Silverfin Data Processor Addendum

Last update: 6 December 2021

This data processing agreement is currently only available in English. If you would like a Dutch translation of this agreement, please contact legal@silverfin.com. This personal data processing addendum is currently available only in English. If you would like a French translation of this agreement, please contact legal@silverfin.com.

Pursuant to the Agreement, Silverfin provides the Silverfin Platform and the Service (both as defined below) to the Customer (as defined below). The provision of the Silverfin Platform and the Service leads to the collection and processing of Personal Data (as defined below) by Silverfin, in its capacity as a data processor, on behalf of the Customer. Therefore, Silverfin provides the Customer with this Data Processing Addendum (“DPA”) which sets out (i) how Silverfin shall manage, process and secure the Personal Data; as well as (ii) all parties’ obligations to comply with the Privacy Legislation (as defined below).

By concluding the Agreement with Silverfin, the Customer has indicated that it has read, understands and accepts the terms and conditions of this DPA, which forms an integral part of said Agreement.

This DPA may be updated from time to time by Silverfin, in which case Silverfin shall notify the Customer through its Website (as defined below) or the Silverfin Platform. In any event, the latest version of this DPA can always be accessed on the Website, as well as on the Silverfin Platform.
You can find our archived Silverfin DPA here. The current Silverfin DPA can be found in pdf format here.

1. DEFINITIONS

1.1. Capitalized terms shall have the meaning as set out below:

Affiliate:

unless otherwise defined in the Agreement, a business entity that (in)directly controls, is controlled by or is under common control (i.e. the direct of ownership of more than 50% of the voting securities of a business entity) with such party;

Agreement:

the combined term for the (i) Terms of Use; (ii) Silverfin proposal; (iii) additional orders; and (iv) documents to which reference is made in the Terms of Use;

Authorized Users:

individuals authorized by the Customer to have access to and make use of the Service and the Silverfin Platform;

Customer:

the party with whom Silverfin has concluded the Agreement, including its Participating Affiliate(s);

Data Subject:

The natural person to whom the Personal Data relates, as described in Annex I;

End Customer:

the end customers of the Customer and their affiliates, advisors, representatives, officers, directors, employees, agents and consultants which may be serviced or processed through the Service by the Customer;

Participating Affiliate:

an Affiliate of the Customer that has not entered into a separate Agreement with Silverfin and has been authorized to access and use the Service under an existing Agreement between Silverfin and the Customer;

Personal Data:

personal data (within the meaning of Privacy Legislation), as described in Annex I;

Silverfin Platform:

the Silverfin platform as described and represented via www.silverfin.com;

Service: 

the online service of Silverfin, including the integrations, features and modules as set out in the Agreement;

Privacy Legislation:

the (supra)national privacy legislation applicable to the processing of personal data by the Customer or Silverfin within the scope of the Agreement, such as, but not limited to: (i) the General Data Protection Regulation 2016/679 of April 27, 2016 (“GDPR”); (ii) United Kingdom (UK) Data Protection Act 2018; (iii) the Belgian Privacy Law of 30 July 2018; (iv) the ePrivacy Directive 2002/58/EC of 12 July 2002, including future amendments and revisions thereof; and/or (v) (future) national legislation regarding the implementation of the GDPR;

Silverfin:

Silverfin NV, a limited liability company with registered office at Gaston Crommenlaan 12, 9050 Gent, registered with the Crossroad Database for Enterprises under number 0524.802.662;

Sub-processor:

Affiliates of Silverfin and other third parties engaged by Silverfin to process the Personal Data on behalf of the Customer and in accordance with the Customer’s instructions, as identified in Annex III;

Website:

the Silverfin website, namely: https://www.silverfin.com

 

1.2. The (uncapitalized) terms “(data) controller”; “personal data”; “personal data breach”; “process”; “processing”; “(data) processor” shall have the meaning attributed to them in the Privacy Legislation.

2. ROLE OF THE PARTIES


2.1 The parties acknowledge that with regard to the processing of Personal Data under the Agreement, the Customer shall be considered the ‘data controller’ and Silverfin ‘data processor’ in accordance with the Privacy Legislation. Further, Silverfin may engage (a) Sub-processor(s) pursuant to the provisions of Section 7.


2.2 Each party shall comply with its respective obligations under the Privacy Legislation with respect to the processing of the Personal Data.

