Data Protection Addendum

Issue Date: 28 May 2021
Revision Date: As of 24 March 2026
Revision No: 2

DATA PROTECTION ADDENDUM
IQAX APPLICATIONS

This Data Protection Addendum including its attachments (this “DPA”) forms part of your Agreement with IQAX governing your use and receipt of the Services. By placing an order or using the Services, you agree to this DPA. IQAX may amend this DPA from time to time in accordance with the Terms of Use. Any Special Terms shall prevail over this DPA to the extent of any inconsistency.

 

  1. APPLICATION
    1. This DPA applies in respect of all personal data Posted by, or on behalf of, you (including by Your Users) on the IQAX Platform or to IQAX in connection with the Agreement (including your use and receipt of the Services) (“Posted Personal Data”).
    2. You agree that you are an independent controller in respect of the Posted Personal Data or you have obtained authorisation from the relevant controller(s) to agree to the processing of the Posted Personal Data in connection with the Agreement. If you are not an independent controller in respect of the processing of the Posted Personal Data in connection with the Agreement, you agree to:
      1. inform IQAX of the identity and contact details of the relevant controller(s); and
      2. act for and on behalf of the relevant controller(s) as the single point of contact under this DPA and in respect of the rights and obligations of the relevant controller(s) under Applicable Data Protection Law.
    3. You appoint IQAX as a processor in respect of the processing of the Posted Personal Data in connection with the Agreement.
       
  2. PROCESSING
    1. Details of the types of Posted Personal Data, the categories of data subjects and the nature, purpose, subject matter and duration of the processing of the Posted Personal Data in connection with the Agreement are set out in Attachment A to this DPA.
    2. Subject to 2.3, IQAX shall process the Posted Personal Data only on your documented instructions, being those set out in Attachment A to this DPA or otherwise agreed in writing between you and IQAX.
    3. IQAX may process the Posted Personal Data for other purposes where it is legally required to do so by Applicable Law to which IQAX is subject, provided that, to the extent permitted by Applicable Law, IQAX informs you of that legal requirement and of the proposed processing before such processing takes place.
       
  3. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
    1. IQAX shall ensure that any person acting under its authority who has access to the Posted Personal Data is subject to an appropriate contractual or statutory obligation of confidentiality.
    2. IQAX shall take measures required by Applicable Data Protection Law, including implementing appropriate technical and organisational measures, to ensure a level of security appropriate to the risk in connection with the processing of the Posted Personal Data.
    3. You agree that the technical and organisational measures set out in Attachment A to this DPA are appropriate with regard to the processing of your Posted Personal Data in accordance with the Agreement.
       
  4. YOUR RESPONSIBILITIES
    1. You agree that:
      1. you shall comply with Applicable Data Protection Law and your obligations in this DPA in connection with the Agreement and your use and receipt of the Services;
      2. you are solely responsible for determining whether the Services are sufficient to enable you (and, if applicable, the relevant controller(s)) to comply with Applicable Data Protection Law, and you have assessed the Services and the Agreement (including the matters set out in Attachment A to this DPA) and have determined that they are so sufficient;
      3. you shall (and shall ensure that Your Users) only Post personal data to IQAX or to the IQAX Platform where the processing of that personal data in accordance with the Agreement (including this DPA) is lawful under Applicable Data Protection Law;
      4. you shall not (and shall ensure that Your Users do not) Post any personal data other than the types of personal data set out in Attachment A to this DPA or as otherwise agreed in writing to IQAX or to the IQAX Platform (in particular, no Special Category Personal Data is to be Posted to IQAX or to the IQAX Platform);
      5. you shall ensure that sufficient fair and transparent processing information as required by Applicable Data Protection Law, and covering the processing that will take place in connection with the Agreement, has been provided to all data subjects to whom the Posted Personal Data relates;
      6. you shall ensure that all instructions you give to IQAX in connection with the processing of the Posted Personal Data comply with Applicable Data Protection Laws;
      7. you shall promptly inform IQAX if at any time you suspect that any processing of Posted Personal Data under the Agreement would violate Applicable Data Protection Laws;
      8. you (and the relevant controller(s)) are solely responsible for responding to, and complying with, requests relating to the exercise of data subjects’ rights under Applicable Data Protection Law (provided that IQAX shall provide assistance under 5 below);
      9. you shall notify IQAX promptly and in any event within 24 hours upon becoming aware of any Data Breach in connection with the Agreement; and
      10. nothing in the Agreement relieves you (or the relevant controller(s)) of any responsibilities or liabilities you have under Applicable Data Protection Laws.
    2. You shall indemnify and keep indemnified IQAX against all losses, claims, damages, liabilities, fines, sanctions, interest, penalties, costs (including legal and professional advisor costs on a full indemnity basis), charges, amounts paid to data subjects and any other expenses (whether direct or indirect), arising out of or in connection with any breach by you of your obligations, or any failure by you to meet your responsibilities, under this DPA.
       
