First: Definitions
Service Level Agreement: Clauses or particularities of the contract signed between the parties or included in these General Conditions that develop and stipulate the services in an objective manner in terms of level and quality that will be applicable.
Third-party applications / third-party software: Third-party applications that may interact with VÍNTEGRIS software.
Client: Any individual or legal entity, duly represented, that contracts the nebulaSUITE Services provided by VÍNTEGRIS. Unless otherwise agreed, the Client declares that they own the equipment on which the application is used or are authorized to use it. Furthermore, they declare that they have sufficient authority to bind the legal entity they represent to VÍNTEGRIS’s documentation and these General Terms and Conditions, such that the use and payment of these services will constitute sufficient proof of the execution of the contracts and of acting with sufficient authority to bind the company they represent.
Partner: A company that meets the requirements to participate as a reseller of VÍNTEGRIS solutions, acting on its own behalf, with its own organization and in direct relation to the customers who consume VÍNTEGRIS solutions and services.
General Conditions: This refers to the present general conditions, applicable in all cases to the Service, and its annexes.
Special Conditions: This refers to the specific conditions that stipulate, where applicable, the personalized details of the Service and the ancillary services agreed between VÍNTEGRIS and the Client.
Customer data: Data entered by the Customer that will be collected systematically and be individually accessible by VÍNTEGRIS.
Equipment: Computers, tablets, smartphones, and any other electronic machines capable of storing and processing information for the proper development of the software or those devices that interact with the VÍNTEGRIS service.
License: Rights granted by VÍNTEGRIS to the Client under the terms and conditions set out in the relevant contract, which include, among others, the limits on copying, installing, using, displaying and running the software.
Complementary Program: This refers to any software tool or component owned or licensed by VÍNTEGRIS, which VÍNTEGRIS makes available to you for download as part of the Cloud Services to facilitate your access, operation, and/or use of the Services Environment. It does not include separately licensed third-party technology.
Economic proposal: This includes the specifications of the service contracted by the Client, including the number of users who can access the contracted Services.
SaaS Service: Software as a Service. These are services provided via the internet by VÍNTEGRIS to the Client, in relation to the use of the contracted service, through the SaaS Services platform and within the cloud computing infrastructure.
Applicant: Natural person who, for the purposes of these General Conditions, acts on behalf of and represents the Client, and who REQUESTS from VÍNTEGRIS, the provision of the nebulaSUITE service.
User: Person authorized by the Client to use the VÍNTEGRIS Software.
VÍNTEGRIS: It is the company VÍNTEGRIS, SLU, with registered office at Calle Pallars 99, floor 3, office 33, 08018 Barcelona, Spain, and CIF B-62913926, and registered in the Mercantile Registry of Barcelona.
The Applicant, a natural person who for the purposes of these General Conditions acts in the name and on behalf of the Client, REQUESTS from VÍNTEGRIS, the provision of the nebulaSUITE service. nebulaSUITE includes the following services:
Service Name | Description |
|---|---|
nebulaUSERS | User management service |
nebulaID | Identification issuance service |
nebulaCERT | Centralized certificate management service |
nebulaACCESS | Multi-factor dynamic authentication service |
nebulaSIGN | Signature portal service |
nebulaSNE | Electronic notification management service |
nebulaDISCOVER | Digital certificate discovery service |
The services indicated are provided by VÍNTEGRIS in SaaS mode after their selection by the Client or licensee, using various computer applications owned by VÍNTEGRIS located on a technological platform to which the Client will have access, once the relevant usage licenses have been granted.
These General Terms and Conditions for the Contracting of Services (“General Terms”), without prejudice to the documents listed in Clause Six, regulate the use of all nebulaSUITE services.
The “General Terms and Conditions” applicable to each Client are the latest version that the Client accepts and signs at the time of initial subscription/renewal. If no version is available, the General Terms and Conditions published on the website and in effect at the time of subscription/renewal will apply.
This version of the “General Conditions” will be applicable and valid during the contracted or renewed subscription period (12 months by default).
VÍNTEGRIS reserves the right to modify the General Conditions periodically and at its sole discretion, with these updated Conditions being applicable at the next renewal of the Client’s subscription, taking into account what is indicated in the previous paragraph and with the exception of the indications described in clause Eighteen.
The Client accepts and undertakes to make proper use of the nebulaSUITE services, in accordance with all applicable laws of the European Union and Spain, as well as with the corresponding regulations, rules, notices, criteria, reports and technical standards that may be appropriate (collectively referred to as “Laws”), and in accordance with the rules of good faith, public order and those contained in the General Conditions, without prejudice to the order of precedence established in clause Twenty-Sixth.
These General Terms and Conditions are implemented in accordance with the Law, their own agreements, and the Confidential Practice Statement (CPS) in force at the time of the provision of each service, which can be found updated at the internet address https://www.vincasign.net/
For the contracting of the Service, the Applicant must sign the acceptance sheet included in the economic proposal, where the acceptance of the Particular Conditions and General Conditions attached in the economic proposal is declared.
Once the corresponding documentation has been signed, VÍNTEGRIS will give the Client access to the Platform.
The completion of the subscription process is subject to verification of the information provided by VÍNTEGRIS. Once the subscription is finalized, VÍNTEGRIS will send the customer a Purchase Confirmation Letter via email containing the subscription details. Additionally, except in the case of renewals, VÍNTEGRIS will send the customer a document called “Welcome Info (WI)” via email, which will include instructions for accessing the platform, the subscription validity period, the User ID for access, and the customer’s email address where the password reset link will be sent.
It is important to note that the subscription start and end dates (validity period) will be those indicated in the “Welcome Info (WI)” document. The start date will coincide with the activation date of the environment and the date from which the subscription is contracted, and the end date will be the maximum contracted date. These dates will be used to determine the subscription’s expiration and renewal.
The password set by the user is unique, personal, and non-transferable. The Client is obligated to use their passwords and other credentials diligently and keep them secret. Consequently, the Client is responsible for the proper safekeeping and confidentiality of any identifiers and/or passwords and agrees not to transfer their use to third parties, whether temporarily or permanently, nor to allow access to them by unauthorized persons. The Client will be responsible for the use of the Services by any unauthorized third party who uses a password due to the User’s negligence or loss of said password. Therefore, the Client is obligated to immediately notify VÍNTEGRIS of any event that could lead to the misuse of identifiers and/or passwords, such as theft, loss, or unauthorized access, so that they can be immediately canceled. Until such events are reported, VÍNTEGRIS will be exempt from any liability that may arise from the misuse of identifiers or passwords by unauthorized third parties.
It is recommended to change this password periodically and not use the same one for multiple services.
The Applicant, at the time of requesting nebulaSUITE services and in accordance with current legislation, has been informed of the precise instructions for the use of the services, the limitations of use and the way in which VÍNTEGRIS limits its possible liability, as well as the sufficient authorization of VÍNTEGRIS, and the relevant dispute resolution procedures, and accepts them expressly and without reservation, for the purposes of what is indicated in articles 5 and 7 of Law 7/1998, of April 13, on general conditions of contracting.
The nebulaSUITE services are specifically governed by the following service documentation, which is fully incorporated into the contract: 1) The Economic Proposal and any Special Conditions included therein. 2) These General Conditions. 3) Annex I “Specific Terms of the nebulaSUITE Services”. 4) Annex II “Service Level Agreements (SLAs)”. 5) Annex III “Data Processing Agreement (DPA)”.
The Client shall pay the amount corresponding to the services referred to in these General Terms and Conditions in accordance with the price list approved by VÍNTEGRIS at any given time, the current value of which is indicated in the Economic Proposal approved by both parties prior to the commencement of nebulaSUITE services. Notwithstanding any information that may appear in the price list, the price that the Client must pay is that which appears in the Economic Proposal.
