imbra Data Processing Agreement (iDPA)
Summary
This Data Processing Agreement (this “Agreement”) is incorporated into and made a part of the most recent Terms & Conditions in effect between imbra and a legal entity that has purchased Services from imbra (“Customer”). "Terms & Conditions" shall mean the terms and conditions, network services agreement, master services agreement and/or other similar agreement or terms (including, as applicable, the imbra Terms & Conditions set forth here) governing the purchase of imbra offerings signed by and between Customer, or its Affiliate(s) (as defined in the Terms & Conditions), and imbra, or its applicable Affiliate(s), as the same may be or have been amended by the parties from time to time. If the provisions of this Agreement and the Terms & Conditions conflict, including any previously executed or incorporated data protection agreement or privacy terms and conditions, then the provisions of this Agreement shall control. Except for any changes made by this Agreement, the Terms & Conditions remain unchanged and in full force and effect.
Please read the Terms of Service carefully before using any Service. By using or continuing to use a Service, you accept and consent to the rights, obligations, and practices described in this iMSA.
1. Definitions
Unless otherwise defined herein, all capitalized terms used in this Agreement shall have the meanings assigned to such terms in the Terms & Conditions.
- Agreement Personal Data means all Personal Data that imbra processes on behalf of Customer as a Data Processor as specified in Schedule 1.
- Authorized Sub-Processor means any third party appointed by imbra in accordance with this Agreement to process Agreement Personal Data on behalf of and as instructed by the Customer. For the avoidance of doubt, suppliers to imbra that provide bandwidth connectivity and/or colocation services for imbra owned and controlled servers globally, where such providers have no access to communications or any data located on imbra servers (i.e., such suppliers acting as “mere conduits”), shall not be considered Authorized Sub-Processors.
- Cross-Border Transfer Mechanism means applicable legal mechanisms required for the transfer of Personal Data from a Data Controller or Data Processor in a given jurisdiction to another Data Controller or Data Processor operating in a separate jurisdiction where applicable Data Protection Laws require a legal mechanism for cross-border transfer. Such mechanisms include, by way of example and without limitation, adequacy decisions, binding corporate rules, the EU standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council pursuant to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be updated or replaced from time to time.
- Data Protection Laws means all applicable laws (including decisions and guidance by relevant Supervisory Authorities) relating to data protection, the processing of personal data, and privacy applicable to imbra and the Customer in respect of the processing of Agreement Personal Data to provide the Services, including such laws, by way of example and without limitation, the General Data Protection Regulation, the Botswana Consumer Privacy Act, and the Personal Information Protection and Electronic Documents Act.
- “Data Controller”, “Data Exporter”, “Data Importer”, “Data Processor”, “Data Subject”, “Personal Data”, and “Personal Data Breach” shall each have the definitions and meanings ascribed to them by the applicable Data Protection Laws, and shall include any equivalent or corresponding terms applied by such applicable Data Protection Laws (e.g., “Business” instead of “Data Controller” and “Service Provider” instead of “Data Processor” under the Botswana Consumer Privacy Act, or “organization” or “agency” under the Botswana Privacy Principles).
- Supervisory Authority means the government agency, department or other competent organization given authority over the processing of Personal Data relevant to this Agreement.
2. Data Processing
- 2.1 Compliance with Law. Customer and imbra each shall comply with their respective obligations as Data Controller and Data Processor, as applicable, under the Data Protection Laws.
- 2.2 Data Processor Terms.
The parties agree and acknowledge that (i) imbra, (and any relevant Affiliates, if applicable), when providing the Services to Customer, will be acting as a Data Processor in respect of the processing by or for it of Agreement Personal Data and, (ii) Customer hereby authorizes imbra to process Agreement Personal Data as a Data Processor (on its and its Affiliates’ behalf, if applicable) for the purposes of providing the Services only.
