Data Processor Policy
Quark Data Processor (Service Provider) Policy
Last Updated: April 12, 2022
Definitions
- A “Customer” refers to a potential, past, or current customer.
- A “Data Controller” refers to the person (or business) who determines the purposes for which, and the way in which, Personal Information is processed.
- A “Data Processor” refers to a person or organization who deals with Personal Information as instructed by a Data Controller for specific Processing purposes involved with services or products offered.
- “Data Processing Agreement” (DPA) refers to a legally binding document that states the rights and obligations of each party concerning the protection of Personal Information.
- A “Data Subject” is any individual who may be a customer, prospective customer, or anyone who works for Quark under a contract of employment. This also includes anyone who can be identified, directly or indirectly, by reference to an identifier defined under “Personal Information” in the ‘Definitions’ section of this policy.
- “Due Diligence” is an investigation, audit, or review performed to confirm the facts of a matter under consideration.
- “Personal Information” is defined as any information relating to an identified or identifiable natural person. It can reference, but is not limited to, the following identifiers: a name, an identification number, location data, an online identifier.
- “Processing” of Personal Information may include “collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”, any of which may be carried out by automated or manual means.
- “Service Data” means a subset of confidential information comprised of electronic data, communications or other materials submitted to and stored within a service by the Customer or end-users in connection with the Customer’s use of such service, which may include, without limitation, Personal Information.
- A “Sub-processor” refers to any person or entity (including any third party and any Quark Subcontractor) contracted with Quark, or with any Quark affiliate, to perform services involving the Processing of Personal Information on behalf of Quark.
- “Sensitive Personal Information” is a specific set of special categories of information that must be treated with extra security. It can reference, but is not limited to, the following categories: health-related data, sexual orientation, religion-related information.
Quark as a Data Processor
Quark is more than likely just one of many of your Data Processors. Quark acts only as a Data Processor in the following situations:
- As a Software-as-a-Service (SaaS) application provider
- As a cloud hosting services provider
- As a provider of purchased software, where Personal Information is sent back to Quark for a needed Processing activity
- As a provider of product technical support via its ticketing system
- As a provider of product licensing to ensure the ongoing access to its products
Quark acts in this capacity with respect to the Personal Information processed pursuant to the contract between the customer as a Data Controller and the service provider (Quark) as the Data Processor.
In providing our services, we do not own, control, or direct the use of the Service Data stored or processed on our platform; we process it only at the direction of our customers. We only access such information as authorized by our customers (Data Controllers) or as required by law.
This means the Data Controller retains overall responsibility for the types of Service Data that are placed into any of the SaaS or cloud hosting platforms. Quark, in its role as Data Processor, will carry out its responsibilities to keep that data secure by having technical and operational controls in place.
Quark, as a Data Processor, agrees to:
- Comply with the requirements of any master services agreement that is in place between the parties, in the provision of services to the Data Controller;
- Process and use the Service Data only to the extent strictly necessary to perform its obligations or as otherwise provided under the master services agreement;
- Only disclose the data to the Data Processor’s employees and personnel that have a need to access the data, while the Data Processor shall ensure that all such employees and personnel are bound by a confidentiality agreement;
- Promptly inform the Data Controller about any security breach that impacts their Service Data or Personal Information; and
- Implement and maintain adequate and appropriate technical and organizational measures to:
  - Protect the security, confidentiality, integrity, and availability of the Service Data;
  - Protect against unauthorized or unlawful Processing of the Service Data and against accidental loss, destruction or damage; and
  - Comply with its obligations under any applicable data protection law, and take such steps as are requested to enable the Data Controller to comply with the Data Controller’s obligations under any applicable data protection law.
Customer as a Data Controller
Data Sharing and Minimization
Like many SaaS and cloud hosting companies, Quark operates a shared responsibility model in coordination with our customers (Data Controller(s)). It is the responsibility of our customer to ensure certain data types are not put into the Quark SaaS services for Processing. For example, Quark’s content automation and intelligence services are not designed as HR, medical or financial systems and so we would not expect personal health data, or confidential payment details to be included within the Service Data.
