跳至内容

数据处理协议 -Managed Solutions

本数据处理协议(“DPA”)补充并构成客户与Equinix之间的协议(“协议”)的一部分,该协议管辖向客户提供Managed Solutions(“服务”),在数据保护法适用于 Equinix 对客户个人数据处理的范围内。

因此,双方同意并签订本 DPA,以管理此类处理活动。

定义。下文未定义的任何大写术语将具有协议中赋予的含义。

“CCPA”是指 2018 年加州消费者隐私法案、民法典第 1798.100 节及以下条款。

“控制者”是指决定个人数据处理目的和方式的实体。

“跨情境行为广告”具有 CCPA 赋予的含义。

“客户数据”包括客户在使用服务过程中加载、存储、接收、检索、传输或以其他方式处理的所有数据。

“客户个人数据”是指构成客户数据一部分的所有个人数据。

“客户标准合同条款协议”是指客户与 Equinix 之间的协议,该协议包含标准合同条款,是本数据处理协议的一部分,自任何受限转移开始之日起生效,并载于 Equinix – 客户标准合同条款协议

“数据保护法”是指适用于Equinix在提供服务过程中处理客户数据的、规范个人数据处理的所有法律。

“数据主体”是指与个人数据相关的已识别或可识别的在世个人。

“GDPR” 指《通用数据保护条例》,即 (EU) 2016/679 条例。

“个人数据”是指与已识别或可识别的自然人有关的任何信息,其收集、使用、披露、存储或以其他方式处理受数据保护法的管制。

“个人数据泄露”是指安全漏洞,导致传输、存储或以其他方式处理的个人数据被意外或非法破坏、丢失、更改、未经授权披露或访问。

“处理者”是指代表控制者处理个人数据的实体。

“处理”(包括“已处理”和“处理”)是指对个人数据执行的任何操作或一组操作,例如访问、收集、记录、组织、存储、检索、查阅、使用,以及该术语在数据保护法下的进一步定义。

“限制转移”是指在没有标准合同条款或其他适用法律机制的情况下,任何国际或跨境的客户个人数据转移,根据数据保护法均属非法。

“安全事件” 可能违反 Equinix 的安全或保密政策,或以其他方式威胁Equinix维护与数据、人员或其他Equinix资源相关的足够安全性、保密性或可用性的能力的事件。

“出售”具有 CCPA 赋予的含义。

“标准合同条款”或“SCC”是指适用于双方之间任何限制性转移的个人数据国际转移的相关标准合同条款(i)载于欧洲实施决定(EU)2021/914(“欧盟 SCC”);(ii)载于英国附录;或(iii)由主管部门根据任何其他适用的数据保护法颁发。

“定向广告”具有 CCPA 赋予的含义。

“英国附录”是指英国信息专员根据 2018 年数据保护法第 119A(1) 条颁发的标准合同条款的国际数据传输附录。

1. 处理的执行

1.1 如果 Equinix 因提供服务而处理客户个人数据,则客户作为数据控制者,Equinix 作为数据处理者,本数据处理协议的条款将适用,并应根据服务产品政策和责任共担模型的条款进行解读和补充。责任共担模型描述了双方的责任,详情请见:责任共担模型

1.2 各方将遵守其在数据保护法下的各自义务,并将至少按照数据保护法的要求对客户个人数据提供保护级别。

1.3 Equinix 处理客户个人数据的范围和性质在本 DPA 附表 1 中列出。

1.4 客户将确定处理客户个人数据的目的和方式。在不影响 Equinix 在本协议和本数据保护协议项下的义务以及不限制其在数据保护法项下的义务的情况下,客户将采取一切必要措施,确保Equinix能够合法地获取客户个人数据,并根据客户在本协议和本数据保护协议项下指示的目的合法地处理客户个人数据。

1.5 Equinix仅会出于履行其在本协议和本数据保护协议 (DPA) 项下义务的特定业务目的处理客户个人数据。本协议和本数据保护协议构成客户就处理客户个人数据向Equinix发出的完整书面指示。尽管有上述规定, Equinix仍可根据适用的数据保护法处理客户个人数据,但会在处理前告知客户该法律要求,除非该法律禁止此类信息。客户有权在收到通知后采取合理且适当的措施,以阻止和纠正 Equinix 对客户个人数据的未经授权的使用。

1.6 除非数据保护法另有明确允许,否则Equinix不会出售、保留、使用、共享、披露或以其他方式处理客户个人数据,无论是汇总形式还是单独形式:

  • 1.6.1 用于任何商业目的或任何其他目的,包括为第 1.5 条所述特定目的以外的其他业务提供服务

  • 1.6.2 在Equinix与客户之间的直接业务关系之外;或

  • 1.6.3 适用于跨情境行为广告或定向广告。

1.7 Equinix同意,其从客户处或代表客户接收的,或通过提供服务生成的任何汇总、匿名、去识别化或假名化的客户个人数据均不得重新关联或重新识别个人。Equinix 将公开承诺不会尝试重新识别此类信息。除非数据保护法允许,否则Equinix不会将客户个人数据与其从其他人或代表其他人接收的个人数据,或与其自身与数据主体的互动中收集的个人数据相结合。

1.8 作为控制方,客户有责任告知数据主体有关客户个人数据处理的情况,并负责响应根据数据保护法行使数据主体权利的请求。客户确认, Equinix已配置服务并实施了适当的技术和组织措施,旨在使客户能够访问、修改和删除客户个人数据,而无需Equinix提供进一步协助。考虑到处理的性质以及 Equinix 对客户个人数据的访问范围有限, Equinix将根据客户要求,提供任何合理所需的进一步协助,以使客户能够遵守数据主体权利。

1.9 客户授权Equinix聘用任何关联公司或第三方作为进一步的处理者(“子处理者”),但须遵守Equinix 的规定:

  • 1.9.1 与客户签订符合数据保护法的数据处理协议;

  • 1.9.2 提前通知客户其对子处理器的使用发生的任何变化,从而让客户有机会提出反对;以及

  • 1.9.3 如果子处理者未能履行与处理客户个人数据有关的义务,则仍需对客户承担责任。

自协议签署之日起,Equinix 聘用的子处理者为本 DPA 附表 2 中列出的子处理者。

2. 安全

2.1 作为客户个人数据的数据处理者,Equinix 将考虑到现有技术水平、实施成本和处理的性质、范围、背景和目的,以及对自然人权利和自由的不同可能性和严重程度的风险,采取其认为合理必要的适当技术和组织安全措施来保护客户个人数据,并在合理可行的范围内协助客户履行数据保护法规定的安全义务。双方承认,在某些情况下, Equinix可能会将额外的技术和组织安全措施作为单独的商业产品和服务提供,具体选择权完全在于客户。Equinix的安全控制措施,连同本第 2.1 条中做出的承诺,构成了 Equinix 对客户数据安全的唯一责任。Equinix的安全控制措施在附表 3 中进行了描述。此外,这些措施还符合 ISO 27001 中规定的要求。客户可根据要求获得针对这些要求的安全控制措施的说明。

2.2 一旦发现任何个人数据泄露, Equinix将立即通知客户。在Equinix掌握相关信息的范围内,Equinix 将向客户提供有关个人数据泄露的性质和可能后果的信息,以及已采取或将要采取的解决个人数据泄露的措施,以及客户根据数据保护法有权获得的任何其他信息。

2.3 Equinix将确保获得授权处理客户个人数据的人员已承诺保密或承担适当的法定保密义务。

3. 审计

3.1 Equinix的审计计划。Equinix 聘请外部审计师评估其在处理客户个人数据方面的安全措施的充分性。此类审计每年至少进行一次,费用由 Equinix 承担。审计由 Equinix 选定的合格独立第三方安全专业人员执行,并生成一份保密的审计摘要(“审计报告” ) 。Equinix 将根据客户的书面请求,在合理的时间间隔内向客户提供其最新审计报告的副本。所有此类审计报告均为 Equinix 的机密信息,仅供客户使用。

3.2 客户审计。客户同意,数据保护法授予的任何审计权利均通过出具本审计报告予以履行。如果客户能够证明审计报告未提供足够信息以验证 Equinix 是否遵守本数据保护协议 (DPA),或客户需要安排任何监管机构进行进一步审计,则双方应共同商定客户审计计划的范围,该范围如下:(a) 确保使用独立第三方;(b) 以书面形式提前合理通知Equinix审计开始时间;(c) 仅在正常工作时间内要求访问Equinix人员和基础设施;(d) 接受按 Equinix 当时的费率向客户收取Equinix人员在审计上所花费时间的费用;(e) 每年不超过一次;(f) 将其调查结果限制在与客户相关的数据范围内;(g) 在法律法规允许的范围内,要求客户及其第三方审计师对客户审计过程中披露或以其他方式收集的任何信息保密。

4. 退还或删除客户内容

4.1 根据客户的书面请求, Equinix将向客户提供删除或返回客户个人数据所需的任何进一步合理协助,费用由客户承担。

4.2 法律要求的保留。即使本第 4 条有任何相反规定,如果适用法律或法规(包括《数据保护法》)要求, Equinix可保留客户个人数据或其任何部分,前提是此类客户个人数据根据协议、本 DPA 和《数据保护法》的条款受到保护。

