THIS DATA PROCESSING AGREEMENT IS CONCLUDED BETWEEN:
BJT Partners also known as Ringover Group, SAS (Simplified Joint-Stock Company) with its registered office at 50 bis rue Maurice Arnoux, 92120 MONTROUGE, FRANCE, registered in the Paris Companies Register under number 480 234 210, hereinafter referred to as the "Processor" or "Ringover", the company that owns the "Ringover" brand. Contact email address: firstname.lastname@example.org.
The Client: (hereinafter referred to as the "Data Controller" or "Client").
Individually a "Party" and collectively the "Parties".
WHO HAVE AGREED AS FOLLOWS:
In the course of providing the Services to the Client under the Agreement, Ringover may process Personal Data on behalf of the Client and the Parties agree to comply with the following provisions regarding any Personal Data, each acting reasonably and in good faith.
This Data Processing Agreement is an integral part of the Ringover Service Contract between Ringover and the Client to which it is attached, and reflects the agreement of the Parties with respect to the Processing of Personal Data.
1. DEFINITIONS AND INTERPRETATION
In this Contract and unless otherwise defined in the Ringover Service Contract, all capitalized terms used in this Contract shall have the meanings set forth below:
- STANDARD CONTRACTUAL CLAUSES: means the European Commission’s Standard Contractual Clauses for the transfer of Personal Data to Processors established outside the European Economic Area in countries that do not ensure an adequate level of protection of Personal Data, pursuant to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- CONTRACT: means this data processing agreement between Ringover and the Client.
- RINGOVER SERVICE CONTRACT: means the Ringover general terms and conditions for the provision, use and access of the services agreed between the Parties, to which this Contract is attached and which can be accessed here.
- PERSONAL DATA: means any information relating to an identified or identifiable natural person, i.e. a person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.
- DATA SUBJECT: means the data subject whose Personal Data is processed by Ringover and/or the Client under this Contract.
- APPLICABLE DATA PROTECTION REGULATIONS: means all laws and regulations, including the laws and regulations of the European Union, the European Economic Area and their Member States, including the French Data Protection Act (Loi Informatique et Libertés no. 78-17) as amended, applicable to the processing of Personal Data under the Contract, including the GDPR as defined below.
- DATA CONTROLLER or CLIENT: means the company signing this Contract, which determines the instructions and the means and purposes of the processing of Personal Data, also referred to as the "Client".
- GDPR: means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- RINGOVER SERVICE: means the services offered by Ringover (as defined in the Ringover Service Contract) that the Client has purchased or deployed or to which the Client has subscribed under the Ringover Service Contract.
- PROCESSOR or RINGOVER: refers to the company BJT Partners and its brand Ringover, which carries out personal data processing on behalf of and on the instructions of the Client, also referred to as "Ringover".
- SUB-PROCESSOR: means any processor engaged by Ringover to process all or part of the Personal Data on behalf of and at the direction of Ringover.
- PROCESSING: means any operation or set of operations which is performed on personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, as described in Appendix A.
All terms relating to the protection of personal data that are not specifically defined in the Contract, such as "supervisory authority", "filing system", "recipient", "personal data breach" and "consent", shall have the meaning given to them in Article 4 of the GDPR.
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties
The Parties acknowledge and agree that, with respect to the Processing of Personal Data, the Client is the Controller, Ringover is the Processor and that Ringover may hire Sub-Processors in accordance with the provisions of Article 4 "Sub-Processing" below.
2.2 Processing of Personal Data by the Client
The Client, acting as Data Controller, determines the purposes and means of processing Personal Data. The Client undertakes, when using the Ringover Services, to process Personal Data in accordance with the requirements of the Applicable Data Protection Regulations. For the avoidance of doubt, the Client’s instructions for processing Personal Data must comply with the Applicable Data Protection Regulations. The Client is solely responsible for the accuracy, quality and legality of the Personal Data and for the means by which the Client has acquired it. The Client shall also inform the Data Subjects of the Processing of their Personal Data by Ringover.