3. SUBJECT MATTER


3.1 The Customer acknowledges that by making use of the Silverfin Platform and/or Service, pursuant to the Agreement, it may provide (certain sets of) the Personal Data to Silverfin for processing. The nature and purpose of said processing, as well as a description of the Personal Data and categories of Data Subjects processed under the Agreement are further specified in Annex I.

3.2 Silverfin shall process the Personal Data in a proper and careful way and in accordance with the Privacy Legislation and other applicable rules/best-practices concerning the processing of personal data.

3.3 More specifically, Silverfin shall:

  • during the performance of the Service, provide all its know-how in order to perform the Agreement according to the rules of art, as it fits a specialised and ‘good’ data processor; and,

  • adopt, to the best of its abilities, the necessary security measures (cfr. Annex II) and provide all its know-how in order to perform the Service in accordance with the rules of art.

3.4 The Customer keeps full control concerning the following: (i) how the Personal Data must be processed by Silverfin; (ii) the types of Personal Data processed; (iii) the categories of Data Subjects whose Personal Data is subjected to the processing; (iv) the purpose of the processing; and (v) the fact whether such processing is proportionate.

3.5 This DPA is without prejudice to the provisions of the Silverfin Terms of Use with regard to ‘Data Protection’.

4. INSTRUCTIONS FROM / RESPONSIBILITY OF THE CUSTOMER

4.1 Instructions. Silverfin shall only process the Personal Data upon the Customer’s request and in accordance with the Customer’s lawful instructions in Annex I, unless any legal obligation states otherwise. Silverfin shall inform the Customer, if in its opinion, the instructions infringe the Privacy Legislation. If the Customer subsequently cannot guarantee the validity or legality of the instruction or fails or refuses to change the unlawful instruction so that it no longer violates the Privacy Legislation, Silverfin shall be entitled to (i) suspend/refuse the performance of said instruction and (ii) at its discretion, to either continue to process the Personal Data in accordance with previously provided instructions or to stop the processing altogether, until the Customer has revised its instruction so that it no longer violates the Privacy Legislation.


4.2 Responsibilities. Furthermore, the Customer acknowledges that it is responsible for:


  • the accuracy, quality and legality of (the collection and transfer of) the Personal Data;

  • compliance with all transparency and lawfulness requirements under the Privacy Legislation for the collection and processing of the Personal Data and the transfer thereof to Silverfin; and,

  • ensuring compliance of its instructions (cfr. Annex I) with the Privacy Legislation.

Customer shall inform Silverfin without undue delay if it is not able to comply with its responsibilities under this Section or the Privacy Legislation.

5. USE OF THE SILVERFIN PLATFORM AND THE SERVICE

5.1 In relation to (the processing of) the Personal Data, the Customer recognizes that:


  • Silverfin acts as a facilitator of the Service. Therefore, the Customer shall be responsible for how and to what extent it makes use thereof;

  • it is responsible for all acts and omissions of Authorized Users (i.e. in case the Authorized User does (not) take sufficient measures to protect its account on the Silverfin Platform);

  • Silverfin allows the Customer to make adjustments and/or changes to the Personal Data and shall never consult or adjust such Personal Data itself, unless the Customer requests Silverfin to do so;

  • it is responsible for the material and/or data (including Personal Data) provided by the Data Subject. The Customer is, as controller, thus responsible for complying with the Privacy Legislation and/or any other regulations with regard to aforementioned material and/or data;

  • it shall comply with all laws and regulations (such as, but not limited to: with regard to the retention period or rights of the Data Subject) imposed on it by making use of the Service.

5.2 In case of any misuse of the Service or the Silverfin Platform by the Customer or its Authorized Users in relation to the Personal Data and/or under this DPA or the Privacy Legislation, Silverfin can never be held liable in this respect nor for any damage that would occur.

5.3 The Customer shall avoid any misuse of the Service and the Silverfin Platform in relation to the Personal Data and/or under this DPA or the Privacy Legislation. Therefore, the Customer shall safeguard Silverfin when such misuse would occur as well as for any claim from a Data Subject and/or third party due to such misuse.

