1. CONTROLLER, {Customer Name}, {STATE DESCRIPTION} [corporation][limited liability company][general partnership][limited partnership][{OTHER ENTITY}] with offices located at {STREET ADDRESS}, {CITY}, {STATE} {ZIP CODE}, {COUNTRY}
and
2. Starred Group A/S, a Danish corporation with offices located at Store Kongensgade 72C, 1264 Copenhagen, Denmark, registered with the Danish Chamber of Commerce under number 38623508, or, if Controller is located in the United States of America, Starred USA Inc., a Delaware corporation with offices located at 228 East 45th Street, Suite 9E, New York, New York 10017, USA. (hereinafter: Processor),
considering, that
- the Controller has access to personal data of various data subjects,
- parties have entered into a Master SaaS Agreement,
- definitions from the Master SaaS Agreement are used in this Data processing agreement,
- the Controller intends to have the Processor perform certain processing operations, for which the Controller determines purpose and means,
- the Processor is willing to do so, and further is willing to adhere to the obligations regarding security and other aspects of data processing legislation to the best of its abilities,
- the Parties, in consideration of the requirements of Article 28(3) GDPR, wish to lay down their rights and obligations in writing.
have agreed as follows:
1. Purposes of processing
1.1 Processor hereby agrees under the terms of this Data processing agreement to process personal data on behalf of the Controller. Processing shall be done solely for the purpose of delivering the Services: SaaS-based solutions for HR departments and recruiting teams to improve employee engagement and/or candidate experiences, and all purposes compatible therewith or as determined jointly.
1.2 The personal data to be processed by Processor for the purposes as set out in the previous clause and the categories of data subjects involved are set out in Appendix 1 to this Data processing agreement. Processor shall not process the personal data for any other purpose unless with Controller's consent. Controller shall inform Processor of any processing purposes to the extent not already mentioned in this Data processing agreement. Processor however is permitted to use personal data for quality assurance purposes, and statistical research purposes regarding the quality of Processor's services.
1.3 All personal data processed on behalf of Controller shall remain the property of Controller and/or the data subjects in question.
2. Processor obligations
2.1 Upon first request Processor shall inform Controller about any measures taken to comply with its obligations under this Data processing agreement.
2.2 All obligations for Processor under this Data processing agreement shall apply equally to any persons processing personal data under the supervision of Processor, including but not limited to employees in the broadest sense of the term.
2.3 Processor shall inform Controller without delay if in its opinion an instruction of Controller would violate the applicable legislation.
2.4 Processor shall provide reasonable assistance to Controller in the context of any data protection impact assessments to be made by Controller.
3. Transfer of personal data
3.1 Processor may process the personal data in any country within the European Union.
3.2 In addition Processor may transfer the personal data to a country outside the European Union, provided that country ensures an adequate level of protection of personal data and complies with other obligations imposed on it under this Data processing agreement and the GDPR, including the availability of appropriate safeguards and enforceable data subject rights and effective legal remedies for data subjects.
3.3 Processor reports to Controller the countries involved in Annex 3. Processor shall ensure that, considering the circumstances that apply to the transfer of personal data or any category of transfers, there is an adequate level of protection.
4. Allocation of responsibilities
4.1 Processor is solely responsible for the processing of personal data under this Data Processing Agreement in accordance with the instructions of Controller and under the explicit supervision of Controller. For any other processing of personal data, including but not limited to any collection of personal data by Controller, processing for purposes not reported to Processor, processing by third parties and/or for other purposes, the Processor does not accept any responsibility.
4.2 Controller represents and warrants that the content, usage and instructions to process the personal data as meant in this Data processing agreement are lawful and do not violate any right of any third party.
5. Subprocessor
5.1 Processor shall involve third parties in the processing under this Data processing agreement on the condition that such parties are reported in advance to the Controller; Controller may object to a specific third party if its involvement would reasonably be unacceptable to it. Controller hereby consents to the use of sub-processors mentioned in Annex 3 of this Data processing agreement.
5.2 In any event, Processor shall ensure that all third parties are bound to at least the same obligations as agreed between Controller and Processor.
6. Security
6.1 Processor shall use reasonable efforts to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk for the processing operations involved, against loss or unlawful processing (in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed).
6.2 Processor shall implement at least the specific security measures as mentioned in Annex 2 to this Data processing agreement. Processor may adjust the security measures at any time unilaterally. Processor shall inform Controller of any adjustments online on: www.starred.com/legal/starred-security-and-data-protection.
6.3 Controller shall only provide personal data to Processor for processing if it has ensured that the required security measures have been taken. Controller is responsible for the parties' compliance with these security measures.
