CodeTwo Terms and Privacy
Terms and Conditions of Sales and Services
Published: 2018-05-02 (see previous versions)
- These Terms and Conditions of Sales and Services (“Terms”) describe how you can conclude a contract with us (CodeTwo sp. z o.o. sp.k.) and regulate how we provide our services to our customers (“Customer” or simply you). Anyone who is interested in using our services can become our Customer, as long as he/she agrees to observe these Terms.
- CodeTwo sp. z o.o. sp. k. (“CodeTwo” or simply we or us) is a limited partnership established under the laws of the Republic of Poland. Our EU VAT ID number is PL6112622141. We are entered in the register of entrepreneurs under KRS number 438398 and our registration records are kept by the District Court for Wrocław- Fabryczna in Wrocław, Poland. You can find our full contact details here.
- We provide the following services (“Services”) based on these Terms:
- we grant free licenses for our software (“Freeware”);
- we grant commercial (paid) licenses for our software (“Software”);
- we provide technical support for Software if you decide to purchase a contract for these services (“Support Contract”).
- We provide Services through our websites which include: www.codetwo.com, www.codetwo.de and www.codetwo.pl, and all their subdomains (“Websites”).
- The detailed scope, period, conditions, the financial terms and the method in which we grant license for our Freeware and Software are defined in End User License Agreement (“License Agreement”) and in our current price-lists. You can view these documents on our Websites before you decide to use our Services.
- Our Services are designed mainly to support business activities of our clients. If you want to purchase our Services in connection with your business or professional activities, you will be able to do so directly from us and using our Websites.
- If you want to purchase our Services as a consumer you can do so through our distributor – share-it! Digital River GmbH (“Digital River”). We will not be a party to a purchase agreement which you conclude with Digital River. In such case, points 14 – 20 and 40 – 50 of these Terms will not apply. Sales made through Digital River are governed by separate rules which will be made available to you during the purchasing process on Digital River websites.
General licensing conditions
- We do not sell our software. We only grant licenses to use it.
- We do not deliver physical mediums with a copy of our Freeware or Software but we make it available for you on our Websites. Depending on the type of the Freeware or Software, in order to use it, you must either download installation files from our Websites or access it through our Websites. You may be asked to create an account on our Websites before you access our Freeware or Software.
- Freeware is a computer software available in its fully functional version for free and without temporal restrictions on the use of the software.
- You can only use Freeware and Software after you accept these Terms and confirm that you have read and understood our License Agreement. The license for Freeware and Software is granted (the License Agreement concluded) in accordance with the provisions of the License Agreement.
Updates and upgrades
- If you use Freeware and Software, you are entitled to use upgrades which we issue for specific Freeware and Software versions. Usually, you will have to download files containing updates from our Websites and install them on your own in accordance with the License Agreement. Freeware and Software which are accessed through our Websites may be updated automatically by us.
- Unless an upgrade of a specific version of the Software to a higher version is explicitly marked as free of charge, it will require payment in accordance with the price-list of this Software.
- Some types of our Software are available in trial versions. If you have never purchased a license for a given type of Software, you can access or download trial versions of our Software from our Websites for free. You can then test the Software over a trial period in order to familiarize yourself with the Software and check its features. The trial period for each type of Software is specified in the price-list on the Software’s website.
- During the Software testing phase, the use of individual features of Software may be limited, including, in particular, the data volume and the number of workstations or users supported by the Software.
- Depending on the type of Software, in order to use the trial version, you must either download installation files from our Websites or access it through our Websites. You may be asked to create an account on our Websites before you access our Software.
- You can only use trial versions of Software after you accept these Terms and confirm that you have read and understood our License Agreement.
- The license for trial period is granted (the License Agreement concluded) in accordance with the provisions of the License Agreement. After the lapse of the trial period you will be required to enter a Product License Key, activate Software on our Websites or use any other option which is currently available to renew a license in accordance with the License Agreement and the price-lists.
- Our Software will automatically notify you of the need to buy or extend the license or stop using the software before the expiry of the trial period. You must not use our Software if you decide not to purchase Software after trial.