6. SECURITY

6.1 Silverfin takes the security of the processing activities very seriously. Silverfin implements appropriate technical and organisational measures, as set forth in Annex II, to ensure, to the best of its abilities, the protection of (i) the Personal Data – including protection against careless, improper, unauthorised or unlawful use and/or processing and against accidental loss, destruction or damage; and (ii) the confidentiality and integrity of the Personal Data. When implementing said measures, Silverfin has taken into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

7. SUB-PROCESSORS

7.1 Approval of Sub-processors
7.1.1 The Customer acknowledges and agrees that Silverfin may engage Sub-processors in connection with provision of the Service (and the performance of the Agreement). In such a case, Silverfin shall ensure that the Sub-processors are at least bound by the same obligations by which Silverfin is bound under this DPA.

7.1.2 Silverfin has currently appointed as Sub-processors its Affiliates and other third parties as listed in Annex III.

7.1.3 Silverfin shall be liable for the acts and omissions of its Sub-processors to the same extent as if it would be performing the Service/processing of the Personal Data itself, directly under the terms of this DPA.

7.2 Update of Sub-processor list
7.2.1 Silverfin shall:

  • update the list whenever a Sub-processor changes (e.g. a new Sub-processor was added, a Sub-processor was substituted, etc.);
  • clearly indicate the changes in the list; and,
  • add a timestamp (i) when the list was updated, and (ii) when the change of the Sub-processor went or will go into effect.

7.2.2 Silverfin shall notify the Customer (e.g. on the Website or through the Silverfin Platform) when changes to the list are made.

7.3 Objection
7.3.1 If the Customer wishes to exercise its right to object to a new Sub-processor, it shall notify Silverfin in writing (cfr. Section 15) and based on reasonable grounds by the latest within thirty (30) days after the notification. If the Customer fails to object within the aforementioned timeframe it shall be deemed to have waived its right to object and to have authorized Silverfin to engage the new Sub-processor.

7.3.2 In the event aforementioned objection is not found unreasonable by Silverfin, parties will discuss the Customer’s concerns with a view to achieving a reasonable solution. Such solution may include, at Silverfin’s discretion, to (i) make available to the Customer a change in the Service; or (ii) recommend a commercially reasonable change to the Customer’s use of the Service to avoid the processing of the Personal Data by the objected new Sub-processor without unreasonably burdening the Customer.

7.3.3 If the parties are, however, unable to come to a solution within a reasonable period of time (which shall not exceed thirty (30) days following the objection of the Customer), the Customer may terminate the Service (in whole or partly) if:

  • the Service/Silverfin Platform cannot be used by the Customer without appealing to the objected new Sub-processor; or,
  • such termination solely concerns that part of the Service which cannot be provided by Silverfin without appealing to the objected new Sub-processor; and this by providing written notice thereof to Silverfin (cfr. Section 15) within a reasonable time.

7.3.4 Termination of the Service within the meaning of Section 7.3.3 shall be without liability to either party (but without prejudice to any fees incurred by the Customer prior to suspension or termination of the Service).

8. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

8.1 The Personal Data shall be primarily processed within the European Economic Area (“EEA”) and in North-America (in which case Section 8.2 applies).

8.2 The Customer recognizes that Silverfin is entitled to transfer and store the Personal Data to countries outside the EEA for the purpose of providing the Service and fulfilling its obligations under the Agreement, and provided that such transfer/storage is done in accordance with the Privacy Legislation regarding additional safeguards. In particular, any transfer of Personal Data outside the EEA by Silverfin to a third party whose domicile or registered office is in a country which does not fall under an adequacy decision enacted by the European Commission, shall be additionally subject to one or more of the listed EU-approved safeguards:

  • closing a data transfer agreement with the third country recipient, which shall contain the standard contractual clauses, as referred to in the 'European Commission implementing decision of 4 June 2021 (Decision (EU) 2021/914) on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council', including the performance of a transfer impact assessment. Before the transfer takes place, the recipient of the Personal Data/Sub-processor of Silverfin in the third country has to guarantee Silverfin that an adequate level of privacy compliance is ensured in this third party country; and/or
  • binding corporate rules. As it is the case for standard contractual clauses, the recipient of Personal Data/Sub-processor of Silverfin in the third country has to guarantee Silverfin that an adequate level of privacy compliance is ensured in the third party country; and/or,
  • certification mechanisms.

