Data Processing Agreement

Last updated: 25th February 2022

  1. Preamble
    1. This Data Processing Agreement (the “DPA”) is entered into between Dixa and Customer (as defined in the Order Form and Terms (“Principal Agreement”), which this DPA is incorporated into by reference).
      The Customer and Dixa may each be referred to as a “Party” and jointly as the “Parties”.
    2. In providing the Services, Dixa will engage, on behalf of the Customer, in the Processing of Customer Personal Data. A description of the subject matter, nature and purpose of Processing, the type of Personal Data, categories of Data Subjects and duration of Processing, is contained in Annex 1 to this DPA. 
    3. Each party will comply with the obligations applicable to it under Data Protection Law with respect to the Processing of Customer Personal Data. This DPA solely applies in relation to the Processing by Dixa of Customer Personal Data in Dixa’s capacity as a (Sub)Processor.
  2. Definitions
    1. In this DPA, the following terms, in singular or plural form, shall have the meanings set out below:
      1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with Dixa or the Customer (respectively);
      2. “Applicable Law” means, with respect to any person (whether legal or natural), any transnational, domestic or foreign federal, state or local law (statutory, common or otherwise), constitution, treaty, convention, ordinance, code, rule, regulation, order, injunction, judgment, decree, ruling or other similar requirement enacted, adopted, promulgated or applied by a governmental authority or court that is binding upon or applicable to such person;
      3. “Customer Personal Data” means any Personal Data Processed by Dixa or a Subprocessor on behalf of the Customer pursuant to or in connection with the Principal Agreement;
      4. “Data Protection Law” means the GDPR and any other data protection or privacy laws of any other EU member state as applicable to a Party;
      5. “Delete” means to delete or destroy Personal Data such that it cannot be recovered or reconstructed using reasonable means;
      6. “EEA” means the European Economic Area;
      7. “EU” means the European Union;
      8. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
      9. “Services” means the services and other activities to be supplied to or carried out by or on behalf of Dixa for the Customer pursuant to the Principal Agreement;
      10. “Standard Contractual Clauses” or “SCC” means the contractual clauses adopted by the EU Commission in decision 2021/914; and
      11. “Subprocessor” means any person (including any third party and any Dixa Affiliate, but excluding an employee of Dixa) appointed by or on behalf of Dixa or any Dixa Affiliate to Process Personal Data on behalf of the Customer in connection with the Principal Agreement.
    2. The terms “Anonymisation”, “Commission”, “Controller”, “Binding Corporate Rules”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, “Special Categories Data” (also known as “Sensitive Data”) and “Supervisory Authority” shall have the same meaning as given in the GDPR.
    3. The capitalized terms used in this DPA shall have the meanings set forth in this Clause 2. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. 
  3. Controller and Processor
    1. By using the Services, the Customer is responsible as Controller, or a Processor, for the Processing of Customer Personal Data.
    2. During the Customer’s use of the Services, Dixa will process Customer Personal Data on behalf of the Customer as Processor (or Subprocessor insofar the Customer acts in the capacity of a Processor). Unless otherwise agreed, Dixa will not act, or be deemed to act, as a Controller (or equivalent concept) of the Customer Personal Data under any Applicable Law.
  4. Customer’s obligations
    1. The Customer shall be responsible, among others, for ensuring that the processing of personal data, which the data processor is instructed to perform, has a legal basis. 
    2. It is the Customer’s responsibility to comply with all mandatory requirements and obligations in relation to registrations and permissions from authorities (if required).
    3. The Customer shall not Process Sensitive Data or payment card data when using the Services unless explicitly stated in Annex 1.
    4. The Customer shall provide Data Subjects with the necessary information regarding the Processing, as described under ‘the right to be informed’ under Data Protection Law.
  5. Data Processor’s obligations
    1. Dixa shall process the Customer Personal Data in accordance with the Controller’s documented instructions (1) as set out in the Applicable Law, the Principal Agreement, and in this DPA, (2) as needed to provide Services according to the Principal Agreement, (3) as further specified via the Customer’s use of the Services (including e.g. the configuration settings and API usage), and/or (4) as further documented in any other written instructions given by the Customer and its representatives.
    2. Dixa shall not Process Customer Personal Data for other purposes than fulfilment of the Customer’s instructions unless Processing is required by Applicable Law or administrative or court orders to which Dixa, the relevant Dixa Affiliate or the relevant Subprocessor is subject to, in which case Dixa, the relevant Dixa Affiliate or the relevant Subprocessor shall to the extent permitted by Applicable Law inform the Customer of that legal requirement before the relevant Processing of that Customer Personal Data. 
