Last modified: February 9, 2026
Prior Versions: April 15, 2025
This Data Processing Agreement (“DPA”) forms part of the EnteliWeb Software as a Service (SaaS) Subscription Service Agreement, DIBT License Agreement, or other written or electronic agreement that expressly references this DPA (“Agreement“) between Delta Intelligent Building Technologies (Canada) Inc. (“DIBT”) and the Customer for building automation related software and solutions (“Services”). For the purposes of this DPA, the term “Customer” shall include Customer and Customer’s Affiliates if DIBT processes the Personal Data of Customer’s Affiliates. All capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement.
1. DEFINITIONS
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity where “control” means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. seq, and its implementing regulations, as may be amended from time to time.
“Customer’s” means the customer identified in the Agreement.
“Controller” means the entity which determines the purposes and means of the processing of Personal Data.
“Data Protection Laws” means any law or regulation concerning information privacy or security applicable to DIBT’s Processing of the Personal Data to provide Services under the Agreement, including to the extent applicable to the Processing, (i) EU GDPR, (ii) UK GDPR, (iii) the new Swiss Federal Act on Data Protection (“nFADP”), (iv) CCPA, (v) Canada’s federal, provincial and territorial laws for data protection, including Personal Information Protection and Electronic Documents Act (“PIPEDA”) and British Columbia’s Personal Information Protection Act (“PIPA”), (vi) The U.S. Department of Justice Rule “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons ” (“DOJ Rule”). The term Data Protection Laws excludes any laws that requires data to be hosted outside of Canada.
“Data Subject Request” means a request from a data subject to exercise the data subject’s right under applicable Data Privacy Laws, including, as applicable, rights to data rectification, data portability, access data, data erasure (“the right to be forgotten”), not to be subject to automated decision making, not to have Personal Data sold, to request for information, not to be discriminated against for exercising rights, restriction or objection to processing, and the applicable rights under CCPA §§ 1798.100(d), 1798.105, 1798.110, 1798.120, 1798.130(a)(2), 1798.140(y), 1798.145(g) and GDPR Art. 12-23.
“Government-Related Data” means 1) Any precise geolocation data, regardless of volume, for any location within any area enumerated on the Government-Related Location Data List in the DOJ Rule, (i) The worksite or duty station of Federal Government employees or contractors who occupy a national security position as that term is defined in 5 CFR 1400.102(a)(4); (ii) A military installation as that term is defined in 10 U.S.C. 2801(c)(4); or (iii) Facilities or locations that otherwise support the Federal Government’s national security, defense, intelligence, law enforcement, or foreign policy missions. (2) Any sensitive personal data, that is linked or linkable to current or recent former employees or contractors, or former senior officials, of the United States Government, including the military and intelligence community.
“Personal Data” means (i) any information relating to an identified or identifiable natural person where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or (ii) is defined as “Personal Information” or “Personal Data” by applicable Data Privacy Laws (e.g., CCPA § 1798.140(o) or GDPR Art. 4).
“process” and its cognates mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Processor” means the entity which processes Personal Data on behalf of the Controller, including, as applicable, any “service provider” as that term is defined by the CCPA.
“Security Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Personal Data transmitted, stored or otherwise Processed on the DIBT’s equipment or facilities.
“Standard Contractual Clauses” or “SCCs” means (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs“) and (ii) where the UK GDPR applies, the EU SCCs as amended by the IDTA (“UK SCCs”).
“Subprocessor” means any Processor engaged by DIBT to process Customer’s Personal Data.
“Supervisory Authority” means an independent public authority which is (i) established by a European Union member state pursuant to Article 51 of the GDPR; or (ii) the public authority governing data protection, which has authority and jurisdiction over the Customer.
“UK ICO” means the United Kingdom Information Commissioners Office.
“UK GDPR” means the United Kingdom Data Protection Act of 2018 and the United Kingdom General Data Protect Act and any successor legislation.
2. PROCESSING OF PERSONAL DATA
2.1 The parties agree that with respect to processing Personal Data that Customer is the Controller and DIBT is the Processor.
2.2 DIBT shall process Personal Data provided by the Customer in accordance with the requirements of the Data Protection Laws.