2.2.1 imbra is authorised to engage, use or permit an Authorized Sub-Processor for the Processing of Agreement Personal Data provided that:
- imbra undertakes reasonable due diligence on them in advance to ensure appropriate safeguards for Agreement Personal Data and respective individual rights in accordance with applicable Data Protection Laws;
- imbra shall provide Customer with advance written notice of any intended changes to any Authorized Sub-Processor, allowing Customer sufficient opportunity to object; and
- The Authorized Sub-Processor’s activities must be specified in accordance with the obligations set out in this Section 2.2.
Without prejudice to this Section 2.2.1, imbra shall remain responsible for all acts or omissions of the Authorized Sub-Processor as if they were its own. Customer hereby approves the Authorized Sub-Processors that imbra uses to provide the Services, listed at https://www.akamai.com/content/dam/site/en/documents/akamai/akamai-processors.pdf. Further, to the extent that any Data Protection Laws would deem an imbra Affiliate, by sole virtue of its ownership of imbra servers used to provide the Services, to be a sub-processor for purposes of this Agreement, Customer hereby authorizes imbra’s use of such imbra Affiliates as Authorized Sub-Processors.
2.2.2 imbra shall (and procure that any Authorized Sub-Processor shall):
- process Agreement Personal Data only on documented instructions from Customer, including those set forth in the Terms & Conditions, this Agreement, technical specifications provided for administration of the Services, and configuration settings set in any of imbra’s customer portals provided for administration of the Services;
- without prejudice to Section 2.2.2(a), ensure that Agreement Personal Data will only be used by imbra as set forth in this Agreement or the Terms & Conditions;
- ensure that any persons authorized to process Agreement Personal Data:
  - have committed themselves to appropriate confidentiality obligations in relation to Agreement Personal Data or are under an appropriate statutory obligation of confidentiality;
  - access and process Agreement Personal Data solely on written documented instructions from Customer; and
  - are appropriately reliable, qualified and trained in relation to their processing of Agreement Personal Data;
- implement technical and organizational measures at a minimum to the standard set out in Schedule 2 to ensure a level of security appropriate to the risk presented by processing Agreement Personal Data, including as appropriate:
  - the pseudonymisation and encryption of Personal Data;
  - the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  - the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
  - a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
- notify Customer without undue delay (and in any event no later than 48 hours) after becoming aware of a Personal Data Breach as set forth in Section 4;
- assist Customer in:
  - responding to requests for exercising the Data Subject's rights under the Data Protection Laws, by appropriate technical and organizational measures, insofar as this is reasonably possible, provided that imbra shall not be required to store or process any data for the purpose of reidentifying an individual when such information is not normally processed or stored by imbra;
  - responding to any requests or other communications from the Customer as Data Controller relating to the processing of Agreement Personal Data under this Agreement;
  - taking measures to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects; and
  - conducting mandatory privacy impact assessments of any processing operations and consulting with any applicable Supervisory Authority or appropriate persons accordingly;
- at the choice of Customer and where appropriate, to the extent that Agreement Personal Data is stored by imbra, securely delete or return all Agreement Personal Data to Customer after the end of the provision of relevant Services relating to processing, and securely delete any remaining copies and certify when this exercise has been completed;
- make available to Customer all information necessary to comply with its obligations to do so under Data Protection Laws;
- immediately inform Customer if imbra is of the opinion that an instruction of Customer regarding the processing of Agreement Personal Data violates applicable Data Protection Laws; and
- not sell, rent, disclose, release, transfer, make available or otherwise communicate, Agreement Personal Data to a third party for monetary or other valuable consideration.
- 2.3 Cross-Border Transfers
- 2.3.1 The Customer hereby acknowledges and accepts that imbra transfers Agreement Personal Data for service operation purposes to countries outside the jurisdiction the Customer operates in to Authorized Sub-Processors. Where Agreement Personal Data is transferred to a country that is not considered to have an adequate data protection level under Data Protection Laws, imbra ensures that the data transfers comply with Data Protection Laws, e.g., by having in place at least one effective Cross-Border Transfer Mechanism(s) and having performed data transfer risk assessments. Details of imbra’s data transfers, the data transfer mechanism(s) in place and assessments performed are available in imbra’s Privacy Trust Center in the Cross-Border Data Transfer section, at: https://www.akamai.com/legal/compliance/privacy-trust-center.