    3. Dixa shall immediately inform the data controller if instructions given by the Customer, in the opinion of Dixa, contravene Data Protection Law.
    4. Dixa shall ensure that members of its personnel are fully aware of their responsibilities to protect Personal Data in accordance with this DPA and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
    5. Dixa shall only grant access to the Customer Personal Data to members of its personnel to the extent necessary for the fulfilment of the instructions and the implementation, management, and monitoring of the Services.
  6. Technical and organisational measures (Security)
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Dixa shall implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.
    2. In assessing the appropriate level of security, Dixa shall conduct risk assessments and take into account the risks that are presented by the Processing and in particular from a Personal Data Breach.
    3. The Customer shall give Dixa all relevant information regarding Customer Personal Data and the implementation of technical and organisational measures to safeguard the rights of the Data Subjects.
    4. The current technical and organisational measures are listed in Annex 2, and are deemed approved as sufficient by the Customer upon acceptance of this DPA. Dixa may update or modify such technical and organisational measures from time to time provided that such updates and modifications do not materially decrease the overall security of the Services.
  7. Subprocessing
    1. Subject to the conditions in this Clause 7, Dixa has the Customer’s general authorisation for the engagement of Subprocessors. Dixa shall inform the Customer, in writing (including electronic/email), of any addition or replacement of Subprocessors at least 30 days in advance, thereby giving the Customer the opportunity to object to such changes prior to the engagement of the concerned Subprocessor(s).
    2. Dixa shall maintain an up-to-date list of the names and locations of all Subprocessors used for the Processing of Personal Data under this DPA, which can be found in Annex 3.
    3. If the Customer notifies Dixa, in writing, of an objection to a Subprocessor, Dixa shall not disclose any Customer Personal Data to the proposed Subprocessor until reasonable steps have been taken to address the objections raised by the Customer. If the reasons for the objection cannot be remedied before the commencement of use of a new Subprocessor, or within a reasonable time for an existing Subprocessor:
      1. the Customer shall be entitled to terminate (a) the subscription for the part of the Services which the Subprocessor is used for (i.e. where the Subprocessor is only used for that specific part/feature of the Services) (a “Modular Subprocessor”), or (b) the Principal Agreement insofar the Subprocessor is a fundamental/core Subprocessor and all aspects of the Services are affected by the use of the Subprocessor. 
      2. If the termination according to 7.3.1 is based on:
        (a) Dixa not being able to reasonably document the Subprocessor’s compliance with Data Protection Law and this DPA, the Customer shall be entitled to receive a pro-rata reimbursement of pre-paid fees for the affected Subscription(s) or Principal Agreement (as applicable); or
        (b) an objection made at the Customer’s discretion, without it being reasonably based on the Subprocessor’s non-compliance with Data Protection Law and this DPA, the Customer’s sole remedy shall be ceasing use of the part of the Services, or all Services, which the Subprocessor’s Processing activities relate to (as applicable from case to case); it is not Dixa’s concern or responsibility that the Customer may not enjoy the Services from the data processor as it may have expected, and the Customer shall not be entitled to reimbursement of Fees.
    4. With respect to each Subprocessor, Dixa shall:
      1. ensure that each Subprocessor only Processes Customer Personal Data to the extent required to perform the obligations subcontracted;
      2. instruct Subprocessors to act only on Dixa’s instructions when Processing the Customer Personal Data (which instructions shall be consistent with the Customer’s Processing instructions to Dixa under Clause 5.1); 
      3. carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Customer Personal Data required by the Principal Agreement, before the Subprocessor first Processes Customer Personal Data;
      4. ensure that the arrangement between Dixa and each Subprocessor is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in this DPA and in other legal acts under Union or Member State law and that the arrangement meets the requirements of Article 28(3) of the GDPR;
      5. if that arrangement involves transfers of Customer Personal Data to a third country outside the EU/EEA, ensure a legal ground for the transfer under Clause 14.3;
      6. provide to the Customer for review copies of the data processing agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this DPA) whenever requested; and
      7. ensure that each Subprocessor performs the obligations under Article 28(3) of the GDPR, as described in this DPA.
    5. When engaging any Subprocessor, Dixa remains fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.
  8. Data Subject Rights