2.4 This DPA applies to all Personal Data that DIBT processes pursuant to the Agreement. DIBT will only process Customer’s Personal Data (i) in compliance with Customer’s instructions, (ii) for the purposes expressly set forth in the Agreement and this DPA, and (iii) in compliance with Data Protection Laws. DIBT will promptly inform Customer in writing if it cannot comply with the requirements of this DPA, in which case Customer may terminate the Agreement or take any other reasonable action, including suspending data processing operations. DIBT will not disclose Customer’s Personal Data to any third party except for Subprocessors authorized under this DPA and DIBT personnel.
2.5 The categories of Personal Data that the DIBT will process as part of the Service is determined and controlled by the Customer in its sole discretion.
2.6 DIBT will promptly inform Customer in writing if it cannot comply with the requirements of this DPA, in which case Customer may terminate the Agreement or take any other reasonable action, including suspending data processing operations. DIBT will not disclose Customer’s Personal Data to any third party Except for Subprocessors authorized under this DPA and DIBT personnel.
2.7 DIBT will not attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Personal Data without Customer’s express written permission. Except as is necessary to perform the Services, DIBT will not attempt to link, identify, or otherwise create a relationship between Personal Data and non-Personal Data or any other data without Customer’s express authorization. DIBT will comply with any applicable restrictions under Data Protection Laws on combining the Personal Data with personal data that DIBT receives from, or on behalf of, another person or persons, or that DIBT collects from any interaction between it and any individual.
2.8 Customer agrees and consents to DIBT’s use of pseudonymized data that may be generated by DIBT under this Agreement. DIBT shall implement appropriate technical safeguards, including encryption and anonymization tools, to ensure that Personal Data is removed or obscured. The data shall not be transferred, sold or otherwise monetized. The data will be used solely for the purposes of internal research, analysis, and improving deliverables. Any use of the pseudonymized data beyond the scope of this Agreement, including commercial resale, is prohibited.
3. CONFIDENTIALITY. All DIBT personnel and any Subprocessors are required to comply with the confidentiality obligations related to Customer’s Personal Data that are stated in the Agreement, including after the end of their respective employment, contract or assignment. The Parties shall inform all of its employees, agents and/ or approved sub-processors engaged in processing the Personal Data of the confidential nature of the Personal Data. The Data Processor shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.
4. Standard Contractual Clauses.To the extent any Personal Data of European Economic Area (“EEA”) or United Kingdom (“UK”), or Swiss data subjects is processed, the Standard Contractual Clauses (“SCC”) as modified below shall apply. For the avoidance of doubt, with respect to transfers of EEA, UK and Swiss Personal Data for processing by DIBT in a jurisdiction other than a European Union (“EU”) member state, DIBT agrees to comply with applicable Data Protection Laws in connection with that cross-border transfer of data (e.g., Art. 46 of the GDPR).
4.1 DIBT will not engage in any cross-border Processing of Personal Data, or transmit, directly or indirectly, any Personal Data to any country outside of the country from which such Personal Data was collected, without complying with applicable Data Protection Laws. Where DIBT engages in an onward transfer of Personal Data, DIBT shall ensure that a lawful data transfer mechanism is in place prior to transferring Personal Data from one country to another.
4.2 To the extent legally required, by entering into this DPA, Customer and DIBT are deemed to have signed the EU SCCs, which form part of this DPA and (except as described in Sections 4.4 and 4.4, below) will be deemed completed as follows:
i. Module 2 of the EU SCCs applies to transfers of Personal Data from Customer (as a controller) to DIBT (as a processor);
ii. Clause 7 (the optional docking clause) is included;
iii Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization). The initial list of Subprocessors is set forth in Schedule B of this DPA and DIBT shall update that list and provide a notice to Customer in advance of any intended additions or replacements of Subprocessors as provided in Section 6.
iv Under Clause 11 (Redress), the optional language requiring that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
v Under Clause 17 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the laws of Ireland;
vi. Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of Dublin, Ireland;
vii. Annex I(A) and I(B) (List of Parties) is completed as set forth in Schedule A of this DPA;
viii. Under Annex I(C) (Competent supervisory authority), the parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.
ix. Annex II (Technical and organizational measures) is completed with Schedule A of this DPA; and
x. Annex III (List of Subprocessors) is not applicable as the parties have chosen General Authorization under Clause 9, however a list of DIBT’s Subprocessors is available in Schedule B.