2.3 Processing of Personal Data by Ringover
Ringover, acting as a Processor, undertakes to treat Personal Data as confidential information and undertakes to process Personal Data only on behalf of the Client and in accordance with the Client’s documented instructions. The Client instructs Ringover to process Personal Data for the following purposes: (i) processing for the performance of this Contract, the Ringover Service Contract and any applicable order form(s); (ii) processing initiated by Client in the course of using the Ringover Services and generally for the provision of the Ringover Services, (iii) processing to comply with any other reasonable and documented instructions from Client (e.g., by e-mail) so long as such instructions are consistent with the terms of the Contract.
2.4 Details of the processing of Personal Data
The purpose of the Processing of Personal Data by Ringover is the provision of the Ringover Services in accordance with the Ringover Service Contract as described in this Contract. The duration of the Processing, the nature and purpose of the Processing and the types of Personal Data and categories of Data Subjects processed under this Contract are set out in Appendix A (Details of the Processing).
3. ROLES AND RESPONSIBILITIES
3.1 Obligations of the Client
The Client undertakes to:
- provide documented instructions on the purposes and means of the Processing of Personal Data provided by the Client to Ringover in accordance with the Contract;
- comply with its obligations, in particular under the Applicable Data Protection Regulations, with regard to the protection of Personal Data, and with regard to the security of the collection and Processing of Personal Data provided by the Client to Ringover; and to
- designate, at Ringover’s request, a single point of contact to receive and respond to Ringover’s enquiries regarding the administration of the Client’s Personal Data related to the Ringover Service Contract.
3.2 Obligations of Ringover
Ringover, as a Processor, undertakes to:
- ensure that all persons authorised by Ringover to participate in the Processing of Personal Data on behalf of the Client (including its staff, agents and sub-contractors) have undertaken to maintain confidentiality or are subject to an appropriate legal obligation of confidentiality and to comply with the principles of Personal Data protection. Ringover undertakes to take commercially reasonable steps to ensure the reliability of any of its staff involved in the Processing of Personal Data. The Processor undertakes to restrict access to Personal Data to only those members of its staff who strictly need access to such data in order to carry out their duties and obligations under the Ringover Service Contract, the applicable order form(s) and this Contract;
- inform the Client without delay if, in its opinion, an instruction violates the provisions of the Applicable Data Protection Regulations;
- take all technical and organisational measures necessary to ensure the security of the Processing. In particular, Ringover undertakes to implement the appropriate technical and organisational measures described in Appendix C, taking into account the state of the art, the cost of implementation, the nature, scope, context and purposes of the Processing, as well as the risks related to the likelihood and seriousness of harm to the rights and freedoms of the Data Subjects resulting from the Processing of Personal Data. These measures may be reviewed and updated as and when the Applicable Data Protection Regulations change or as and when Ringover deems necessary;
- reasonably assist the Client in complying with, and demonstrating compliance with, its obligations relating to the protection of Personal Data, in particular its obligations to notify the supervisory authority of a data breach and to communicate it to the Data Subjects, to carry out data protection impact assessments and to consult the supervisory authority where appropriate, taking into account the nature of the Processing and the information available to Ringover;
- cooperate with the relevant supervisory authorities where necessary; and
- make available to the Client all information reasonably necessary to demonstrate compliance with the Client’s Personal Data Protection obligations.
As far as possible, the Parties undertake to cooperate with each other in the event of an inspection by the CNIL or any other competent authority concerning the Processing implemented.
4. SUB-PROCESSING
4.1 Authorisation of Sub-Processors
The Client acknowledges and agrees that Ringover may hire Sub-Processors in connection with the provision of the Ringover Services. In such event, Ringover shall have entered into a written agreement with each Sub-Processor containing data protection obligations with respect to the protection of the Client’s Personal Data, to the extent applicable given the nature of the Ringover Services provided by said Sub-Processor.