- In exceptional circumstances, if your organization requires a longer trial period, we may, at our own discretion, grant temporary Product License Keys for some of our Software.
- Our Software is offered either with time unlimited or limited license term (“Subscription”). The type of the license and its term is specified in the price-list or the Software’s website.
- After the lapse of the limited license period you will be required to enter a Product License Key, activate Software on our Websites or use any other option which is currently available to renew a license in accordance with the License Agreement and the price-lists.
- Our Software will usually automatically notify you of the need to buy or extend the license or stop using the software before the expiry of the license term. You must not use our Software after license term expires.
- Support Contracts are available exclusively for Software, only during the license validity term (i.e. when you have an active Product License Key or when Software is activated on your account on our Websites), and only when you have a valid Support Contract.
- Support Contracts are available only for selected products, clearly marked on our Websites. Support Contracts are either paid separately or included in the price of the Software.
- We provide services under the Support Contracts to:
- anyone who uses Software in his/her own name, or
- anyone who uses the Software in the name or on behalf of the Customer’s organization, or
- anyone who has been authorized by or who acts in the name or on behalf of the Customer’s organization, even if such person does not use such Software himself/herself.
- If you want to purchase a Support Contract you must place an order and conclude an agreement with us. Such agreement is concluded based on these Terms and in line with price-lists available on our Websites. The price for the Support Contract is calculated for the specific version of Software. Upon purchase of the Support Contract for a more recent version of the Software different prices may apply.
- We are entitled to suspend the provision of our services under the Support Contract in case the full amount for the Software license or for the Support Contract was not paid and until this amount is paid in full.
Provision of services under Support Contracts
Provisions of this section describe how we provide our services under Support Contracts. These provisions will apply only if you purchase a Support Contract along with a license for the Software or if a Support Contract is included in your license. We also provide Services under Support Contracts to all Customers who use trial versions and to Customers who use temporary license keys for our Software if such temporary licenses include the Support Contract.
- Support Contracts have a limited character and relate only to maintenance and use of our Software. If you have a valid Support Contract or use a trial version of our Software, we will answer your questions relating to features of our Software and help you resolve other technical problems that you report to us and which occur when you use our Software.
- Your Support Contract will always relate to only one, specific type of our Software that you bought it for. We will not provide our services under Support Contracts for Software which falls outside of the scope of your Support Contract.
- Although we do our best to resolve the issues that you report to us, we do not guarantee that we will be able to help you in each and every case. Particularly, we do not guarantee that services provided under a Support Contract will always satisfy your requirements or expectations or that in result of our services our Software will be free of operational errors and irregularities, or that our services will lead to the elimination of all such errors and irregularities.
- We provide our services under Support Contracts through email (“Email Support”) and through means of real-time communications such as telephone or an online session (“Live Support”). To make use of Email Support you should contact us using this contact form. To make use of Live Support please refer to our website to see what forms of contact are currently available. In principle, Live Support is available round-the-clock on business days.
- In order to use our services under Support Contracts, you will either have to use your phone or email. These services are provided by external network operators. Standard rates as set by network operators will apply to all phone calls made to our contact numbers.
- As we are not a network operator, we cannot always ensure an uninterrupted access to communications networks and we shall not be held liable for any interruptions in phone calls or electronic communications resulting from reasons beyond our control or reasons which could have not been avoided without incurring additional costs. In particular, this applies to interruptions and disruptions in the proper functioning of external telecommunication connections and equipment.
- We reserve the exclusive right to choose the tools and methods of providing our services under Support Contracts to you. We will choose these tools and methods based on the type of the issue that you report to us. You cannot demand that we implement other methods or tools to provide our services under Support Contract to you.
- Once you decide to contact us with your issue, we will register your question or problem and open a ticket (“Ticket”). We do not impose any limits on the number of tickets allocated to you, therefore if you contact us with another issue, usually, a new ticket will be created.
- We will only close your ticket after we give you a final answer to your question, after we solve your problem or once we determine that your problem cannot be solved and explain it to you. We may reopen your ticket in the future if it becomes necessary to undertake further actions relating to your question or problem.
