degradation of the overall security of the service provided to the Client. The Client may at any time obtain information on changes to Cadence’s security measures by contacting dpo@ringover.com.
5.3 Client’s responsibilities
Notwithstanding the foregoing, the Client agrees, except as otherwise provided in this Contract or the Cadence Service Contract, to be responsible for its secure use of the Cadence Service, including securing its account authentication credentials, protecting the security of the Client’s data in transit to and from the Cadence Service, taking appropriate steps to encrypt or securely back up the Client’s data uploaded to the Cadence Service. The Client also declares that it is responsible for the secure use of the Cadence Service by its employees or processors.
6. INCIDENT MANAGEMENT AND DATA BREACHES
Cadence maintains security incident management rules and procedures and will promptly notify the Client of any accidental or unlawful loss, destruction or alteration and any unauthorised disclosure of or access to Client Data, including Personal Data transmitted, stored or processed by Cadence or its Sub-Processors and of which Cadence becomes aware of, in accordance with the Applicable Data Protection Regulations. Cadence will use reasonable efforts to identify the cause of such incident, whether or not it constitutes a data breach within the meaning of the Applicable Data Protection Regulations, and will take such steps as it considers necessary and reasonable to remedy the cause of such incident, to the extent that the power to remedy such incident is within its control.
In particular, once Cadence becomes aware of a breach of Personal Data, Cadence:
- will in all cases inform the Client without undue delay and, where possible, not later than 72 hours after becoming aware of the security incident;
- will provide timely information to the Client regarding the data breach as and when it becomes aware of it or upon reasonable request by the Client; and
- will promptly take reasonable steps to contain and investigate any data breach. In any event, Cadence’s notification or response to a data breach shall not be construed as an admission by Cadence of any fault or liability in connection with the security incident; and
- will, where appropriate, notify the relevant supervisory authority of the Personal Data breach. This notification will include the following:
- The description and nature of the Personal Data breach including, if possible, the categories and approximate number of Data Subjects affected by the Personal Data breach and the categories and approximate number of records of Personal Data affected;
- The name and contact details of the Data Protection Officer or other point of contact from whom further information can be obtained;
- A description of the likely consequences of the Personal Data breach;
- A description of the measures taken or proposed to be taken by Cadence to remedy the Personal Data breach, including, if applicable, measures to mitigate any negative consequences.
These obligations do not apply to incidents caused by the Client.
7. AUDITS
Upon request and in strict compliance with the confidentiality obligations set forth in the Service Contract, Cadence agrees to make available to the Client all information reasonably necessary to demonstrate Cadence’s compliance with the terms of this Contract, including responses to information security questionnaires, provided that the Client is not a competitor of Cadence or an affiliate of a competitor of Cadence. Cadence will answer questions posed by the Client about the Processing of Personal Data provided by the Client.
In the event that the information provided by Cadence does not allow the Client to reasonably verify Cadence’s compliance with its obligations under this Contract or in the event of a breach of Personal Data, Cadence shall, in consultation with the Client, either:
- provide the Client with a certificate issued by an independent qualified third-party expert certifying that Cadence’s business processes and procedures that involve the Processing of Personal Data provided by the Client comply with this Contract; or alternatively
- allow an independent third-party expert, hired by the Client and at the Client’s expense, to conduct an audit of the facilities Cadence uses to process the Client’s Personal Data. The appointment of the independent thirdparty expert must be reasonably acceptable to Cadence, and such expert must be bound by confidentiality obligations satisfactory to Cadence. The Client shall provide Cadence with a copy of the audit report. The audit will be considered as confidential information of Cadence.
Audits may be conducted no more than once per year per Client, during the term of the Cadence Service Contract, during normal business hours, and shall be subject to (i) a written request submitted to Cadence at least sixty (60) days prior to the proposed audit date and (ii) a detailed written audit plan reviewed and approved by Cadence’s security organisation. Such audits may only be conducted in the presence of a representative of the Cadence security team or any other person appointed by Cadence for this purpose. Audits must not disrupt Cadence’s Processing activities or compromise the security and confidentiality of Personal Data belonging to other Cadence Clients.