The prices of the services contracted by the Client are found in the Economic Proposal, as well as the details of the services and technologies contracted by the Client.
In the event that the Client contracts the services through a VÍNTEGRIS partner, VÍNTEGRIS will invoice the partner for the corresponding amount indicated in the Economic Proposal approved by both parties prior to the start of the nebulaSUITE services.
The Partner will pay the corresponding amount according to the payment terms established in the Economic Proposal.
In these cases, VÍNTEGRIS will not be responsible for the commitments that the Partner has acquired directly with the Client, it will only respond according to the services agreed and contracted by the Partner for the Client.
VÍNTEGRIS reserves the right to increase the prices of its product subscriptions, which may be due, among other things, to increased costs to compensate for newly added features, costs of new procedures and certifications imposed by regulations, or the expansion of new services included in the subscriptions. If VÍNTEGRIS anticipates such an increase, it will notify the customer 60 days in advance of the renewal date of the affected subscriptions, and the customer may then decide whether to renew or terminate their subscriptions.
The payment method and billing milestones are outlined in the Economic Proposal.
All payments will be made in euros (€), unless otherwise stated in the Economic Proposal.
VÍNTEGRIS will invoice the Client as follows:
If the Client contracts the services through a VÍNTEGRIS Partner, the billing and payment policies indicated above will apply directly to the Partner.
If the Client fails to make full or partial payment of the amounts owed within one month of the agreed invoice due date, VÍNTEGRIS may, after giving the Client prior notice, temporarily suspend the service. The service restriction will affect the services for which payment is overdue and may also affect other dependent services. Temporary suspension does not exempt the Client from the obligation to continue making the corresponding fixed periodic payments.
VÍNTEGRIS may also suspend or cancel the provision of the Service in the event that:
A delay in payment for a period exceeding 2 months or the temporary suspension of the contract on two occasions due to late payment of any of the contracted services, will entitle VÍNTEGRIS to the definitive interruption of all contracted services and the corresponding termination of the contract, after notifying the Client 10 business days in advance, indicating the date on which it will take place.
The policies regarding the suspension and cancellation of services due to non-payment will also apply to cases where the contract was made through VÍNTEGRIS partners, and the billing and payment were delegated to them, and they failed to make the payment.
The Partner may request that VÍNTEGRIS deactivate each active Subscription separately, and depending on the Solution, the Client will have limited or no access to it. VÍNTEGRIS will not be liable to the Client in any way for the Partner’s deactivation of the Client’s Subscription.
Except for clauses 9, 10, 11, 12, and 19, these General Terms and Conditions shall remain in effect for the duration of the service provided and shall be specified in the WI document or, failing that, in the purchase confirmation. The remaining clauses shall remain in effect until the legally established periods expire in each case, or, if no such periods are established, until any legal actions that VÍNTEGRIS may take against the Client or third parties are time-barred or expire.
The Services under this Contract will be provided during the Service Period defined in the WI document or failing that in the purchase confirmation, unless suspended or terminated early in accordance with these General Conditions or the Economic Proposal.
Early termination without just cause. The Customer may choose to cancel their subscription early, at any time, but will not receive any refund of previously paid fees and must immediately pay all outstanding fees due until the end of the Subscription Term. In this case, the service will remain active until the initially defined expiration date, unless the Customer expressly instructs us to deactivate the account.
Early termination for justified cause. Either party may terminate the provision of the Services for just cause as follows: (i) by giving the other party thirty (30) days’ prior notice that a material breach has occurred, provided that such breach has not been remedied by the end of that period. In this case, VÍNTEGRIS reserves the right to deactivate the Customer’s SaaS Service and terminate the license to use the software related to the Services; all of this without prejudice to any right of access in relation to personal data, as provided in clause 17 of these General Terms and Conditions.
Also, VÍNTEGRIS may terminate the provision of the Services for justified cause with thirty (30) days’ prior notice if VÍNTEGRIS determines that the Client is acting (or has acted) in a manner that reflects negatively on VÍNTEGRIS or affects VÍNTEGRIS or its prospects or clients.
In any of the aforementioned cases, if VÍNTEGRIS declares the termination of services due to infringement or improper conduct by the Client, the Client will not receive any refund of previously paid fees and must immediately pay all unpaid fees owed until the end of the Subscription Period.
Except for these reasons, the Service may not be terminated before the end of the Subscription Term.
Termination within the subscription period. If the Customer wishes to not renew the subscription service, they must notify at least one month in advance of the current subscription date; otherwise, the customer may be required to pay cancellation fees and comply with the other conditions specified in this cancellation section.
If you cancel the Services, they will end on the final date of the current Service period or, if VÍNTEGRIS charges invoices to your account periodically, at the end of the period in which you canceled.
To cancel the Services you must contact your Commercial Manager or notify the address customercare@vintegris.com.
Please note that you will be required to pay all charges made to your billing account for the Services up to the subscription termination date.
Unless accompanied by a separate license agreement between VÍNTEGRIS and the customer, all software provided to you by VÍNTEGRIS as part of the Services is subject to these Terms:
Access to the Service is only permitted to those persons who have the password, under the responsibility of the Client, and the Service will be limited to the number of users that corresponds according to the Services contracted by the Client and as described in the Economic Proposal.
SaaS services are composed of elements from different contractual causes, on the one hand, those derived from the software license and on the other hand, those derived from its deployment in cloud infrastructure.
Regarding defective compliance resulting from VÍNTEGRIS software:
VÍNTEGRIS warrants that: (i) it will provide the Services in all material respects as described in these Terms and the Special Conditions; (ii) it will provide the Services professionally in accordance with these Terms and the Special Conditions; and (iii) it will not knowingly introduce any viruses or other forms of malicious code into the service.
To the extent permitted by law, VÍNTEGRIS Services are provided “as is” without any warranty or condition other than that set forth in the preceding paragraph.
If the Services provided to the Client are not provided in accordance with the above guarantee, the Client must notify VÍNTEGRIS in writing, describing the deficiency in the Services.
Within the first 5 days, VÍNTEGRIS will make a diagnosis of the technical reasons for the defective compliance in the provision of its services in accordance with these General Conditions and the Special Conditions.
If the service can be restored in less than 10 days, VÍNTEGRIS will make all commercially reasonable efforts to correct the situation, and will propose alternative technical measures to the customer to minimize any potential damage that may affect the customer.
If it is not possible to provide the services in accordance with the foregoing warranty within 15 days of notification of the defective performance, VÍNTEGRIS will propose alternative technical measures to the Client to minimize any potential damages that may affect the Client. Within sixty (60) days from the date of notification of non-performance, either party may terminate the Services by sending written notice to the other.
The return of prepaid amounts from the moment of breach of the guarantee will be the RESPONSIBILITY OF VÍNTEGRIS, making said amount the maximum compensation for damages that the Client may claim and demand from VÍNTEGRIS, provided that it is not attributable to gross negligence or willful misconduct by VÍNTEGRIS.
Regarding defective compliance resulting from the availability of the cloud infrastructure.
In this sense, Annex II, which details the terms of the Service Level Agreements (SLAs) offered by VÍNTEGRIS to its clients, forms an integral part of this contract.
Any liability on the part of VÍNTEGRIS for failure to comply with the level of service as set out in ANNEX II will only be granted if VÍNTEGRIS was responsible for the failure.
In particular, VÍNTEGRIS is not responsible for:
VÍNTEGRIS will only be liable if the material obligations of the Contract are intentionally breached or when required by applicable law.
Additionally, unless otherwise agreed in writing, VÍNTEGRIS will not be obligated to make any modifications to its systems or services to adapt them to operational requirements demanded by any regulatory or business need of the Client.
