Data Processing Addendum
This Data Processing Addendum, including its Schedules and Annexes (“DPA”), forms part of the Master Customer Agreement (“MCA” or “Agreement”)) to reflect the parties’ agreement with regard to the Processing of Customer Data, which may include Personal Data. In the event of a conflict between this DPA, the MCA or any Schedule, Annex or other addenda to the MCA, this DPA must prevail.
When Customer renews or purchases new Products or Services, the then-current DPA must apply and must not change during the applicable Term. When Motorola provides new features or supplements the Product or Service, Motorola may provide additional terms or make updates to this DPA that must apply to Customer’s use of those new features or supplements.
All capitalized terms not defined herein must have the meaning set forth in the Agreement.
“Customer Data” means data including images, text, videos, and audio, that are provided to Motorola by, through, or on behalf of Customer and its Authorized Users or their end users, through the use of the Products and Services. Customer Data does not include Customer Contact Data, Service Use Data, other than that portion comprised of Personal Information, or Third Party Data.
“Customer Contact Data” means data Motorola collects from Customer, its Authorized Users, and their end users for business contact purposes, including without limitation marketing, advertising, licensing, and sales purposes.
“Data Protection Laws” means all data protection laws and regulations applicable to a Party with respect to the Processing of Personal Data under the Agreement.
“Data Subjects” means the identified or identifiable person to whom Personal Data relates.
“Metadata” means data that describes other data.
“Motorola Data” means data owned by Motorola and made available to Customer in connection with the Products and Services.
“Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person transmitted to Motorola by, through, or on behalf of Customer and its Authorized Users or their end users as part of Customer Data. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, copying, analyzing, caching, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Security Incident” means an incident leading to the accidental or unlawful destruction, loss, alteration or disclosure of, or access to Customer Data, which may include Personal Data, while processed by Motorola. .
“Service Use Data” means data generated about the use of the Products and Services through Customer’s use or Motorola’s support of the Products and Services, which may include Metadata, Personal Data, product performance and error information, activity logs, and date and time of use.
“Sub-processor” means other processors engaged by Motorola to Process Customer Data which may include Personal Data.
“Third Party Data” means information obtained by Motorola from publicly available sources or its third party content providers and made available to Customer through the Products or Services.
2. Processing of Customer Data
2.1. Roles of the Parties. The Parties agree that with regard to the Processing of Personal Data hereunder, Customer is the Controller and Motorola is the Processor who may engage Sub-processors pursuant to the requirements of Section 6 entitled “Sub-processors” below.
2.2. Motorola’s Processing of Customer Data. Motorola and Customer agree that Motorola may use and Process Customer Data, including the Personal Information embedded in Service Use Data, only in accordance with Customer’s documented instructions for the following purposes: (i) to perform Services and provide Products under the Agreement; (ii) analyze Customer Data to operate, maintain, manage, and improve Motorola products and services; and (iii) create new products and services. Customer agrees that its Agreement (including this DPA), along with the Product and Service Documentation and Customer’s use and configuration of features in the Products and Services, are Customer’s complete and final documented instructions to Motorola for the processing of Customer Data. Any additional or alternate instructions must be agreed to according to the process for amending Customer’s Agreement. Customer represents and warrants to Motorola that Customer’s instructions, including appointment of Motorola as a Processor or sub-processor, have been authorized by the relevant controller. Customer Data may be processed by Motorola at any of its global locations and/or disclosed to Subprocessors. It is Customer’s responsibility to notify Authorized Users of Motorola’s collection and use of Customer Data, and to obtain any required consents, provide all necessary notices, and meet any other applicable legal requirements with respect to such collection and use. Customer represents and warrants to Motorola that it has complied with the terms of this provision.
2.3. Details of Processing. The subject-matter of Processing of Personal Data by Motorola hereunder, the duration of the Processing, the categories of Data Subjects and types of Personal Data are set forth on Annex I to this DPA.