The Client shall pay for the time spent by Cadence and its teams or Sub-Processors on such an audit at Cadence’s professional service rates applicable at that time, which shall be made available to the Client upon request. Prior to the commencement of such an on-site audit, the Client and Cadence shall mutually agree on the scope, schedule and duration of the audit, as well as the costs for the time spent by Cadence and its teams or Sub-Processors, for which the Client shall be responsible. These costs must be reasonable, taking into account the resources expended by Cadence or its Sub-Processors. The Client undertakes to inform Cadence promptly of any non-compliance discovered during an audit.
8. DATA OWNERSHIP, TRANSFER AND DELETION
8.1 Data ownership
The Parties agree that Personal Data collected, processed, hosted, backed up or stored by Cadence on behalf of the Client, under this Contract and the Cadence Service Contract or at the Client’s initiative, is and remains the sole property of the Client.
8.2 Data transfer
In order to provide the Cadence Services under the Service Contract, Cadence may need to transfer certain Personal Data provided by the Client to Sub-Processors in accordance with Article 4 of the Contract, who may be located in countries outside the European Economic Area and who do not provide an adequate level of protection for Personal Data.
Cadence undertakes, in accordance with the Applicable Data Protection Regulations, to implement a mechanism to cover such a transfer in a manner that complies with the Applicable Data Protection Regulations and in particular with the Standard Contractual Clauses adopted by the European Commission to govern the transfer of Personal Data to Sub-Processors located outside the European Economic Area.
8.3 Return or deletion of Personal Data
Upon termination or expiration of the Cadence Service Contract, Cadence shall cease all operations on the Personal Data provided by the Client and, at the Client’s discretion, shall return or irretrievably delete all Personal Data provided by the Client under the Cadence Service Contract and shall require its Sub-Processors to do the same. If the Client does not make this choice, Cadence will automatically delete the Personal Data provided by the Client under the Cadence Service Contract.
If Cadence is prohibited by the Applicable Data Protection Regulations, its national law or a supervisory authority from destroying or returning all or part of such Personal Data, Cadence undertakes to maintain the confidentiality of such Personal Data and will not process any of these data for any other purpose. In such event, Cadence may retain a copy of the Personal Data provided by the Client as archives, to the extent required by the Applicable Data Protection Regulations, as authorised by the Client, or as necessary for dispute resolution purposes.
Once the data has been returned to the Client, Cadence will no longer be responsible for the security of the data and its integrity, in particular when it is stored, following the transfer of data from Cadence to the Client, on the Client’s servers or on the servers of a processor operating on behalf of the Client.
9. RIGHTS OF DATA SUBJECTS
If Cadence receives a request from a Data Subject to exercise his/her right to access, correct, restrict Processing, delete, data portability, object to Processing, set out instructions on the fate of his/her data after his/her death or not to be subject to an automated individual decision, Cadence undertakes to promptly notify the Client thereof.
Given the nature of the Processing, Cadence undertakes to provide reasonable assistance to the Client to the extent possible and by appropriate technical and organisational means to enable the Client to comply with its obligation to respond to any Data Subject’s request in accordance with the Applicable Data Protection Regulations. In addition, at the Client’s express request and to the extent that the Client does not have the ability to respond to a Data Subject’s request in the course of its use of the Cadence Services, Cadence agrees to use commercially reasonable efforts to assist the Client in responding to such a request. In the event that such cooperation and assistance requires significant resources on the part of Cadence, Cadence reserves the right to charge the Client at Cadence’s professional service rates in force at that time, which will be made available to the Client upon request, with prior submission of a quote.
If Cadence receives a request for disclosure of Personal Data provided by Client from law enforcement, a government security agency or a supervisory authority, Cadence will promptly notify the Client of such request, except where disclosure of such information is prohibited by law.