  5. ASSISTANCE AND REQUESTS FROM DATA SUBJECTS
    1. You (and the relevant controller(s)) shall be solely responsible for responding to, and complying with, requests relating to the exercise of data subjects’ rights under Applicable Data Protection Law, and IQAX shall direct any such requests it receives to you.
    2. IQAX shall, taking into account the nature of the processing, assist you by appropriate technical and organisational measures in fulfilling its obligations to assist you to respond to requests relating to the exercise of data subjects’ rights under Applicable Data Protection Law.
    3. IQAX shall promptly provide to you such assistance as you may from time to time reasonably require to enable you to comply with any security, breach notification, breach communication, documentation, data protection impact assessment, prior consultation, record keeping and audit responsibilities to which you are subject under Applicable Data Protection Law. If there is a Data Breach, IQAX shall notify you without undue delay after becoming aware of such Data Breach where such notification is required by Applicable Data Protection Law.
    4. You shall reimburse IQAX promptly on demand for any and all reasonable additional expenses IQAX may incur in providing you with assistance under 5.1 to 5.3.
       
  6. SUB-PROCESSORS
    1. Subject to 6.2, IQAX shall have:
      1. specific authorisation to engage the additional processors set out in Attachment A to this DPA to process the Posted Personal Data; and
      2. general authorisation to engage additional or replacement processors to process the Posted Personal Data by amending the relevant list (and thereby the Agreement) and providing you with an opportunity to object to such amendments in accordance with 6.3,

      each additional processor being a “Sub-Processor”.

    2. IQAX shall ensure that each Sub-Processor is bound by contractual obligations with regard to its processing of Posted Personal Data that are no less onerous than those set out in this DPA (including guarantees to implement appropriate technical and organisational security measures). IQAX shall remain fully liable to you (to the extent set out in the Agreement) where a Sub-Processor fails to perform its obligations with regard to the processing of Posted Personal Data.
    3. IQAX will provide you with an up-to-date list of the Sub-Processors it has engaged upon receiving a written request from you, and will notify you of any new Sub-Processors within 7 days (or such timeframe otherwise mutually agreed) prior to such new Sub-Processor(s) processing the Personal Data. If you have a reasonable basis to object to IQAX’s use of new Sub-Processors, you shall notify IQAX promptly in writing within 14 days after receiving the new list of Sub-Processors. The parties will seek a commercially reasonable resolution in good faith and if the parties are unable to reach a resolution, you may terminate the portion of any Agreement relating to the Services that cannot be reasonably provided without the use of such new Sub-Processor(s) you object to.
       
  7. CROSS-BORDER PERSONAL DATA TRANSFERS
    1. By placing an order or using the Services, you and IQAX agree that the Standard Contractual Clauses shall be deemed incorporated into this DPA and the Agreement as follows, which shall apply, subject to 7.2, to the extent that Posted Personal Data is:
      1. exported from the European Economic Area to a jurisdiction outside the European Economic Area that is not the subject of a valid adequacy decision for the purposes of Chapter V of the GDPR (and any onwards transfers to such jurisdictions); or
      2. exported from the United Kingdom to a jurisdiction outside the United Kingdom that is not the subject of a valid adequacy decision for the purposes of Chapter V of the UK GDPR (and any onward transfers to such jurisdictions).
    2. In the case of Posted Personal Data referred to in 7.1(A), to the extent that any transfer of Posted Personal Data is protected by the GDPR and processed in accordance with 2, the EU SCCs shall apply and be completed as follows:
      1. Module Two or Module Three will apply (as the case may be);
      2. For Clause 7 thereof, the optional docking clause will apply;
      3. For Clause 9(a) thereof, Option 2 will apply, and the time period for prior notice of Sub-Processor change is set out in Clause 6 hereof;
      4. For Clause 11 thereof, the optional language will not apply;
      5. For Clause 17 thereof, Option 1 will apply, and the EU SCCs will be governed by Irish law;
      6. For Clause 18(b) thereof, the courts shall be courts of Ireland;
      7. Annex I thereof shall be deemed completed with the information set out in Attachment A to this DPA hereof; and
      8. Annex II thereof shall be deemed completed with the information set out in Part 5 of Attachment A to this DPA hereof.
    3. In the case of Posted Personal Data referred to in 7.1(B), to the extent that any transfer of Personal Data is protected by the UK Data Protection Law and processed in accordance with 2, the UK SCCs shall apply and be completed as follows (for the purpose of this Clause, the definitions and references of the UK SCCs are adopted unless otherwise specified):
      1. For Table 1 of Part 1, where Clause 2 hereof is applicable, you shall be the “Exporter” and IQAX shall be the “Importer”;
      2. For Table 2 and Table 3 of Part 1, the EU SCCs as modified pursuant to Clause 7.2 above will apply mutatis mutandis;
      3. For Table 4 of Part 1, the Importer may end the Addendum as set out in Section 19 of those Mandatory Clauses; and
      4. For Part 2, Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
    4. To the extent permitted by Applicable Law, the provisions of the Standard Contractual Clauses shall apply subject to the exclusions and limitations of liability in the Agreement.
    5. Where you are not the sole controller in respect of any Posted Personal Data of the type referred to in 7.1(A) or 7.1(B), you agree that:
      1. you enter into an agreement on terms equivalent to the EU SCCs or UK SCCs (as applicable) for and on behalf of the relevant controller(s); or
      2. you shall, prior to Posting the Posted Personal Data, procure that the relevant controller(s) execute(s) an agreement on terms equivalent to the EU SCCs or UK SCCs (as applicable) as the data exporter with IQAX as the data importer.
    6. To enable IQAX to engage Sub-Processors in respect of any Posted Personal Data of the type referred to in 7.1(A) or 7.1(B), you agree (or shall procure that the relevant controller(s) agree) that IQAX may enter into agreements on terms equivalent to the EU SCCs or UK SCCs (as applicable) with IQAX’s Sub-Processors as data importers, as agent acting on behalf of you (or the relevant controller(s)) as data exporter.
       