2.4. Disclosure of Processed Data. Motorola must not disclose Customer Data to any third party except to Motorola’s suppliers and channel partners as necessary to provide the products and services unless permitted under this Agreement, authorized by Customer or required by law. In the event a government or supervisory authority demands access to Customer Data, to the extent allowable by law, Motorola must provide Customer with notice of receipt of the demand to provide sufficient time for Customer to seek appropriate relief in the relevant jurisdiction. In all circumstances, Motorola retains the right to comply with applicable law.
2.5. Customer’s Obligations. Customer is solely responsible for its compliance with all Data Protection Laws and establishing and maintaining its own policies and procedures to ensure such compliance. Customer must not use the Products and Services in a manner that would violate applicable Data Protection Laws. Customer must have sole responsibility for (i) the lawfulness of any transfer of Personal Data to Motorola, (ii) the accuracy, quality, and legality of Personal Data provided to Motorola; (iii) the means by which Customer acquired Personal Data, and (iv) the provision of any required notices to, and obtaining any necessary acknowledgements, authorizations or consents from Data Subjects. Customer takes full responsibility to keep the amount of Personal Data provided to Motorola to the minimum necessary for Motorola to perform in accordance with the Agreement. Customer must be solely responsible for its compliance with applicable Data Protection Laws.
2.6. Customer Indemnity. Customer will defend, indemnify, and hold Motorola and its subcontractors, subsidiaries and other affiliates harmless from and against any and all damages, losses, liabilities, and expenses (including reasonable fees and expenses of attorneys) arising from any actual or threatened third-party claim, demand, action, or proceeding arising from or related to Customer’s failure to comply with its obligations under this Agreement and/or applicable Data Protection Laws. Motorola will give Customer prompt, written notice of any claim subject to the foregoing indemnity. Motorola will, at its own expense, cooperate with Customer in its defense or settlement of the claim.
3. Service Use Data. Except to the extent that it is Personal Information, Customer understands and agrees that Motorola may collect and use Service Use Data for its own purposes, provided that such purposes are compliant with applicable Data Protection Laws. Service Use Data may be processed by Motorola at any of its global locations and/or disclosed to Subprocessors.
4. Third-Party Data and Motorola Data. Motorola Data and Third Party Data may be available to Customer through the Products and Services. Customer and its Authorized Users may use the Motorola Data and Third Party Data as permitted by Motorola and the applicable third-party data provider, as described in the Agreement or applicable Addendum. Unless expressly permitted in the Agreement or applicable Addendum, Customer must not, and must ensure its Authorized Users must not: (a) use the Motorola Data or Third-Party Data for any purpose other than Customer’s internal business purposes or disclose the data to third parties; (b) “white label” such data or otherwise misrepresent its source or ownership, or resell, distribute, sublicense, or commercially exploit the data in any manner; (c) use such data in violation of applicable laws ; (d) use such data for activities or purposes where reliance upon the data could lead to death, injury, or property damage; (e) remove, obscure, alter, or falsify any marks or proprietary rights notices indicating the source, origin, or ownership of the data; or (f) modify such data or combine it with Customer Data or other data or use the data to build databases. Additional restrictions may be set forth in the Agreement or applicable Addendum. Any rights granted to Customer or Authorized Users with respect to Motorola Data or Third-Party Data must immediately terminate upon termination or expiration of the applicable Addendum, Ordering Document, or the MCA. Further, Motorola or the applicable Third Party Data provider may suspend, change, or terminate Customer’s or any Authorized User’s access to Motorola Data or Third-Party Data if Motorola or such Third Party Data provider believes Customer’s or the Authorized User’s use of the data violates the Agreement, applicable law or by Motorola’s agreement with the applicable Third Party Data provider. Upon termination of Customer’s rights to use of any Motorola Data or Third-Party Data, Customer and all Authorized Users must immediately discontinue use of such data, delete all copies of such data, and certify such deletion to Motorola. Notwithstanding any provision of the Agreement to the contrary, Motorola has no liability for Third-Party Data or Motorola Data available through the Products and Services. Motorola and its Third Party Data providers reserve all rights in and to Motorola Data and Third-Party Data not expressly granted in an Addendum or Ordering Document.