4.2 Responsibility of Sub-Processors
Ringover remains liable for the acts and omissions of its Sub-Processors under the same conditions as if Ringover was directly responsible for providing the Ringover Services entrusted to the Sub-Processors under this Contract, except where the Ringover Service Contract provides otherwise.
4.3 List of current Sub-Processors and notification of new Sub-Processors
Ringover makes available to the Client a list of current Sub-Processors who may be involved in the provision of the Ringover Services and in the Processing described in Appendix A. The list of current Sub-Processors is set out in Appendix B and is also available in the Ringover personal space accessible to users with "super administrator" privileges.
Ringover undertakes to inform the Client in the event of the addition or deletion of Sub-Processors at least ten (10) working days before such changes.
4.4 The Client’s right to object to new Sub-Processors
The Client may object to Ringover’s appointment of a new Sub-Processor, if it objectively considers that such Sub-Processor prevents the Client from complying with its legal obligations, in particular under the Applicable Data Protection Regulations to which it is subject, by promptly notifying Ringover in writing within ten (10) working days of receipt of Ringover’s notification under the mechanism described in Article 4.3. If the Client objects to the appointment of a new Sub-Processor, Ringover shall use reasonable efforts to offer the Client an alternative solution for the provision of the Ringover Services, or to recommend a commercially reasonable change in the Client’s configuration or use of the Ringover Services, so as to avoid the Processing of Personal Data by the Sub-Processor objected to, without this constituting an unreasonable effort for the Client.
5. SECURITY
5.1 Security measures
Ringover undertakes to implement and maintain appropriate technical and organisational security measures to ensure the security, confidentiality and integrity of the Personal Data provided by the Client (including protection against unauthorised or unlawful Processing, and against accidental or unlawful loss, destruction, alteration, damage, unauthorised or unlawful disclosure of or access to the Client’s Personal Data), in accordance with the Ringover security standards described in Appendix C ("Technical & Organisational Security Measures"). Ringover regularly checks compliance with these measures. Ringover undertakes not to substantially reduce the overall security of the Ringover Services during the period of the Client’s subscription.
5.2 Security updates
It is the Client’s responsibility to verify the information made available by Ringover regarding the security of Personal Data and to independently determine whether the Ringover Services meet the Client’s legal requirements and obligations under the Applicable Data Protection Regulations. The Client acknowledges that security measures are subject to technical progress and development and that Ringover may update or modify the security measures from time to time, without prior notice to the Client, provided that such updates and modifications do not result in a significant degradation of the overall security of the service provided to the Client. The Client may at any time obtain information on changes to Ringover’s security measures by contacting email@example.com.
5.3 Client’s responsibilities
Notwithstanding the foregoing, the Client agrees, except as otherwise provided in this Contract or the Ringover Service Contract, to be responsible for its secure use of the Ringover Service, including securing its account authentication credentials, protecting the security of the Client’s data in transit to and from the Ringover Service, taking appropriate steps to encrypt or securely back up the Client’s data uploaded to the Ringover Service. The Client also declares that it is responsible for the secure use of the Ringover Service by its employees or processors.
6. INCIDENT MANAGEMENT AND DATA BREACHES
Ringover maintains security incident management rules and procedures and will promptly notify the Client, in accordance with the Applicable Data Protection Regulations, of any accidental or unlawful loss, destruction or alteration of, and any unauthorised disclosure of or access to, Client Data, including Personal Data transmitted, stored or processed by Ringover or its Sub-Processors, of which Ringover becomes aware. Ringover will use reasonable efforts to identify the cause of such an incident, whether or not it constitutes a data breach within the meaning of the Applicable Data Protection Regulations, and will take such steps as it considers necessary and reasonable to remedy the cause of the incident, to the extent that doing so is within its control.
