Annex 2

1. Technical and organizational measures

ABBYY and the Client agree that the technical and organizational measures are an integral and effective part of this DPA. This applies subject to the provision that these technical and organizational measures may be adapted to the newest developments from time to time. ABBYY will inform the Client without undue delay of any changes to its security guidelines.

General practices. ABBYY has implemented and will maintain for the Services appropriate technical and organizational measures, internal controls, and information security measures as provided by Data Protection Law (including pursuant to Article 32 of the GDPR) to protect Personal Data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction. Client is wholly responsible for implementing and maintaining security within any interface and within Client’s Services/Application provided by Client, or on Client’s behalf.

a. Service. For the Service, ABBYY has implemented and will maintain the following:

  1. Security roles and responsibilities. ABBYY personnel authorized to Process the Personal Data are subject to confidentiality obligations.
  2. Asset handling. ABBYY restricts access to Personal Data. ABBYY imposes restrictions on printing Personal Data and has procedures for disposing of printed materials that contain Personal Data.
  3. Logging and reporting. ABBYY will use logging and reporting systems that allow it to check whether data have been entered, changed, or removed (deleted).

b. Human resources security.

  1. Security training. ABBYY informs its personnel about relevant security procedures and their respective roles. ABBYY also informs its personnel of possible consequences of breaching the security rules and procedures. ABBYY will only use anonymous data in training.
  2. Physical access to facilities. ABBYY limits access to facilities where information systems that Process Personal Data are located.
  3. Protection from disruptions. ABBYY uses a variety of industry standard systems to protect against loss of data due to power supply failure or line interference.
  4. Component disposal. ABBYY uses industry standard processes to delete Personal Data when it is no longer needed.

c. Communications and operations management.

  1. Data recovery procedures. The Service includes replication features that facilitate recovery of Personal Data in the event that a particular machine or cluster fails.
  2. On an ongoing basis, ABBYY maintains multiple copies of Personal Data from which Personal Data can be recovered. ABBYY does not preserve state or data within a virtual machine; a virtual machine is restored to its original state.
  3. ABBYY has anti-malware controls to help prevent malicious software from gaining unauthorized access to Personal Data, including malicious software originating from public networks.

d. Domain: access control.

  1. ABBYY maintains a record of security privileges of individuals having access to Personal Data.
  2. ABBYY maintains and updates a record of personnel authorized to access ABBYY systems that contain Personal Data.
  3. ABBYY identifies those personnel who may grant, alter or cancel authorized access to data and resources.
  4. Technical support personnel are only permitted to have access to Personal Data when needed.
  5. ABBYY restricts access to Personal Data to only those individuals who require such access to perform their job function.
  6. ABBYY uses industry standard practices to identify and authenticate users who attempt to access information systems. Where authentication mechanisms are based on passwords, ABBYY requires that passwords are at least eight characters long and are renewed regularly. ABBYY ensures that de-activated or expired identifiers are not granted to other individuals.

e. Audits and job control.

  1. ABBYY will select Subcontractors according to the standards of confidentiality set forth in this DPA.
  2. ABBYY will monitor by way of regular reviews the performance and fulfillment of this DPA.
  3. ABBYY will make available to Client all information necessary to demonstrate compliance with Data Protection Law (including the obligations laid down in Article 28 of the GDPR) and will allow for and contribute to audits, including inspections, conducted by Client or by another auditor mandated by Client. A Client audit will be limited in time to a maximum of 5 business days and in scope to what is reasonably agreed in advance between the Parties. Reasonable advance notice of at least thirty days is required, unless Data Protection Law requires an earlier audit. Client and ABBYY will each bear their own expenses for conducting the audit. However, in case of an excessive or unreasonably burdensome audit, Client should reimburse ABBYY for any such audit in accordance with Section 5 of this DPA.