5. Motorola as a Controller or Joint Controller. In all instances where Motorola acts as a Controller it must comply with the applicable provisions of the Motorola Privacy Statement at https://www.motorolasolutions.com/en_us/about/privacy-policy.html#privacystatement as each may be updated from time to time. Motorola holds all Customer Contact Data as a Controller and must Process such Customer Contact Data in accordance with the Motorola Privacy Statement. In instances where Motorola is acting as a Joint Controller with Customer, the Parties must enter into a separate addendum to the Agreement to allocate the respective roles as joint controllers.
6.1. Use of Sub-processors. Customer agrees that Motorola may engage Sub-processors who in turn may engage Sub-processors to Process Personal Data in accordance with the DPA. A current list of Sub-processors is set forth at Annex III. When engaging Sub-processors, Motorola must enter into agreements with the Sub-processors to bind them to obligations which are substantially similar or more stringent than those set out in this DPA.
6.2. Changes to Sub-processing. The Customer hereby consents to Motorola engaging Sub-processors to process Customer Data provided that: (i) Motorola must use its reasonable endeavours to provide at least 10 days' prior notice of the addition or removal of any Sub-processor, which may be given by posting details of such addition or removal at a URL provided to Customer in Annex III; (ii) Motorola imposes data protection terms on any Sub-processor it appoints that protect the Customer Data to the same standard provided for by this Addendum; and (iii) Motorola remains fully liable for any breach of this clause that is caused by an act, error or omission of its Sub-processor(s). The Customer may object to Motorola’s appointment or replacement of a Sub-processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, Motorola will either appoint or replace the Sub-processor or, if in Motorola’s discretion this is not feasible, the Customer may suspend or terminate this Agreement.
6.3. Data Subject Requests. Motorola must, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject, including without limitation requests for access to, correction, amendment, transport or deletion of such Data Subject’s Personal Data and, to the extent applicable, Motorola must provide Customer with commercially reasonable cooperation and assistance in relation to any complaint, notice, or communication from a Data Subject. Customer must respond to and resolve promptly all requests from Data Subjects which Motorola provides to Customer. Customer must be responsible for any reasonable costs arising from Motorola’s provision of such assistance under this Section.
7. Data Transfers Motorola agrees that it must not make transfers of Personal Data under this Agreement from one jurisdiction to another unless such transfers are performed in compliance with this Addendum and applicable Data Protection Laws. Motorola agrees to enter into appropriate agreements with its affiliates and Sub-processors, which will permit Motorola to transfer Personal Data to its affiliates and Sub-processors. Motorola agrees to amend as necessary its agreement with Customer to permit transfer of Personal Data from Motorola to Customer. Motorola also agrees to assist the Customer in entering into agreements with its affiliates and Sub-processors if required by applicable Data Protection Laws for necessary transfers.
8. Security. Motorola must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed by the Processing of Personal Data, taking into account the costs of implementation; the nature, scope, context, and purposes of the Processing; and the risk of varying likelihood and severity of harm to the data subjects. The appropriate technical and organizational measures implemented by Motorola are set forth in Annex III. In assessing the appropriate level of security, Motorola must weigh the risks presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise Processed.
9. Security Incident Notification. If Motorola becomes aware of a Security Incident, then Motorola must (i) notify Customer of the Security Incident without undue delay, (ii) investigate the Security Incident and apprise Customer of the details of the Security Incident and (iii) take commercially reasonable steps to stop any ongoing loss of Personal Data due to the Security Incident if in the control of Motorola. Notification of a Security Incident must not be construed as an acknowledgement or admission by Motorola of any fault or liability in connection with the Security Incident. Motorola must make reasonable efforts to assist Customer in fulfilling Customer’s obligations under Data Protection Laws to notify the relevant supervisory authority and Data Subjects about such incident.
