This Data Processing Agreement (“DPA”), effective as of December 21, 2023 (the “Effective Date”), by and between Client (“Data Controller” or “Client”) and Eton Solutions, L.P. (“Data Processor” or “Eton”), sets forth the terms and conditions relating to the privacy, confidentiality, security and protection of Personal Data (as defined below) associated with services rendered by, and/or products provided by, Processor to Controller (and/or its Affiliates) pursuant to any agreement between Eton and Client (and/or its Affiliates), regardless of whether such agreement exists as of or after the Effective Date (such agreement, as applicable, the “Services Agreement”, which, together with this DPA, constitutes the “Agreement”).
1. Definitions
“Affiliates” means any entity that now or in the future directly or indirectly controls, is controlled by, or is under common control or ownership for as long as such control exists, where “control” (including the terms “controlled by” and “under common control with”) means the possession, directly or indirectly, of the power to direct, influence or cause the direction of the management policies of an entity, whether through the ownership of voting securities, by contract, or otherwise.
“Aggregate” means to combine information that relates to a group or category of individuals, from which individual identities have been removed, that is not linked or reasonably linkable to any individual or household, including via a device.
“Anonymization” shall have the meaning ascribed to it in the GDPR and shall also include “Deidentify” as defined in the CCPA and CPRA.
“CCPA” means the California Consumer Privacy Act of 2018, and its implementing regulations. “CPRA” means the California Privacy Rights Act of 2020, and its implementing regulations.
“Client Personal Data” means Personal Data Processed by Eton as a Processor on behalf of Client or its Affiliate pursuant to the Services Agreement.
“Controller-to-Processor SCCs” means the Standard Contractual Clauses (Processors) in the Annex to the European Commission Decision of February 5, 2010, as they may be amended or replaced from time to time.
“Data Controller” means the entity which determines the purposes and means of Processing Personal Data.
“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
“Data Protection Laws” means, as applicable to the parties, all applicable data protection laws, rules, regulations, directives and governmental requirements currently in effect and as they become effective relating in any way to the privacy, confidentiality, security or protection of Personal Data, and shall include the GDPR, the PDPA, the CCPA and the CPRA.
“Data Subject” means an identified or identifiable natural person to which the Personal Data pertains.
“Europe” or the “EU” means the European Economic Area plus Switzerland and the UK.
“GDPR” means collectively the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of April 27, 2016 as amended or replaced from time to time, and the UK Data Protection Act of 2018 (“UK GDPR” as it forms part of retained EU law (as defined in the European Union (Withdrawal) Act 2018)).
“PDPA” means the Personal Data Protection Act of 2012.
“Personal Data” means any data, information or record Processed in connection with the Services Agreement that (i) relates to an identified or identifiable natural person, or (ii) identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular natural person or household, regardless of the medium in which it is held.
“Personal Data Breach” means the (1) breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Client Personal Data Processed under the Services Agreement, or (2) similar incident involving Client Personal Data.
“Process,” “Processing” or “Processed” means any operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Sell” shall have the meaning ascribed to it in the CCPA.
“Sensitive Personal Data” shall have the meaning ascribed to it in the GDPR, the PDPA and the CPRA.
“Standard Contractual Clauses” or “SCCs” means, as applicable, the Controller-to-Processor SCCs entered into between the parties.
“Supervisory Authority” means a government regulator or enforcement authority which has regulatory or enforcement authority with respect to the privacy, confidentiality, security or protection of Personal Data.
2. Nature of Data Processing
2.1 Processing Limitations. Eton will only Process Client Personal Data and Sensitive Personal Data in accordance with the processing schedule set out in Appendix 1 (Section A), on behalf of and in accordance with Client’s written instructions as set forth in, or pursuant to, the Services Agreement. Eton will treat Client Personal Data as confidential information and impose confidentiality obligations on all personnel who Process Client Personal Data. Eton will neither (i) Sell Client Personal Data or Sensitive Personal Data; nor (ii) retain, use or disclose Client Personal Data (a) for any purpose other than for the specific purposes of performing under the Agreement, or (b) outside of the direct business relationship between Eton and Client (and its Affiliates).