    1. Taking into account the nature of the Processing, Dixa shall assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligations to respond to requests to exercise Data Subject rights under the Data Protection Law. 
    2. Dixa shall:
      1. promptly notify the Customer if Dixa receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and
      2. ensure that neither Dixa, nor its Subprocessors, respond to that request except on the documented instructions of the Customer or the relevant Customer Affiliate, or as required by Applicable Law to which Dixa or the Subprocessor is subject, in which case Dixa shall to the extent permitted by Applicable Law, inform the Customer of that legal requirement before responding to the request.
    3. If Dixa becomes aware that the Customer Personal Data it has received is inaccurate, or has become outdated, it shall inform the Customer without undue delay. In this case, Dixa shall cooperate with the Customer to rectify or erase the data.
  9. Personal Data Breach
    1. Dixa shall, without undue delay and, if possible, no later than forty-eight (48) hours upon becoming aware of a Personal Data Breach affecting Customer Personal Data, notify the Customer.
    2. Dixa shall provide all relevant information to allow the Customer to meet any obligations to report or inform Data Subjects and/or a Supervisory Authority of such Personal Data Breach under the Data Protection Law. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and an approximate number of data subjects and personal data records concerned), its likely consequences, and the measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
    3. Dixa shall cooperate with the Customer and take such reasonable steps as may be requested by the Customer, to assist in the investigation, mitigation, and remediation of a Personal Data Breach.
  10. Data Protection Impact Assessment and prior consultation
    1. Subject to payment, Dixa shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations, with a Supervisory Authority or other competent supervisory authorities, which the Customer reasonably considers to be required of the Customer by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law.
  11. Deletion and return of Customer Personal Data
    1. Processing by Dixa shall only take place for the duration specified in Annex 1.
    2. Dixa shall within three (3) months of the termination or expiry of the Subscription to the Service, delete and procure the deletion of all copies of Customer Personal Data.
    3. The Customer may, by giving written notice to Dixa within 10 (ten) days of the termination or of expiry of the Subscription to the Services, require Dixa to return a complete copy of all Customer Personal Data to the Customer prior to the deletion mentioned in Clause 11.2. Any assistance provided by Dixa regarding the return of Data to the Customer shall be invoiced separately with due consideration to complexity and format.
    4. In case Applicable Law to which Dixa is subject prohibits the return or deletion of Customer Personal Data, Dixa warrants that it will continue to ensure compliance with this DPA and will only process such data to the extent and for as long as required under Applicable Law.
  12. Audit rights
    1. The Parties shall be able to demonstrate compliance with this DPA. In particular, Dixa shall keep appropriate documentation on the processing activities carried out on behalf of the Customer.
    2. Subject to Clause 12.3, Dixa shall make available to the Customer upon request, all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of the Customer Personal Data by Dixa.
    3. The Customer shall give Dixa a minimum notice of 4 (four) weeks of any audit or inspection to be conducted under Clause, unless an audit is required by a Supervisory Authority within a shorter notice. Such notice shall contain at least a detailed plan describing the scope, duration, and start date of the audit. The Customer shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing any damage, injury, or disruption to Dixa’s Service, premises, equipment, personnel, and business while its personnel is on those premises in the course of such an audit or inspection. Dixa need not give access to its premises for the purposes of such an audit or inspection:
      1. to any individual who, at Dixa’s reasonable decision, is not considered an expert within data protection, privacy, information security or auditing;
      2. to any individual unless he or she produces reasonable evidence of identity and authority;
      3. outside normal business hours at those premises; or
      4. for the purposes of more than one audit or inspection, in respect of Dixa, in any calendar year, except for any additional audits or inspections which:
        1. Customer reasonably considers necessary because of genuine concerns as to Dixa’s compliance with this DPA; or 
        2. Are required or requested to be carried out by Data Protection Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Law in any country or territory.
    4. Audits and inspections by the Customer or an auditor mandated by the Customer in relation to the Processing of the Customer Personal Data by Dixa shall be conducted under confidentiality, and Dixa may require that each person engaged by the Customer sign a non-disclosure agreement provided by Dixa.