In particular, once Ringover becomes aware of a breach of Personal Data, Ringover:
- will in all cases inform the Client without undue delay and, where possible, not later than 72 hours after becoming aware of the security incident;
- will provide timely information to the Client regarding the data breach as and when it becomes aware of it or upon reasonable request by the Client;
- will promptly take reasonable steps to contain and investigate any data breach. In any event, Ringover’s notification or response to a data breach shall not be construed as an admission by Ringover of any fault or liability in connection with the security incident; and
- will, where appropriate, notify the relevant supervisory authority of the Personal Data breach. This notification will include the following:
- The description and nature of the Personal Data breach including, if possible, the categories and approximate number of Data Subjects affected by the Personal Data breach and the categories and approximate number of records of Personal Data affected;
- The name and contact details of the Data Protection Officer or other point of contact from whom further information can be obtained;
- A description of the likely consequences of the Personal Data breach;
- A description of the measures taken or proposed to be taken by Ringover to remedy the Personal Data breach, including, if applicable, measures to mitigate any negative consequences.
These obligations do not apply to incidents caused by the Client.
7. AUDIT
Upon request and in strict compliance with the confidentiality obligations set forth in the Service Contract, Ringover agrees to make available to the Client all information reasonably necessary to demonstrate Ringover’s compliance with the terms of this Contract, including responses to information security questionnaires, provided that the Client is not a competitor of Ringover or an affiliate of a competitor of Ringover. Ringover will answer questions posed by the Client about the Processing of Personal Data provided by the Client.
In the event that the information provided by Ringover does not allow the Client to reasonably verify Ringover’s compliance with its obligations under this Contract or in the event of a breach of Personal Data, Ringover shall, in consultation with the Client, either:
- provide the Client with a certificate issued by an independent qualified third-party expert certifying that Ringover’s business processes and procedures that involve the Processing of Personal Data provided by the Client comply with this Contract; or alternatively
- allow an independent third-party expert, hired by the Client and at the Client’s expense, to conduct an audit of the facilities Ringover uses to process the Client’s Personal Data. The appointment of the independent third-party expert must be reasonably acceptable to Ringover, and such expert must be bound by confidentiality obligations satisfactory to Ringover. The Client shall provide Ringover with a copy of the audit report. The audit will be considered as confidential information of Ringover.
Audits may be conducted no more than once per year per Client, during the term of the Ringover Service Contract, during normal business hours, and shall be subject to (i) a written request submitted to Ringover at least sixty (60) days prior to the proposed audit date and (ii) a detailed written audit plan reviewed and approved by Ringover’s security organisation. Such audits may only be conducted in the presence of a representative of the Ringover security team or any other person appointed by Ringover for this purpose. Audits must not disrupt Ringover’s Processing activities or compromise the security and confidentiality of Personal Data belonging to other Ringover Clients.
The Client shall pay for the time spent by Ringover and its teams or Sub-Processors on such an audit at Ringover’s professional service rates applicable at that time, which shall be made available to the Client upon request. Prior to the commencement of such an on-site audit, the Client and Ringover shall mutually agree on the scope, schedule and duration of the audit, as well as the costs for the time spent by Ringover and its teams or Sub-Processors, for which the Client shall be responsible. These costs must be reasonable, taking into account the resources expended by Ringover or its Sub-Processors. The Client undertakes to inform Ringover promptly of any non-compliance discovered during an audit.
8. DATA OWNERSHIP, TRANSFER AND DELETION
8.1 Data ownership
The Parties agree that Personal Data collected, processed, hosted, backed up or stored by Ringover on behalf of the Client, under this Contract and the Ringover Service Contract or at the Client’s initiative, is and remains the sole property of the Client.
8.2 Data transfer
In order to provide the Ringover Services under the Service Contract, Ringover may need to transfer certain Personal Data provided by the Client to Sub-Processors in accordance with Article 4 of the Contract, some of which may be located in countries outside the European Economic Area that do not ensure an adequate level of protection for Personal Data.