If applicable law requires Eton (or, for the avoidance of doubt, any sub-processor) to carry out Processing that is, or may be construed as, inconsistent with Client’s instructions, Eton will promptly notify Client of such inconsistency before commencing (or continuing) the Processing, unless notification is prohibited by law.
2.2 Role of the Parties. As between Eton and Client (and its Affiliates), Client (or its Affiliate) is the Data Controller of Client Personal Data, and Eton is the Data Processor, which Processes Client Personal Data on Client’s (or its Affiliate’s) behalf and will have no ownership rights or interest in Client Personal Data. The Parties acknowledge and agree that (i) the Client Personal Data that Client or its Affiliate discloses to Eton is provided to Eton for a business purpose, and Client does not Sell Personal Data to Eton in connection with the Agreement; and (ii) during the time the Client Personal Data and Sensitive Personal Data are Processed by Eton, Client (or its Affiliate) has no knowledge or reason to believe that Eton is unable to comply with the provisions of this DPA, and Eton will inform the Client (or its Affiliate) if it is unable to provide the services.
2.3 Anonymize or Aggregate Data. Eton may not Anonymize Client Personal Data and Sensitive Personal Data as part of its performance under the Services Agreement or for any other purpose, unless it receives Client’s prior written consent for such activities. If such consent is provided by Client, such Anonymization or Aggregation, as the case may be, can be performed only to the extent such activity meets the applicable standard required under the applicable Data Protection Laws. Eton may Aggregate Client Personal Data and Sensitive Personal Data as part of its performance under the Services Agreement to show statistics of performance of financial data.
3. Compliance with Applicable Law
The Parties shall comply with Data Protection Laws. This DPA is not intended to reduce the level of protection applicable to any Data Subject. In the event of a conflict between this DPA and the Services Agreement, the terms of this DPA shall prevail. In the event of a conflict between this DPA and Data Protection Laws, the provisions of the applicable Data Protection Laws shall prevail. In accordance with Section 5 below, Eton shall comply with the industry standards and requirements that apply to Eton and relate to the privacy, confidentiality, security, protection or electronic storage of Client Personal Data. If Eton considers that any instruction from Client violates, or could result in Processing that violates, applicable law, Eton shall promptly notify Client.
4. Sub-Processors
4.1 Appointment of Sub-Processors. Eton will not subcontract any of its rights or obligations under the Agreement without Client’s prior written consent. Unless otherwise agreed upon in the Services Agreement, Client hereby consents to Eton’s use of its Affiliates as sub-processors and any other third parties as sub-processors if such third parties are specifically identified in the Services Agreement (including any applicable statement of work or order form). Eton shall provide Client with written notice of any intended changes to the authorized sub-processors and Client shall promptly notify Eton in writing of any objection to such changes which is reasonable and related to data protection. Where Eton, with the consent of Client (which consent will not be withheld except due to an objection as described above), subcontracts its obligations under the Services Agreement to a sub-processor that has been deemed capable of safeguarding Client Personal Data, Eton will only do so by way of a written agreement with such sub-processor that imposes privacy, confidentiality, security and data protection obligations on the sub-processor at least equivalent to those that are set out in this DPA, including the obligation to impose these obligations on any further sub-processor.
4.2 Liability. Eton will remain liable to Client for (i) its obligations under the Agreement even if such obligations are delegated to a sub-processor, including the proper and timely performance of services, and (ii) the acts or omissions of any person or entity to which Eton delegates any such obligation.
5. Security
5.1 Security Program. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Eton will maintain, or cause to be maintained, a reasonable and appropriate information security program that complies with Data Protection Laws and is designed to reasonably ensure the confidentiality, integrity, availability and resilience of all Client Personal Data.
