2. We follow customers’ instructions.
We process personal data contained in business data transmitted to us, only on behalf of our customers, to the extent necessary for our services and in accordance with our customers’ instructions. In legal terms, we are data processor and our customers are data controllers. After expiry of our services, we delete the personal data of the related customers from our systems, unless if otherwise required by law.
3. Our worldwide subprocessors are qualified.
We select qualified subprocessors to support the delivery of our cloud services. We are responsible for them and have appropriate data processing arrangements in place with them. We make information available about our current subprocessors and notify relevant customers in case we change any such subprocessor. Before we transfer personal data for processing to any subprocessor outside the EU, we provide for GDPR-proof appropriate safeguards.
4. Security of data is core.
Through our information security program, we maintain appropriate technical and organisational security measures designed to protect the security and integrity of data. Our security measures are based on globally accepted standards and described in a separate notice, available upon request. We audit our security measures. We notify our related customers in the unlikely event of a security breach on our systems of which we become aware.
5. We assist.
Our services allow our customers to respond to legitimate requests from individuals, mainly to rectify, block or erase their personal data. If this is not possible, we will assist. When our customers perform security and data protection assessments, security incident notifications or reply to consultations of supervisory authorities that relate to our services, and think we can be of any help, we will assist where we can. We also assist customers wanting to audit our compliance.