In any case, Cadence will never respond to a request from a Data Subject whose Personal Data is processed on behalf of the Client, unless specifically instructed beforehand to do so by the Client in writing. Similarly, when the request is made by an authority and Cadence can inform the Client of this in accordance with the stipulations of the previous paragraph, Cadence will never respond to such a request unless specifically instructed beforehand to do so by the Client in writing.
10. COOPERATION AND ASSISTANCE
In addition to the obligations set forth in Articles 3 and 9, Cadence shall use its best efforts to cooperate with the Client to reasonably assist the Client in the performance of its obligations under the Applicable Data Protection Regulations and within the scope of Cadence and its Sub-Processors, including but not limited to the obligations to notify about any data breach or obligations to consult a supervisory authority.
Cadence’s cooperation and assistance to the Client may particularly include the following:
- upon request, Cadence will cooperate with the Client in responding to any request from a supervisory authority;
- Cadence undertakes to assist the Client in proving compliance with the rules prescribed by Articles 32 to 36 of the GDPR and in particular in carrying out a data protection impact assessment; and
- in the event of proceedings filed against a Party, the other Party shall cooperate in good faith and without undue delay, to the extent possible, with such proceedings.
In the event that such cooperation and assistance requires significant resources on the part of Cadence, Cadence reserves the right to charge the Client at Cadence’s professional service rates in force at that time, which will be made available to the Client upon request, with prior submission of a quote.
11. LIABILITY AND COMPENSATION
The entire liability of each Party arising out of or in connection with this Contract and the Cadence Service Contract and any order form, whether in contract, tort or otherwise, is subject to the "Limitation of Liability" article in the Cadence Service Contract, and any reference to a Party’s liability in that article means that Party’s entire liability under the whole of this Contract, the Cadence Service Contract and any order form signed between the Parties.
12. CONFIDENTIALITY
Each Party shall treat this Contract and information received from the other Party and its activities in relation to this Contract as confidential information and shall keep it in a proper and secure manner. Each Party shall not use or disclose such confidential information without the prior written consent of the other Party, unless (i) disclosure is required by law or (ii) the relevant information has already been made public.
13. DURATION OF THE CONTRACT
The Contract shall remain in force between the Parties for the duration of the provision of the Cadence Services in accordance with the terms of the Cadence Service Contract and any related order forms.
14. APPLICABLE LAW, JURISDICTION AND DISPUTES
This Contract is governed by French law. The Parties shall use their best efforts to resolve amicably, in a fair and equitable manner, any dispute relating to the formation, interpretation, performance and termination of this Contract. The Parties agree to meet after receipt of a notification to this effect sent by registered mail with acknowledgement of receipt by one of the Parties with the intention of resolving this dispute amicably. If the Parties fail to reach an amicable settlement by signing a settlement agreement within sixty (60) days following the amicable settlement meeting, the Parties shall submit their dispute to the competent court within the jurisdiction of the Paris Court of Appeal, which shall have exclusive jurisdiction to settle the dispute.
15. MISCELLANEOUS
This Contract constitutes the entire agreement between the Parties with respect to its subject matter. Any modification to this Contract shall be made in a written amendment signed by both parties. In the event of any conflict between this Contract, the Cadence Service Contract or any order form, this Contract shall prevail except where the Cadence Service Contract is expressly given precedence.
All notices and communications given under this Contract shall be in writing and shall be sent by post or email to the postal and email addresses set out in the heading of this Contract. If one of the parties changes its address during the term of the Cadence Service Contract, it shall be responsible for informing the other party of this within a reasonable period of time by post or e-mail.
This Contract is duly accepted by the Parties and takes effect on the date of signature of the order form.