    5. If Dixa’s compliance has been confirmed under industry, or similar, standard (e.g. ISO27701, 27701, ISAE 3000 DK-GDPR) by a qualified independent auditor within the past 12 months, and Dixa confirms that no material changes have been made, the Customer shall accept such audit and not be entitled to perform its own audit with the same scope in that calendar year, except Customer may insist on an audit in case of a situation as listed under 12.3.4.1 and 12.3.4.2.
    6. Dixa may provide Supervisory Authorities which pursuant to Applicable Law may require access to Dixa’s facilities (or representatives acting on behalf of such Supervisory Authorities) with access to Dixa’s physical facilities and systems on presentation of appropriate identification.
  13. Assistance provided in relation to Processing
    1. Dixa will be entitled to charge a reasonable remuneration to cover the documented costs and time in connection with assistance or information provided that exceeds the Data Processor’s duties and responsibilities under the Data Protection Law or this DPA. The payment will be invoiced by Dixa to the Customer after each task, prior to which the parties will negotiate the price according to its urgency and complexity. All invoices related to the assistance provided to a Customer shall be accompanied by a description of the work performed, the job titles of those who performed the work, the time taken to perform the work (where an hour is divided at most into quarters), or the total amount for each item posted. For the avoidance of doubt, if the request proves to fall within the scope of Dixa’s obligations under Data Protection Law or this DPA, then Dixa will bear its own costs and any reasonable and documented costs incurred by the Customer, unless the contrary is specifically stated in this DPA.
    2. Insofar as Dixa has provided technical self-service options for gathering the necessary information for fulfilment of the Controller’s obligations, Dixa may charge for supplementary assistance pursuant to this Clause.
  14. Third country data transfers
    1. Any transfer of Customer Personal Data to third countries or international organisations by Dixa shall only occur on the basis of documented instructions from the Customer and shall always take place in compliance with Chapter V GDPR. For the avoidance of doubt, the Customer has instructed Dixa to transfer Customer Personal Data, for the provision of Services to the Customer, to Dixa’s Subprocessors, Dixa Affiliates, as well as other Customer Personal Data recipients engaged by them (collectively a “Recipient”).
    2. Without prejudice to Clause 14.3, Dixa may Process Customer Personal Data where Dixa or its Recipients maintain facilities.
    3. Where Dixa Processes or permits the Processing of Customer Personal Data by any Recipients established in a third country outside the EU/EEA, Dixa will ensure:
      1. that the Subprocessor is located in a country for which the European Commission has issued an adequacy decision; or
      2. that the Subprocessor ensures appropriate safeguards pursuant to Articles 46 or 47 of the GDPR; or
      3. that Dixa itself or the relevant Subprocessor complies with Standard Contractual Clauses or Binding Corporate Rules; or
      4. that the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
      5. that the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
    4. Transfers described in Clause 14.3 are subject to the following provisions:
      1. when used below, the terms “data exporter” and “data importer” shall have the meaning given to them in the SCCs.
      2. the Parties agree that the audits described in the Standard Contractual Clauses shall be conducted in accordance with the provisions of Clause 12 of this DPA.
      3. the data exporter provides a general consent to the data importer to engage onward Subprocessors. Such consent is conditional on the data importer’s compliance with the Subprocessing conditions set forth in Clause 7.5 of this DPA. The data exporter agrees that new Subprocessors may be appointed by the data importer in accordance with the provisions of Clause 7.1 of this DPA and acknowledges and accepts that the data exporter has the objection rights documented in Clause 7 of this DPA.
  15. General Terms
    1. Governing law and jurisdiction
      1. The Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.
      2. This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.
    2. Order of precedence
      1. To the extent that any terms of the Principal Agreement conflict with the terms of this DPA, the terms of this DPA shall prevail in relation to its subject matter, unless the contrary is specifically stated in the Principal Agreement. 
      2. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses mentioned in Clause 14, the Standard Contractual Clauses shall prevail in relation to the Customer Personal Data subject to a third country transfer.
    3. Severance
      1. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
    4. Liability
      1. Any claims and liability arising out of this DPA shall be governed by the Principal Agreement, insofar as this does not breach the fundamental rights or freedoms of the data subject and the protection afforded by the GDPR.
    5. Duration
      1. This DPA will, notwithstanding the termination or expiry of the Subscription to the Service, remain in effect until, and automatically expire upon, deletion of all Customer Personal Data by Dixa as described in this DPA.