5.2 Security Measures. Eton shall maintain reasonable and appropriate administrative, physical, technical (including electronic), and organizational security measures including, as appropriate: (i) encryption and pseudonymization; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to Client Personal Data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of those measures. Eton represents and warrants it has implemented the administrative, physical, technical and organizational security measures described in the attached Appendix 2 to protect Client Personal Data. Eton agrees to store Client Personal Data pursuant to the Services Agreement in the United States and further acknowledges that it shall not combine the Personal Data with the Personal Data of its Affiliates.
5.3 Access to Client Personal Data. Eton will ensure that Client Personal Data is only available to Eton personnel who have a legitimate business need to access the Client Personal Data, who are bound by legally enforceable confidentiality obligations, who have received training on applicable data protection policies and procedures, and who will only Process Client Personal Data in accordance with Client’s instructions. If Eton is unable to Process pursuant to Client instructions during the course of Processing Client Personal Data, Eton will promptly inform the Client.
5.4 Personal Data Breach Response and Notification. Eton will promptly, within 72 hours and without undue delay, notify Client of any Personal Data Breach of which Eton becomes aware by sending written notice via email. Eton will provide further notice as information becomes available, which will summarize in reasonable detail the nature of the Personal Data Breach, including the categories and approximate numbers of Data Subjects affected; whether the Client Personal Data is lost, stolen or compromised, if known; Eton’s appraisal of the consequences of the Personal Data Breach; the corrective action taken or to be taken by Eton; any internal point(s) of contact responsible for managing or responding to the breach; and Eton’s Data Protection Officer or equivalent under applicable Data Protection Laws, if any. Eton will promptly take all necessary and advisable corrective actions and will cooperate fully with Client in all reasonable and lawful efforts to prevent, mitigate, or rectify such Personal Data Breach. If, according to the Client’s assessment, a Personal Data Breach affecting Client Personal Data should be disclosed or reported to a third party, including Data Subjects, Supervisory Authorities or governmental authorities, Eton will fully cooperate with and assist Client in such reporting or disclosure within 72 hours.
6. Audits/Inspections
Eton will make available to Client all information necessary to demonstrate compliance with the obligations of this DPA. Client will have the right to verify compliance by Eton and any sub-processor with the terms of this DPA with respect to the Processing of Client Personal Data or to appoint a third-party auditor (non-competitor of Eton) under reasonable obligations of confidentiality to verify the same on Client’s behalf. Eton will grant Client, or its agents, access to the extent necessary to accomplish the inspection and review of all data processing facilities, data files and other documentation in relation to the Processing of Client Personal Data per the Agreement. Eton agrees to provide reasonable assistance to Client in facilitating this inspection function. Client will provide Eton 30 days prior written notice of the intent to audit and will not make such a request more than once a calendar year (unless there has been a Personal Data Breach affecting Client Personal Data). In the event Eton does not have the right to audit (or enforce Client’s right to audit) any sub-processor, Eton shall instead make available for Client’s review copies of certifications or reports demonstrating such sub-processor’s compliance with prevailing data security standards applicable to the Processing of Client Personal Data. Notwithstanding any contrary provision in this DPA, the parties agree that the audits described in the applicable Controller-to-Processor SCCs shall be carried out in accordance with this Section.
7. Eton’s Cooperation Obligation
7.1 Cooperation. Eton will provide reasonable assistance to Client with (i) responding to Data Subjects’ requests to exercise their rights under Data Protection Laws; (ii) assistance with Client’s performance of a data protection impact assessment with respect to the Processing of Client Personal Data under this DPA; and (iii) requests or investigations of Client by a Supervisory Authority with respect to the Processing of Client’s Personal Data under the Agreement. Eton has the right to charge a reasonable fee for fulfilling its obligations under this Section as well as reimbursement for all costs and expenses incurred.
7.2 Third Party Access Requests and Complaints. Eton will promptly, and within 72 hours, notify Client of any request or complaint from any Supervisory Authority, government official, Data Subject or any other third party relating to Client Personal Data or Client’s obligations under Data Protection Laws. Eton will notify Client of any court order, subpoena or similar request made to Eton in relation to any Client Personal Data no later than five (5) business days after its receipt, unless prohibited by applicable law. Eton will comply with any retention request from Client in relation to Client Personal Data and will provide the support necessary for Client to comply with third-party requests if Client cannot reasonably obtain such information otherwise.