7. Notification and communication of data breach
7.1 Controller is responsible at all times for notification of any security breaches and/or personal data breaches (which are understood as: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed as described in Article 4 (12) of the GDPR) to the competent supervisory authority, and for communication of the same to data subjects. In order to enable Controller to comply with this legal requirement, Processor shall notify Controller within 24 hours after becoming aware of an actual security or personal data breach.
7.2 The notification shall include at least the fact that a breach has occurred. In addition, the notification shall:
- describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- describe the likely consequences of the personal data breach;
- include the name and contact details of the contact person regarding privacy subjects;
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
8. Processing requests from data subjects
8.1 In the event a data subject makes a request to exercise his or her legal rights under the GDPR (Articles 15-22) to Processor, Processor shall pass on such request to Controller, and Controller shall process the request. Processor may inform the data subject of this passing on.
9. Confidentiality obligations
9.1 All Confidential Information that Processor processes for Controller and/or collects itself is subject to strict obligations of confidentiality towards third parties.
9.2 The confidentiality obligation shall not apply to the extent Controller has granted explicit permission to provide the information to third parties, the provision to third parties is reasonably necessary considering the nature of the assignment to Controller or the provision is legally required.
10. Audit
10.1 Controller has the right to have audits performed on Processor by an independent third party bound by confidentiality obligations to verify compliance with the Data processing agreement, and all issues reasonably connected thereto.
10.2 This audit may be performed once every year as well as in the event of a substantiated allegation of misuse of personal data.
10.3 Processor shall give its full cooperation to the audit and shall make available employees and all reasonably relevant information, including supporting data such as system logs.
10.4 The audit findings shall be assessed by the parties in joint consultation and may or may not be implemented by either party or jointly.
10.5 The costs of the audit shall be borne by Controller.
11. Liability
11.1 Parties explicitly agree that any liability arising in connection with personal data processing shall be as provided in the Master SaaS Agreement.
12. Term and termination
12.1 This Data processing agreement enters into force upon signature by the parties and on the date of the last signature.
12.2 This Data processing agreement is entered into for the duration of the cooperation between the parties.
12.3 Upon termination of the Data processing agreement, regardless of reason or manner, Processor shall - at the choice of Controller - destroy all personal data available to it.
12.4 Parties may change this Data processing agreement only with mutual consent.
13. Applicable law and competent venue
13.1 This Data processing agreement and its execution are subject to the laws of the Netherlands, or the laws of the United States in case Controller is located in the US.
13.2 Any disputes that may arise between the parties in connection with this Data processing agreement shall be brought to the competent court for the place of business of Processor.
Annex 1: Purpose of processing, data subjects, and categories of personal data
Purpose of processing:
Delivering SaaS-based solutions for HR departments and/or recruiting teams to improve employee engagement and/or candidate experiences, and thereby processing the Data.
Data subjects of data processing:
Processor shall process personal data of the following data subjects: (prospective) employees.
Categories of personal data of data subject:
- Email addresses
- First and last name
- IP address
- Candidate Experience and/or Employee Engagement information
Duration for which the data will be retained:
Personal data will be retained for the duration of the Agreement and then disposed of as set forth in Section 12.3 of the DPA, or earlier, as indicated by the data retention period managed by Controller via the Service.
Annex 2: Technical and organizational measures of the Processor
This overview outlines the Processor's approach to security and compliance, including details on the technical and organizational measures by which Processor protects your data.
Contents:
- Product security
- Hardware and infrastructure
- Systems and operations
- Application and access
- Transmission and storage
- People
- Process
- Application
- Certifications
- ISO 27001
Product security
For an overview of key security features and practices that protect your data within Processor, see below.
Hardware and infrastructure
- AWS geo-dispersed, ISO 27001-certified, and SOC-audited data centers, located across multiple regions in the EU: Ireland (AWS: eu-west-1) and Frankfurt, Germany (AWS: eu-central-1).
- Secure data replication and encrypted archival.
- Annual Business Continuity Planning (BCP) and Disaster Recovery (DR) testing.
- Professional, commercial-grade firewalls, border routers, and network management systems.
Systems and operations
- Centralized, logical access management system.
- Two-factor authentication, encrypted VPN access.
- Distributed Denial of Service (DDoS) mitigation.
- Active intrusion detection and prevention.
- Anti-malware software integration that automatically alerts Starred’s incident response team if potentially harmful code is detected.
- Third-party penetration testing.
Applications and access
- Formal code reviews and vulnerability mitigation by third parties.
- Application-level Advanced Encryption Standard (AES) 256-bit encryption.
- Key management and encryption program.
- Malware protection.
- Configurable security features.
- Multi-factor authentication provides an additional level of assurance that only those authorized to access Starred can do so.
- Role-based authorization enables you to designate access to specific individuals.