ANNEX 1: DETAILS OF PROCESSING OF PERSONAL DATA

This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR.

A. PARTIES

Customer:

Name: The entity identified as “Customer” in the Principal Agreement.

Address: The address for the Customer associated with its Dixa account or as otherwise specified in the Principal Agreement.

Contact person’s name, position and contact details: The contact details associated with the Customer’s account, or as otherwise specified in the Principal Agreement.

Activities relevant to the data transferred under these Clauses: The activities specified in the Principal Agreement.

Signature and date: By using the Services to transfer Customer Personal Data, the Customer will be deemed to have signed this Annex 1.

Role (controller / processor): Controller / Processor

Dixa:

Name: Dixa ApS

Address: The address for Dixa ApS specified in the Principal Agreement.

Contact person’s name, position and contact details: The contact details for Dixa ApS specified in the Principal Agreement.

Activities relevant to the data transferred under these Clauses: The activities specified in the Principal Agreement.

Signature and date: By processing Customer Personal Data on the Customer’s instructions to provide the Services, Dixa will be deemed to have signed this Annex 1.

Role (controller / processor): Processor

B. DESCRIPTION OF PROCESSING

Categories of data subjects whose personal data is processed

  • Customer’s end-users
  • Customer’s employees/agents
  • Customer’s contacts
  • Customer’s current and potential customers and customers’ end users

Categories of personal data processed

The personal data relating to individuals which is processed by Dixa through the data exporter’s use of the Services. 

The Customer determines the types of data per each product or service used, which may include:

  • Personal identification (e.g. full name, social media account name, ID, unique person identifier, signature)
  • Contact information (e.g. phone number, address, personal or business email address)
  • Conversations/Messages (e.g. email or chat messages, audio call recordings)
  • Analytics (e.g. actions, traffic data, metadata)
  • Device information (e.g. operating system version, device token for push notifications (where the Dixa messenger is used))
  • User account information (e.g. userID, roles and permissions, language preferences)
  • Other information shared with Dixa according to integrations used (e.g. expenses details, purchase tendencies)

Sensitive data processed (if applicable) 

The controller determines the types of data processed. Technical and organisational security measures are applied uniformly when using the Services.

Insofar as Dixa shall process one or more categories of sensitive information on behalf of the Customer, the Customer must declare this by having it added to the Principal Agreement; otherwise Dixa assumes that the Customer does not handle sensitive personal data.

The frequency of the processing 

The frequency of the transfer is a continuous basis for the duration of the Agreement.