- We will make every effort (but we do not guarantee) to contact you on the next business day following the day on which you reported your issue to us at the latest. This does not mean that we will be able to resolve your issue within that time.
Purchasing Software and Support Contracts
- You can place orders for Software and Support Contracts online on our Websites. You can only place an order in another way (e.g. via a phone) if we mutually agree that this is possible.
- If you place an order for Software online on our Websites, your order may exclusively apply to one type of Software that you select. You can place any number of orders for licenses for any number of our Software. If you place an order through our Website you may only order a type of license which was defined in the price-list of a given Software. If you want to place an order of a broader scope than this defined in the price-list you must contact us first.
- You can place any number of orders for Support Contracts for any number of our Software. If you place an order through our Website one order may refer to Support Contract solely for one selected type of Software, for one specific version of that Software which was defined in the price-list of a given Software.
- To place an order online, you have to fill in and submit the order form which is available on our Website. You can select the Software that you are interested in and the scope of the ordered license within the order form. You are solely responsible for completeness and accuracy of data that you provide in the order form.
- Before you submit your order, you must accept these Terms and the price of the license and/ or Support Contract displayed on the order form as well as confirm that you have read the License Agreement.
- You will receive an order confirmation immediately after placing an order online. It will be sent to the email address indicated in the order and will include the order number, details required for making the payment for the placed order (if the payment was not made electronically while placing the order) and any other necessary information.
- We will make our Software or services under a Support Contract available to you within 2 business days following the date of crediting our bank account with a full payment for your order. In order to make our Services available to you we will either send you a Product License Key to the email address indicated in your order or activate the software online specifically for your user account.
- If a price-list of a given Software clearly states that the license for our Software or Support Contract can be also purchased using a purchase order (PO) with deferred payment (or by using another method agreed with you individually) our Software or services under Support Contract will be available to you before you make the payment for the order. We have the right to immediately suspend provision of our service to you in case the full amount for the Software or Support Contract has not been paid on time and until this amount is fully paid.
- If you did not pay for your previous order we can suspend execution of any subsequent order (e.g. suspend our Services) that you make with us, until our bank account is credited with the amount due for this order.
- Some of our Software offered with Subscription has an automatic license renewal mechanism. This means that you will only be asked to give the payment details and accept these Terms once when purchasing the Software for the first time. No additional action or consents will be required in order for Subscription to renew. Subscription will renew automatically by charging your credit card unless you edit or cancel the subscription prior to its renewal.
- A legally binding agreement involving payment obligation is concluded when you complete and approve the order form on our Websites.
Return of a license – the right to rescind an agreement
- You can return a license (rescind an agreement) for some of our Software without the need to provide reasons therefor within 30 days from its purchase. This right applies only to Software which is clearly marked as covered by such right. Support Contracts are not covered by the right to rescind unless they form a part of an order for a license for our Software which is covered by the right to rescind an agreement.
- In order to return a license, you must fill-in and submit an online return form which is available on our Websites. Use the same identification details as those given in the order and specify either the number of the order that you want to return or the number of VAT invoice which documents that order. We may not be able to process your return in case you give us different identification details.
- If you want to exercise your right to rescind an agreement, you must complete the return form on the 30th day after purchase at the latest. If you fill it out later, withdrawal from the contract will not be effective.
- If your Software is covered by the right to rescind an agreement and if you filled in the return form correctly and in a due time you will receive a confirmation from us. We will return your payment to the account from which the payment has been made within 30 days after you receive the confirmation.
- These Terms exclude our liability under an implied warranty for defects.
- These Terms exclude our contractual liability, to the full extent, for any damage resulting from failure to perform the agreement or improper performance thereof, except for liability for any damage caused intentionally.
- You can file complaints regarding our services by completing and approving the refund/return form online which is available here.
- We will consider your complaint within 14 days of its receipt. We will notify you of how the complaint was handled by sending an email to the address indicated in the complaint.
- If you purchased and paid for our Software or Support Contract and did not receive an email containing a Product License Key or other information necessary to start using our Services or an invoice within the time provided in the Terms we will immediately send the relevant correspondence again once you notify us.
