Data Processing Addendum
Check Point Software Technologies Ltd, of Shlomo Kaplan, Tel-Aviv, Israel (“Check Point”) and [add customer name] (“Customer”) agree to the terms set out in this Data Processing Addendum (this “Addendum”). This Addendum shall become effective with respect to the Customer upon the effective date of the Agreement (as defined below) (the “Effective Date”), provided that this Addendum is incorporated into the Agreement by reference.
1.1 Agreement: the agreement governing Customer’s relations with Check Point; with respect to usage of Check Point’s products and services, the applicable end-user license agreement governing the Customer’s use of Check Point’s products and services.
1.2 Affiliate: Any entity that directly or indirectly controls, is controlled by, or is under common control with the relevant party.
1.3 Customer Personal Data: Personal Data provided by the Customer to Check Point or generated by Check Point in connection with the offering or provision of Check Point products and services and which is used solely by Check Point for the Permitted Purposes.
1.4 Data Protection Laws: All applicable laws and regulations relating to the processing of Personal Data including the Electronic Communications Data Protection Directive (2002/58/EC) and the EU’s General Data Protection Regulation (“GDPR”) (2016/679/EC), including all law and regulations implementing or made under them and any amendment or re-enactment of them. The terms “Controller”, “Personal Data”, “Process”, “Processor” and “Supervisory Authority” shall have the meanings given to them in the GDPR;
1.5 EU Standard Contractual Clauses: means the model clauses incorporated into this Addendum under clause 9 (International Transfers of Data) for the transfer of Personal Data in the EU to third countries where the exporter is a Processor and the importer is a Sub-processor as approved by the European Commission by its Implementing Decision (EU) 2021/914 of June 04, 2021 or any additional replacement model clauses approved by the European Commission from time to time;
1.6 Personal Data Breach: The accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
1.7 Permitted Purposes: Permitted Purposes shall mean the purposes for processing Personal Data specified in the Privacy Policy.
1.8 Privacy Policy: Check Point’s Privacy Policy, as available at Check Point’s public website (currently at: www.checkpoint.com/privacy/).
1.9 Sub-processor: A third party engaged by Check Point or one of its Affiliates to undertake some or all of Check Point’s obligations under the Agreement, including but not limited to Processing of Personal Data; and
1.10 UK Standard Contractual Clauses Addendum: means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses incorporated into this Addendum under clause 9 (International Transfers of Data) for the transfer of Personal Data in the UK to third countries and where the exporter is a Processor and the importer is a Sub-processor as approved by the UK Government.
2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, the Customer is the Controller, Check Point is the Processor and that Check Point or Check Point Affiliates may engage Sub-processors pursuant to this Addendum.
2.2 Customer’s Processing of Personal Data. The Customer shall, in its use of the Check Point products and services, Process Personal Data in accordance with the requirements of Data Protection Laws.
2.3 Check Point Processing of Personal Data: Check Point shall only Process Customer Personal Data in the following ways: (i) Processing for the purposes of provision of the Check Point products and services and/or other Permitted Purposes and otherwise in accordance with the Agreement; (ii) Processing by Customer users in their use of the Check Point products and services; (iii) Processing to comply with other documented reasonable instructions provided by the Customer; and/or (iv) as described in the Privacy Policy. The Customer shall ensure that any instructions to Check Point in relation to the Processing of Customer Personal Data shall comply with Data Protection Laws. In the event that any of the Processing described in this clause 2.3 conflicts with Data Protection Laws, Check Point shall not be obliged to carry out the data processing affected by the conflict and shall, unless such legal requirement prohibits it from doing so, inform the Customer of the relevant conflict.
2.4 Data Protection Impact Assessment: Upon the Customer’s request and at the Customer’s expense, Check Point shall provide the Customer with reasonable cooperation and assistance needed to fulfil the Customer’s obligation under the GDPR to carry out a data protection impact assessment related to the Customer’s use of the Check Point products and services but only to the extent that the Customer does not otherwise have access to the relevant information, and only to the extent that such information is available to Check Point. Check Point shall provide reasonable assistance to the Customer, at the Customer’s expense, in relation to consultation with a Supervisory Authority in connection with a data protection impact assessment related to the Check Point products and services.
2.5 Details of the Processing:
(i) Subject-matter of Processing, the nature and purpose of the Processing: the provision of Check Point products and services to the Customer and/or other Permitted Purposes.
(ii) Duration of the Processing: for as long as necessary in connection with the provision of Check Point products and services and/or for the Permitted Purposes.
(iii) Types of Personal Data: the Customer can control the types of data analysed and collected through the Check Point products and services.
(iv) Categories of Data Subjects: the Customer can control the types of Data Subjects whose Personal Data may be collected through the Check Point products and services.
4.1 Confidentiality: Check Point shall ensure that its personnel engaged in the Processing of Customer Personal Data are informed of the confidential nature of the Customer Personal Data, have received appropriate training on their responsibilities and are subject to confidentiality undertakings.
4.2 Reliability: Check Point shall take commercially reasonable steps to ensure the reliability of any Check Point personnel engaged in the Processing of Customer Personal Data.
6.1 Controls for the Protection of Customer Data: Check Point shall maintain appropriate technical and organisational measures for protection of the security (including protection against unauthorised or unlawful Processing, and against accidental or unlawful destruction, loss or alteration or damage, unauthorised disclosure of, or access to, Customer Personal Data), confidentiality, and integrity of Customer Personal Data. Specific description of technical and security measures applied to ensure the security of data is available at www.checkpoint.com/privacy/security/ as updated from time to time.