Nature of the processing

In order to provide the Services, Personal Data is collected, stored, transmitted, recorded, organised, structured, altered, searched, consulted, combined, erased, redacted and anonymised.

Purpose of the data processing and further processing

The Services are provided through a customer service Platform. The Services are centred around self-service via a Software as a Service solution that includes communication capability with end-users (customers and other data subjects listed above), via a range of communication channels (email, phone, messenger, chat, etc.), a central directory of end-user contact details, analytics, agent augmentation, and, when applicable, a knowledge base.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Dixa processes Customer Personal Data for as long as necessary to fulfill the purposes of processing mentioned in this DPA and in the Principal Agreement, and any subsequent, lawful purposes. 

To the extent commercially feasible, Dixa will make available to the Customer technical measures to export, delete or anonymise Customer Personal Data. Insofar technical measures are not available, Dixa supports the said options through organisational measures.

It is the Customer’s responsibility to ensure deletion or anonymisation of data it exports from the Services. 

ANNEX 2 – TECHNICAL AND ORGANISATIONAL MEASURES 

Dixa will implement and maintain the technical and organisational security measures described in this Annex 2.

Storage. Dixa stores Customer Personal Data with a hosting provider (data centre) as listed in the Subprocessors’ list mentioned in Annex 3. Dixa ensures that the main storage of Customer Personal Data is located in the European Union. 

System Access Control. Dixa’s access control processes and policies are designed to prevent unauthorised persons and/or systems from gaining access to systems used to Process Customer Personal Data. Dixa requires the use of unique IDs, passwords, password-less authentication and/or two-factor authentication. It employs documented permission processes and/or logging of access on several levels. Access to the database is only admissible through a Virtual Private Network (VPN). Authentication and authorisation to the database rely on identity and access management (IAM) users, IAM roles and web identity tokens.

Access Control Management. Dixa employs a single sign-on system in order to administer permissions throughout Dixa’s internal systems and carefully monitors access lists to minimise the potential for unauthorised access. Access rights are granted or modified on a need-to-know basis. The off-boarding process takes effect by revoking access to systems, including any access the employee might have had to Customer Personal Data.

Network security. Dixa restricts unwanted network traffic through the use of firewalls and security groups. 

Encryption. Dixa ensures all Customer Personal Data in the Platform is encrypted at rest and in transit, using transport layer security (TLS) for data in transit.

Backup. Customer Personal Data is backed up periodically.

Monitoring and alerting. Dixa maintains a monitoring and alerting system where events and capacity are logged and alerts are set for known vulnerabilities. Logs are collected centrally.

Incident Response. Dixa maintains an Incident Response procedure. Personnel on call are trained to react promptly to known incidents. All incidents are logged. Causes, impact and immediate and long-term solutions related to an incident are part of a post-mortem evaluation.

Development security. Dixa employs code review to identify specific flaws within the code that could compromise confidentiality, security, integrity, and availability.

End-user workstation security. Dixa monitors vulnerabilities in employee workstations.

Data handling. Dixa maintains formal procedures for handling Customer Personal Data. No Customer Personal Data is ever downloaded into physical or mobile devices unless such is needed to meet specific requests and instructions from Customer representatives. 

Physical security. Dixa’s physical premises are secured with appropriate anti-theft monitoring and alarms. All offices have designated secure rooms for IT equipment and Internet setup. 

Training and awareness. Dixa requires privacy and security training as part of the training package for its personnel. Training is a part of a new employee’s onboarding process. 

Reference checks. Dixa performs reference checks on new hires to ensure technical competency within the organisation.

Performance evaluation. As appropriate, Dixa establishes mechanisms or processes to communicate and hold individuals accountable, across the entities, in relation to work and security.

Vendor Management. Dixa maintains a Vendor Management Procedure. Dixa collects, and assesses, security documentation from its Subprocessors and other vendors, to manage risks in an appropriate manner.

ANNEX 3 – LIST OF SUB-PROCESSORS

The data exporter has authorised the use of the following sub-processors: https://www.dixa.com/legal/3rd-party-services-used-by-dixa/.