Personal data processing
This section applies only if you decide to purchase a license for CodeTwo Email Signatures for Office 365 – a centrally managed, server-sided email signatures management software consisting of a web-based admin panel and associated services, such as CodeTwo Email Azure Service, hosted on Microsoft Azure at a location of your choice.
This section does not apply to any other types of Software.
- You, as the data controller, acknowledge and understand that:
- making use of CodeTwo Email Signatures for Office 365 requires that some Azure Active Directory user attributes and group memberships of people who have accounts in your Office 365 tenant (“Customer Data”) are synchronized with CodeTwo Email Signatures for Office 365;
- making use of CodeTwo Email Signatures for Office 365 requires that emails sent from your Office 365 tenant (“Customer Emails”) are relayed through CodeTwo Email Signatures for Office 365;
- by confirming that you have read and understood these Terms you will enter into a Data Processing Agreement with us. You will receive a pre-signed copy of these Terms along with your order confirmation to the email address that you have provided to us in the order form.
- You, as the data controller, confirm that:
- these Terms along with your use and configuration of CodeTwo Email Signatures for Office 365 are your complete and final instructions to us for the processing of Customer Data. We will immediately inform you, if in our opinion your instructions may infringe the GDPR or other data protection laws;
- Customer Data was and will be obtained in accordance with applicable laws, including the GDPR and that all required consents (if necessary) from people whose personal data are processed using CodeTwo Email Signatures for Office 365 were collected and all information duties fulfilled.
- We, as a data processor, undertake:
- to only process Customer Data and relay Customer Emails through CodeTwo Email Signatures for Office 365 to make it possible for you to make use of CodeTwo Email Signatures for Office 365, solely on the basis and under the conditions specified in these Terms and applicable provisions of law;
- not to record, register, store, back up, or physically access the content of Customer Emails.
Scope of personal data and categories of data subjects
- Customer Data encompasses the following categories of personal data: names, email addresses, company contact details and job titles of people who have accounts in your Office 365 tenant. These people are those who will be concerned by this agreement.
- We use Microsoft Azure to provide services in connection with CodeTwo Email Signatures for Office 365 to you This means that Customer Data will be processed in Microsoft Azure datacenters in a location of your choice. You can find a list of currently available locations here (https://www.codetwo.com/email-signatures/how-it-works).
- Microsoft Azure datacenters are managed by Microsoft Corporation and its affiliates. Microsoft Corporation uses subcontractors to provide its Microsoft Azure services. You can find the list of subcontractors in Microsoft Online Services Terms which are available here (https://www.microsoft.com/en-us/licensing/product-licensing/products.aspx?mstLocPickShow=True).
- You can find detailed terms and conditions of services provided by Microsoft Corporation and its affiliates in Microsoft Online Services Terms and Service Level Agreements for Microsoft Online Services which are available here (https://www.microsoft.com/en-us/licensing/product-licensing/products.aspx?mstLocPickShow=True). These documents describe Microsoft’s obligations regarding security of data and measures that were implemented in Microsoft datacenters to protect the confidentiality of Customer Data. You can also find information about Microsoft’s Azure security in Azure Trust Centre, here (https://www.microsoft.com/en-us/trustcenter/cloudservices/azure).
- We confirm that we have entered into an agreement based on EU Standard Contractual Clauses with Microsoft Corporation. The aim of this agreement is to ensure that a level of protection of personal data similar to this ensured by us is maintained when Customer Data is transferred to Microsoft Azure datacenters, including those located outside of the European Economic Area (EEA).
- You acknowledge and agree that we may use Microsoft Corporation, its affiliates and subcontractors, as described above, as subprocessors to provide services associated with CodeTwo Email Signatures for Office 365 to you. These entities may be engaged only within the limits and for the purpose of providing services associated with CodeTwo Email Signatures for Office 365 to you. The standard of personal data protection applicable to these subprocessors is at least equal to the protection standard provided by us.