4.3 With respect to Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction or Switzerland) governs the international nature of the transfer, the UK SCCs form part of this DPA and takes precedence over the rest of this DPA as set forth in the UK SCCs. Undefined capitalized terms used in this provision shall mean the definitions in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows:
i. Table 1 of the UK SCCs:
ii. The parties’ details shall be the parties and their affiliates to the extent any of them is involved in such transfer.
iii. The Key Contacts shall be the contacts set forth in Schedule A.
iv. Table 2 of the UK SCCs: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the parties.
v. Table 3 of the UK SCCs: Annex 1A, 1B, II, and III shall be set forth in Schedules A and B below.
vi. Table 4 of the UK SCCs: Either party may end this DPA as set out in Section 19 of the UK SCCs.
vii. By entering into this DPA, the parties are deemed to be signing the UK SCCs.
4.4 For transfers of Personal Data that are subject to the nFADP, the EU SCCs form part of this DPA as set forth in this Section 7(b), but with the following differences to the extent required by the nFADP (as modified the “Swiss SCC”): (1) references to the GDPR in the EU SCCs are to be understood as references to the nFADP insofar as the data transfers are subject exclusively to the nFADP and not to the GDPR; (2) references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the nFADP that eliminate this broader scope; (3) the term “member state” in EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (4) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the nFADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the nFADP and GDPR apply, respectively).
4.5 Additional Safeguards for the Transfer and Processing of Personal Data from the EEA, Switzerland, and the United Kingdom. To the extent that DIBT Processes Personal Data of Data Subjects located in or subject to the applicable Data Protection Laws of the EEA, Switzerland, or the United Kingdom, DIBT agrees to the following safeguards to protect such data to an equivalent level as applicable Data Protection Laws:
i. DIBT and Customer shall encrypt all transfers of the Personal Data between them, and DIBT shall encrypt any onward transfers it makes of such Personal Data, to prevent the acquisition of such data by third parties.
ii. DIBT will use all reasonably available legal mechanisms to challenge any demands for Personal Data access through national security process it receives as well as any non-disclosure provisions attached thereto.
iii. DIBT will promptly notify Customer of any government demands for Customer’s Personal Data, unless prohibited under applicable law. To the extent DIBT is prohibited by law from providing such notification, DIBT shall: (i) review each request on a case-by-case basis; (ii) use best efforts to request that the confidentiality requirement be waived to enable DIBT to notify Customer and/or the appropriate Supervisory Authority competent for You; and (iii) maintain evidence of any such attempt to have a confidentiality requirement waived.
iv. Upon Customer’s request, DIBT shall provide a transparency report indicating the types of binding legal demands for the Personal Data it has received, if any, including national security orders and directives.
v. DIBT will promptly notify Customer if DIBT can no longer comply with the applicable clauses in this Section. DIBT shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Customer to terminate the Agreement (or, at Customer’s option, affected statements of work, order forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder. This is without prejudice to Customer’s other rights and remedies with respect to a breach of the Agreement.
5. DataSubject Requests. DIBT will, to the extent legally permitted, promptly notify Customer if DIBT receives a Data Subject Request relating to a data subject’s Personal Data that is being processed for Customer and assist Customer through appropriate technical and organizational measures for the fulfilment of Customer’s obligation to respond to third party requests.
6. SECURITY. DIBT will implement appropriate technical and organizational safeguards designed to protect Personal Data (i) from unauthorized or unlawful processing, (ii) against accidental or unlawful disclosure, alteration or loss, and/or (iii) unauthorized disclosure or access, including as applicable Art. 32 of the GDPR. DIBT will comply with strict internal controls in line with industry best practices. DIBT will implement security controls in the form of mandatory policies and procedures for all DIBT’s employees who have access to Customer’s Personal Data to follow.These measures shall include as appropriate:
(a) measures to ensure that the Personal Data can be accessed only by authorized employees;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and flexibility of processing systems and services;
(c) the ability to restore access to Personal Data in a timely manner;
(d) a process for regularly identifying vulnerabilities, as well as testing; and
(e) assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing of Personal Data.
7. Audits.
7.1 Supervisory Authority or Government Required Audit. If a law, such as CCPA, or Supervisory Authority requires an audit of the data processing facilities from which DIBT processes Customer’s Personal Data in order to ascertain or monitor Customer’s compliance with Data Protection Laws, DIBT will cooperate with or conduct such audit in accordance to the law. Customer are responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time DIBT expends for any such audit, in addition to the rates for services performed by DIBT.