  8. INFORMATION AND AUDITS
    1. Subject to 8.2 and 8.4, IQAX shall make available to you (on request) all reasonable information necessary to demonstrate its compliance with this DPA and shall allow for and contribute to audits and inspections conducted by you (or the relevant controller(s)) or another auditor specified by you.
    2. You shall ensure that all requests for information or to exercise a right of audit or inspection under 8.1 are reasonable and are provided to IQAX in writing with no fewer than 60 days’ notice. Any such audit or inspection shall be strictly limited to auditing IQAX’s compliance with this DPA and shall be undertaken at your sole expense, during working hours and subject to any reasonable conditions IQAX may impose to prevent disruption to IQAX’s operations and business. You shall ensure that a written report is produced with the findings of any audit or inspection and that a copy of this report is promptly provided to IQAX. Any information obtained or received shall only be used or disclosed to the extent strictly necessary to assess IQAX’s compliance with this DPA and not for any other purpose.
    3. IQAX shall immediately inform you if, in its opinion, an instruction from you with regard to 8.1 infringes Applicable Data Protection Laws.
    4. You shall reimburse IQAX promptly on demand for any and all reasonable expenses IQAX may incur in connection with any request for information or any audit or inspection under 8.1 to 8.3. The indemnity in 4.2 shall apply in respect of any breach by you (or your personnel or auditors) of the conditions in 8.2.
       
  9. RETURN OR DELETION OF POSTED PERSONAL DATA
    1. Within 120 days following the termination of the Agreement, IQAX shall (at your discretion) either return to you the Posted Personal Data or delete the Posted Personal Data, unless such Posted Personal Data is required to be retained under Applicable Data Protection Law. Some Posted Personal Data may remain in system backups until the expiry of those backups no later than 120 days following termination of the Agreement.
       
  10. UPDATES
    1. IQAX may amend this DPA from time to time in accordance with the Terms of Use. These amendments may include changes to the data protection particulars, including the technical and organisational security measures detailed in Attachment A. You may object to any amendments, and if your objection is rejected, terminate the Agreement, in accordance with the process set out in the Terms of Use.
       
  11. INCONSISTENT DATA PROTECTION LAWS
    1. There may be circumstances in which Applicable Data Protection Laws in different jurisdictions conflict or are inconsistent or incompatible or in which complying with a lawful request from a governmental authority in one jurisdiction may breach Applicable Data Protection Laws in another jurisdiction, in connection with the processing of Personal Data in the use of Services (inconsistent data protection laws).
    2. If you become aware of any problem of inconsistent data protection laws you shall cease to use the Services and notify IQAX of the problem. IQAX shall take into consideration the necessity to comply with the Applicable Data Protection Laws to the extent practicable and liaise with relevant supervisory authorities and/or other relevant governmental authorities to identify a practical and constructive solution. Nonetheless, to the extent that no practical solution to the problem of inconsistent data protection laws can be found, IQAX may elect to withdraw some or all Services from one or more of the jurisdictions from which the inconsistent data protection laws arise.
       