APPENDIX A: Details of data processing
| DATA CATEGORIES | DATA RETENTION PERIOD |
|---|---|
| General information: company name, address, number of employees, etc. | The entire term of the Service Contract. Upon termination, this data is kept for one (1) year for any potential requisition by the competent authorities. |
| Transactional emails | Cadence does not store transactional email history containing Client information. |
| Client contact, imported manually by the Client on Cadence | Any imported contact that is manually deleted by the Client is deleted by Cadence. Upon termination of the Client, Cadence deletes all contacts. |
| Client contact, synchronised with CRM | Contacts are synchronised with CRM and remain available as long as they exist in CRM. |
| User number (OKTA, AZURE…) in case of SSO integration | These data will be kept for the term of the Service Contract. |
COMPLIANCE WITH THE LEGAL RETENTION PERIOD FOR ELECTRONIC COMMUNICATIONS
As an operator of electronic communications services within the meaning of Article L.33-1 of the French Postal and Electronic Communications Code, our activity is declared to the ARCEP and we are required to keep certain personal data relating to electronic communications services for a legal period of 12 months in accordance with the provisions of Article L.34-1 of the French Postal and Electronic Communications Code (III. to VI.) and its implementing decrees 2006-538 and 2012-436.
APPENDIX B: List of processors
| NAMES OF PROCESSORS | ACTIONS TAKEN ON THE DATA | LOCATION OF SERVERS | MEASURES TO COVER THE TRANSFER (if applicable) |
|---|---|---|---|
| SCALEWAY | Storage of our databases, cloud service, API load balancer & CDN/S3 | FRANCE | N/A |
| DATAPACKET | Storage of our databases, web servers, Telecom servers | FRANCE | N/A |
| CLOUDFLARE | DNS and API load balancer | UNITED STATES | No transfer outside EU, data localisation suite option (data stored in EU) |
| GETACCEPT | Signature certification | IRELAND | N/A |
| SALESFORCE | CRM for customer management and followup | UNITED STATES | SCC |
| FINANCIAL FORCE | Billing management | UNITED STATES | SCC |
| SENDINBLUE | Mailing | FRANCE | N/A |
| SENDGRID | Mailing (backup provider) | UNITED STATES | SCC |
| SLACK | Internal communication tool | UNITED STATES | SCC |
| ZENDESK | Ticket management | UNITED STATES | SCC |
| PLANHAT | Customer relationship management | BELGIUM | N/A |
APPENDIX C: Technical & Organisational Security Measures
1. DATA HOSTING
1.1 Location
All the centres where the data necessary for the provision of Cadence services are hosted are located in France, via Scaleway services, and in Germany via GCP Compute Engine, thus not generating any data transfer outside the European Union or the European Economic Area.
1.2 Certifications
These hosts have the following certifications:
| Hosting companies | Location | Type of data | Certifications |
|---|---|---|---|
| Scaleway DC | Vitry-sur-Seine, France | Database | Certification HDS Tier 3 ISO 27001 : 2013 ISO 50001 : 2011 |
| GCP Compute Engine | Frankfurt, Germany | Application | ISO/IEC 27001 ISO/IEC 27017 ISO/IEC 27018 SOC 1 FedRAMP |
1.3 Business continuity plan
We also have a business continuity and incident response plan in place.
1.4 Organisation and safety
In addition:
- our data centres manage physical security 24/7, using biometric scanners or high-level identity checks;
- we have 2 different electrical inputs for each rack;
- we have implemented DDOS mitigation measures in all our data centres;
- we have different Class 3 providers for IP transit; and
- our services rely on multiple operators for voice and SMS to ensure a seamless service and better security.
Visits to hosting sites: All Clients, suppliers and visitors do not have access to our hosting sites. Requests for access to hosting sites are strictly documented and must be justified by the appropriate Cadence staff.
2. APPLICATION SECURITY LEVEL
- All login pages (on our website and mobile website) transmit data via TLS.
- After logging in, the Cadence application uses a temporary token to identify the Client.
- The Cadence application uses oAuth2 for all its routes.
- The entire Cadence application is encrypted with TLS and SRTP for voice data.
- The dashboard allows you to restrict access to your account via support access Cadence.