10. Data Retention and Deletion. Except for anonymized Customer Data, as described above, or as otherwise provided under the Agreement, Motorola must delete all Customer Data no later than ninety (90) days following termination or expiration of the MCA or the applicable Addendum or Ordering Document unless otherwise required to comply with applicable law.
11. Audit Rights
11.1 Periodic Audit. Motorola will allow Customer to perform an audit of reasonable scope and duration of Motorola operations relevant to the Products and Services purchased under the Agreement, at Customer’s sole expense, for verification of compliance with the technical and organizational measures set forth in Annex II if (i) Motorola notifies Customer of a Security Incident that results in actual compromise to the Products and/or Services purchased; or (ii) if Customer reasonably believes Motorola is not in compliance with its security commitments under this DPA, or (iii) if such audit is legally required by the Data Protection Laws. Any audit must be conducted in accordance with the procedures set forth in Section 11.3 of this DPA and may not be conducted more than one time per year. If any such audit requires access to confidential information of Motorola’s other customers, suppliers or agents, such portion of the audit may only be conducted by Customer’s nationally recognized independent third party auditors in accordance with the procedures set forth in Section 11.3 of this DPA. Unless mandated by GDPR or otherwise mandated by law or court order, no audits are allowed within a data center for security and compliance reasons. Motorola must, in no circumstances, provide Customer with the ability to audit any portion of its software, products, and services which would be reasonably expected to compromise the confidentiality of any third party’s information or Personal Data.
11.2 Satisfaction of Audit Request. Upon receipt of a written request to audit, and subject to Customer’s agreement, Motorola may satisfy such audit request by providing Customer with a confidential copy of a Motorola’s applicable most recent third party security review performed by a nationally recognized independent third party auditor, such as a SOC2 Type II report or ISO 27001 certification, in order that Customer may reasonably verify Motorola’s compliance with national standards.
11.3 Audit Process. Customer must provide at least sixty days (60) days prior written notice to Motorola of a request to conduct the audit described in Section 11.1. All audits must be conducted during normal business hours, at applicable locations or remotely, as designated by Motorola. Audit locations, if not remote will generally be those location(s) where Customer Data is accessed, or Processed. The audit must not unreasonably interfere with Motorola’s day to day operations. An audit must be conducted at Customer’s sole cost and expense and subject to the terms of the confidentiality obligations set forth in the Agreement. Before the commencement of any such audit, Motorola and Customer must mutually agree upon the time, and duration of the audit. Motorola must provide reasonable cooperation with the audit, including providing the appointed auditor a right to review, but not copy, Motorola security information or materials provided such auditor has executed an appropriate non-disclosure agreement. Motorola’s policy is to share methodology and executive summary information, not raw data or private information. Customer must, at no charge, provide to Motorola a full copy of all findings of the audit.
12. Regulation Specific Terms
12.1. HIPAA Business Associate. If Customer is a “covered entity” or a “business associate” and includes "protected health information" in Customer Data as those terms are defined in 45 CFR § 160.103, execution of the MCA includes execution of the Motorola HIPAA Business Associate Agreement Addendum (“BAA”). Customer may opt out of the BAA by sending the following information to Motorola in a written notice under the terms of the Customer’s Agreement.