Copies and disclosure of data
- We will not create copies or duplicates of any data without your knowledge, except for backup copies concerning the following types of data:
- CodeTwo Email Signatures for Office 365 settings and configuration details;
- Customer Data (i.e. some Azure Active Directory user attributes and group memberships of people who have accounts in your Office 365 tenant, as described in 60(a.)).
- These backup copies are necessary to ensure smooth functioning of services associated with CodeTwo Email Signatures for Office 365. All backup copies are automatically created by Microsoft Azure and stored on Microsoft Azure in a location that you chose when associating your Office 365 tenant with the CodeTwo Email Signatures for Office 365. We will not use these backup copies outside of Microsoft Azure environment or for any other purposes than those specified above.
- We will not create backup copies of any other types of data than those specified in point 69 above. We will not create backup copies of Customer Emails.
- We will not disclose Customer Data to law enforcement unless required by law. If law enforcement contacts us with a request for Customer Data, we will attempt to redirect the law enforcement agency directly to you. If compelled to disclose Customer Data to law enforcement, we will promptly notify you and provide a copy of the demand unless we are legally prohibited from doing so.
- We will always refuse all requests to disclose Customer Emails to law enforcement as we do not record, register, store, back up, or physically access the content of Customer Emails.
Assistance in fulfillment of the rights of data subjects
- We will help you fulfill your duty to respond to the requests of data subjects, particularly in relation to the right to be forgotten, the right to data portability, the right to restriction of data processing or the right to object to data processing provided that you inform us immediately of any requests from data subjects that require our assistance. In any event, you should inform us of any requests that you received no later than 3 (three) business days from its receipt. You can do it using this form (https://www.codetwo.com/form/security-officer/).
- We have the right to refuse your request if it is forwarded to us later than 3 (three) business days from its receipt by you and if the request is difficult or impossible to fulfill. A request may be difficult or impossible to fulfill especially when it is too complex, evidently unjustified, excessive or impossible to fulfill because of technical limitations.
- We will confirm the receipt of your request within 3 (three) business days from its receipt. Within the next 3 (three) business days we will let you know if we are able to assist you and we will inform you of the expected deadline to fulfill your request. In any event, the deadline may not be shorter than 2 (two) weeks.
- If we receive a request from your data subject to exercise one or more of its rights under the GDPR, we will redirect the data subject to make its request directly to you.
- Considering the risk of violation of the rights and freedoms of individuals and the state of technical knowledge, implementation costs, scope, nature, context and purposes of processing personal data, we declare that in accordance with art. 32 of the GDPR, we have implemented appropriate technical and organizational measures to secure the processing of Customer Data. These measures are described in Appendix 1 to these Terms.
- We undertake to protect Customer Data from unauthorized access, unauthorized removal, damage or destruction and we will take all necessary steps to keep personal data confidential and to protect it in accordance with the provisions of the GDPR.
- We declare that all our employees who are authorized to process personal data are bound by confidentiality and undergo regular training regarding data protection provisions relevant to their work.
- We regularly monitor all internal processes and the technical and organizational measures to ensure that processing is in accordance with the requirements of applicable data protection laws and the protection of the rights of the data subject.
- We are entitled to implement alternative, suitable measures than those described in this section above and in Appendix 1 to these Terms, especially due to technical advances and developments. Such measures must not fall below the security level of those described above. We will provide you with an up-to-date version of Appendix 1 anytime you request us to do so during the term of your license for CodeTwo Email Signatures for Office 365.
- We will notify you without undue delay after becoming aware of a personal data breach. Such notice will, at a minimum:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal records concerned;
- communicate the name and contact where more information can be obtained;
- describe the likely consequences of the personal data breach; and
- describe the measures taken or proposed to be taken by you to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Period of processing and return of data
- You acknowledge and understand that we will start the processing of Customer Data after your Office 365 tenant is associated with CodeTwo Email Signatures for Office 365.
- We will process personal data that you entrust to us for the duration of your license for CodeTwo Email Signatures for Office 365.
- If your license is terminated or expires, we will erase Customer Data from CodeTwo Email Signatures for Office 365 within 180 days after you cancel your subscription with us, unless the law requires that this data is processed for a longer period.