8.3 In the event the transfer (or disclosure) of the Personal Data to a third country is required by EU law, EU member state law or law of the United Kingdom to which Silverfin is subject to, Silverfin shall inform the Customer of that legal requirement before the transfer/disclosure, unless that law prohibits such information on important grounds of public interest.

9. CONFIDENTIALITY

9.1 Silverfin shall maintain the Personal Data confidential and thus not disclose nor transfer the Personal Data to third parties, without the Customer’s permission, unless when such disclosure and/or transfer is required by law or by a court or other government decision (of any kind). In such case Silverfin shall, prior to any disclosure and/or announcement, inform the Customer in full transparency on the scope and manner thereof.

9.2 Silverfin ensures the Customer that individuals engaged in the performance of the Service (such as, personnel, representatives, officers, directors, agents, advisors, affiliates and consultants) are (i) informed of the confidential nature of the Personal Data; (ii) are well aware of their responsibilities; and (iii) are bound by written confidentiality agreements. Silverfin ensures that such confidentiality obligations survive the termination of their employment or service contract.

9.3 Silverfin ensures the Customer that the access of its personnel to the Personal Data is limited to such personnel performing the Service in accordance with this DPA.

10. NOTIFICATION OBLIGATIONS AND ASSISTANCE

10.1 Notification. Silverfin shall use its best efforts to inform the Customer as soon as reasonably possible when it:

  • receives a request for information, a subpoena or a request for inspection or audit from a competent public authority (incl. supervisory authority) in relation to the processing of the Personal Data;
  • receives a request from a Data Subject invoking its privacy rights under the Privacy Legislation (cfr. Section 10.3);
  • has the intention to disclose Personal Data to a competent public authority (incl. supervisory authority); or,
  • determines or reasonably suspects a personal data breach has occurred in relation to the Personal Data.

10.2 Personal data breach. In case of a personal data breach, Silverfin:

  • shall notify the Customer without undue delay after becoming aware of this personal data breach and, to the extent possible, provide the information as required by Privacy Legislation (e.g. Article 33.3 GDPR). Upon request of the Customer, Silverfin shall provide – to the extent possible – assistance with respect to the Customer’s reporting obligation under the Privacy Legislation;
  • undertakes – as soon as reasonably possible – to take appropriate remedial actions to make an end to the personal data breach (if such has occurred under its responsibility) and to prevent and/or limit any future personal data breaches.

10.3 Rights of Data Subjects
10.3.1 Silverfin shall promptly notify the Customer if it receives a request from a Data Subject invoking its privacy rights under the Privacy Legislation. Silverfin shall not respond to any such Data Subject request without the Customer’s prior written consent, except to confirm that the request relates to the Customer to which the Customer hereby agrees.

10.3.2 If a Data Subject requests to exercise his/her/their rights, it is the Customer’s responsibility to assist the Data Subject in its request. Only if the Customer does not have the ability to correct, amend, block or delete the Personal Data (as required by Privacy Legislation), Silverfin shall assist the Customer (as long as commercially reasonable).

10.3.3 Notwithstanding the foregoing, the Customer remains responsible for compliance of such Data Subject requests.

10.4 Data Protection Impact Assessment. Taking into account the nature of the processing and to the extent that (i) a data protection impact assessment is required under Privacy Legislation and (ii) the required information is reasonably available to Silverfin and the Customer does not otherwise have access to said information, Silverfin shall – upon request of the Customer – provide reasonable assistance to the Customer with the execution of a data protection impact assessment and possible prior consultation with the competent supervisory authorities. To the extent permitted by the Privacy Legislation, the Customer shall be responsible for any costs arising from Silverfin’s provisions of such assistance.

11. LIABILITY

11.1 Both parties are solely liable for all damage and/or claims of the other party or Data Subjects and fines of competent supervisory authorities that are the result of a party’s own breach of or non-compliance with (i) the provisions of this DPA, and (ii) the Privacy Legislation or other applicable rules concerning Personal Data. Each party shall indemnify the other party in this regard.

11.2 In case of a proven breach by Silverfin of its obligations under this DPA or under the Privacy Legislation, Silverfin shall:

  • be liable for the proven direct damages incurred by the Customer;
  • not be liable for indirect, immaterial and/or consequential damages, including (but not limited to: loss of profit, loss of opportunities, loss of and/or damage to data, loss of reputation, sanctions, and unforeseeable damages).