12.2. FERPA. If Customer is an educational agency or institution to which regulations under the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (FERPA), apply, Motorola acknowledges that for the purposes of the DPA, Motorola is a “school official” with “legitimate educational interests” in the Customer Data, as those terms have been defined under FERPA and its implementing regulations, and Motorola agrees to abide by the limitations and requirements imposed by 34 CFR 99.33(a) on school officials. Customer understands that Motorola may possess limited or no contact information for Customer’s students and students’ parents. Consequently, Customer must be responsible for obtaining any parental consent for any end user’s use of the Online Service that may be required by applicable law and to convey notification on behalf of Motorola to students (or, with respect to a student under 18 years of age and not in attendance at a post-secondary institution, to the student’s parent) of any judicial order or lawfully-issued subpoena requiring the disclosure of Customer Data in Motorola’s possession as may be required under applicable law
12.3. CJIS. Motorola agrees to support the Customer’s obligation to comply with the Federal Bureau of Investigation Criminal Justice Information Services (CJIS) Security Policy and must comply with the terms of the CJIS Security Addendum for the Term of this Agreement and such CJIS Security Addendum is incorporated herein by reference. Customer hereby consents to allow Motorola “screened” personnel as defined by the CJIS Security Policy to serve as an authorized “escort” within the meaning of CJIS Security Policy for escorting unscreened Motorola personnel that require access to unencrypted Criminal Justice Information for purposes of Tier 3 support (e.g. troubleshooting or development resources). In the event Customer requires access to Service Use Data for its compliance with the CJIS Security Policy, Motorola must make such access available following Customer’s request. Notwithstanding the foregoing, in the event the MCA or applicable Ordering Document terminates, Motorola must carry out deletion of Customer Data in compliance with Section 10 herein and may likewise delete Service Use Data within the time frame specified therein. To the extent Customer objects to deletion of its Customer Data or Service Use Data and seeks retention for a longer period, it must provide written notice to Motorola prior to expiration of the 30 day period for data retention to arrange return of the Customer Data and retention of the Service Use Data for a specified longer period of time.
12.4. CCPA. If Motorola is Processing Personal Data within the scope of the California Consumer Protection Act (“CCPA”), Customer acknowledges that Motorola is a “Service Provider” within the meaning of CCPA. Motorola must process Customer Data and Personal Data on behalf of Customer and, not retain, use, or disclose that data for any purpose other than for the purposes set out in this DPA and as permitted under the CCPA, including under any “sale” exemption. In no event will Motorola sell any such data. If CCPA applies, Personal Data must also include any data identified with the CCPA definition of personal data.
13. Motorola Contact. If Customer believes that Motorola is not adhering to its privacy or security obligations hereunder, Customer must contact the Motorola Data Protection Officer at Motorola Solutions, Inc., 500 W. Monroe, Chicago, IL USA 90661-3618 or at firstname.lastname@example.org.
A. LIST OF PARTIES
- Data exporter(s): Customer
Role (controller/processor): Controller
- Data importer(s): Motorola Solutions, Inc.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Data subjects include the data exporter’s representatives and end-users including employees, contractors, collaborators, and customers of the data exporter. Data subjects may also include individuals attempting to communicate or transfer personal information to users of the services provided by data importer. Motorola acknowledges that, depending on Customer’s use of the Online Service, Customer may elect to include personal data from any of the following types of data subjects in the Customer Data:
● Employees, contractors, and temporary workers (current, former, prospective) of data exporter;
● Dependents of the above;
● Data exporter's collaborators/contact persons (natural persons) or employees, contractors or temporary workers of legal entity collaborators/contact persons (current, prospective, former);
● Users (e.g., customers, clients, patients, visitors, etc.) and other data subjects that are users of data exporter's services;
● Partners, stakeholders or individuals who actively collaborate, communicate or otherwise interact with employees of the data exporter and/or use communication tools such as apps and websites provided by the data exporter;
● Stakeholders or individuals who passively interact with data exporter (e.g., because they are the subject of an investigation, research or mentioned in documents or correspondence from or to the data exporter);
● Minors; or
● Professionals with professional privilege (e.g., doctors, lawyers, notaries, religious workers, etc.).