Neither party shall be liable for any indirect, incidental, special, punitive or consequential damages, or for any loss of profits, revenue (excluding fees due under this Agreement), data or use of data.
VÍNTEGRIS’s total liability for any damage arising out of, or in any way related to, this Agreement, whether contractual, extra-contractual, or otherwise, shall be limited to the amount of the fees paid to VÍNTEGRIS for the Services governed by the contract giving rise to the liability during the twelve (12) month period immediately preceding the event giving rise to such liability, less any refunds or credits received from VÍNTEGRIS under the contract, provided that it is not attributable to gross negligence or willful misconduct by VÍNTEGRIS.
The Client must:
Without prejudice to the provisions of clause NINTH, any computer program (Software) supplied, as well as all its documentation and/or information relating thereto, is the exclusive property of VÍNTEGRIS or, where applicable, of VÍNTEGRIS’s Software Providers.
All intellectual property and copyright rights over the Program, the documentation, as well as over any other work, program and/or product that may be delivered by VÍNTEGRIS to the Client in compliance with the applicable agreements according to Clause Six belong to VÍNTEGRIS or its Software Providers.
The Client shall refrain from deleting, modifying or otherwise altering the reservation of rights notices in favor of the licensor, as well as, among others, the name, logo or trademark that identifies the latter entity in all documentation provided on any medium in the context of the agreements applicable according to Clause Six.
By accepting these General Conditions, the Client authorizes VÍNTEGRIS to use its trademark(s) and logo(s) (hereinafter, the “Trademarks”) for the sole purpose of using them in commercial presentations to refer to the fact that it is a Client of VÍNTEGRIS.
To that effect, the Client authorizes VÍNTEGRIS to insert and communicate its Trademarks in all advertising and support materials as provided.
The Client authorizes the arrangement and configuration of its Trademarks so that they appear in the form and place appropriate to its image, without altering colors, shapes, symbols or graphics.
Thus, VÍNTEGRIS undertakes to (i) not alter, deface or mutilate the Trademark(s) in any way; (ii) not use the Trademark(s) in a way that harms the prestige or image of the Client; (iii) respect those reasonable indications transmitted by the Client in relation to the use of the Trademark(s) for its protection and maintenance of its distinctive strength, renown and homogeneity.
The use that VÍNTEGRIS makes of the Trademark(s) during the execution of the commercial agreement between both parties does not mean in any case that VÍNTEGRIS acquires any right over it/them.
The Client will always have the option to prohibit VÍNTEGRIS from using its trademarks as indicated in this clause. If the Client chooses this option, they must notify VÍNTEGRIS of their intention not to use its trademarks, as stipulated herein, in writing, either physically or electronically.
Upon termination of the commercial relationship between the Client and VÍNTEGRIS, the Client will immediately cease using the Trademark(s).
VÍNTEGRIS, as the Data Controller, in compliance with current data protection regulations, informs you of the collection and processing of personal data that it may process as a result of contracting the services included in these General Conditions:
The identification and contact information provided during the pre-contractual and contractual phases of this relationship will be processed for the purpose of managing the contracted service: providing the required information, managing incidents, administrative tasks, invoicing, and sending information related to the services provided by VINTEGRIS. The legal basis for this processing is the existing pre-contractual/contractual relationship between both parties and VINTEGRIS’s legitimate interest in maintaining relationships of any kind with the legal entity where the data subject provides their services.
Data may be communicated to public bodies in compliance with legal obligations.
The data retention period will be that established by applicable regulations and, where appropriate, the data will be kept for the time necessary to demonstrate the proper execution of the contract. Basic contact information may also be retained indefinitely for future marketing activities based on VINTEGRIS’s legitimate interest.
The interested party will inform VINTEGRIS of any changes that occur in the data provided, so that they can be kept up to date.
If the services contracted with VINTEGRIS include the issuance of VINTEGRIS certificates as a qualified trust service provider, the personal data provided will be processed for the purpose of issuing and, where applicable, revoking the certificate. The personal data processed corresponds to the identifying information of the certificate holders and the documents they provide that prove their identity, as well as any attributes that may be included in the certificate. In cases where the certificate so requires, data related to the holder’s position within the company and/or their status as a representative or authorized agent will be processed. Additionally, the contact information provided by the signatory (email address and mobile phone number), necessary for the certificate issuance process, will be processed.
The data may be communicated to competent bodies and auditors in compliance with current regulations.
The legal basis for this processing is the existing contractual relationship between both parties and compliance with current regulations applicable to the provision of trust services.
The data retention period will be 15 years from the date the certificate expires in accordance with the applicable regulations.
Furthermore, based on Víntegris’ legitimate interest and in compliance with the requirements established in the regulations applicable to trusted service providers, the data collected for issuing the certificate may be processed for the purposes of conducting internal audits to verify the proper functioning of our processes and to monitor that the actions taken are correct. The data may be processed for these purposes for the time necessary to meet the audit requirements. Likewise, personal data necessary for the internal management of invoicing for issued certificates may be processed. The legal basis for this processing is the legitimate interest of the data controller in issuing invoices for the contracted certificates. The data retention period will be that established in the regulations applicable for accounting and tax purposes and for addressing claims arising from the issued invoices. The data may also be processed for statistical purposes based on the legitimate interest of the data controller.
Data related to nebulaID (Video identification)
When the identity validation process for issuing certificates is carried out using nebulaID, the personal data collected in this process will be processed for the purpose of identifying and validating the identity of the applicant. The personal data processed are: identification data, image of identity documents, results of OCR processing of the identity documents provided, recorded video image as proof of life, including voice recording, audit record of the verification process, and data related to the circumstances of the applicant that have a relationship with the certificate (nationality, position or representation in the company…).
Although a facial recognition process is performed using biometric techniques, no biometric data is stored.
The video identification process and the personal data collected are those established in current regulations, which, along with the data subject’s consent obtained before the process begins, constitute the legal basis for processing the data. The data subject is informed of the possibility of verifying their identity through other means, such as in-person identity verification.
This data may be communicated to competent bodies and auditors in compliance with applicable regulations.
The data retention period is fifteen years from the expiration date of the issued certificate and five years when the validation process has failed and it is considered that there may be an attempt at fraud, counting from the date of its execution, in accordance with the provisions of current regulations.
Furthermore, based on Víntegris’ legitimate interest and in compliance with the requirements established in the regulations applicable to trusted service providers, the data collected for issuing the certificate may be processed for the purposes of conducting internal audits to verify the proper functioning of our processes and to monitor that the actions taken are correct. The data may be processed for these purposes for the time necessary to comply with the audit requirements. Likewise, personal data necessary for the internal management of invoicing for issued certificates may be processed. The legal basis for this processing is the legitimate interest of the data controller in issuing invoices for the contracted certificates. The data retention period will be that established in the regulations applicable for accounting and tax purposes and for addressing claims arising from the issued invoices. The data may also be processed for statistical purposes based on the legitimate interest of the data controller.
When, in any of the data processing activities indicated in this clause, data from third parties is provided, the client must inform the owner of this data beforehand of the terms contained herein.
At any time, the interested party may submit a request to exercise their rights recognized in the regulations on the protection of personal data, by means of a written and signed request, accompanied by a copy of their national identity document or equivalent document that proves their identity. Likewise, when acting through a representative, it will be necessary to prove the existence of said representation. Requests should be addressed to VÍNTEGRIS.
VÍNTEGRIS also reminds the interested party that they have the right to lodge a complaint with the relevant supervisory authority (Spanish Data Protection Agency).