Silverfin’s liability towards the Customer shall in any case be limited to the total amount paid by the Customer to Silverfin during the last twelve (12) months under the Agreement.

12. TERM

12.1 The total term of this DPA shall be the term of the Agreement. If no term is determined, this DPA shall remain in force as long as the Service has not come to an end.

13. RETENTION, RETURN AND DELETION OF PERSONAL DATA

13.1 Silverfin shall only retain the Personal Data as long as needed to provide the Service or for the term of the Agreement (cfr. Section 12). The Customer accepts that Silverfin may create back-ups of the Personal Data stored on the Silverfin Platform.

13.2 Upon termination of the Service or the Agreement, the following shall apply:

  • the Service and Silverfin Platform shall be deactivated. Any Personal Data, stored on the Silverfin Platform shall as from that moment no longer be available to the Customer;
  • the Customer may request the Personal Data to be returned (‘export’) within two (2) months following the end of the Agreement or the Service, upon which Silverfin shall assess whether such export is possible from a technical perspective. In any event, Silverfin may, at its sole discretion, determine the format of the export. Silverfin reserves the right to charge any costs relating to such exports to the Customer.
  • after said two (2) month-period, the Personal Data on the Silverfin Platform shall be deleted within one (1) month, unless it is required by applicable law to retain the Personal Data.
  • the Personal Data may be present on back-ups. The Personal Data shall be deleted once the last back-up containing the Personal Data is rotated.

13.3 Please note that data or material provided to or submitted to Silverfin by the Customer during the use of the Service that does not contain Personal Data may be further stored by Silverfin following the termination of the Agreement or the Service.

14. COMPLIANCE / INSPECTIONS

14.1 Compliance. Upon the Customer’s request, Silverfin shall make available to the Customer all information necessary and to the extent as requested by law to demonstrate its compliance with its obligations under this DPA.

14.2 Inspections
14.2.1 Silverfin shall allow the Customer (or a third party on its behalf) to carry out inspections – such as, but not limited to: an audit – and shall provide the necessary assistance thereto.

14.2.2 However, the Customer shall limit its initiatives to perform an inspection to a maximum of once a year. The Customer must notify Silverfin at least thirty (30) working days in advance. The performance of inspections may in any case not cause any delay in the performance of the Service by Silverfin.

14.2.3 The Customer shall impose sufficient confidentiality obligations on its (internal/external) auditors. So as to ensure the confidentiality of other Silverfin customers, Silverfin has the right to require from the Customer and its auditors to sign a non-disclosure agreement before the start of the inspection and to limit the scope of the inspection or the access of the Customers to certain premises.

14.2.4 All inspection costs are exclusively borne by the Customer, except if (and to the extent that) a severe security incident/personal data breach (at Silverfin/under Silverfin’s responsibility) or a violation of this DPA is determined during the inspection.

15. NOTIFICATION / CONTACT SILVERFIN

15.1 Notifications by the Customer under this DPA and/or any questions or concerns with regard to the provisions of this DPA must be directed at legal.notices@silverfin.com.

16. GOVERNING LAW & JURISDICTION

16.1 This DPA, including its Annexes, shall be governed by the law and subject to the jurisdiction clause as provided in the Agreement.

 

Annex I – Data Processing

1. OVERVIEW OF THE PERSONAL DATA

Data Subjects – Category 1

  • Name
  • Company
  • Surname
  • Financial data (e.g. accounting data)
  • Residence Address
  • Email address
  • Telephone number
  • Any other personal data filled in by the Customer or Authorized User of the Silverfin Platform in a free form field

Data Subjects – Category 2

  • Name
  • Company
  • Surname
  • Financial data
  • Residence Address
  • Email address
  • Telephone number
  • Any other personal data filled in by the Customer or Authorized User of the Silverfin Platform in a free form field

Data Subjects – Category 3

  • Email address
  • Electronic identification data (IP address; log-in data, usage data, browser data, cookies, geolocation information, passwords, analytic data…)

2. OVERVIEW OF THE DATA SUBJECTS

Category 1

  • End Customers
  • Directors of End Customers
  • Employees of End Customers
  • Shareholders of End Customers
  • Suppliers of End Customers (or their employees / representatives)
  • Customers of End Customer (or their employees / representatives)