Categories of personal data transferred
Customer’s use of the Products and Services, Customer may elect to include personal data from any of the following categories in the Customer Data:
● Basic personal data (for example place of birth, street name, and house number (address), Agreemental code, city of residence, country of residence, mobile phone number, first name, last name, initials, email address, gender, date of birth), including basic personal data about family members and children;
● Authentication data (for example user name, password or PIN code, security question, audit trail);
● Contact information (for example addresses, email, phone numbers, social media identifiers; emergency contact details);
● Unique identification numbers and signatures (for example Social Security number, bank account number, passport and ID card number, driver's license number and vehicle registration data, IP addresses, employee number, student number, patient number, signature, unique identifier in tracking cookies or similar technology);
● Pseudonymous identifiers;
● Financial and insurance information (for example insurance number, bank account name and number, credit card name and number, invoice number, income, type of assurance, payment behavior, creditworthiness);
● Commercial Information (for example history of purchases, special offers, subscription information, payment history);
● Biometric Information (for example DNA, fingerprints and iris scans);
● Location data (for example, Cell ID, geo-location network data, location by start call/end of the call. Location data derived from use of wifi access points);
● Photos, video, and audio;
● Internet activity (for example browsing history, search history, reading, television viewing, radio listening activities);
● Device identification (for example IMEI-number, SIM card number, MAC address);
● Profiling (for example based on observed criminal or anti-social behavior or pseudonymous profiles based on visited URLs, click streams, browsing logs, IP-addresses, domains, apps installed, or profiles based on marketing preferences);
● HR and recruitment data (for example declaration of employment status, recruitment information (such as curriculum vitae, employment history, education history details), job and position data, including worked hours, assessments and salary, work permit details, availability, terms of employment, tax details, payment details, insurance details and location, and organizations);
● Education data (for example education history, current education, grades and results, highest degree achieved, learning disability);
● Citizenship and residency information (for example citizenship, naturalization status, marital status, nationality, immigration status, passport data, details of residency or work permit);
● Information processed for the performance of a task carried out in the public interest or in the exercise of an official authority;
● Special categories of data (for example racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person’s sex life or sexual orientation, or data relating to criminal convictions or offences); or
● Any other personal data identified under applicable law or regulation.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Data may be transferred on a continuous basis during the term of the MCA or other agreement to which this DPA applies.
Nature of the processing
The nature, scope and purpose of processing personal data is to carry out performance of Motorola’s obligations with respect to provision of the Products and Services purchased under the MCA and applicable Ordering Documents. The data importer utilizes a global network of data centers and management/support facilities, and processing may take place in any jurisdiction where data importer or its sub-processors utilize such facilities
Purpose(s) of the data transfer and further processing
The nature, scope and purpose of processing personal data is to carry out performance of Motorola’s obligations with respect to provision of the Products and Services purchased under the MCA and applicable Ordering Documents. The data importer utilizes a global network of data centers and management/support facilities, and processing may take place in any jurisdiction where data importer or its sub-processors utilize such facilities
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Data retention is governed by Section 10 of this Data Processing Addendum
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Transfers to sub-processors will only be for carrying out the performance of Motorola’s obligations with respect to provision of the Products and Services purchased under the MCA and applicable Ordering Documents. The data importer utilizes a global network of data centers and management/support facilities, and processing may take place in any jurisdiction where data importer or its sub-processors utilize such facilities. In accordance with the DPA, the data exporter agrees the data importer may hire other companies to provide limited services on data importer’s behalf, such as providing customer support. Any such sub-processors must be permitted to obtain Customer Data only to deliver the services the data importer has retained them to provide, and they are prohibited from using Customer Data for any other purpose.
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
[Examples of possible measures:
Measures of pseudonymisation and encryption of personal data
Where technically feasible and when not impacting services provided:
● We minimize the data we collect to information we believe is necessary to communicate, provide, and support products and services and information necessary to comply with legal obligations.
● We encrypt in transit and at rest.