- Your credit card details are not stored in our database. We use service providers (listed in Appendix B) that handle your payments with temporary wallet identifiers.
3. TRAINING & AWARENESS RAISING OF CADENCE EMPLOYEES
All employees sign a privacy agreement outlining their responsibility to protect Client data.
We are implementing awareness-raising operations for our teams and we plan to increase the frequency and development of awareness-raising operations, particularly in the area of cyber security. In addition, good security practices are the subject of training communications (for example, when new employees join) and written material is accessible (posted in work areas and made available on the intranet). In addition, we train our employees to acquire the right data security reflexes and we also carry out internal tests (e.g. "fake phishing campaign", use of public Wi-Fi networks, etc.).
4. SECURITY MEASURES APPLICABLE TO OUR PREMISES & EMPLOYEES
We implement industry-standard physical security and protection measures. Our offices and our employees’ information systems are adequately secured and the measures implemented include, in particular:
- securing of the premises with an alarm;
- access control measures with reception staff present throughout the opening hours;
- secure, personal access badges with traceable logs;
- metal curtains protecting access to the premises;
- identifier and password strength requirements with the obligation to renew them regularly;
- limiting and controlling access to information systems according to the access privileges and access needs of employees.
Visit to the Cadence premises: Visitors, Clients and suppliers must register at the reception desk and are always accompanied by a member of the Cadence staff when entering our premises and during their time on site. The same goes for leaving.
5. PASSWORD HASHING TECHNOLOGY
We systematically implement a hashing technology with a salting that is at least as robust as the SHA-256 standard.
Passwords for Cadence accounts are hashed. Our own staff can’t even see them. If you lose your password, it cannot be recovered - it must be reset.
6. SEGREGATION OF WORKING ENVIRONMENTS: PRODUCTION & DEVELOPMENT
Our environments are strictly separated, both physically and logically. All developments are carried out on development environments that are separate from the production ones. We also implement a strict testing procedure on multiple environments before making the decision to go live.
In addition, all databases are separate and dedicated to the prevention of corruption and overlap. We have several layers of logic that separate user accounts from each other.
7. VULNERABILITY MONITORING AND REMEDIATION (WORKSTATION & PRODUCTION)
We actively monitor the emergence and identification of new potential vulnerabilities (0-day) and enforce the implementation of new security patches on all workstations and production environments.
8. SERVER UPDATES, FIREWALLS, NETWORK BACKUPS & ANTI-VIRUS
8.1 Policy applicable to our servers
Our servers are updated regularly, especially at every production launch.
We have a physical firewall (machine) with firewalling rules that only allow flows that are necessary for Cadence’s purposes and the provision of its services to Clients.
We have an automatic hot and cold backup system, machines and database clusters.
We do not use a VPN, but use SSH tunnels to access the servers.
8.2 Policy applicable to our premises
All workstations and production environments are protected by antivirus software. On each workstation, an automatic sleep mode is also set up and configured after 5 minutes of inactivity. We also use VPNs.
9. PRIVILEGES AND SEGMENTATION OF ADMINISTRATION USES
We have implemented several classes of access and permission privileges for our Clients:
- single user;
- administrator;
- super administrator; and
- supervisor.
These 4 user classes ensure that the access and power of each of the Client’s users only have the rights necessary for them to use the services, on a strict "need to know" and "need to do" basis. These 4 levels of use enable the uses and administration rights of the Cadence solution to be segmented.
10. RESPONSIBLE DISCLOSURE
If you have discovered a vulnerability in the Cadence application, please do not share it publicly. Instead, please submit a report via the process described below. We review all security issues brought to our attention and take a proactive approach to emerging security issues. Every day, new security problems and new attack vectors are created. Cadence strives to keep abreast of the latest security developments, both internally and by collaborating with external security researchers and companies. We appreciate the community’s efforts to create a more secure website.
If you believe your account has been compromised or if you notice any suspicious activity on your account, please send an email to abuse@ringover.com.