Version Number | Effective date | Approved by (Name and position) | Approval Date | Description | Author (Name and position) |
|---|---|---|---|---|---|
1 | 28/02/2024 | Matthew Walsh, Chief Executive Officer | 28/02/2024 | Vintegris’ internal information and whistleblower protection system strategy | Noemí Cruz, Head of the Internal Information System |
At all times during the term of their subscription, the Customer will have the ability to access the Customer Data stored in the nebulaSUITE Service, as well as the ability to extract and delete it.
The Client will have access to the application’s audit logs for a period of 12 months. VÍNTEGRIS will continue to safeguard these logs for longer periods in cases where applicable legislation so requires, but they will no longer be accessible to the Client through the platform.
VÍNTEGRIS will retain Customer Data still stored on the nebulaSUITE Services in a limited-functionality account for sixty (60) days following the expiration or termination of the Customer’s subscription, allowing the Customer to retrieve the data. After the sixty (60) day retention period, VÍNTEGRIS will deactivate the Customer’s account and delete the Customer Data and Personal Data within an additional ninety (90) days, unless applicable law requires VÍNTEGRIS to retain such data.
In cases where for any reason the Client does not have any access to their account, VÍNTEGRIS will provide alternative mechanisms so that the Client’s Data can be extracted.
VÍNTEGRIS will not incur any liability for deleting Customer Data or Personal Data, as described in this section.
VINTEGRIS guarantees in the provision of its services compliance with the security measures established in the regulations eIDAS, NIS 2, ENS (High) and in the standards ISO 27001, ISO 27017, ISO 27018 and ISO 27701 as accredited by our certifications in these regulations and security standards.
While VINTEGRIS is responsible for implementing security measures, certain security measures depend on the Client’s management of them. To guarantee information security, the Client agrees to:
The Client undertakes to conduct a periodic review of the users with access to the tenant and their access rights.
The user will be responsible for the actions carried out with their identifier, and therefore should not allow third parties to use it.
Users are responsible for maintaining the confidentiality of their passwords. If they believe their password has been compromised, they must change it as soon as possible and report any unauthorized use of their account.
VÍNTEGRIS will not be liable for any security incident affecting the information contained in the Client’s tenant when the incident is caused by a breach of the obligations established in this clause.
VÍNTEGRIS reserves the right to modify the terms and conditions of these General Terms and Conditions and/or any included Annexes related to the Service at any time. These modifications will apply to the next renewal of each Client’s subscription. If the Client does not accept these new General Terms and Conditions, they must notify VÍNTEGRIS that they will not be renewing their subscription.
In the event that these General Terms and Conditions are amended for regulatory and/or legal reasons, and these changes affect the use of nebulaSUITE services or the Client’s legal rights under our Services, VÍNTEGRIS will notify the Client before the effective date via email to the address associated with their account. These updated Terms and Conditions will take effect no sooner than 30 days after the date we send the notification.
If the Client does not accept the changes implemented by VÍNTEGRIS, VÍNTEGRIS will enter into a negotiation process with the Client to try to resolve the dispute. Should the Client ultimately reject these changes, their account will be canceled. Where applicable, VÍNTEGRIS will offer the Client a prorated refund based on the amounts already paid for the Services and the date of account cancellation.
The clauses of these General Conditions are independent of each other, which is why, if any clause is considered invalid or unenforceable, the remaining clauses will continue to apply, unless expressly agreed otherwise by the parties.
It is expressly stated that a copy in electronic format (by making it available on the website) of all the documentation referred to in these General Conditions has been delivered, as well as a copy of the same together with the Economic Proposal.
All notices between the parties shall be in writing and delivered personally or by any other means that certifies receipt by the notified party. For the purpose of notifications, VÍNTEGRIS establishes the following email address: administracion@vintegris.com
Any change of address by one of the parties must be notified to the other immediately and by a means that guarantees receipt of the message.
In all matters not covered by these general terms and conditions, the agreement shall be governed by Spanish civil and commercial law. The competent jurisdiction is that indicated in Law 1/2000, of January 7, on Civil Procedure. In the event of any disagreement between the parties regarding the interpretation or performance of these General Terms and Conditions, the parties shall attempt to resolve the matter amicably beforehand, in accordance with the procedure established by VÍNTEGRIS for this purpose.
If the parties cannot reach an agreement in this regard, either of them may submit the dispute to civil jurisdiction, subject to the Courts of the registered office of VÍNTEGRIS, except when the applicable legislation establishes different mandatory rules.
In the event that VÍNTEGRIS decides to cease its operations, all reasonable efforts will be made to notify the Client as far in advance as possible and to provide mechanisms for the recovery of their personal data and audit records.
VÍNTEGRIS will not be in default or in delay of its obligations to the extent that its performance is delayed or impeded by causes beyond its control, including, without limitation, acts beyond its will, such as: acts of the Client; governmental restrictions (including the denial or cancellation of any export, import or other license); acts of third parties not under the control of VÍNTEGRIS; acts of any governmental body; pandemics; war, hostility, insurrection, sabotage or armed conflict; embargo, fire, flood, strike or any other labor disturbance; interruption or delay in transportation; unavailability or interruption or delay of telecommunications or third-party services; virus or hacker attacks; errors in third-party software (including, without limitation, e-commerce software, payment systems, chat, statistics or free scripts); as well as the inability to obtain raw materials, supplies or energy or the equipment necessary for the provision of the Services.
VÍNTEGRIS will use reasonable efforts to mitigate the effects of a force majeure event.
If such an event persists for more than 30 days, either party may cancel the pending Services by written notice.
This clause does not relieve the parties of the obligation to take reasonable steps to follow their normal disaster recovery procedures or their obligation to pay for the Services.
Specific Terms of Service nebulaSUITE
1.1. Collection of personal data. Creating new user accounts involves collecting the following personal information: first name, last name, user ID, email address, and telephone number (optional). This information is processed in accordance with clause sixteen of the nebulaSUITE General Terms and Conditions.
1.2. Integration with corporate user repositories. Personal information imported into nebulaUSERS from corporate repositories is used and stored in the same way as information collected directly. Under no circumstances is information retrieved from the client’s corporate systems that could compromise user security, such as passwords.
1.3. Distribution of proprietary software. All client software and/or documentation published on the nebulaUSERS portal follows the licensing and usage model detailed in clause eight of the nebulaSUITE General Terms and Conditions.
N/A
3.1. Issuance of qualified certificates. To configure and activate the functionality for issuing qualified certificates from the VÍNTEGRIS certification authority in any of its modalities, a specific contract between VÍNTEGRIS and the client is required.
3.2. Service Options. nebulaID is a product that allows the creation of verified digital identities through identity validation processes that have the same legal standing as legal personhood. Depending on the nature of these validation processes, the product can be used in the following ways.
The unattended remote video identification modality is offered following the requirements established by current legislation on digital identification, as established by Order ETD/465/2021, of May 6, which regulates the methods of remote identification by video for the issuance of qualified electronic certificates.
This modality internally makes use of both VÍNTEGRIS’ own technology and that of other technology providers.
3.3. Definition of identification process states and consumption metrics. The following details the different states of the identification processes in the unattended remote video identification mode.
The following describes the different consumption metrics associated with the identification processes carried out in the Video Identification modality as described in this section.
The processes contracted by the client will therefore be accounted for as follows:
If VÍNTEGRIS and the client do not agree on a specific PCMA, it will be assumed to be 20%.
3.4. Service Level Agreements (SLA) for the VÍNTEGRIS Registry Operator service.
The use of nebulaID in its unattended remote video identification mode requires the manual review of biometric evidence by a registration operator, whose availability directly conditions the response time between the completion of the process by the requesting user and the moment in which the user’s identity is validated and the issuance of the qualified electronic certificate or any other subsequent process can proceed.
This response time is regulated by a Service Level Agreement (SLA) between the client and VÍNTEGRIS, which governs the limits under which each request is handled. This SLA is defined as follows.