Transmission and storage
- Data encrypted in accordance with industry best-practice standards. Starred supports full encryption in transit. No unencrypted data leaves our data center. All our monitoring and backend systems either send local traffic over the VPC, or they use transport-level encryption when communicating with the rest of the internet. All data is encrypted at rest on our AWS EBS disks. Backups sent to our private S3 buckets are encrypted using 4,096-bit GPG keys.
- Access and transfer of data to/from Starred via HTTPS.
- Digital certificate technology.
- Customer-configurable data retention capability.
People
Information security at Starred is everyone’s job. We invest in training and awareness to ensure that information security stays top of mind for all of our employees.
- Starred conducts background checks for all prospective employees. Before they join our staff, Starred will verify an individual's education and previous employment, and perform reference checks. The extent of these background checks is dependent on the desired position.
- Starred employs a Security Officer who is part of our software engineering and operations division. This professional is tasked with developing security review processes, building security infrastructure and implementing Starred’s security policies. Starred actively scans for security threats using commercial and custom tools, penetration tests, quality assurance (QA) measures and software security reviews.
- All Starred employees undergo information security and privacy training as part of the onboarding process and receive ongoing training throughout their Starred careers, at least annually. During onboarding, new employees agree to our Code of Conduct, which highlights our commitment to keep customer information safe and secure.
- Training for engineers to ensure coding is done securely, with regular security audits of the code base.
Process
Starred’s business processes, including internal policies, software development and application monitoring, take into consideration the security of our customer data.
- On-premise security policies, such as badge access, manned public entrances and physical access controls.
- Only a small group of Starred employees have access to customer data. For Starred employees, access rights and levels are based on their job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities.
- Active monitoring and alerting. Our infrastructure and services are monitored in a variety of ways, including: shipping system and application metadata to a centralised logging service for analysis and alerting tailored to our systems; AWS alerting of events such as instance scaling and spikes in traffic or changes in application performance; and AWS CloudWatch alerting for infrastructure- and application-level monitoring.
- Security reviews within the Starred Software Development Life Cycle (SDLC), including the planning, design, implementation, testing, shipping and response phases.
- Formal code reviews and vulnerability mitigation by third parties for applications and access security.
- Annually reviewed Business Continuity Policy, and Disaster Recovery Plan.
- We have a rigorous incident management process for security events that may affect the confidentiality, integrity, or availability of systems or data. If an incident occurs, the security officer logs and prioritizes it according to its severity. Events that directly impact customers are assigned the highest priority.
Application
Starred’s secure application encompasses hardware and infrastructure, systems and operations, applications and access, and transmission and storage.
- Commercial-grade data centers across regions, so that critical customer data remain available in the event of any business disruption.
- Secure, near real-time data replication.
- Physically and logically separated networks for systems and operations. Currently, we have networks for management, staging, and production. There are peering links between management and the other two, for the purposes of management services having access to those environments, but not between staging and production.
- We utilise EC2 Security Groups to control access between subnets, networks, and the internet. By default, no access between machines is given; ports are only opened between them when necessary.
- Our VPN is protected with multi-factor authentication. The first factor (the "possession factor") is a revocable certificate, attached to a username. The second (the "knowledge factor") is a (very) strong password for that certificate. The third (the "inherence factor") is an OTP token, regenerated every minute.
- Malware protection.
- Commercial-grade firewalls and border routers to resist/detect IP-based and denial-of-service attacks.
- Digital certificate technology.
- Two-factor encrypted VPN access.
Certifications
ISO 27001
Starred is certified at the highest level of global information security assurance available today, ISO 27001, which provides customers assurance that Starred meets stringent international standards on security.
Annex 3: Sub-processors
Sub-processors
The information below is provided to illustrate Starred’s engagement process for sub-processors, and to provide a sub-processor list. Starred uses certain sub-processors to support the delivery of the Starred services.
What is a sub-processor?
A sub-processor is a data processor who, on behalf of Starred, processes personal data.
Starred uses certain infrastructure sub-processors to host its applications and other service-specific sub-processors to provide specific functionality within the Starred services. Starred processes personal data in countries within the European Union whenever possible to keep data transfer to a minimum. If Starred processes personal data outside the European Union it is with due regard for the applicable privacy laws, which are governed by Standard Contractual Clauses (SCCs). The SCCs are a set of terms that have been approved by the European Commission which allow data to be safely transferred.
List of Sub-processors
Please find the list of sub-processors, their role, and the location of processing below.
Sub-processor | Role | Location of processing
Amazon Web Services, Inc. | Data hosting | EEA (Ireland, Germany)
Mailgun Technologies, Inc. | Email service provider | EEA (Germany)
New Relic, Inc. | Performance monitoring | EEA (Belgium, Germany)
Looker Data Sciences, Inc. | Data reporting and visualization | EEA (Netherlands)