8. Data Retention, Return and Deletion
8.1 Retention. Eton will not retain Client Personal Data any longer than is reasonably necessary to accomplish the intended purposes for which the Client Personal Data was Processed pursuant to the Agreement.
8.2 Return and Deletion. When Client Personal Data is no longer necessary for the purposes set forth in the applicable Services Agreement or promptly upon the expiration or termination of the Agreement, whichever is earlier, or at an earlier time as Client requests in writing, Eton will (i) return to Client, in the format and on the media requested by Client, all or, if specified by Client, any part of the Client Personal Data; and (ii) destroy all, or if specified by the Client, any part of the Client Personal Data in Eton’s possession or control; provided that: (a) in the event Client requests such return or destruction, to the extent Eton is precluded from or delayed in fulfilling its obligations under the Services Agreement without such Client Personal Data, such failure or delay shall not constitute a breach of those obligations; and (b) copies of such Client Personal Data may be retained to the extent they are electronically stored pursuant to Eton’s ordinary course back-up procedures (including, without limitation, those regarding electronic communication) so long as such Client Personal Data is kept confidential as otherwise required under this DPA. The foregoing obligations will also apply to Client Personal Data held by sub-processors to the extent permitted by Eton’s agreement with such sub-processors. Eton will provide a certification of destruction if requested. If applicable law does not permit Eton to comply with the return or destruction of Client Personal Data, Eton agrees such retained Client Personal Data shall remain in Eton’s possession subject to the terms of this DPA, and Eton shall return or destroy such Client Personal Data when permitted by applicable law.
9. International Data Transfers
9.1 Transfer Mechanism. If the services and/or products provided by Eton under the Services Agreement involve an international transfer of Client Personal Data regulated by Data Protection Laws, such transfer shall only take place if (as applicable): (i) the country or territory to which the transfer is to be made is within the European Economic Area or Switzerland; (ii) the European Commission or the applicable Supervisory Authority has deemed the country or territory to which the data is transferred adequate for data protection purposes; or (iii) Eton can provide appropriate safeguards in accordance with applicable Data Protection Laws. Such appropriate safeguards may include, without limitation, the application of binding corporate rules, Processing in a manner consistent with the APEC Cross-Border Privacy Rules system, or adherence to a certification mechanism, a contractual mechanism or a code of conduct that has been approved by the applicable Supervisory Authority.
9.2 Standard Contractual Clauses. If none of the foregoing mechanisms in Section 9.1 applies to the transfer of Personal Data outside Europe, the transfer of Client Personal Data shall be subject to the unchanged EU version of the applicable Controller-to-Processor SCCs. The SCCs shall be deemed incorporated herein by reference (execution of this DPA shall be deemed execution of the applicable SCCs). For the purposes of the SCCs: (i) Client shall be deemed the data exporter and Eton the data importer. Any reference to Directive 95/46/EC in the SCCs shall be read as a reference to the appropriate provisions of the GDPR, the UK Data Protection Act 2018 or the Swiss Federal Act on Data Protection of 1992, wherever possible and applicable. Nothing in this DPA shall be construed to prevail over any conflicting clause of the SCCs, unless a provision within this DPA provides additional safeguards beyond those contained in the conflicting clause of the SCCs, in which case the provision of this DPA shall be deemed supplementary and additional to, and not in conflict with, such clause of the SCCs. Eton acknowledges that it has had the opportunity to review the applicable SCCs.
9.3 Controller-to-Processor SCCs. For the purposes of the Controller-to-Processor SCCs: (i) the governing law under Clause 9 shall be the law of the jurisdiction in which the data exporter is located; (ii) the illustrative indemnification clause of the Controller-to-Processor SCCs shall be deemed not to apply under this Section; and (iii) unless otherwise agreed by the parties, Appendices 1 (Section A) and 2 of this DPA shall apply and shall be deemed to be Appendices 1 and 2 of the Controller-to-Processor SCCs.