VÍNTEGRIS does not guarantee any SLA that has not been clearly stated in a prior agreement between the two parties. This includes response times from the registry office, conversion rates for the video identification process, and availability of the video identification service.
4.1. Use of Qualified Certificates. It is the client’s responsibility to use their qualified digital certificates in accordance with the terms stipulated by the issuing trusted service provider. The conditions of use for the certificates are detailed in the “acceptance sheet” or contract signed by the certificate holder upon delivery, and such use must comply with applicable law, including any laws regulating signature authentication and signature delegation. VÍNTEGRIS will not be liable for the consequences of a breach of contract between the certificate holder and the issuing certification authority, or for any misuse of a certificate and its associated private key by the holder.
5.1. Signature formats. nebulaSIGN allows you to generate the most common signature formats, including CAdES, PAdES, and XAdES in their various forms. Detailed information on the different recognized signature formats can be found on the e-government portal: http://firmaelectronica.gob.es/Home/Ciudadanos/Formatos-Firma.html
N/A
7.1 Collection of personal data. During the registration process, the following personal information is collected: name, surname, company, and email address. This information is processed in accordance with the provisions of clause sixteen of the nebulaSUITE General Terms and Conditions.
Service Level Agreements (SLAs)
This Service Level Agreement (“SLA”) for nebulaSUITE Services is a policy that governs the use of nebulaSUITE and applies independently to each service. In the event of a conflict between the terms of this SLA and the General Terms and Conditions, the terms and conditions of this SLA shall apply, but only to the extent of such conflict. Terms used herein and not defined herein shall have the meanings set forth in the General Terms and Conditions.
VÍNTEGRIS provides the CLIENT with a technical support team made up of engineers with extensive experience in the field of information systems security, digital certificates and electronic signatures, with sufficient experience and training to offer a personalized and high-quality support service.
The support service is available through different usage modalities by the CLIENT: Standard Support, Plus Support and Plus Support 24×7.
STANDARD SUPPORT
Included by default and at no additional cost with all nebulaSUITE service subscriptions.
Standard Support is available during the active subscription period, provided that the subscription is up to date with payments.
Standard Support does not include, under any circumstances:
Procedure to follow to report an incident:
When reporting a new incident, the customer must provide VÍNTEGRIS with the following information through the Support Portal (https://vintegris.zendesk.com/):
The CLIENT user responsible for creating an incident will be available to respond to requests for information, testing, or direct collaboration that support engineers may need for the diagnosis of the incident.
If within a period of 5 working days the CLIENT does not provide the data or test results required by the support engineers, or does not respond to any other requirement, the incident will be marked as completed, although the option to reopen it will be given if necessary.
The response time, depending on the severity of the incident opened in Standard Support, is as follows:
Severity | Incident Type (1) | Max. Response Time (2) | Contact Method |
|---|---|---|---|
Severity 3 | Isolated incidents with low impact. Product issues that affect Test, Trial or Pre-Production environments. | 2 business days | Support portal with tracking via the portal and email. |
Severity 2 | Product incidents that do not affect a production environment or that do not have a great impact or urgency. Product issues that prevent users from using the product sporadically or individually. | 1 business day | Support portal with tracking via the portal and email. |
Severity 1 | Critical Incidents, which affect the Production environment with great impact or urgency. Product issue that prevents the product’s main functions from being performed on all workstations or by all users (major impact). | 4 working hours | Support portal with tracking via the portal and email. |
(1) Incident type: When incidents created by the CLIENT do not fit the description corresponding to their severity according to this table, the support team may change the severity level accordingly at their discretion.
(2) Maximum response time: This is the maximum time established during which VÍNTEGRIS support staff will contact the CLIENT, to collect data regarding the product incident and assign staff for its analysis and resolution.
PLUS SUPPORT
Available only through specific subscription by the CLIENT. Plus Support can be purchased provided there is an active and up-to-date nebulaSUITE subscription.
SUPPORT PLUS is a service offered specifically by Víntegris to certain CLIENTS at Víntegris’ discretion. The Support Plus service must always be within the contracted nebulaSUITE subscription period.
To contract this service, you need to contact Víntegris.
(3) Plus Support requests will be handled under the same SLA as standard support. The resolution time for these requests will vary depending on their nature and will be managed through a ticket. The procedure for registering an incident covered by standard support is the same as described above for this support modality.
(4) Refer to the relevant section for detailed information on tasks and services included and excluded in each of the listed categories.
Available only through specific subscription by the CLIENT. 24×7 Plus Support can be purchased provided there is an active and up-to-date nebulaSUITE subscription.
SUPPORT PLUS is a service offered specifically by Víntegris to certain CLIENTS at Víntegris’ discretion. The 24×7 Support Plus service must always be within the contracted nebulaSUITE subscription period.
Severity | Incident Type (1) | Max. Response Time (2) | Contact Method |
|---|---|---|---|
Severity 1 | Critical Incidents, which affect the production environment with a high impact or urgency. Product incidents that prevent the main functions of the product from being carried out on all workstations or users (major impact). | 2 hours | By telephone through a previously designated CLIENT contact person. |
(5) It is recommended to use the telephone Hotline only outside normal working hours, since the usual channels already allow the management of critical incidents during this period.
To contract this service, it is necessary to contact Víntegris.
Through the Plus Support service, VÍNTEGRIS provides a help and collaboration service to its customers that goes beyond the Standard Support included by default with each nebulaSUITE subscription or any of its components.
It is aimed at those customers who make intensive, functional or frequent use of nebulaSUITE in organizations, primarily through:
nebulaSUITE administrators
This service is not intended to be a managed service that replaces the work that each of the aforementioned groups performs in the CLIENT’s organization, but rather an assistance tool to resolve doubts or carry out actions for which, due to their specialized nature or simply lack of knowledge, they are not initially qualified.
Therefore, unless otherwise determined by the support team, all service actions provided through Plus Support will require the active collaboration of at least the person requesting the service, and the tasks necessary for their execution will be carried out through direct interaction between the support staff and this person.
Similarly, although the actions carried out with applicants will, as far as possible, have an educational character so that the requesting user can improve their training in the use of our technology, Support Plus is not a training service, nor is it a tool to create specific documentation for the CLIENT’s users.
All service actions within the Support Plus framework will be limited by nebulaSUITE’s technical capabilities at the time the specific service is provided. You will be notified promptly if a request cannot be fulfilled because it exceeds these capabilities or falls outside the functional scope of our solution.
On-premise components requiring specific actions must use officially supported versions; if they do not, an update will be coordinated with the CLIENT.
Resolution of extended usage or operation questions that are not covered by Standard Support.
To directly support the CLIENT in specific service operation tasks in their corporate environments, even if they are not caused by incidents or malfunctions of nebulaSUITE or any of its components.
Among others, the following types of actions are included:
Provide direct support for updating and configuring on-premise service components:
Provide support for the development of integrated applications using the nebulaSUITE REST API
Help users and operators in the processes of requesting, approving and issuing Víntegris certificates
To ensure the availability of the Plus Support service for all customers, there are logical limits to its use. These limitations are detailed in the customer’s specific terms and conditions.
VÍNTEGRIS provides software maintenance and update services, consisting of a new version of the software that eliminates existing errors in the current version or software improvements.
VÍNTEGRIS reserves the right to suspend, totally or partially, the contracted service if it notices, detects and/or verifies in its maintenance work any alteration that slows down or leads to a detriment in the provision of the service or the rights of clients or third parties; also if a risk or vulnerability to the security of the Service is detected.
VÍNTEGRIS reserves the right to unilaterally update or improve its solutions without incurring any additional costs on the current subscription, without prejudice to the negotiation of the subscription renewal.