Ringover undertakes, in accordance with the Applicable Data Protection Regulations, to implement a mechanism to cover such a transfer in a manner that complies with the Applicable Data Protection Regulations and in particular with the Standard Contractual Clauses adopted by the European Commission to govern the transfer of Personal Data to Sub-Processors located outside the European Economic Area.
8.3 Return or deletion of Personal Data
Upon termination or expiration of the Ringover Service Contract, Ringover shall cease all operations on the Personal Data provided by the Client and, at the Client’s discretion, shall return or irretrievably delete all Personal Data provided by the Client under the Ringover Service Contract and shall require its Sub-Processors to do the same. If the Client does not make this choice, Ringover will automatically delete the Personal Data provided by the Client under the Ringover Service Contract.
If Ringover is prohibited by the Applicable Data Protection Regulations, its national law or a supervisory authority from destroying or returning all or part of such Personal Data, Ringover undertakes to maintain the confidentiality of such Personal Data and will not process any of these data for any other purpose. In such event, Ringover may retain a copy of the Personal Data provided by the Client as archives, to the extent required by the Applicable Data Protection Regulations, as authorised by the Client, or as necessary for dispute resolution purposes.
Once the data has been returned to the Client, Ringover will no longer be responsible for the security of the data and its integrity, in particular when it is stored, following the transfer of data from Ringover to the Client, on the Client’s servers or on the servers of a processor operating on behalf of the Client.
9. RIGHTS OF DATA SUBJECTS
If Ringover receives a request from a Data Subject to exercise his/her right of access, rectification, restriction of Processing, erasure, data portability or objection to Processing, his/her right to give instructions on the fate of his/her data after death, or his/her right not to be subject to automated individual decision-making, Ringover undertakes to promptly notify the Client thereof.
Given the nature of the Processing, Ringover undertakes to provide reasonable assistance to the Client to the extent possible and by appropriate technical and organisational means to enable the Client to comply with its obligation to respond to any Data Subject’s request in accordance with the Applicable Data Protection Regulations. In addition, at the Client’s express request and to the extent that the Client does not have the ability to respond to a Data Subject’s request in the course of its use of the Ringover Services, Ringover agrees to use commercially reasonable efforts to assist the Client in responding to such a request. In the event that such cooperation and assistance requires significant resources on the part of Ringover, Ringover reserves the right to charge the Client at Ringover’s professional service rates in force at that time, which will be made available to the Client upon request, with prior submission of a quote.
If Ringover receives a request for disclosure of Personal Data provided by Client from law enforcement, a government security agency or a supervisory authority, Ringover will promptly notify the Client of such request, except where disclosure of such information is prohibited by law.
In any case, Ringover will never respond to a request from a Data Subject whose Personal Data is processed on behalf of the Client, unless specifically instructed beforehand to do so by the Client in writing. Similarly, when the request is made by an authority and Ringover can inform the Client of this in accordance with the stipulations of the previous paragraph, Ringover will never respond to such a request unless specifically instructed beforehand to do so by the Client in writing.
10. COOPERATION AND ASSISTANCE
In addition to the obligations set forth in Articles 3 and 9, Ringover shall use its best efforts to cooperate with the Client to reasonably assist the Client in the performance of its obligations under the Applicable Data Protection Regulations and within the scope of Ringover and its Sub-Processors, including but not limited to the obligations to notify about any data breach or obligations to consult a supervisory authority.
Ringover’s cooperation and assistance to the Client may particularly include the following:
- upon request, Ringover will cooperate with the Client in responding to any request from a supervisory authority;
- Ringover undertakes to assist the Client in proving compliance with the rules prescribed by Articles 32 to 36 of the GDPR and in particular in carrying out a data protection impact assessment; and
- in the event of proceedings filed against a Party, the other Party shall cooperate in good faith and without undue delay, to the extent possible, with such proceedings.