Accordingly, your company must abide by a set of core principles regarding the handling of the Personal Information. The Customer, as Data Controller, agrees to:
- Comply with its obligations as Data Controller under applicable data protection law(s) in respect of its Processing of Personal Information and any Processing instructions that it subsequently issues to Quark;
- Minimize the Personal Information that is sent to Quark for Processing to only what is needed for effective, ongoing use of the service;
- Provide notice and obtain (or ensure it will obtain) all consents and rights necessary under applicable data protection law(s) for Quark to process the Personal Information of the Data Controller’s end users that is entered into Quark services;
- Not use the Quark services to process Sensitive Personal Information without Quark’s explicit and prior written consent.
Recommendation: Review the user information shared with Quark and ensure you are not sharing any unneeded or Sensitive Personal Information.
What Personal Information might we store and for how long?
Quark, in its role of Data Processor, limits the amount of direct Personal Information it processes (not including Service Data processed by the application software itself, as part of the function being purchased) to only information that is needed for:
- A user to be able to log in and continue to access and use the service/system being purchased;
- Ensuring license usage is valid;
- Access control functions to work correctly;
- Display within the application, as part of document attributes;
- The use of in-application analytics, exposed to the customer end users themselves;
- Audit trail and activity recording to work correctly;
- Notifications to Service users when recipients open documents shared with them; and
- Responding to a technical support request, as part of the contract.
This means that in most cases only a username and corporate email address are processed, with an IP address sometimes also used. This Personal Information is stored in the system until the user is removed or the contract is terminated, in which case the data is erased 30 days after the end of the contract and completely removed once the 60-day backup cycle has completed.
Note: Customer admin users have full control over user creation and removal, so this falls under the Data Controller’s responsibilities. Use of SAML2 allows the Data Controller to use SSO to ensure the accuracy of this information, with log-in information handled by the customer’s IdP.
Privacy Inquiries and Individual Requests
In accordance with GDPR, users have “the right to be forgotten”, meaning they can ask Quark to delete all information about them that currently resides in our systems. Where we do not need to keep information to comply with any of our legal retention requirements, we will try to comply with these requests.
Where this Personal Information is processed within a SaaS product, a cloud hosting system, or the technical support ticketing system, it is processed for the purpose of delivering a contract with a Data Controller. Quark, as a Data Processor, will forward all inquiries received directly from individual service end users to the responsible Data Controller (the requestor’s customer admin user) to ensure requests are carried out as part of the Data Controller’s responsibilities to its end users. Removal requests will mean that the end user can no longer use these services.
If you want Quark to delete your information, please email us at email@example.com.
All Service Data will be kept in the system for the duration of the service subscription, unless removed by the Customer beforehand. Up to 30 days after the end of a subscription, the Service Data will be securely stored and the customer can request that it be temporarily restored and made available solely to aid in data export activities. After the 30-day retention period, the data will be permanently removed from the system but may remain in standard backup cycles for a total of 60 days after the subscription ends.
Technical Measures for Data Security
Quark implements the following general security principles:
- Ensuring the continuous confidentiality, integrity, availability and resilience of Processing systems and services. Key highlights include:
  - Support for encryption (in transit and at rest)
  - Annual penetration testing
  - Segregation of remote cloud and SaaS systems from the Quark internal network, requiring VPN access and MFA
  - Product features to control access to Service Data on the Quark platforms, including RBAC and SSO
  - Network security and security groups
  - Product features to support data transfer, such as CSV and XML export and file download
- Ways of restoring the availability of Personal Information and access to it within appropriate timeframes in the event of a physical or technical incident.
All Customer Service Data resides within the data center region that is chosen by the Data Controller. Within the SaaS and cloud hosting service environments, Quark will not transfer, access, or process any Personal Information outside the EU without the consent of the Data Controller (Customer).
If the Data Controller chooses or requests that their primary data center region be outside of the EU and completes the purchase, this will be considered consent. This can be covered by a Data Processing Agreement and any other necessary protection mechanisms during contractual discussion.
Notwithstanding the above, customers should review Quark’s Sub-processor list to ensure they are aware of where all data components are stored or processed for the different elements of the wider service ecosystem that may be in use for the service being provided.
A Personal Information breach refers to a security breach that results in the loss, destruction, alteration, unauthorized disclosure of, or access to, Personal Information. All Service Data breaches and incidents will be reported in accordance with corporate IT security policies, immediately notified to the appropriate internal stakeholder, and escalated to the Quark Executive Leadership Team. Where a breach is likely to have a significant detrimental effect on individuals, it will be reported to the responsible Data Controller admin contacts within 48 hours of breach confirmation and impacted data identification.