- After termination or expiration of your license, we will not perform any operations on Customer Data, except for storing it within CodeTwo Email Signatures for Office 365, unless we are required to do otherwise by law.
Auditing rights of the Customer
- If you need any additional information regarding how we process and protect Customer Data and fulfill obligations arising out of the GDPR you can contact us at any time using this form (https://www.codetwo.com/form/security-officer/).
- You can also verify security measures implemented by Microsoft Corporation and its affiliates by referencing to their Online Services Terms.
- Starting from June 2018, once every year we will undergo a data security audit regarding the way we process and secure Customer Data. Each audit will result in generation of an audit report (“CodeTwo Security Audit Report”). These audits will be conducted by external auditors. CodeTwo Security Audit Report will clearly disclose any material findings by the auditor. We will promptly remediate issues raised in any CodeTwo Audit Report to the satisfaction of the auditor.
- If you request us to do so, we will provide you with a summary of the latest CodeTwo Security Audit Report so that you can verify our compliance with the security obligations under these Terms. This report will be subject to non-disclosure and distribution limitations of CodeTwo and the auditor. You may be requested to sign an additional Non-Disclosure Agreement with us prior to making the summary available to you.
Control and audits
- You should inform us without undue delay of any control or audit performed by competent supervisory authorities if it relates to Customer Data.
- We will inform you immediately of any inspections and measures conducted by the supervisory authorities if they relate to CodeTwo Email Signatures for Office 365 or Customer Data.
- Our Websites and all of their contents are copyright protected.
- You may share your comments, ideas or feature requests regarding our Websites, Software or Services with us. By doing so, you grant us permission to use and incorporate it without further compensation or approval.
- You must not use our Websites, Software or Services to provide unlawful content.
- You must not use our Websites, Software or Services to send SPAM or any other type of illegal mass correspondence. You may not crack, hack, dismantle or reverse-engineer our Software. We reserve the right to suspend your mail-flow or suspend or delete your license or account without the right to any refund if you breach these prohibitions.
- Unless you specify otherwise while purchasing our Software or Support Contract, by accepting these Terms you grant us the right to use your organization’s logotype on our website for marketing purposes free of charge. If you do not want us to use your organization’s logotype, you can always let us know about it using this form.
- We recommend that you use the latest Internet Explorer, Microsoft Edge, Firefox, Safari, Opera, or Google Chrome to view our Websites and to use our services. You may experience problems if you use different or older web browsers.
- We abide by the highest ethical standards while providing our services to you. In particular, we take every reasonable effort to ensure that there is no human trafficking or modern slavery in CodeTwo and in the business of our suppliers and subcontractors. We also make sure that neither CodeTwo nor our suppliers and subcontractors are involved in other unethical business practices, i.e. bribery and corruption.
- Any amendment to these Terms shall carry the date of its entry into force. Entry into force of an amendment to the Terms can occur only after its publication on the CodeTwo’s Websites. Amendments to the Terms apply solely to orders placed following the date of their entry into force.
- These Terms should be interpreted and construed in accordance with the laws of the Republic of Poland (a member state of the European Union) without the regard for any conflict of rules laws. All disputes arising out of these Terms should be brought in front of the competent courts of the Republic of Poland.
Appendix 1 - Summary of security measures implemented by CodeTwo
This document describes security measures that we have implemented to ensure that Customer Data is processed in accordance with the law and the DPA. This document is regularly updated to reflect changes made in our security and data privacy compliance program.
- General organizational measures
- Data Security Officer and Compliance Program. We have appointed at least one Data Security Officer who is responsible for coordinating, monitoring and improving our security and data privacy compliance program (“Compliance Program”). Compliance Program defines clear roles and responsibilities of our personnel. Data Security Officer is responsible for coordinating, monitoring and improving the Compliance Program;
- External Audits. Starting from June 2018, once every year we will undergo a data security audit with regard to the way we process and secure Customer Data. These audits will be conducted by external auditors.
- Confidentiality. Our entire personnel are subject to confidentiality obligations and may only access personal data subject to a prior, written authorization issued by CodeTwo.
