CyberSage, Threat Modeling Automation

CyberSage Customer Data & Privacy Statement

 

  1.  CUSTOMER DATA & PRIVACY.

    1.1. Use of Customer Data. Provider shall: (a) access, process, or otherwise use Customer Data solely to facilitate the SaaS, implementing industry-standard encryption and security measures to protect Customer Data; and (b) not give Customer Data access to any third party, except subcontractors who are bound by data protection agreements consistent with this Agreement and are subject to a reasonable written agreement governing the use and security of Customer Data. Further, Provider: (c) shall exercise reasonable efforts to prevent unauthorized disclosure or exposure of Customer Data; and (d) shall comply with all Privacy/Security Laws that are applicable both specifically to Provider and generally to data processors in the jurisdictions in which Provider does business and operates physical facilities.

    1.2. Statutory Special Terms. The parties recognize and agree that Attachment 1 ("Special Data Handling Terms"): (a) governs the processing of Special Categories of Personal Data as defined under GDPR and Protected Health Information under HIPAA (hereinafter "Special Category Data"); and (b) applies only to such Special Category Data and not to any of the parties’ other rights or duties pursuant to this Agreement. If Provider receives a “right to know,” deletion, “right to be forgotten,” or similar request related to Customer Data, Provider may respond in accordance with applicable law. Nothing in this Agreement precludes Provider from asserting rights or defenses it may have under applicable law related to such requests.

    1.3. Additional Fees. Customer recognizes and agrees that Provider may charge additional fees (without limitation) (a) for activities (if any) required by Privacy/Security Laws and (b) for activities Customer requests to help it comply with Privacy/Security Laws.

    1.4. Privacy Policy. Customer acknowledges and agrees to the terms of the Privacy Policy as outlined in this Agreement. This policy governs the collection, use, storage, and sharing of Customer Data, including but not limited to, personal information and any data generated through the use of the SaaS. Customer recognizes and agrees that the Provider reserves the right to amend the Privacy Policy, provided such amendments comply with applicable laws and regulations and do not result in a material diminution of security or privacy rights without the Customer's consent. Any amendments will be effective upon their posting within this Agreement or in an updated version of this document provided to the Customer.

    1.5. De-Identified Data. Provider may use De-Identified Data only in a manner that complies with applicable privacy laws and ensures that such data cannot be re-identified. (“De-Identified Data” refers to Customer Data with the following removed: information that identifies or could reasonably be used to identify an individual person, a household, or a Customer.)

    1.6. Erasure. Provider may permanently erase Customer Data if Customer’s account is delinquent, suspended, or terminated for 30 days or more, without limiting Provider’s other rights or remedies.

    1.7. Required Disclosure. Notwithstanding the provisions above of this Article 4, Provider may disclose Customer Data as required by applicable law or by proper legal or governmental authority. Provider shall give Customer prompt notice of any such legal or governmental demand and reasonably cooperate with Customer in any effort to seek a protective order or otherwise to contest such required disclosure, at Customer’s expense.

    1.8. Risk of Exposure. While the Provider implements industry-standard security measures to protect Customer Data, the Customer acknowledges the inherent risks of online data hosting. Provider commits to complying with applicable data protection laws and will promptly notify Customer and take remedial action in the event of any data breach.

    1.9. Data Accuracy. Provider and Customer shall collaborate to ensure the accuracy of Customer Data. Upon identification of inaccuracies, Provider shall assist Customer in correcting such inaccuracies where feasible.

    1.10. Excluded Data. “Excluded Data” refers to any data that is subject to special data protection laws, such as health, financial, or children's data, which require additional safeguards. Customer warrants it will not transmit Excluded Data to Provider unless expressly agreed upon in writing, with Provider implementing the necessary additional protections.