Category 2

  • Shareholders of Customer
  • Directors of Customer
  • Suppliers of Customer (or their employees / representatives)

Category 3

  • Authorized Users
  • Employees of Customer

3. NATURE OF THE PROCESSING

  • Collecting
  • Consulting
  • Sorting
  • Comparing
  • Structuring
  • Interconnecting
  • Modifying
  • Communicating
  • Saving
  • Restricting
  • Transferring
  • Deleting

4. MEANS OF PROCESSING

  • Through the Silverfin Platform
  • Electronic communication

5. PURPOSE OF THE PROCESSING

Providing the Service and access to/use of the Silverfin Platform pursuant to the Agreement.

6. DURATION

For the term of the Agreement (cfr. Silverfin’s Terms of Use applicable to the Customer). Upon termination of the Agreement (for whatsoever reason), access to the Silverfin Platform shall be deactivated and the Personal Data shall either be deleted or returned to the Customer as provided in Section 13.

 

Annex II – Security

1. MANAGEMENT DIRECTION FOR INFORMATION SECURITY

(i) Silverfin has implemented an appropriate information security policy.
(ii) Silverfin has suitably qualified information security specialists, supported by the Silverfin business leadership.
(iii) Silverfin management requires employees and third-party contractors with access to Customer information to commit to written confidentiality and privacy responsibilities with respect to that information. These responsibilities survive termination or change of employment or engagement.

2. HUMAN RESOURCE SECURITY

(i) Silverfin provides information security awareness information to employees and relevant third-party contractors.

3. ACCESS CONTROL

3.1 User Access Management
(i) Silverfin implements access control policies to support creation, amendment and deletion of user accounts for systems or applications holding or allowing access to Customer information.
(ii) Silverfin implements a user account and access provisioning process to assign and revoke access rights to systems and applications.
(iii) The use of “generic” or “shared” accounts is prohibited without system controls enabled to track specific user access and prevent shared passwords.
(iv) Silverfin monitors and restricts access to utilities capable of overriding system or application security controls.
(v) User access to systems and applications storing or allowing access to Customer information is controlled by a secure logon procedure.

3.2 Physical Access Management
(i) Physical access to facilities where Customer information is stored or processed is protected in accordance with good industry practices.

4. COMMUNICATIONS SECURITY

4.1 Network Security
(i) Silverfin logically segregates Customer data within a shared service environment.
(ii) Silverfin secures network segments from external entry points where Customer data is accessible.
(iii) External network perimeters are hardened and configured to prevent unauthorized traffic.
(iv) Inbound and outbound points are protected by firewalls and intrusion detection systems (IDS). Ports and protocols are limited to those with specific business purposes.
(v) Silverfin synchronizes system clocks on network servers to a universal time source (e.g. UTC) or network time protocol (NTP).

4.2 Cryptographic Controls
(i) Customer data, including personal data, is encrypted at rest.
Cloud Controls
(i) Silverfin encrypts data during transmission between each application tier and between interfacing applications.

5. OPERATIONS SECURITY

5.1 Service Management
(i) Silverfin has implemented formal operating procedures for system processes impacting Customer data. This notification may occur through generic change logs. Procedures must track author, revision date and version number, and must be approved by management.
(ii) Silverfin monitors service availability.

5.2 Vulnerability Management
(i) Silverfin performs annual penetration testing for systems and applications that store or allow access to Customer data, including Personal Data. Identified issues must be remediated within a reasonable timeframe.
(ii) Silverfin has implemented a patch and vulnerability management process to identify, report and remediate vulnerabilities by:

  • performing a security assessment of the application and underlying infrastructure on a regular basis;
  • implementing vendor patches or fixes; and,
  • developing a remediation plan for critical vulnerabilities.

(iii) Silverfin has implemented controls to detect and prevent malware, malicious code and unauthorised execution of code. Controls must be updated regularly with the latest technology available (e.g. deploying the latest signatures and definitions).

5.3 Logging and Monitoring
(i) Silverfin generates administrator and event logs for systems and applications that store or allow access to Customer data.
(ii) Silverfin reviews system logs periodically to identify system failures, faults, or potential security incidents affecting Customer information.