The Client agrees to provide VÍNTEGRIS, without being asked, with all the information necessary for the correct evaluation and execution of the corresponding service request to check and know the possible causes relating to the conditions of its operating system and other elements that may affect navigation.
Furthermore, the Client is obliged to install the updates made available by VÍNTEGRIS and to use only the most current version of the software or the one immediately prior to it.
VÍNTEGRIS will not be responsible for actions arising from or damages caused by the operation of the Platform if it does not meet the CLIENT’s expectations or when they may be due to problems caused by the CLIENT’s own systems and assets.
Unless otherwise specified in the particular clauses of each service, VÍNTEGRIS Cloud services are available 24 hours a day, 7 days a week.
VÍNTEGRIS will make all commercially reasonable efforts to ensure service availability with an Average Service Availability (ASA) of at least 99.5%, excluding justified downtime. VÍNTEGRIS will monitor service availability automatically 24 hours a day, 7 days a week.
In the event of a planned service outage due to a platform update, VÍNTEGRIS will notify its customers in advance, indicating the reason for the service interruption, the date, time frame, and affected services. Therefore, it is the customer’s responsibility to keep their contact information updated for notifications throughout the duration of the Services.
Product updates do not occur on a fixed schedule. Should an update affect the availability of the Service, we will notify you, as described in the previous section.
The Service Commitment does not apply to any unavailability, suspension, or termination of any of the services, or any other performance issues: (i) resulting from a suspension; (ii) caused by factors beyond VÍNTEGRIS’s reasonable control, including any force majeure event or internet access or related problems beyond its demarcation point; (iii) resulting from any action or omission by the Client or a third party; (iv) resulting from Client personnel, software, or any other technology and/or equipment, software, or technology of a third party (other than third-party equipment that is under VÍNTEGRIS’s direct control); (v) resulting from a suspension and termination of the Client’s right to use the services pursuant to the service agreement; (vi) affecting testing, development, pre-production, or commercial environments.
(Data Processing Agreement VÍNTEGRIS 2022-ES.Rev.1.3_rev)
This Data Processing Agreement (“DPA”) is an agreement between the applicant and the entity they represent (“Client”) and Víntegris, SL (“VÍNTEGRIS”) and sets out the obligations of both parties with respect to the processing and security of the personal data for which the Client is responsible in connection with the use of nebulaSUITE Services.
This ATD supplements the nebulaSUITE Service Terms and Conditions available at https://old.vintegris.com/es/nebulasuite-service-terms/ or any other agreement between the Client and VÍNTEGRIS governing the Client’s use of nebulaSUITE Services provided by VÍNTEGRIS when Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) applies to the use of these services.
Excluded from this agreement are the processing of personal data that VÍNTEGRIS may carry out as Data Controller, in the contracting of services related to its status as a trusted service provider and whose processing of personal data is established in clause sixteen.
For the purpose of this ATD:
“Applicable data protection law” means the laws and regulations applicable where data processing takes place, which apply to the terms of this Data Protection Agreement and which may change over time. This includes both Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) and applicable local laws where the processing takes place.
‘Controller’ or ‘Controller of processing’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for by Union or Member State law;
“Processor” or “Data Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
“Interested party” means a person who is the subject of the personal data;
“ATD”, “this ATD”, “this ATD agreement” is this Data Processing Agreement;
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Supervisory authority” means an independent public authority established by a Member State which is responsible for supervising the processing of personal data in order to protect the fundamental rights and freedoms of natural persons with regard to the processing of their data;
“Customer Data” refers to all personal data (including personal data collected in digital certificates) that authorized Customer personnel enter into the databases and hosting systems of each service, as well as any data that may be generated and stored through the use of nebulaSUITE services. The Customer is responsible for the processing of this personal data.
“Services” and “nebulaSUITE Services” are Software as a Service (SaaS) services. These are services provided by VÍNTEGRIS to the Client via the internet, in relation to the use of the contracted service, through the nebulaSUITE platform and within the cloud computing infrastructure;
“Subprocessors” means any natural or legal person, public authority, agency, or other body engaged by a data processor to perform some or all of the services that are the subject of a data processing agreement. Any subcontracting of services arising from a data processing agreement is authorized by the data controller. In the data processing agreement governed by this ATD, subprocessors are the data processors that Microsoft uses to process Customer Data, Professional Services Data, and Personal Data, as described in Article 28 of the GDPR.
In the event of any conflict between this set of clauses and the provisions of related agreements between the parties that were in force at the time this set of clauses was agreed or began to be applied, this set of clauses shall prevail.
Annex II specifies the details of the processing operations and, in particular, the categories of personal data and the purposes for which the personal data are processed on behalf of the controller.
6.1. Instructions
The controller shall instruct the processor to process personal data in the manner reasonably necessary for the processor to carry out the processing in accordance with this ATD and in accordance with Regulation (EU) 2016/679.
The processor shall process personal data only on documented instructions from the controller, in accordance with the terms of service set out in the nebulaSUITE General Terms of Service, unless required to do so by Union or Member State law to which the processor is subject. In such a case, the processor shall inform the controller of that legal requirement prior to processing, unless such law prohibits it for important reasons of public interest. The controller may also give further instructions at any time during the processing of personal data. Such instructions must always be documented.
The controller shall refrain from providing instructions that do not comply with applicable laws, including Regulation (EU) 2016/679 and, if such instructions are given, the processor has the right to refuse to carry them out.
The processor shall immediately inform the controller if, in the processor’s opinion, the instructions given by the controller infringe Regulation (EU) 2016/679, Regulation (EU) 2018/1725 or applicable provisions of Union or Member State law relating to data protection.
The processor will not disclose any personal data to a third party under any circumstances other than at the specific written request of the controller, unless such disclosure is necessary to comply with the obligations of the Service Agreement or is required under Union or Member State law to which the processor is subject.
6.2. Limitation of purpose
The processor will process personal data only for the specific processing purposes indicated in Annex II, except when following additional instructions from the controller.
6.3. Duration of personal data processing
The processing by the processor will only take place during the period specified in Annex II.
6.4. Security of processing
a) The information system that supports the services provided by Vintegris is certified in the National Security Scheme (HIGH category) and in the ISO 27001, 27017, 27018 and 27701 standards. Vintegris will make the corresponding certificates of these standards available to the Client when required.
b) The technical and organizational security measures applied to the processing of data subject to the provision of the service are those established in the standards set out in section (a).
c) The data controller considers the security measures implemented by Vintegris to be adequate.
d) The processor shall only grant access to the personal data processed to members of its staff to the extent that it is strictly necessary for the execution, management and monitoring of the contract.
e) The processor shall ensure that persons authorized to process the personal data received have undertaken to respect confidentiality or are subject to a statutory obligation of confidentiality. The processor shall keep all documented records of compliance with the confidentiality obligation available to the controller.
f) The data controller must ensure that all persons authorized to process personal data receive the necessary training in personal data protection.
6.5. Sensitive data
If the data processing carried out by Vintegris, as the data processor, affects sensitive data, the data controller will be solely responsible for complying with the requirements established in current data protection regulations in order to process this data.
6.6. Documentation and compliance
a) The parties must be able to demonstrate compliance with the terms and conditions of this ATD.
b) The processor shall promptly and appropriately resolve the controller’s queries related to the processing in accordance with this clause.
c) The processor shall designate in Annex I a contact point within its authorized organization to respond to inquiries related to the processing of Personal Data and shall cooperate with the controller, the Data Subject and the Supervisory Authority with regard to all such inquiries within a reasonable time.
d) The processor shall make available to the controller all the information necessary to demonstrate compliance with the obligations set out in this specification and which derive directly from Regulation (EU) 2016/679.
e) At the request of the controller, the processor shall permit and assist in the performance of audits of the processing activities covered by this document, at reasonable intervals or if there are indications of non-compliance. In deciding whether to conduct an audit, the controller may take into account relevant certifications held by the processor attesting to compliance with its obligations as verified by an independent third party.