In the event that such cooperation and assistance requires significant resources on the part of Ringover, Ringover reserves the right to charge the Client at Ringover’s professional service rates in force at that time, which will be made available to the Client upon request, with prior submission of a quote.
11. LIABILITY AND COMPENSATION
The entire liability of each Party arising out of or in connection with this Contract and the Ringover Service Contract and any order form, whether in contract, tort or otherwise, is subject to the "Limitation of Liability" article in the Ringover Service Contract, and any reference to a Party’s liability in that article means that Party’s entire liability under the whole of this Contract, the Ringover Service Contract and any order form signed between the Parties.
12. CONFIDENTIALITY
Each Party shall treat this Contract and information received from the other Party and its activities in relation to this Contract as confidential information and shall keep it in a proper and secure manner. Each Party shall not use or disclose such confidential information without the prior written consent of the other Party, unless (i) disclosure is required by law or (ii) the relevant information has already been made public.
13. DURATION OF THE CONTRACT
The Contract shall remain in force between the Parties for the duration of the provision of the Ringover Services in accordance with the terms of the Ringover Service Contract and any related order forms.
14. APPLICABLE LAW, JURISDICTION AND DISPUTES
This Contract is governed by French law. The Parties shall use their best efforts to resolve amicably, in a fair and equitable manner, any dispute relating to the formation, interpretation, performance and termination of this Contract. The Parties agree to meet after receipt of a notification to this effect sent by registered mail with acknowledgement of receipt by one of the Parties with the intention of resolving this dispute amicably. If the Parties fail to reach an amicable settlement by signing a settlement agreement within sixty (60) days following the amicable settlement meeting, the Parties shall submit their dispute to the competent court within the jurisdiction of the Paris Court of Appeal, which shall have exclusive jurisdiction to settle the dispute.
This Contract constitutes the entire agreement between the Parties with respect to its subject matter. Any modification to this Contract shall be made in a written amendment signed by both parties. In the event of any conflict between this Contract, the Ringover Service Contract or any order form, this Contract shall prevail except where the Ringover Service Contract is expressly given precedence.
All notices and communications given under this Contract shall be in writing and shall be sent by post or email to the postal and email addresses set out in the heading of this Contract. If one of the parties changes its address during the term of the Ringover Service Contract, it shall be responsible for informing the other party of this within a reasonable period of time by post or e-mail.
This Contract is duly accepted by the Parties and takes effect on the date of signature of the order form.
APPENDIX A: Details of data processing
| DATA CATEGORIES | DATA RETENTION PERIOD |
|---|---|
| General information: company name, address, number of employees, etc. | For the lifetime of the Client. Upon termination, this data is kept for one (1) year for any potential requisition by the competent authorities. |
| Call and fax logs: all information about incoming and outgoing calls | This data is kept for one (1) year for any potential requisition by the competent authorities. |
| Call recordings: audio recordings of incoming and outgoing calls | The recordings are kept for a maximum of six (6) months on Ringover’s servers. |
| SMS logs | This data is kept for one (1) year for any potential requisition by the competent authorities. |
| SMS content | SMS content is kept for a maximum of one (1) year and is deleted upon termination. |
| MMS logs | This data is kept for one (1) year for any potential requisition by the competent authorities. |
| MMS content | MMS content is kept for a maximum of one (1) year and is deleted upon termination. |
| Webhook logs | Webhook call logs are kept for one (1) month. |
| Fax | This data is kept for one (1) year for any potential requisition by the competent authorities. |
| Transactional emails | Ringover does not store transactional email history containing Client information. |
| CRM contact | 3 years from the last active exchange with the Client / prospect. |
| Client contact, created manually by the Client on Ringover | Any contact manually deleted by the Client is deleted by Ringover. Upon termination of the Client, Ringover deletes all contacts. |
| Client contact, synchronised with CRM | The Client can desynchronise its contacts directly in its administration space via an option available on its Ringover dashboard. When the Client activates the desynchronisation of CRM contacts, Ringover no longer holds any of the Client’s contacts. |
| Client contact, retrieved by webhook | Upon termination by the Client, Ringover will delete or return all contacts upon request by the Client. Any contact manually deleted by the Client is deleted by Ringover. |
COMPLIANCE WITH THE LEGAL RETENTION PERIOD FOR ELECTRONIC COMMUNICATIONS
As an operator of electronic communications services within the meaning of Article L.33-1 of the French Postal and Electronic Communications Code, our activity is declared to the ARCEP and we are required to keep certain personal data relating to electronic communications services for a legal period of 12 months in accordance with the provisions of Article L.34-1 of the French Postal and Electronic Communications Code (III. to VI.) and its implementing decrees 2006-538 and 2012-436.