9.4 Alternative Data Transfer Mechanisms. Transfer mechanisms, other than those outlined in Sections 9.1 – 9.3 above, that are approved under Data Protection Laws can be relied upon if applicable. The parties agree to use reasonable efforts to put these alternative mechanisms in place, where required, and to amend this DPA as necessary to ensure compliant transfer mechanisms should there be a change in Data Protection Law. In particular, if the SCCs are amended, replaced, or repealed by the European Commission or under Data Protection Laws, the parties will work together in good faith to enter into any updated version of the SCCs or negotiate in good faith a solution to enable an international transfer of Personal Data to be conducted in compliance with Data Protection Laws.
9.5 International Transfer of Client Personal Data from Eton to Third Parties. Eton will not transfer Client Personal Data, internally or to sub-processors, from any jurisdiction that restricts the international transfer of Personal Data to areas outside that jurisdiction without prior approval of Client and only after taking steps, on an ongoing basis, to ensure such transfer complies with Data Protection Laws. If Eton discovers or reasonably believes any Client Personal Data has been or is being Processed in a jurisdiction without the implementation of a necessary data transfer agreement, Eton will promptly put such transfer agreement in place and provide prompt notice to Client.
9.6 Transfer of personal data outside Singapore: Eton will not transfer Client Personal Data to a place outside Singapore without the Client’s prior written consent. If the Client provides consent, Eton will provide a written undertaking to the Client that the Client Personal Data transferred outside Singapore will be protected at a standard that is comparable to that under the PDPA. If Eton transfers Client Personal Data to any third party or sub-processor, then Eton shall procure the same written undertaking from such third party or sub-processor.
9.7 International Transfer Assessments. Eton will carry out, and maintain throughout the term of this DPA, an international data transfer assessment demonstrating its compliance with the terms of this DPA and, where applicable, the SCCs, in relation to the specific Processing operations, including those carried out by its Affiliates and sub-processors, the Data Subject(s) and the categories of Client Personal Data Processed under this DPA, and will make such assessment available to Client upon request. Eton confirms that it will monitor at all times its ability to carry out international transfers of Client Personal Data and will maintain its international data transfer assessment. Eton will cooperate with and provide reasonable assistance to Client in connection with the submission of such assessment to a Supervisory Authority.
9.8 Costs related to International Transfers of Personal Data to Third Countries. Unless otherwise provided, each party shall bear the costs arising from the actions or measures it takes under this Section.
10. Miscellaneous
10.1 Standard of Protection. This DPA supersedes any provision of the Services Agreement to the extent such provision relates to the privacy, confidentiality, security or protection of Personal Data; however, in the event of a conflict between this DPA and the Services Agreement, Eton will comply with the obligations that provide greater protection of Client Personal Data.
10.2 Governing Law. This DPA and all claims or causes of action (whether in contract or tort) that may be based upon, arise out of or in any way relate to this DPA will be governed by and construed in accordance with the laws identified in the Services Agreement, except to the extent that Data Protection Laws require otherwise. In such event, and to the extent so required, this DPA will be governed in accordance with such Data Protection Laws and, if applicable, be subject to the jurisdiction of the relevant data exporter that exported the Personal Data.
10.3 Changes in Data Protection Law. Eton will enter into any further agreement reasonably requested by Client for purposes of compliance with Data Protection Laws. In case of any conflict between this DPA and any such further privacy, confidentiality, security or data protection written agreement, such further written agreement shall prevail with regard to the Processing of Personal Data to which it applies.
10.4 Entire Agreement/Amendments. This DPA comprises the entire agreement between Client and Eton with respect to the subject matter hereof, and there are no other agreements, understandings, conditions, or representations, oral or written, expressed or implied, relating to the subject matter hereof, that are not merged into this DPA or superseded by it. No amendment to this DPA will be valid unless made in writing and signed by authorized representatives of all parties.
