Last updated: November 28, 2022

CorralData Inc. (“us”, “we”, “our” or “company”) has adopted in full an industry standard Data Processing Agreement (DPA) from oneDPA.

The oneDPA contract was created collaboratively by a group of leading law firms and in-house teams with input from the wider legal community. The terms of oneDPA have been discussed extensively to not only ensure it meets legal requirements, but also to make it balanced, fair and easy to understand.

This page will outline the specific stipulations of CorralData Inc.’s DPA as a processor to our customers.

Parties’ Relationship

Processor (Company) to Controller (Customer).

Parties’ roles

The customer will act as the Controller (as defined in Section 1 of the Terms).

CorralData Inc. will act as the Processor (as defined in Section 1 of the Terms).

Term

Our DPA will commence on the final date of signature and will continue for 30 days after the end of the Main Agreement.

Breach Notification Period

Without undue delay after becoming aware of a personal data breach.

Sub-processor Notification Period

30 days before the new sub-processor is granted access to Personal Data.

Liability Cap

Each party’s aggregate liability under this DPA will not exceed the liability caps as per the Main Agreement.

Governing Law and Jurisdiction

As per the Main Agreement.

Data Protection Laws

All laws, regulations and court orders which apply to the processing of Personal Data, including in the United States of America (USA).

This includes the:

… each as amended from time to time.

Services Related to Processing

The provision of a data analysis tool and ongoing support services provided by Company to Business.

Duration of Processing

For the Term of the DPA.

Nature and Purpose of Processing

Personal data processing activities include the ingestion, storage and management of Personal Data, in instances when hashed or aggregated data use is not possible, for Company to provide its services as described in the Main Agreement.

Personal Data

The types of personal data processed are customer email addresses, shipping and billing addresses, and other personal data which may be provided and are dependent on the platforms integrated by Company and the data within those platforms.

Data Subjects

The individuals whose Personal Data will be processed are Customer’s Customers and Prospects.

Transfer Mechanism

Not applicable.

Terms

  1. What is this agreement about?
  2. What are each party’s obligations?
  3. Sub-processing
  4. International personal data transfers
  5. Other important information

ANNEX 1

Security Measures

Technical and organisational measures to ensure the security of Personal Data.

a) Access Control

i) Preventing Unauthorized Product Access

Outsourced processing: We host our Service on Amazon Web Services (AWS). Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.

Physical and environmental security: We host our product infrastructure on AWS. We do not own or maintain hardware located at AWS data centers. Production servers and client-facing applications are logically and physically secured from our internal corporate information systems, and each other. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.

Authentication: We implement a uniform password policy for our customer products. Furthermore, Customers who have access to PII data within their CorralData interface are required to use Microsoft or Google Sign-in with two factor authentication to view any PII data.

Authorization: Customer Data is stored in storage systems accessible to Customers only via an application user. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed by validating the user’s permissions against the attributes associated with each data set.

ii) Preventing Unauthorized Product Use

We implement industry standard access controls and detection capabilities for the internal networks that support our products.

Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

Intrusion detection and prevention: We implement a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.

Static code analysis: Code stored in our source code repositories is checked for best practices and identifiable software flaws using automated tooling.

Penetration testing: We maintain relationships with industry recognized penetration testing service providers for our penetration tests. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios. Penetration tests are performed against the application layers and infrastructure layers of the CorralData technology stack.

iii) Limitations of Privilege & Authorization Requirements

Product access: A subset of our employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, product development and research, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” (JITA) requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated daily. Administrative or high risk access permissions are reviewed at least once every six months.

Background checks: Where permitted by applicable law, CorralData employees undergo a third-party background or reference check. In the United States, employment offers are contingent upon the results of a third-party background check. All CorralData employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.

b) Transmission Control

In-transit: We require HTTPS encryption (also referred to as SSL or TLS) on all login interfaces and for free on every customer site hosted on the CorralData products. Our HTTPS implementation uses industry standard algorithms and certificates.

At-rest: We store user passwords in accordance with policies that follow industry standard practices for security. For Customers that have access to PII data, passwords are not stored since we rely on Google or Microsoft sign-in for two factor authentication. We have implemented technologies to ensure that stored data is encrypted at rest.

c) Input Control

Detection: We designed our infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.

Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by our team; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to you will be in accordance with the terms of the Agreement.

d) Availability Control

Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and heating, ventilation and air conditioning (HVAC) services.

Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.

Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.

Disaster Recovery Plans: We maintain and regularly test disaster recovery plans to help ensure availability of information following interruption to, or failure of, critical business processes. Our platform is designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.

ANNEX 2

Sub-processors

Current sub-processors.

CorralData uses services of certain vendors for processing of customer data while providing services to its customers (“sub-processors”). Prior to engaging any third party sub-processor, CorralData thoroughly analyzes and evaluates the impact of such engagement on privacy aspects in the context of processing within CorralData products.

The current list of Company sub-processors providing services which might impact CorralData’s customers may be found here: https://corraldata.com/sub-processors/