5. 国际转移

5.1 如果双方之间存在受限转让,双方同意按照 Equinix 客户标准合同条款协议(可在以下网址获取:Equinix – 客户标准合同条款协议)或其他适用的法律机制订立标准合同条款。客户标准合同条款协议已纳入本数据处理协议并构成其一部分,自双方之间开始进行受限转让之日起生效。

6. 信息请求

6.1 Equinix将根据客户要求,并考虑到处理的性质和Equinix可获得的信息,合理协助客户履行数据保护法所要求的数据保护或隐私影响评估方面的义务。

7. 其他

7.1 客户承认并同意, Equinix可自行决定不时修改本 DPA,其合理认为,此举对于确保双方持续遵守数据保护法是必要的,且此类修改后的 DPA 条款一经发布即生效。

7.2 本数据处理协议 (DPA) 的条款构成本协议条款的一部分,并作为本协议条款的补充。如本数据处理协议 (DPA) 的条款与本协议条款之间存在任何歧义、冲突或不一致,则以数据处理协议 (DPA) 的条款为准。本数据处理协议 (DPA) 取代Equinix作为客户个人数据处理方就服务所签订的任何其他协议。

数据处理协议附表 1

根据条款 1.3,这是 Equinix 处理的范围和性质。

Tier NameProduct examplesPurpose of ProcessingEquinix RoleCustomer RoleCategories of Personal Data
Infrastructure as a ServiceManaged Private Cloud(a) Backup, support, planning, and enabling migration, deployment, and development of Services; Encryption (enabled by default for data at rest in MPC Storage) (b) Infrastructure management (preventing, detecting, investigating, mitigating, and repairing problems, including security incidents and problems identified in the Services; and (c) Enhancing delivery, efficacy, quality, and security of our Services, including keeping Services up to date, and enhancing reliability, efficacy, quality, and security and fixing defects.Data ProcessorData ControllerAs determined by Customer
Enhanced Platform as a ServiceManaged Private BackupAs aboveData ProcessorData ControllerAs determined by Customer
Infrastructure as a ServiceManaged Private StorageAs aboveData ProcessorData ControllerAs determined by Customer

数据处理协议附表2

根据第 1.9 条,以下是子处理器列表:

Globally: Equinix Services Inc.

Equinix (US) Enterprises Inc.

Equinix (UK) Enterprises Ltd.

Equinix (Germany) Enterprises GmbH

Equinix (Netherlands) Enterprises BV

Virtu Secure Webservices BV

Equinix (Italy) Enterprises SRL

Equinix (Japan) Enterprises KK

Equinix (Japan) Technology Services KK

Equinix do Brasil Solucoes de Tecnologia en Informatica Ltda

Equinix do Brasil Telecommunicacoes Ltda

Equinix MX Services SA de CV

Equinix (Canada) Enterprises Ltd.

Equinix (Sweden) Enterprises AB

Equinix (France) Enterprises SAS

Equinix (Spain) Enterprises SAU

Equinix (Finland) Enterprises Oy

Equinix (Ireland) Enterprises Ltd

附表 3 – 技术和组织措施

下表说明了 Equinix 为提供服务而实施的技术和组织措施:

DomainPractices
Organization of Information Security Organizational Context Risk Management Strategy Roles, Responsibilities, and Authorities Policy OversightEquinix has organized governance of Information Security around the following teams and programs which review, evaluate and enhance Equinix security practices: Audit and compliance – Equinix formally complies with various industry standards, such as ISO 27001. Audit attestations and certificates are provided by qualified third-party auditors. These auditors coordinate activities with various business and technology teams like Business Assurance Services, Internal Audit, and Operations. Information Security team – Working closely with the legal organization, this team is charged to follow global and business unit guidelines to help ensure compliance with local and federal laws and regulations. Information Security Risk Management - Working closely with business representatives to establish Equinix' priorities, constraints, risk tolerance and appetite statements, and ensuring that assumptions are established, communicated, and used to support operational risk decisions. Information Security policies – The Equinix Information Security team administers and enforces a comprehensive set of confidential Information security policies that is reviewed and endorsed by senior management. This team ensures that the internal policies are global in scope, covering country-specific and region-specific laws, regulations, and business requirements. Areas covered by these internal security policies include, but are not limited to: acceptable use of technology, anti-virus and malware, data backup and retention, data classification, labeling and handling, logical access, passwords, patch management, mobile devices, personal computers, remote access and VPN, and social media.
Information Protection Human Resource SecurityEquinix has implemented and maintains employee security training programs regarding information security risks and requirements. The security awareness training programs are reviewed and updated at least annually. Where permitted by law, and to the extent available from applicable governmental authorities, Equinix requires each employee to undergo a background check.
Asset ManagementAsset Inventory - Equinix has implemented processes that focus on identifying and cataloging all assets used to deliver services. This process includes physical assets, virtual assets and intangible assets like software licenses. By maintaining an accurate up to date inventory, Equinix can effectively track its assets, monitor their usage, and plan for maintenance. Asset Handling - This involves implementing technical and organizational measures to protect assets from damage, theft, or unauthorized access. Technical measures may include implementing security systems to safeguard physical assets, such as surveillance cameras and access control systems. Equinix may employ encryption and authentication protocols to protect customer data stored on digital assets. Organizational measures involve establishing policies and procedures for asset handling, including guidelines for asset maintenance, usage, and disposal.
Physical and Environmental SecuritySafeguarding physical security of every IBX Center where information systems processing and storing customer data are located is a high operational priority. Each IBX Center uses an array of security equipment, techniques and procedures to monitor the facility and to control and record access. Access – The access control subsystem allows authorized users inside the building and within the facility. Biometric security devices, proximity cards and other technologies identify users to the access control system, and upon authentication allow contacts to navigate the IBX as permitted. Alarm Monitoring and Intrusion Detection – The alarm monitoring and intrusion detection subsystem monitor the status of various devices associated with the security system. Monitoring devices include door position switches, glass break detectors, motion detectors, and tamper switches. If the status of any device changes from their secure state, an alarm is activated, the event is recorded, and appropriate measure is taken. CCTV – The closed-circuit television subsystem provides the display, control, recording and playback of live video from cameras throughout the facility, as well as outside the facility where legally permitted. This system is integrated with the alarm monitoring and intrusion detection subsystem, so in the event of an alarm, cameras are displayed automatically to view the event in real time.
Communications and Operations ManagementVulnerability Assessments - Equinix performs regular internal and external vulnerability assessments and penetration testing of the Equinix EMS information systems and will investigate identified issues and track them to resolution in a timely manner. Malicious Software - Equinix has anti-malware controls to help avoid malicious software gaining unauthorized access to customer data including malicious software originating from public networks. Change Management - Equinix maintains controls designed to log, authorize, test, approve and document changes to existing resources and will document change details within its change management or deployment tools. Equinix will test changes according to its change management standards prior to migration to production. Equinix will maintain processes designed to detect unauthorized changes to the Equinix information systems and track identified issues to a resolution. Data Integrity - Equinix maintains controls designed to provide data integrity during transmission, storage, and processing within the Equinix Services information systems. Event Logging - Equinix logs, or enables Customer to log, access and use information systems containing customer data -specific to that customer- registering the access ID, time, authorization granted or denied, and relevant activity. Backup/Restore – Customer Data is backed up where applicable via backup tooling. Equinix employees managing these backups have no access to the Customer Data. In case a restore is required, Customer can request this restore.
Access ControlEquinix makes the Customer Data accessible only to authorized personnel, and only as necessary to maintain and provide the Equinix Services. Equinix maintains access policies and controls to manage authorizations for access to the customer data from each network connection and user through the use of firewalls, controlled access connectivity or functionally equivalent technology and authentication controls. Data Segregation - Equinix maintains access controls designed to restrict unauthorized access to Customer Data and segregate each Customer's Data from other Customers' Data. User access controls - Relates to access to Equinix information include, but are not limited to: - least privilege principles based on personnel job functions - review and approval prior to provisioning access - at least quarterly review of access privileges - when necessary, revoke access privileges in a timely manner - two-factor authentication for access to the Customer Data - monitoring by Equinix (or enabled Customers) for anomalies in access activity such as for example (but not limited to) repeated attempts to gain access to the information system using an invalid password.
Information SecurityIncident Management Incident Response Process - Equinix maintains incident response plans (runbooks) to respond to potential security threats to the Managed Solution Services. Equinix runbooks will have defined processes to detect, mitigate, investigate, and report security incidents. The Equinix runbooks include incident verification, attack analysis, containment, data collection, and problem remediation. For each Security Breach that is a Security Incident, appropriate notification by Equinix EMS will be made in compliance with local regulations. Service Monitoring - Equinix monitors on a continuous basis, or enables Customer to monitor, for anomalies related to security events (for example but not limited to repeated attempts to gain access to the information system using an invalid password).
Business Continuity ManagementEmergency and Contingency plans - Equinix maintains emergency and contingency plans for the facilities in which Equinix information systems that process Customer Data are located. These plans will be tested annually. Data recovery - Equinix redundant storage and its procedures for recovering data are designed to attempt to reconstruct Customer Data in its original or last-replicated state.
此页面有帮助吗?