These audits will be requested with reasonable notice and will be conducted during the data controller’s business hours. The request may be subject to any necessary consent or approval from a supervisory authority within the data controller’s country.
The cost of the audit, when performed by a third party designated by the Client, will be borne entirely by the Client. If the audit is performed by third parties contracted by the Client, there must be no conflict of interest with Vintegris. Audits must be limited exclusively to the Client’s services and information, and access to third-party information is prohibited. The Processor’s procedures and regulations are for internal use only and are confidential; therefore, copies of these documents may not be made during audits, except for those sections agreed upon with Vintegris.
6.7. Use of subprocessors
6.8. International transfers
The data controller guarantees and undertakes that:
a) The processor shall promptly notify the controller of any requests received from the interested party. The processor shall not respond to such requests itself unless authorized to do so by the controller.
b) The processor shall collaborate with the controller in fulfilling its obligations related to the management of requests for the exercise of rights of interested parties, forwarding to it as soon as possible any requests it may receive and, where appropriate, providing it with the necessary information or carrying out, when requested by the controller, the actions necessary to comply with the exercise of these rights.
c) In addition to the processor’s obligation to assist the controller under clause 8(b), the processor shall also assist the controller in ensuring compliance with the following obligations, taking into account the nature of the processing and the information available to the processor:
d) The parties shall set out in Annex III appropriate technical and organizational measures that require the processor to assist the controller in applying this clause, as well as the purpose and scope of the assistance required.
In the event of a personal data security breach, the processor shall notify the controller within a maximum period of 36 hours of the possible security incident affecting the personal data owned by the controller and shall collaborate with the controller in the management of the incident until its resolution, as well as in the preparation of the reports necessary for the supervisory authority.
This Data Protection Agreement (DPA) shall be governed by and construed in accordance with the laws and regulations of the EU country where the data processing takes place. The parties to this agreement submit to the exclusive jurisdiction of the place where the data processing occurs for all purposes of this DPA.
Name: The Client who contracts nebulaSUITE services under the agreed General Conditions of Service
Address: As specified in the nebulaSUITE service agreement or contract signed between both parties
Reference department/employee: As specified in the nebulaSUITE service agreement or contract signed between both parties
Name, position and contact details of the contact person: As specified in the agreement or contract between both parties
Date of accession: Date the nebulaSUITE service provision contract or agreement signed by both parties comes into effect
Name: VÍNTEGRIS, SL
Address: Calle Pallars, 99, Floor 3, Office 33, 08018 Barcelona, Spain
Reference department/employee: As specified in the nebulaSUITE service agreement or contract signed between both parties.
Contact details of the contact person: incidentesRGPD@old.vintegris.com
Date of accession: Date the nebulaSUITE service provision contract or agreement signed by both parties comes into effect
Personal data will be processed for the purpose of providing the nebulaSUITE services described in ANNEX I of the General Terms and Conditions that are contracted by the Client.
Services contracted by the Client that are related to services provided by Vintegris in its capacity as a qualified trusted service provider are excluded.
In relation to the provision of trust services, a processing assignment will only be considered to exist when the Client is a Qualified Trust Service Provider (QTSP) and contracts the services of Vintegris as its delegated RA.
Categories of data subjects whose personal data is processed
Depending on the services contracted:
VINTEGRIS applies the necessary technical and organizational security measures to ensure an adequate level of information security in order to protect the confidentiality of personal data, as well as to protect it against accidental or unlawful destruction or accidental loss, alteration, disclosure or unauthorized access, taking into account the nature, scope, context and purpose of the processing, as well as the risks to the rights and freedoms of natural persons.
These measures are implemented within the framework of an Information Security Management System that has ISO 27001, 27701 and 27018 certifications, as well as certifications from the National Security Scheme (ENS), in the HIGH category, and compliance with eIDAS and NIS2 regulations as qualified trust service providers.
On the other hand, the Client is responsible for the implementation and maintenance of the security and personal data protection measures relevant as a user of the Services in those aspects that are under their control.
Consequently, VÍNTEGRIS confirms that it has implemented the measures listed below that apply to the processing it carries out on behalf of the controller.
SECURITY CONTROLS IMPLEMENTED
| Organizational policies | |
|---|---|
| Security policy | There is an information security and personal data protection policy published and known to all staff and collaborators |
| Security Officer | VÍNTEGRIS has appointed a Chief Information Security Officer (“CISO”) as responsible for coordinating and overseeing security rules and procedures |
| Roles and responsibilities in security | Information security roles and responsibilities are appropriately defined and assigned within the organization. VÍNTEGRIS staff who manage Services containing Customer Data are subject to confidentiality obligations and information security and personal data protection regulations |
| Risk management program | Within the framework of the Information Security Management System, there is a plan for the assessment and treatment of information security risks, and it is reviewed periodically. |
| Continuous assessment | VÍNTEGRIS performs a periodic verification and evaluation of the effectiveness of the technical and organizational measures implemented to protect information security in processing systems, work centers and users who use them. This evaluation and review is carried out under the criteria of industry security standards and the policies and procedures determined by the Information Security Management System |
| Supplier security policy | There is a formal process that allows for the assessment of compliance with the information security requirements that must be met by suppliers who process personal information and data. Information is only granted to suppliers when there is a legitimate need that justifies this access. |
| Staff and collaborators | |
| Confidentiality agreement | All staff and collaborators with access to information and personal data have signed a commitment regarding: |
| Internal information security regulations | There are regulations regarding information security, personal data protection, and the use of computer resources that all staff and collaborators have committed to complying with. |
| Information security training | All staff and collaborators with access to information and personal data have received appropriate training regarding information security and the protection of personal data. |
| Guidelines for using information systems | Information security regulations establish the acceptable use standards for information systems and equipment that personnel are responsible for. |
| Prohibition of using corporate equipment for personal purposes | It has been established that the use for private purposes of those computers and devices intended for the processing of corporate information and personal data is not permitted. Access to corporate information from personal devices is also prohibited. |
| Workplace safety | |
| Unattended equipment | A mechanism has been established so that when a computer is left unattended, the screen is locked or the session is closed. |
| Document custody | Regulations have been established to ensure that no paper documents or information media are left unattended in the workplace at any time. |
| Secure destruction of information | Mechanisms have been established to facilitate the secure destruction of confidential information on paper or other electronic media. |
| Secure remote workspace | A policy has been established to ensure that teleworking can be carried out safely. |
| Mobile device security | A policy has been established to protect the use of mobile devices and the information they may contain. |
| Incident and security breach management | |
| Incident management procedure | A procedure has been defined for recording and resolving incidents that affect information security and personal data. |
| Access to the systems | |
| Access control policy | VÍNTEGRIS maintains an access control policy that determines the security privileges of individuals who have access to information |
| Access authorization | There is a formal process for managing the authorization, creation, deletion, and modification of user access to the systems |
| Individual accounts | Each person uses an individual and non-transferable user account. |
| Minimum privilege | VÍNTEGRIS has defined and applies a minimum access policy by default, which ensures that staff and collaborators only have access to the information they require to perform their job duties |
| Accounts with privileged access | For system administration and configuration tasks, named access accounts with privileged rights are used, which are different from and segregated from the accounts used for ordinary system use. |