7.2 Customer’s Audits. On request, DIBT will provide to Customer each year a report on the standards applicable to the services under the Agreement (each such report, a “Report”). If a Report does not provide, in Customer’s reasonable judgment, sufficient information to confirm DIBT’s compliance with the terms of this DPA, then Customer or an accredited third-party audit firm agreed to by both Customer and DIBT may audit DIBT’s compliance with the terms of this DPA during regular business hours, with reasonable advance notice to DIBT and subject to reasonable confidentiality procedures. Customer are responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time DIBT expends for any such audit, in addition to the rates for services performed by DIBT. Before the commencement of any such audit, Customer and DIBT shall mutually agree upon the scope, timing, and duration of the audit. Customer shall promptly notify DIBT with information regarding any non-compliance discovered during the course of an audit. Except to the extent required by applicable law, Customer may not audit DIBT more than once annually.
8. SUB-PROCESSORS. DIBT may engage third-party Subprocessors in connection with the provision of the Services provided that, before the Subprocessor first processes Personal Data, DIBT: (a) enters into a written agreement with the Subprocessor on terms at least as protective as those set out in this DPA, and (b) carries out adequate due diligence to ensure the Subprocessor is capable of providing at least the same level of protection for Personal Data required by this DPA. DIBT shall provide Customer with a current list of the Subprocessors that DIBT has engaged in connection with the provision of Services at https://www.DeltaControls.com/legal/subprocessors. DIBT shall remain fully liable to Customer for the performance of its obligations under this DPA even where a Subprocessor carries out the Services or any part of the Services on DIBT’s behalf.
Customer grants DIBT general written authorization to engage Processors in connection with the provision of the Services. DIBT shall provide to Customer written notice of any change to the list of Subprocessors at least thirty (30) days prior to the date the change takes effect. If Customer reasonably object to the use of a new Subprocessor within thirty days of the notice date, then the parties shall use good faith and best efforts to find a reasonable replacement in a mutually agreeable manner.
9. NOTICE OF INVESTIGATION, COMPLAINT OR SUBPOENA. DIBT will promptly inform Customer if it (a) receives any notice or inquiry from a Supervisory Authority relating to the processing of Customer’s Personal Data, (b) any complaint by a data subject regarding the processing of Customer’s Personal Data, and (c) any legally binding request for disclosure of Customer’s Personal Data by a law enforcement authority unless DIBT is prohibited by applicable law to inform Customer. On request, DIBT will cooperate with the Supervisory Authority and promptly provide Customer with all information in DIBT’s possession or control in relation to the processing of the Personal Data under this DPA. Upon request, DIBT will provide Customer with assistance in the preparation of data protection impact assessments and, where necessary, carrying out consultations with any Supervisory Authority.
10. SECURITY BREACH
10.1. When the DIBT becomes aware of a Security Breach that impacts the Processing of the Personal Data that is the subject of the Subscription Service, it shall promptly notify the Customer about the Security Breach, which will be within 48 hours of discovery. DIBT will promptly provide Customer with relevant information in its possession or control in relation to the Security Breach, including a description of the nature of the Security Breach; the categories and approximate number of data subjects concerned and the records of Personal Data affected; the name and contact details of DIBT’s point of contact from whom further information can be obtained; a description of the expected consequences of the Security Breach and the measures taken or proposed to be taken by DIBT to address the Security Breach; and with all reasonable assistance and cooperation as is necessary in order for Customer to seek to mitigate the effects of the Security Breach and comply with its own obligations under the Data Protection Laws with respect to the Security Breach. Except as may be required by applicable law, DIBT will not make any public announcement or notify any data subject about the Security Breach unless expressly authorized by Customer.
10.2. The DIBT shall at all times have in place written procedures which enable it to promptly respond to the Customer about a Security Breach and support the Customer in the event that the Customer needs to notify under applicable Data Protection Laws.
11. RETURNING OR DESTRUCTION OF PERSONAL DATA
DIBT will destroy all Personal Data within sixty (60) days following either the expiration/termination of this Agreement or receipt of a destruction request from Customer and shall cause its Subprocessors to do the same unless Data Protection Laws prevent DIBT from destroying all or part of Customer’s Personal Data disclosed. For clarity, DIBT may continue to process Personal Data that has been de-identified and/or aggregated in a manner that does not identify individuals to improve DIBT’s systems and services and data without identifying Customer as the source of the data. DIBT will return and/or destroy Customer Data as provided in the Agreement.
12. DURATION AND TERMINATION
12.1. This Data Processing Agreement shall terminate on the same date as the termination or expiration date of the Service. DIBT shall process Personal Data until that termination date.