6.2 Third-Party Certifications and Audits: Upon the Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Check Point shall make available to the Customer (or the Customer’s independent, third-party auditor that is not a competitor of Check Point) a summary of Check Point’s then most recent third-party certifications and/or security related audits, as applicable; and as may be available in respect of the products and/or services being provided.
6.3 Right of Audit and Inspection: Check Point shall afford to the Customer access on reasonable notice and at reasonable intervals (except where there has been an actual or reasonably suspected breach of this Addendum by Check Point), to books and records relevant to the Customer Personal Data to enable the Customer to ensure that Check Point is complying with its obligations under this Addendum.
9.1 Transfer mechanisms for data transfers: The Customer acknowledges that Check Point or any of its sub-processors (as defined above under 1.5) may transfer Customer Personal Data to locations outside the European Economic Area and / or the UK. Where this is the case, and to the extent that the data is transferred to a country which does not ensure an adequate level of data protection within the meaning of Data Protection Law, such transfers shall be subject to the Module Three Transfer (processor to processor) terms in either the EU Standard Contractual Clauses or the UK Standard Contractual Clauses Addendum, as applicable. A template of the Annexes to those EU Standard Contractual Clauses is attached in Annex A of this Addendum.
9.2 In the event that there is a conflict between the provisions of this Addendum and the provisions of the UK Standard Contractual Clauses Addendum or EU Standard Contractual Clauses, as applicable, the provisions of the UK Standard Contractual Clauses Addendum or EU Standard Contractual Clauses, as applicable, shall take precedence.
9.3 In the event that a relevant Supervisory Authority with jurisdiction over the parties or this Addendum revises, updates or replaces the UK Standard Contractual Clauses Addendum or EU Standard Contractual Clauses, or requires transfers of Personal Data made pursuant to the standard contractual clauses to be suspended, the parties will work in good faith to enter into updated standard contractual clauses or rely on an alternative safeguard under the Data Protection Laws in respect of such transfers.
A. LIST OF PARTIES
Data exporter(s): Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union / UK
Name: Check Point Software Technologies Ltd.
Address: Shlomo Kaplan 5, Tel-Aviv, Israel
Contact person’s name, position and contact details: Daniel Kurtz, DPO, danielkur@checkpoint.com
Activities relevant to the data transferred under these Clauses: The data exporter provides the products and services to the Customer in accordance with the Agreement. In this regard, Customer, as data controller, provides personal data to the data exporter. Customer acknowledges that Israel was determined to have an adequate level of data protection by European Commission’s adequacy decision of 31 January 2011 (2011/61/EU), so that the conclusion of SCCs is not necessary for such transfers. When providing the products and services to the Customer in accordance with the Agreement, the data exporter may transfer Customer personal data to the data importer, which acts as a sub-processor. For this purpose, data exporter and data importer have concluded EU SCCs.
Role (controller/processor): Processor
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
Name: All Check Point subsidiaries or any other sub-processor
Activities relevant to the data transferred under these Clauses: The data importer provides sub-services to the data exporter which are necessary for the data exporter to perform the Agreement.
Role (controller/processor): (Sub-)Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
Customer may provide Check Point through Check Point’s products, services and support data related to individuals, which might include, but is not limited to, Personal Data of the Customer’s employees, agents, customers, users and vendors, provided that Customer shall obtain all necessary authorizations, approvals, consents and permits per the Data Protection Laws for providing such data to Check Point for processing in accordance with this Addendum.
Categories of personal data transferred:
Data related to individuals provided to Check Point by Customer (including via its users) through Check Point’s products, services and support.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Customer is requested not to share any sensitive data.
The frequency of the transfer:
Continuous basis during the term of the Agreement depending on the use of Check Point’s products and services by Customer.
Nature of the processing:
The nature of the processing is the performance of Check Point’s obligations to provide products and services pursuant to the Agreement.
Purpose(s) of the data transfer and further processing:
To provide Check Point’s products and services to the Customer and/or for other Permitted Purposes.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
The term of the Agreement in which Check Point provides services and products to Customer plus the period thereafter until deletion of all Customer Personal Data by Check Point in accordance with Clause 8 of this Addendum.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
The purpose, nature and duration of processing mentioned above.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13 of the EU SCCs:
D. TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
i. Check Point takes extensive measures to ensure that all Customer Personal Data is secured.
ii. Check Point employs a wide range of security tools and methodologies to manage security threats, including vulnerability scanning, penetration testing, security event management and advanced threat protection. Check Point strives to keep patch levels up to date for all systems holding the data of Check Point’s customers.
iii. Check Point uses many of its own products in securing its network and services, such as the latest firewalls and IPS solutions used for protecting and monitoring Check Point’s systems from unauthorized access, WAF and API protection, endpoint gateways and mobile devices protection, software blades used for managing access to applications, anti-malware and encryption technology.
iv. Access rights to Personal Data are restricted on a least-privilege access principle basis, only as required for providing security and product functionality and limited to dedicated personnel for debugging and troubleshooting.
v. Rigorous security reviews are performed as part of a defined protocol.
Specific description of technical and organizational measures applied to ensure the security of data is available at www.checkpoint.com/privacy/security/ as updated from time to time.
E. LIST OF SUB-PROCESSORS
Check Point shall be permitted to engage further Check Point Affiliates and third-party Sub-processors at Check Point’s sole discretion in connection with the provision of the Check Point products and services, subject to the terms and conditions of this Agreement.