APPENDIX B: List of processors
| NAME OF PROCESSOR | ACTIONS TAKEN ON THE DATA | LOCATION OF SERVERS | MEASURES TO COVER THE TRANSFER (if applicable) |
|---|---|---|---|
| SCALEWAY | Storage of our databases, cloud service, API load balancer & CDN/S3 | FRANCE | N/A |
| DATAPACKET | Storage of our databases, web servers, telecom servers | FRANCE | N/A |
| CLOUDFLARE | DNS and API load balancer | UNITED STATES | No transfer outside the EU; data localization suite option (data stored in the EU) |
| COLT | Number rental | UNITED KINGDOM | N/A, SCC or any other measure replacing them post-Brexit |
| VONAGE | Number and SMS rental | UNITED STATES | SCC |
| BICS | Telecommunication services, SIP trunk and emergency calls | BELGIUM | N/A |
| TOFANE | Telecommunication services, international call termination | FRANCE | N/A |
| TATA COMMUNICATIONS | Telecommunication services, international call termination | UNITED KINGDOM | SCC |
| ORANGE INTERNATIONAL CARRIERS | International VoIP telecommunication service | FRANCE | N/A |
| SALESFORCE | CRM for customer management and follow-up | UNITED STATES | SCC |
| FINANCIAL FORCE | Billing management | UNITED STATES | SCC |
| SENDGRID | Mailing (backup provider) | UNITED STATES | SCC |
| SLACK | Internal communication tool | UNITED STATES | SCC |
| DEEPTRANSCRIPT | Transcription of telephone conversations | FRANCE | N/A |
APPENDIX C: Technical & Organisational Security Measures
1. DATA HOSTING
All the centres where the data necessary for the provision of Ringover services are hosted are located in France, thus not generating any data transfer outside the European Union or the European Economic Area.
These hosts have the following certifications:
|Data centre|Location|Certification|
|---|---|---|
|Telehouse 2|Paris|PCI-DSS for service providers|
|Scaleway DC 3|Vitry-sur-Seine|HDS certification|
1.3 Business continuity plan
We also have a business continuity and incident response plan in place.
1.4 Organisation and safety
- our data centres manage physical security 24/7, using biometric scanners or high-level identity checks;
- we have 2 different electrical inputs for each rack;
- we have implemented DDOS mitigation measures in all our data centres;
- we have different Class 3 providers for IP transit; and
- our services rely on multiple operators for voice and SMS to ensure a seamless service and better security.
Visits to hosting sites: No Clients, suppliers or visitors have access to our hosting sites. Requests for access to hosting sites are strictly documented and must be justified by the appropriate Ringover staff.
2. APPLICATION SECURITY LEVEL
- All login pages (on our website and mobile website) transmit data via TLS.
- After login, the Ringover application uses a temporary token to identify the Client.
- All Ringover application traffic is encrypted with TLS, and voice data is encrypted with SRTP.
- The dashboard allows you to restrict Ringover support's access to your account.