- Training and awareness
- Personnel Training. We conduct regular training sessions for our personnel on data protection rules and personnel roles within our Compliance Program. We also inform our personnel about possible consequences of non-compliance. These training sessions are conducted using anonymized data.
- Physical and Environmental Security
- Physical Access to Datacenters. Customer Data is processed within Microsoft Azure datacenters. Access to these datacenters is restricted only to identified Microsoft staff members. Our personnel may not physically access these centers.
- Physical Access to our Facilities. Only identified and authorized members of our personnel may access our facilities. Unauthorized personnel may not access these facilities.
- Monitoring of Facilities. Our facilities are constantly monitored by us and external security service to prevent unauthorized access. Visitors may only access a designated space of our facilities where no data is processed.
- Protection from Disruptions. We use a variety of industry-accepted solutions to protect against loss of data due to power supply failure, fire, natural disaster or line interference.
- Component Disposal. We use industry accepted solutions to delete Customer Data when it is no longer needed.
- Access Control
- Access Authorization. We maintain a record of personnel authorized to access our facilities and information systems. We have implemented a system of controls to make sure that no one can stop working for our organization without having their authentication credentials deactivated and all access rights revoked. Additionally, we conduct regular (at least once every 6 months) audits to make sure that authentication credentials that have not been used are deactivated. De-activated or expired identifiers are not granted to other or new members of our personnel. We maintain industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed.
- Limitation of Privileges. Only a small, selected group of personnel may grant, alter or cancel access privileges to our facilities and information systems. The scope of access rights granted to our personnel is limited strictly to assets necessary to perform their functions.
- Authentication of Users. We use industry accepted solutions, such as multifactor authentication, to identify and authenticate users who access our IT systems. Passwords are renewed regularly and must comply with minimum requirements imposed by our security policies. We use various best practices designed to maintain the confidentiality and integrity of passwords when they are assigned, distributed and stored.
- Monitoring. We monitor our information systems against all attempts of unauthorized access and use of expired or invalid credentials.
- Asset and Operations Management
- Endpoint Protection. All computing endpoints are encrypted and protected against malware.
- Backup Copies. We make regular copies of Services’ settings and configuration details and Customer Data (Azure Active Directory user attributes and group memberships of people who have accounts in your Office 365 tenant, as described in point 1.1 (a) of the DPA). We do not create backup copies of Customer Emails.
- Access to Backups. All backups are automatically created by Microsoft Azure and stored on Azure at a location that you chose when associating your Office 365 tenant with the Services. We have processes in place which ensure that access to backup copies is restricted to necessary minimum, that backups may not be used outside of Microsoft Azure’s environment and that no data can be restored without authorization of senior personnel members.
- Integrity and Confidentiality. Our personnel have to disable all sessions when leaving our facilities or leaving computers unattended. Only a small, selected group of our personnel who require remote access due to the character of their duties may carry mobile devices and use them outside of our premises. All mobile devices are password protected and have encrypted storage.
- Printing and Portable Data Carriers. We have procedures in place which guarantee that no data can be printed or copied to portable data carriers without our prior authorization. Members of our personnel are prohibited from using unauthorized portable data carriers within our premises.
- Network Controls. Only authorized devices may use our networks. We have controls in place which ensure that unauthorized devices may not be used within our network.
- Incident Management
- Malicious Software. We have anti-malware controls in place to help avoid malicious software gaining unauthorized access to Customer data and our information systems, including malicious software originating from public networks.
- Incident Record. We maintain a record of security incidents which include the date and time of the incident, the consequences of the breach and measures implemented to avoid similar situations in the future.
- Service Monitoring. We verify and monitor logs against irregularities and suspicious activity.
- Application Controls
- Documentation. We maintain documentation which describes architecture and features of CodeTwo Email Signatures for Office 365.
- Guidelines and Policies. We maintain guidelines and policies for developers which ensure that personal data processing principles such as privacy by design and privacy by default principles are observed while developing our applications.
- Code Review and Patch Management. We regularly review application codes for errors and issue patches or fixes.