- 2.3.2 Where Customer is acting on behalf of an affiliate located outside the jurisdiction the Customer operates in and that affiliate acts as data exporter and imbra Technologies, Inc. and its Authorized Sub-Processors act as data importers for any Personal Data transferred by imbra as part of its service operation, imbra offers to agree on EU Standard Contractual Clauses with the Customer on behalf of the data exporting affiliate. The respective EU Standard Contractual Clauses are available for Customer to download in the Cross-Border Data Transfer Section in imbra’s Privacy Trust Center: https://www.akamai.com/legal/compliance/privacy-trust-center.
3. Audits
- imbra shall conduct periodic audits of its processing of Agreement Personal Data to ensure compliance with Data Protection Law. Upon request, imbra shall deliver to Customer relevant compliance documentation from such audit(s) and certain, selected policies, procedures and evidence that have been approved for distribution to customers.
In addition, in the event that Customer reasonably believes that the relevant documentation provided by imbra warrants further examination to demonstrate compliance with Data Protection Laws and this Agreement, upon Customer’s request not less than thirty (30) days in advance, one (1) on-site audit per annual period during the Term may be conducted at a representative imbra facility involved in the delivery of Services, at reasonable times during business hours and at imbra’s then-current rates. The scope of such audit, including conditions of confidentiality, shall be mutually agreed prior to initiation of the audit.
4. Personal Data Breach
- 4.1 imbra shall notify Customer without undue delay (and in any event within 48 hours), after becoming aware of a Personal Data Breach via e-mail to the 24/7 security contacts provided by Customer from time to time in the imbra Control Center. Such notice shall include a description of the nature of the Personal Data Breach and, where possible, other information as is required by applicable Data Protection Law(s); provided, that, where, and insofar as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
- 4.2 imbra shall take all commercially reasonable measures and actions as are appropriate to remedy or mitigate the effects of the Personal Data Breach and shall keep Customer (and where applicable the Supervisory Authority) up to date about developments in connection with the Personal Data Breach.
5. imbra’s Processing of Service Operation Personal Data
- During its service operation, imbra logs every access made to one of its servers. The logging ensures the application of security rules, the ability to block non-legitimate access attempts, the creation and improvement of imbra’s knowledge about cyberthreats and attacks and its knowledge about the state of its server network, as well as improvement of imbra Services. Further, it enables imbra to collect the data required to troubleshoot, bill customers in accordance with their traffic, plan future capacity and deployment needs and create reports on the traffic on its server network.
- The logs created consist of data that is classified as Personal Data under certain Data Protection Laws, e.g., an end user’s IP address, browser and device data, URLs visited, a time stamp, and, where applicable depending on the Service used, authentication data, or content of communication, including attachments (“Service Operation Personal Data”).
The Service Operation Personal Data is created locally on an imbra server or collected from the end user’s interaction with the Customer Content or use of Customer services or access of Customer’s corporate systems, and is transferred to imbra’s backend systems, which are deployed remotely and accessed by imbra’s global employee base based on the least privilege principle. Related data transfers are governed by data transfer mechanism(s) in place between the relevant imbra entities and made available to Customer upon request. Details of the processing of Service Operation Personal Data are described in imbra’s Privacy Statement, available at: https://www.akamai.com/legal/privacy-and-policies/privacy-statement, and in the “Overview of Processing Activities and Roles”, available in imbra’s Privacy Trust Center at:
https://www.akamai.com/content/dam/site/en/documents/akamai/overview-of-akamai-personal-dataprocessing-activities-and-role.pdf.
Where the processing of Service Operation Personal Data is considered under Data Protection Laws as processing for imbra’s own (service operation) purposes, imbra ensures Service Operation Personal Data is processed only as described above and in compliance with Data Protection Laws, and Customer hereby acknowledges and agrees to the processing of Service Operation Personal Data by imbra as Data Controller.