- Your credit card details are not stored in our database. We use service providers (listed in Appendix B) that handle your payments with temporary wallet identifiers.
3. TRAINING & AWARENESS RAISING OF RINGOVER EMPLOYEES
All employees sign a privacy agreement outlining their responsibility to protect Client data.
We are implementing awareness-raising operations for our teams and we plan to increase the frequency and development of awareness-raising operations, particularly in the area of cyber security. In addition, good security practices are the subject of training communications (for example, when new employees join) and written material is accessible (posted in work areas and made available on the intranet). In addition, we train our employees to acquire the right data security reflexes and we also carry out internal tests (e.g. "fake phishing campaign", use of public Wi-Fi networks, etc.).
4. SECURITY MEASURES APPLICABLE TO OUR PREMISES & EMPLOYEES
We implement industry-standard physical security and protection measures. Our offices and our employees’ information systems are adequately secured and the measures implemented include, in particular:
- securing of the premises with an alarm;
- access control measures with reception staff present throughout the opening hours;
- secure, personal access badges with traceable logs;
- metal curtains protecting access to the premises;
- identifier and password strength requirements with the obligation to renew them regularly;
- limiting and controlling access to information systems according to the access privileges and access needs of employees.
Visit to the Ringover premises: Visitors, Clients and suppliers must register at the reception desk and are always accompanied by a member of the Ringover staff when entering our premises and during their time on site. The same goes for leaving.
5. PASSWORD HASHING TECHNOLOGY
We systematically hash passwords with a salt, using a hashing algorithm at least as robust as the SHA-256 standard.
Passwords for Ringover accounts are hashed. Our own staff can’t even see them. If you lose your password, it cannot be recovered - it must be reset.
6. SEGREGATION OF WORKING ENVIRONMENTS: PRODUCTION & DEVELOPMENT
Our environments are strictly separated, both physically and logically. All developments are carried out on development environments that are separate from the production ones. We also implement a strict testing procedure on multiple environments before making the decision to go live.
In addition, all databases are separate and dedicated, so as to prevent corruption and overlap. Several layers of logic separate user accounts from each other.
7. VULNERABILITY MONITORING AND REMEDIATION (WORKSTATION & PRODUCTION)
We actively monitor the emergence and identification of new potential vulnerabilities (including 0-days) and enforce the deployment of new security patches on all workstations and production environments.
8. SERVER UPDATES, FIREWALLS, NETWORK BACKUPS & ANTI-VIRUS
8.1 Policy applicable to our servers
Our servers are updated regularly, especially at every production launch.
We have a physical firewall (machine) with firewalling rules that only allow flows that are necessary for Ringover’s purposes and the provision of its services to Clients.
We have an automatic hot and cold backup system for machines and database clusters.
We do not use a VPN, but use SSH tunnels to access the servers.
8.2 Policy applicable to our premises
All workstations and production environments are protected by antivirus software. On each workstation, an automatic sleep mode is also set up and configured after 5 minutes of inactivity.
9. PRIVILEGES AND SEGMENTATION OF ADMINISTRATION USES
We have implemented several classes of access and permission privileges for our Clients:
- single user;
- super administrator; and
These 4 user classes ensure that the access and power of each of the Client’s users only have the rights necessary for them to use the services, on a strict "need to know" and "need to do" basis. These 4 levels of use enable the uses and administration rights of the Ringover solution to be segmented.
10. RESPONSIBLE DISCLOSURE
If you have discovered a vulnerability in the Ringover application, please do not share it publicly. Instead, please submit a report via the process described below. We review all security issues brought to our attention and take a proactive approach to emerging security issues. New security problems and attack vectors emerge every day. Ringover strives to keep abreast of the latest security developments, both internally and by collaborating with external security researchers and companies. We appreciate the community’s efforts to create a more secure website.
If you believe your account has been compromised or if you notice any suspicious activity on your account, please send an email to firstname.lastname@example.org.