| Authentication | VÍNTEGRIS uses industry-standard practices to identify and authenticate users attempting to access information systems. Two-factor authentication systems are used to access more exposed networks or for system administration. All systems include controls to prevent repeated attempts to gain access to information systems using an invalid password. Use of MFA. |
| Password security | The existence of password policies (or equivalent mechanisms) for access to systems and applications will be guaranteed, which must meet at least the following requirements: |
| Password confidentiality | There are regulations in place to ensure the confidentiality of passwords, preventing them from being exposed or shared with third parties. Internally, all passwords are stored using irreversible encryption algorithms. |
| Access logs | A record of accesses and access attempts to the systems is maintained and monitored. |
| Information processing assets | |
| Asset inventory | An inventory is available of the systems and equipment used in the processing of information, with information on the person responsible for said equipment. |
| Safe disposal and reuse | Formal processes have been defined for the safe disposal and/or reuse of information processing equipment |
| Equipment maintenance | The systems and equipment used for information processing are properly maintained and updated. |
| Malware protection | The equipment used to process or store information has permanently active and updated anti-malware protection. |
| Software update | All software used for data processing is properly updated and has no known serious vulnerabilities. |
| Bastion of the systems | System hardening measures have been implemented, including, but not limited to: |
| Restriction on software installation by users | There are regulations or technical measures in place to prevent staff from installing unauthorized software on their work equipment, as well as to prevent the use of software that may violate the intellectual property of third parties. |
| Limitation of administrative privileges | Technical measures have been implemented to prevent users from modifying or disabling the security settings of the equipment. |
| Restriction on use for personal purposes | There are regulations that prohibit the private use or use for personal purposes of corporate equipment |
| Protection of information in transit and at rest | |
| Perimeter protection of networks | There is perimeter protection of the network to protect it against attacks and unauthorized access to those systems where information and personal data are stored and/or processed. |
| Network segregation | The network has been configured so that there are segregated security zones according to the different security requirements that have been established. |
| Secure information transmission protocols | All traffic on the organization’s networks, especially when it runs wholly or partially over public networks, is encrypted using secure protocols with no known serious vulnerabilities (for example, at least TLS 1.2). |
| Secure remote access | For remote access to the organization’s network, for example, through virtual private networks (VPNs), secure protocols and authentication keys are used at the communication endpoints. |
| Encryption of information on transit media | Mechanisms exist to encrypt information on media and equipment in transit outside of regular processing facilities |
| Vulnerability analysis | Tests are periodically performed to verify that the networks are free of vulnerabilities and the necessary corrective measures are applied. |
| Segregation of Wi-Fi networks | The Wi-Fi networks for visitors are segregated so that access to the company’s internal networks is not possible. |
| Security of cloud provider services | In the case of using services from a cloud provider (IaaS, PaaS, SaaS,…) to process the information, it is guaranteed that the provider provides or allows the application of security measures at least equivalent to those required of the processor itself. |
| Audit records | Audit records of operations performed on data (access, modification, and deletion) are collected, maintained, and reviewed, especially when dealing with special category data. |
| Segregation of customer instances | Segmentation of services to different clients through a multi-tenant architecture. Logical segregation of users and data is provided. |
| Physical security of treatment spaces | |
| Physical security perimeter | A security perimeter exists to protect the premises and facilities where information is processed or stored. |
| Access limitation | Physical access controls have been implemented in the premises where information processing takes place to ensure that only authorized personnel have permitted access. |
| Physical access control | Specific entry controls have been established to limit access to strictly authorized personnel to secure areas where servers, network equipment, or document archives used for information processing and storage are located. |
| Protection against external and environmental threats | The necessary measures have been established to protect people, equipment and facilities in case of natural disasters, malicious attacks or incidents such as fire, floods, water leaks, air conditioning failures, etc. |
| Supply facilities | The necessary measures have been put in place to guarantee the continuity of the electricity supply |
| Resilience of systems | |
| System availability | VÍNTEGRIS has established measures to guarantee the availability of the systems in accordance with the committed service levels |
| Capacity monitoring and management | The performance of the systems is continuously monitored, with alert systems to immediately detect any incident. System capacity is continuously monitored to ensure sufficient capacity is available for required services. |
| Redundancies | All of VÍNTEGRIS’ systems are redundant, internally on different servers and in different geographically distant data centers. |
| Backups | VÍNTEGRIS performs a backup stored on a separate medium from the regular processing equipment. This backup is performed as frequently as necessary to meet the agreed service levels. Additionally, VÍNTEGRIS maintains a backup stored at a different location, geographically separate from its regular data processing facilities. This backup is performed as frequently as necessary to ensure the fulfillment of service levels in the event of a serious incident at the data processing facilities. |
| Monitoring backups | The correct execution of backups is continuously monitored. |
| Recovery tests | Periodic tests are performed to recover and verify the information contained in the backups. |
| Business Continuity Plan | A “Business Continuity Plan” has been developed to allow for the recovery of system availability and data integrity in the event of a serious incident. |
| Recovery procedures | Specific protection and recovery procedures are in place against threats that compromise the integrity of information, such as ransomware attacks. |
| Privacy by design and by default | |
| Minimizing data collection | Only the data strictly necessary for the purpose for which it must be processed is collected. |
| Limitation of the data retention period | VÍNTEGRIS has established procedures to limit data retention and prevent its storage beyond the established timeframes. Temporary files created as a result of processing are deleted when they are no longer needed. |
| Limitation of purpose | VÍNTEGRIS has defined mechanisms to prevent the information processed on behalf of the controller from being used for purposes other than those established in this Data Processing Agreement (DPA). |
| Data pseudonymization and encryption | Pseudonymization and data encryption measures are applied, especially when the information processed includes special category or particularly sensitive data. |
| Segregation of sensitive information | Access to the most sensitive information is segregated so that it can only be consulted and processed by specifically authorized personnel. |
| Exercise of the rights of interested parties | |
| Response procedure | VÍNTEGRIS has defined a formal process to attend to and assist the responsible party in responding to requests to exercise the rights of interested parties. |
| Communication of requests to exercise rights | VÍNTEGRIS has defined the channels to communicate requests to exercise the rights of interested parties to the data controller. |
| Treatment limitation | Mechanisms exist to limit the processing of data whenever required. |
ANNEX IV: List of sub-managers
Agreed list of sub-managers in accordance with Clause 6.7 (a) Depending on the services contracted.
| Name of the assistant manager | Amazon Web Services Inc. |
|---|---|
| Treatment description | IaaS and PaaS service provider |
| Treatment location | European Union (Ireland, Frankfurt, Paris) |
| Address and contact details | Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg. Tel: +352 2789 0057 |
| Guarantees provided | https://aws.amazon.com/compliance/gdpr-center/ |

| Name of the assistant manager | AE Group S.à rl (AtlasEdge) |
|---|---|
| Treatment description | Provider of the data centers where VÍNTEGRIS servers are located. AtlasEdge personnel do not have access to either the servers or the data contained therein. |
| Treatment location | Spain (Barcelona and Madrid) |
| Address and contact details | Email: privacy@atlasedge.com |
| Guarantees provided | https://atlasedge.com/documents/AtlasEdge%20Procurement%20GTCs%20v01.09.21.pdf https://atlasedge.com/wp-content/uploads/2021/10/AtlasEdge_Barcelona-DC_DataSheet.pdf https://atlasedge.com/wp-content/uploads/2021/10/AtlasEdge_Madrid-DC_DataSheet.pdf |
When Vintegris acts as the treatment manager for another trusted service provider:
| Name of the assistant manager | VERIDAS DIGITAL AUTHENTICATION SOLUTIONS, SL |
|---|---|
| Treatment description | Provider of the technological platform that supports the identity recognition process |
| Treatment location | Spain |
| Address and contact details | Email: partners@veridas.com |
| Guarantees provided | Data Processor Agreement included in the License Agreement for use and distribution of platforms signed between Víntegris and Veridas |