The International Data Transfer Procedure was published and entered into force on: 26.05.2024.
This International Data Transfer Procedure (hereinafter referred to as the “Procedure”) describes the methods and means of transferring personal data to Third Countries and International Organizations.
References to the words "we", "our" or "us" (or similar terms) refer to the company Bis-Soft.
References to the words "you", "your" (or similar terms) refer to Employees and Counterparties, depending on the context of this Procedure.
In its activities related to the collection, processing, storage, and security of personal data, Bis-Soft makes every effort to comply with the rules and requirements established by the General Data Protection Regulation (Regulation (EU) 2016/679 of 27 April 2016), commonly known as the GDPR.
1.1. Personal Data means any information that directly or indirectly allows identifying the Customer/User. For example, name, surname, phone number, IP address.
1.2. Statistical Data means any information that is directly or indirectly related to the Customer/User but is in the public domain. For example, company name and legal address.
1.3. Data is a common name for Personal and Statistical data.
1.4. Services are an algorithm of actions that the Company performs to provide access to the Software, based on the contract concluded between the Company and the Customer.
1.5. Software is a collection of information processing system programs and software documents provided by the Company to Customers as part of the provision of Services.
1.6. InteractionFQM web platform (hereinafter referred to as the "Platform") is the Software located on the Site and presented in physical form as a combination of data and commands intended to provide Services to Customers.
1.7. Company's website (hereinafter referred to as the "Site") means a web page or a group of web pages on the Internet located at: https://interactionfqm.com/ and https://admin.interactionfqm.com/manager/main/list on which the Platform is hosted.
1.8. Company "Bis-Soft" (hereinafter referred to as the "Company" or "Bis-Soft") is a legal entity owned by "BIS-SOFT" LLC that allows the implementation of the Customer's business goals in the region by providing the Customer with access to the Platform within the scope of the provision of Services.
1.9. Customer is an individual or legal entity that receives Services from the Company, including in order to obtain data about its User.
1.10. User means any legal entity or individual whose personal and statistical data the Customer receives through the use of the Platform.
1.11. Third Party means a natural or legal person, government agency, institution or body besides the Company or the Customer/User, the Controller or the Processor.
1.12. Controller means any natural or legal person, government agency, institution, or other body that independently determines the purposes and means of personal data processing.
1.13. Processor is a natural or legal person, government agency, institution, or other body that processes Personal Data on behalf of the Controller.
1.14. Agreement is a document in written or electronic form concluded between the Company and the Customer, and which regulates the Company's granting of license rights to use the Software and/or access to the Platform's functions.
1.15. Server – specialized equipment designed for storing information and serving users and databases.
1.16. Security System – a set of organizational and technical measures aimed at ensuring the information security of the Data.
1.17. International Organization – an organization and its subordinate bodies operating under public international law, or any other body established by an agreement between two or more countries or based on such an agreement.
1.18. Third Country – a country that is not a member of the European Economic Area (EEA). The EEA includes the member states of the European Union and the European Free Trade Association.
1.19. Pseudonymization – the processing of Personal Data in such a way that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person.
1.20. Encryption – the algorithmic and reversible transformation of Personal Data into a character sequence in order to ensure their security.
1.21. European Commission – the executive body of the European Union responsible for proposing legislation, implementing decisions of the European Parliament and the Council, ensuring compliance with EU treaties and legal acts, and managing the day-to-day operations of the EU.
2.1. The transfer of personal data that does not comply with the General Data Protection Regulation includes transfers to a Third Country and/or an International Organization.
2.2. By the transfer of Personal Data, we mean the transfer of Users’ Personal Data to a Third Country and/or an International Organization.
2.3. Prior to the transfer of Personal Data, the Company assesses the security and level of protection associated with such transfer.
2.4. In the course of providing the Services, the Company acts as a processor of personal data, while IT Dynamic Systems GmbH acts as the controller of personal data, in accordance with the definitions set forth in Article 4 of the GDPR. The Company processes personal data solely on the basis of a documented instruction from IT Dynamic Systems GmbH, in accordance with Article 28 of the GDPR, and does not use such data for its own purposes.
3.1. The transfer of Personal Data is carried out by the Controller or by the Processor on behalf of the Controller, in accordance with Article 44 of the General Data Protection Regulation (GDPR).
3.2. The transfer of Personal Data to a Third Country or an International Organization is permitted if the Third Country or International Organization ensures an adequate level of protection of Personal Data. If the Third Country or International Organization does not ensure such a level of protection, a decision on the adequacy of protection is to be adopted by the European Commission, pursuant to Article 45 of the GDPR.
3.3. In the absence of an adequacy decision pursuant to Article 45 of the GDPR, the Controller or Processor may transfer personal data to a Third Country or an International Organization only if the Controller or Processor provides appropriate safeguards and effective legal remedies for data subjects, as required by Article 46 of the GDPR.
4.1. When transferring Data to a Third Country and/or an International Organization, we apply Data Encryption and Pseudonymization methods.
4.2. Bis-Soft uses the following Server for Data storage: HP DL380 Series Server Group.
4.3. Data is transmitted via TLS 1.2 or 1.3 secured channels with automatic receiver-side encryption. Data deletion is performed using secure destruction protocols in accordance with NIST SP 800-88, including data overwriting and physical destruction of the storage medium, if necessary.
4.4. The Company carries out Data Encryption in accordance with Article 32 of the General Data Protection Regulation (GDPR).
4.5. The Company encrypts Data as follows: Locally stored encrypted Data. In this case, the Data is encrypted first and then stored in encrypted form on the Server.
4.6. The Company ensures Data Encryption both during transmission and at rest.
4.7. The Company uses advanced and up-to-date protection measures against DDoS attacks, minimizing the risk of Data loss and Service unavailability.
4.9. To provide additional protection from DDoS attacks, the Company utilizes content delivery services, web security services, and distributed domain name server (DNS) services.
5.1. For the storage of Data, the Company uses a Server located in the SIM-NETWORKS data center at the address: Netversor GmbH, Greschbachstr. 29, 76229 Karlsruhe.
5.2. Information about the data center’s infrastructure and guarantees is available at: https://www.sim-networks.com/ukr/impressum
5.3. Data is stored on the server of the data center SIM-NETWORKS in accordance with the General Data Protection Regulation (GDPR) and the internal documentation of the data center. The internal documentation of the data center is available at: https://www.sim-networks.com/ukr/service-agreement
5.4. The Company reserves the right to change the Server at any time by entering into an agreement with a company providing data storage services.
5.5. The Company also reserves the right to change the Server without providing additional notice to the Customer/User.
7.1. We reserve the right to periodically amend this Procedure in the event of changes to the methods and means of Personal Data transfer, security systems, Server, or applicable legal requirements.
7.2. We inform Customers of such changes via informational email notifications or by other means of communication.
7.3. If a Customer has opted out of receiving emails in which we inform about changes to the Procedure, they remain responsible for reviewing and staying informed about the latest version of this Procedure.
8.1. The Customer has the right to contact the Company’s support service at: ceo@bissoft.org in order to exercise their rights under this International Data Transfer Procedure, or in the event of a rights violation, to submit feedback or ask questions.