The following describes Critical Start’s GDPR compliance for any organization (“Customer”) that has purchased or
is planning to purchase Critical Start’s professional or managed security services. Critical Start, Inc. (“Critical
Start”) is a Texas-based corporation with headquarters at 6100 Tennyson Parkway, Suite 250, Plano, Texas 75024.
EU General Data Protection Regulation (GDPR) Compliance for Customer
This section describes Critical Start’s compliance with the EU General Data Protection Regulation (GDPR). For purposes of GDPR and this section, the following definitions apply:
“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. Customer is the Controller for Personal Data.
“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller. Critical Start is the Processor of Personal Data.
“Consent” of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.
“Customer” means any organization that has purchased or is planning to purchase Critical Start, Inc. professional or managed security services.
The Customer understands that Critical Start will collect, store, and process machine data, system logs, and security events that contain Personal Data for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted Personal Data, and the security of the related services offered by, or accessible via, those networks and systems. Critical Start will use Personal Data only to the extent strictly necessary and proportionate for ensuring network and information security.
The Customer certifies that the collection of machine data, system logs, and security events that may contain Personal Data is a Legitimate Interest as defined in GDPR Article 6.1.(f) – Lawfulness of Processing.
The Customer is responsible for ensuring that all machine data, system logs, and security events forwarded to Critical Start that contain Personal Data have the consent of the Data Subject or that the consent of the Data Subject is not required in accordance with GDPR.
If Critical Start is required to take action on the Personal Data of a Data Subject that is exercising his or her rights accorded by GDPR, then the Customer will bear all costs associated with Critical Start complying with such request.
Customer shall, at its expense, defend, indemnify and hold Critical Start harmless from and against all losses, costs, damages, and expenses arising from third party claims, fines, liabilities and suits arising out of or relating to Critical Start providing Processing services of Personal Data for Data Subjects protected by GDPR. Critical Start agrees to provide reasonable cooperation to Customer, at Customer’s expense, in responding to Customer’s compliance with GDPR.
Critical Start agrees to process Personal Data in a manner that ensures appropriate security and confidentiality of the Personal Data, including for preventing unauthorized access to or use of Personal Data and the equipment used for the processing.