13. MISCELLANEOUS. Neither party will assign the DPA in whole or in part without the other party’s prior written consent (which consent will not be unreasonably denied, delayed or conditioned).. Any attempted assignment in violation of this restriction is void. The DPA shall bind and inure to the benefit of the parties, their respective successors and permitted assigns. If a conflict exists between any of the terms in the DPA and the Agreement, then this DPA will govern. The EU SCC, UK SCC and the Swiss SCC will control, where applicable, if there is a conflict between (i) the EU SCC, UK SCC or the Swiss SCC and (ii) the Agreement or the DPA. The parties may amend the DPA only in a written amendment signed by both parties. This DPA can be executed electronically and in counterparts, each of which is deemed to be an original and together comprise a single document. Each party represents and warrants that the individual binding a party under this DPA is authorized to do so.
SCHEDULE A: APPLICABLE STANDARD CONTRACTUAL CLAUSES AND SUPPLEMENTAL TERMS
ANNEX I
Part 1:
- LIST OF PARTIES
Data exporter(s):
The exporter (Controller) is Customer and Customer’s contact details and signature are as provided in the underlying Software Licensing Agreement with DIBT or a reseller.
Data importer(s):
The importer (Processor) is DIBT and DIBT’s contact details are found on the website here https://www.deltacontrols.com/dpa._____ ____________
- DESCRIPTION OF TRANSFER
Countries where personal data may be transferred:
USA, Taiwan, China and/or Singapore
Categories of data subjects whose personal data is transferred:
- Customer’s personnel that use DIBT’s solution.
- Individuals that Customer decides to process their information in the building automation solutions.
Categories of personal data transferred:
- For Customer’s personnel that use DIBT’s SaaS solution: With respect to Customer’s personnel that access DIBT’s Services, DIBT may process name, email address, IP Address and/or other login credentials and contact details used to access the Service.
- For Individuals that Customer decides to process through the Services: In addition to the information listed above, DIBT may process biometric data if security related solutions that Customer elects identification to be based on such biometric data.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
Fingerprint and any other biometric data that Customer elects to process through the Service.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
DIBT shall process Personal Data in order to provide the Services on a continuous basis pursuant to the terms of the Agreement.
Nature of the processing:
DIBT shall process Personal Data to provide the Services pursuant to the terms of the Agreement.
Purpose(s) of the data transfer and further processing:
The transfer is made for the purpose of providing Services to Customer pursuant to the Agreement.
Cross-Border transfer is made to Delta group entities for the purpose of internal business support. _____________________________
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
DIBT shall process Personal Data in its provision of Services for a term outlined in the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
The subject matter, nature and duration of the processing of Personal Data by DIBT’s Subprocessors is the same as for DIBT, as outlined above.
- In Annex I.C of the EU SCC: The competent supervisory authority shall be the supervisory authority applicable to Customer in its EEA country of establishment or, where it is not established in the EEA, in the EEA country where its representative is established within the meaning of Article 27(1) of Regulation (EU) 2016/679 .
Part 2:
Mandatory Clauses
Mandatory Clauses are incorporated herein: “Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.”
Annex II
Data Importer will at a minimum institute the technical and organizational measures to ensure a level of security appropriate with the risk, as is required in Art. 32 of the GDPR. Data Importer will comply with strict internal controls in line with industry best practices, such as required by the CCPA. Data Importer will implement security controls in the form of mandatory policies and procedures for all Data Importer employees who have access to Data Exporter’s data to follow. Data Importer will have, where appropriate measures of pseudonymization and encryption of Personal Data; Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services; Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing; Measures for user identification and authorization; Measures for the protection of data during transmission; Measures for the protection of data during storage; Measures for ensuring physical security of locations at which Personal Data are processed; Measures for ensuring events logging; Measures for ensuring system configuration, including default configuration; Measures for internal IT and IT security governance and management; Measures for certification/assurance of processes and products; Measures for ensuring data minimization; Measures for ensuring data quality; Measures for ensuring limited data retention; Measures for ensuring accountability and measures for ensuring erasure.
Schedule B
List of Subprocessors
Subprocessor list available at: https://deltao365.sharepoint.com/sites/GDPR/Lists/Data%20repositories/Brief.aspx?FilterField1=Ownership&FilterValue1=Yes&FilterType1=Choice&viewid=5d1fb61c%2Df669%2D4156%2Da083%2Dbddf8b3fbcd6