10.5 Third Party Beneficiaries. To the extent this DPA benefits and/or relates to Client’s Affiliates, such Affiliates shall be third-party beneficiaries of this DPA for all purposes, including, without limitation, enforcement of its provisions.
10.6 Counterparts/Electronic Signature. This DPA may be executed in counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument. This DPA or any counterpart may be exchanged electronically or stored electronically as a photocopy (such as in .pdf format). The parties agree that such electronically exchanged or stored copies will be enforceable as original documents. The parties hereby consent to the use of electronic and/or digital signatures for the execution of this DPA and further agree the use of electronic and/or digital signatures will be binding, enforceable and admissible into evidence in any dispute regarding this DPA.
Client and Eton, each through its duly authorized representative, agree to the terms and conditions of this DPA as of the Effective Date.
Appendix 1 Processing Schedule
The following Client Personal Data may be transferred and Processed for the purposes set out below. Where applicable, this Appendix shall form part of the SCCs, which shall be deemed executed by the parties upon execution of the Services Agreement. Where applicable, Section A below shall form part of the Controller-to-Processor SCCs.
Data exporter: The data exporter refers individually and collectively to Client and its Affiliates (as defined in the applicable Services Agreement) established in the European Economic Area (EEA), Switzerland and the United Kingdom.
Data importer: The data importer is Eton if established outside the EEA, Switzerland and the United Kingdom. Eton shall also be deemed a data importer where Personal Data is transferred from the EEA or Switzerland to the United Kingdom.
Section A (Processing of Client Personal Data)
Subject-matter: The data exporter may transfer Client Personal Data to the data importer in connection with the service and/or product provided by Eton under the Services Agreement.
Duration of the Processing: For the term of the Services Agreement.
Data subjects: The Client Personal Data transferred may concern the following categories of Data Subjects (please specify):
- Third-party vendors and suppliers, including advisors, consultants, professional experts and marketing contacts (who are natural persons), and their employees.
- Additional Data Subjects may be specified in a statement of work, purchase order or order form under the Services Agreement.
Categories of data: The Client Personal Data transferred may concern the following categories of data (or a subset of) (please specify):
- Names and contact information (including home and business addresses)
- Financial and government-issued identification information
- Banking information
- Additional categories of data may be specified in a statement of work, purchase order or order form under the Services Agreement.
Special categories of data (if appropriate): The Client Personal Data transferred may concern the following special categories of data (please specify):
- None expected.
Nature, purpose of the Processing and Processing operations: The Client Personal Data transferred will be subject to the following basic processing activities (please specify):
The data importer will Process the data exporter’s Client Personal Data as set out in the Services Agreement in connection with the provision of its services and/or products. This may include any operation such as the transfer of data and any collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Client Personal Data (whether or not by automated means).
Appendix 2
Security Measures
The administrative, physical, technical and organizational security measures of Eton with respect to the Processing of Personal Data are set out below. Where applicable, this Appendix forms part of the Standard Contractual Clauses, which are deemed executed by the parties upon execution of the Services Agreement.
Eton has implemented multiple layers of control aligned with SSAE SOC 2 Type 2 to protect Information Assets.
People
- Cybersecurity awareness and hygiene
- Background checks (criminal, educational, employment, credit, etc.)
- Employee handbook
- Newsletters and emails to reinforce cybersecurity awareness
Process
- Information security policy and procedures
- Acceptable use policy
- Disciplinary procedure for violations
- Change management policy
- Incident response policy
- BCP and DR practices
- Third-party (vendor) management policy
- Data classification policy
- Data access on a least-privilege basis:
  - Need-to-know
  - Right-to-know
- Clean desk policy
Technical
- Physical access controls
- Role-based access controls with granular role definitions
- Encryption of data at rest, in use and in transit
- Laptop encryption using Windows BitLocker
- All remote access via VPN
- Multi-layered network protection using routers, proxy servers, L7 firewalls and WAF
- Intrusion detection system
- Log monitoring, incident detection and response
- Device hardening policy
- Backup and recovery
- Azure Security Center
- Azure Key Vault
- Patch management
- Anti-malware and antivirus engine