General Data Protection Regulation Addendum

This General Data Protection Regulation Addendum ("DPA") forms part of the Terms of Service available at https://connectana.app/home/page/terms_of_service or, if applicable, any other separate written agreement (the "Agreement"), by and between Connectana, Pvt Ltd, a Zimbabwean Company ("Connectana") and the Customer named in the Agreement, pursuant to which Customer has purchased a subscription to access and use the Service (as defined in the Agreement). The parties intend this DPA to be an extension of the Agreement that will outline certain requirements for Connectana’s processing of certain personal data provided or made available by Customer, or collected or otherwise obtained by Connectana, in the course of providing services to Customer.

Contents

1. Definitions

2. Scope

3. Data Protection

Appendix 1: Subject Matter and Details of the Data Processing

Appendix 2: Overview Of Connectana’s Technical And Operational Security Measures

 

Appendix 1: Subject Matter and Details of the Data Processing

Data exporter

The data exporter is Customer.

 

Data importer

The data importer is Connectana, Pvt Ltd.

 

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

 

Categories of data

The personal data transferred concern the following categories of data (please specify):

 

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify): 

 

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify): As described in the Agreement.

Appendix 2: Overview Of Connectana’s Technical And Operational Security Measures

Connectana adopts an Information Security Management System (ISMS) as a framework for continuous improvement of security.

This ISMS includes (but is not limited to):

Policies

Connectana maintains and periodically reviews its Information Security Policies, which serve as the major guidelines for security practices. These cover Risk Management, Data Classification, Access Control, Software Development and Data Breaches.

Awareness

Awareness of security and compliance is fundamental and is provided to all users. Some users may receive additional specific awareness relevant to their function.

Access control

Access is granted on a need-to-know basis, and only a small number of users can access production systems where information from Customers is stored. Authentication to production systems uses two-factor authentication as standard.

Audit logging

Relevant audit logs are maintained, including logs of access to sensitive information (including personal data). The logs are kept in separate infrastructure and are accessed only by the Security team.

Data Breaches

Processes are defined to handle Data Breaches. These processes include notification to relevant stakeholders, according to the type of incident and applicable legislation.

Network security

Connectana has implemented several security measures to protect its infrastructure from external and internal threats. These include encryption, firewalls, IDS and other cloud-provider-specific measures. Access to production systems is made in secure mode, and encryption in transit is a default. Sensitive information is also encrypted at rest.

Physical Security

Connectana uses data centers managed by cloud providers and delegates all physical security to them, after due diligence.

Business Continuity

Connectana has several technical implementations to ensure business continuity of its service. These include backups, resilient and redundant infrastructure, and a Disaster Recovery Plan.

Development

Development follows a secure development methodology that includes peer review, and secure coding and testing.

Continuous improvement and review

Connectana’s security posture is based on a continuous improvement process that includes periodic review of the effectiveness of security controls.