● We pseudonymize and limit administrative accounts that have access to reverse pseudonymisation.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
In order to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services, Motorola Solutions Information Protection policy mandates the institutionalization of information protection throughout solution development and operational lifecycles. Motorola Solutions maintains dedicated security teams for its internal information security and its products and services. Its security practices and policies are integral to its business and mandatory for all Motorola Solutions employees and contractors The Motorola Chief Information Security Officer maintains responsibility and executive oversight for such policies, including formal governance, revision management, personnel education and compliance. Motorola Solutions generally aligns to the NIST Cybersecurity Framework as well as ISO 27001.
Some of the system configuration is under the control of the customer.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Security Incident Procedures Motorola Solutions maintains a global incident response plan to address any physical or technical incident in an expeditious manner. Motorola maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and the procedure for recovering data. For each security breach that is a Security Incident, notification will be made in accordance with the Security Incident Notification section of this DPA.
Business Continuity and Disaster Preparedness Motorola maintains business continuity and disaster preparedness plans for critical functions and systems within Motorola’s control that support the Products and Services purchased under the Agreement in order to avoid services disruptions and minimize recovery risks.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
Motorola periodically evaluates its processes and systems to ensure continued compliance with obligations imposed by law, regulation or contract with respect to the confidentiality, integrity, availability, and security of Customer Data, including personal information. Motorola documents the results of these evaluations and any remediation activities taken in response to such evaluations. Motorola periodically has third party assessments performed against applicable industry standards, such as ISO 27001, 27017, 27018 and 27701.
Measures for user identification and authorisation
Identification and Authentication. Motorola uses industry standard practices to identify and authenticate users who attempt to access Motorola information systems. Where authentication mechanisms are based on passwords, Motorola requires that the passwords are at least eight characters long and are changed regularly. Motorola uses industry standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage.
Access Policy and Administration.. Motorola maintains a record of security privileges of individuals having access to Customer Data. including personal information. Motorola maintains appropriate processes for requesting, approving and administering accounts and access privileges in connection with the Processing of Customer Data. Only authorized personnel may grant, alter or cancel authorized access to data and resources. Where an individual has access to systems containing Customer Data, the individuals are assigned separate, unique identifiers. Motorola deactivates authentication credentials on a periodic basis.
Measures for the protection of data during transmission
Data is generally encrypted during transmission within the Motorola managed environments. Encryption in transit is also generally required of any sub-processors. Further, protection of data in transit is also achieved through the access controls, physical and environmental security, and personnel security described throughout this Annex II.
Measures for the protection of data during storage
Data is generally encrypted during storage within the Motorola managed environments. Encryption in storage is also generally required of any sub-processors. Further, protection of data in storage is also achieved through the access controls, physical and environmental security, and personnel security described throughout this Annex II.
Measures for ensuring physical security of locations at which personal data are processed
Motorola maintains appropriate physical and environment security controls to prevent unauthorized access to Customer Data, including personal information. This includes appropriate physical entry controls to Motorola facilities such as card-controlled entry points, and a staffed reception desk to protect against unauthorized entry. Access to controlled areas within a facility will be limited by job role and subject to authorized approval. Use of an access badge to enter a controlled area will be logged and such logs will be retained in accordance with Motorola policy. Motorola revokes personnel access to Motorola facilities and controlled areas upon separation of employment in accordance with Motorola policies. Motorola policies impose industry standard workstation, device and media controls designed to further protect Customer Data, including personal information.
Measures for ensuring personnel security
Access to Customer Data. Motorola maintains processes for authorizing and supervising its employees, and contractors with respect to monitoring access to Customer Data. Motorola requires its employees, contractors and agents who have, or may be expected to have, access to Customer Data to comply with the provisions of the Agreement, including this Annex and any other applicable agreements binding upon Motorola.
Security and Privacy Awareness. Motorola must ensure that its employees and contractors remain aware of industry standard security and privacy practices, and their responsibilities for protecting Customer Data and Personal Data. This must include, but not be limited to, protection against malicious software, password protection, and management, and use of workstations and computer system accounts. Motorola requires periodic Information security training, privacy training, and business ethics training for all employees and contract resources
Sanction Policy. Motorola maintains a sanction policy to address violations of Motorola's internal security requirements as well as those imposed by law, regulation, or contract.