6. THIRD-PARTY SUPPLIER MANAGEMENT

(i) Silverfin has contractual agreements with third parties handling Customer information which must include appropriate information security, confidentiality, and data protection requirements, as detailed in the Agreement. Agreements with such parties are reviewed periodically to validate that information security and data protection requirements remain appropriate.
(ii) Silverfin reviews its third parties’ information security controls periodically and validates that these controls remain appropriate according to the risks represented by the third party’s handling of Customer information, taking into account any state-of-the-art technology and the costs of implementation.
(iii) Silverfin restricts third party access to Customer data, including Personal Data.
(iv) If requested by Customer, Silverfin provides the Customer a list of third parties with required access to Customer data, including Personal Data.
(v) Silverfin permits access to Customer data, including Personal Data, only as necessary to perform the services that the third party has contractually agreed to deliver.

7. RESILIENCE

(i) Silverfin performs business continuity risk assessment activities to determine relevant risks, threats, impacts, likelihood, and required controls and procedures.
(ii) Based on risk assessment results, Silverfin documents, implements, annually tests and reviews its Business Continuity and Disaster Recovery (BC/DR) plans to validate the ability to restore availability and access to Customer data in a timely manner, in the event of a physical or technical incident that results in loss or corruption of Customer data.

8. AUDIT AND COMPLIANCE

(i) Silverfin periodically reviews whether its systems and equipment storing or enabling access to Customer data, including Personal Data, comply with legal and regulatory requirements and contractual obligations owed to Customer.
(ii) Silverfin maintains current independent verification of the effectiveness of its technical and organisational security measures (e.g. ISO certification). The independent information security reviews are performed at least annually.

 

Annex III – Sub-processors

Silverfin engages the following Sub-processors to assist in providing the Service as described in the Agreement:

1. AFFILIATES

| Name | Nature of processing | Territory |
| --- | --- | --- |
| Silverfin Software Ltd. | Support Services | United Kingdom (London) |
| Silverfin Software B.V. | Support Services | The Netherlands (Amsterdam) |
| Silverfin Software ApS | Support Services | Denmark (Copenhagen) |
| Boltzmann B.V. | Mapping automation and outlier detection | EEA |

2. OTHER SUB-PROCESSORS – SILVERFIN PLATFORM

| Name | Nature of processing | Territory |
| --- | --- | --- |
| Amazon AWS S3 | Storage database’s back-up | EEA |
| Atlassian Pty Ltd (JIRA PST Ticket) | Product and Engineering | Asia Pacific / EEA / United States |
| ClientSuccess, Inc. | Customer success management | United States |
| Datadog Inc. | Infrastructure monitoring | United States |
| DealHub Ltd. | Orders-approval signing | Israel |
| Delighted LLC | Customer feedback (NPS) | United States |
| Dogwood Labs, Inc. (Statuspage) | Product and Engineering | United States |
| Fivetran, Inc. | Data transfer and integration of data sources | United States |
| Functional Software Inc. (Sentry) | Error logging in connection with the provision of the Silverfin Platform | United States |
| GitLab Inc. (DEV Tickets) | Product and Engineering | EEA |
| Google Ltd. | Cloud Infrastructure Hosting; Centralized logging in connection to the provision of the Silverfin Platform | EEA |
| Headway App Inc. | Changelog and communication | United States |
| Heap Inc. | Transmitting, collecting, storing, and analyzing data (including from cookies and device local storage) to provide Customer with analytics information about its visitors’ and users’ use of its website, mobile applications and other online services. | United States |
| Help Scout | Customer onboarding | United States |
| HubSpot Inc. | Customer relationship management | United States |
| InsightSquared | Sales forecasting & analytics / pipeline metrics | United States |
| Looker Data Sciences, Inc. | Business & finance data analytics/metrics | United States |
| Microsoft (Power BI) | Business & finance data analytics/metrics | EEA |
| Outreach Corporation.io | SDR outbound | United States |
| Productboard, Inc. | Account management & support | United States / United Kingdom / EEA |
| Report-URI Ltd. | Security reporting | EEA |
| Salesforce | Customer relationship management | United States |
| Sqreen Inc. | Security management | United States |
| Userlane GmbH | Customer onboarding | EEA |
| VictorOps Inc. | Incident Response | United States |
| Wildbit, LLC. (Postmarkapp) | Sending emails in connection to the provision of the Silverfin Platform | United States |