Background Checks. Motorola follows its standard mandatory employment verification requirements for all new hires. In accordance with Motorola internal policy, these requirements must be periodically reviewed and include, but may not be limited to, criminal background checks, proof of identity validation and any additional checks as deemed necessary by Motorola.
Measures for ensuring events logging
Motorola maintains policies requiring continuous monitoring and event logging on all production information resources. Application audit trail logs must be captured on all production Motorola information resources. Audit trail logs of production Motorola information resources are regularly reviewed and appropriate remedial actions are taken when necessary.
Measures for ensuring system configuration, including default configuration
Motorola on-site systems are provided with a default secure configuration that may require Customer input to complete the secure configuration. For example, some default configurations must be changed by the Customer to maintain a secure system (e.g., default usernames and passwords, connecting to active directory, etc.). This completion of the default secure configuration is dependent on the Customer input for transitioning from the default secure configuration to a secure configuration.
Measures for internal IT and IT security governance and management
The Motorola Solutions Enterprise Information Security organization is structured as follows: Governance/ Risk/ Compliance, Threat Intelligence & Vulnerability Management, Detection, Protection, and Response. Motorola assesses organization’s effectiveness annually via external assessors who report and share the assessment findings with Motorola Audit Services who tracks any identified remediations. For more information, please see the Motorola Trust Center at https://www.motorolasolutions.com/en_us/about/trust-center/security.html
Measures for certification/assurance of processes and products
Motorola performs internal Secure Application Review and Secure Design Review security audits and Production Readiness Review security readiness reviews prior to service release. Where appropriate, privacy assessments are performed for Motorola's products and services. A risk register is created as a result of internal audits with assignments tasked to appropriate personnel. Security audits are performed annually with additional audits as needed. Additional privacy assessments, including updated data maps, occur when material changes are made to the products or services. Further, Motorola Solution has achieved AICPA SOC2 Type 2 reporting and ISO/IEC 27001:2013 certification for many of its development and support operations.
Measures for ensuring data minimisation
Motorola Solutions policies require processing of all personal information in accordance with applicable law, including when that law requires data minimisation. Further, Motorola Solutions conducts privacy assessments of its products and services and evaluates if those products and services support the principles of processing, such as data minimisation.
Measures for ensuring data quality
Motorola Solutions policies require processing of all personal information in accordance with applicable law, including when that law requires ensuring the quality and accuracy of data. Further, Motorola Solutions conducts privacy assessments of its products and services and evaluates if those products and services support the principles of processing, such as ensuring data quality.
Measures for ensuring limited data retention
Motorola Solutions maintains a data retention policy that provides a retention schedule outlining storage periods for personal data. The schedule is based on business needs and provides sufficient information to identify all records and to implement disposal decisions in line with the schedule. The policy is periodically reviewed and updated.
Measures for ensuring accountability
To ensure compliance with the principle of accountability, Motorola Solutions maintains a Privacy Program which generally aligns its activities to both the Nymity Privacy Management and Accountability Framework and NIST Privacy Framework. The Privacy Program is audited annually by Motorola Solutions Audit Services.
Measures for allowing data portability and ensuring erasure
When subject to a data subject request to move, copy or transfer their personal data, Motorola Solutions will provide personal data to the Controller in a structured, commonly used and machine readable format. Where possible and if the Controller requests it, Motorola Solutions can directly transmit the personal information to another organization.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.
If, in the course of providing products and services under the MCA, Motorola Solutions transfers information containing personal data to third parties, said third parties will be subjected to a security assessment and bound by obligations substantially similar, but at least as stringent, as those included in this DPA.
LIST OF SUB-PROCESSORS
This Annex must be completed n case of the specific authorisation of sub-processors The controller has authorised the use of the following sub-processors:
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): …