  12. IQAX DATA PROTECTION CONTACT
    1. IQAX can be contacted in respect of any privacy and data protection matters at:
      • Customer Services
      • IQAX Limited
      • Units 501 to 503 and 505 to 509, 5/F, Lakeside 1, No. 8 Science Park West Avenue, Phase 2, Hong Kong Science Park, Sha Tin, New Territories, Hong Kong
      • Direct: +852-2209-2029
      • E-mail: customerservices@iqax.com
         
  13. DEFINITIONS
    1. In this DPA, the following definitions shall apply:
    “Applicable Data Protection Law” means all Applicable Law from time to time relating to the processing of personal data and privacy including (to the extent applicable):
    • (A) the GDPR;
    • (B) the UK GDPR;
    • (C) the UK Data Protection Act 2018;
    • (D) the UK Data (Use and Access) Act 2025; and
    • (E) the e-Privacy Directive and any implementing legislation;
    “Data Breach” means any accidental, unlawful or unauthorised destruction, loss, alteration, disclosure of, or access to, the Posted Personal Data or any unauthorised or unlawful transmission, storage or other processing of the Posted Personal Data;
    “GDPR” the General Data Protection Regulation (EU) 2016/679 of the European Parliament;
    “Posted Personal Data” has the meaning given to it in 1.1;
    “Privacy Policy” means IQAX’s privacy policy as updated from time to time, which can be found here: https://www.iqax.com/pss.htm;
    “Standard Contractual Clauses” (i) the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); or (ii) the applicable standard data protection clauses issued by the Information Commissioner of the United Kingdom under section 119A(1) of Data Protection Act 2018 as per the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses as of 21 March 2022 (“UK SCCs”), as the case may be, and as may be amended or replaced from time to time by a competent authority under the relevant Applicable Data Protection Law(s), to the extent that they relate to an international transfer of Personal Data;
    “Special Category Personal Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data or biometric data processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (or other sensitive personal data as may be specified by Applicable Data Protection Law);
    “Sub-Processor” has the meaning given to it in 6.1;
    “Supervisory Authority” an authority established in accordance with Article 51 of the GDPR or any other equivalent authority established under the Applicable Data Protection Law, the Minister responsible for information and communication technologies policy and innovation or any other authority or official appointed and/or delegated with responsibility for the oversight or enforcement of the Applicable Data Protection Law;
    “UK Data Protection Law” all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the United Kingdom including the Data Protection Act 2018 and the UK GDPR as amended and supplemented by the UK Data (Use and Access) Act 2025; and
    “UK GDPR” means the GDPR as it forms part of retained EU law (as defined in the European Union (Withdrawal) Act 2018).
    2. Except as otherwise defined above, definitions set out in the Terms of Use apply to this DPA.
    3. Terms and expressions used in this DPA that are not otherwise defined shall have the meanings assigned to them in Applicable Data Protection Law at the relevant time (including “controller”, “processor”, “data subject”, “personal data” and “process” (and its variants)).

ATTACHMENT A
DATA PROCESSING PARTICULARS

  1. LIST OF PARTIES
    • Data Importer
      • Name: IQAX Limited
      • Address: 31/F Harbour Centre, 25 Harbour Road, Wanchai, Hong Kong
      • Contact person’s name, position and contact details: As provided for in the Service Contract/Service Form
      • Activities relevant to the data transferred under these Clauses: See Part 3 below
      • Signature and date: Please refer to the Service Contract/Service Form
      • Role (controller/processor): Data Processor
    • Data Exporter
      • Name: Your name as identified in the Service Contract/Service Form
      • Address: As provided for in the Service Contract/Service Form
      • Contact person’s name, position and contact details: As provided for in the Service Contract/Service Form
      • Activities relevant to the data transferred under these Clauses: See Part 3 below
      • Signature and date: Please refer to the Service Contract/Service Form
      • Role (controller/processor): Data Controller
         
  2. DETAILS OF POSTED PERSONAL DATA
    1. The Posted Personal Data that will be processed in connection with the Agreement may include:
      1. name, title, role/job title and department, address, contact details (including mailing address, email address, phone number, fax number);
      2. digital identifiers such as usernames, hashed passwords, device or application IDs and IP addresses;
      3. digital usage information such as logs of access times and services and files accessed, created, modified or deleted.
    2. It is not envisaged that any Special Category Personal Data will be processed in connection with the Agreement.
    3. The categories of data subjects to which the Posted Personal Data relates are:
      1. users of the Services (including Your Users);
      2. personnel you identify as your directors, employees, representatives, contractors, affiliates and agents in relation to the Services;
      3. contacts at organisations in the shipping supply chain; and
      4. senders or recipients of shipments or consignments.
    4. The frequency of the transfer: Continuous, for the duration of the Agreement between the parties.
    5. Additional details of the personal data that may be processed in connection with the Agreement are set out in the Privacy Policy.
    6. IQAX cannot control all of the personal data that you Post to the IQAX Platform or otherwise provide to IQAX. You agree not to Post personal data to IQAX or the IQAX Platform other than personal data of the type described above except with the prior written agreement of IQAX.
       
  3. DETAILS OF PROCESSING
    1. IQAX will process Posted Personal Data in connection with the Agreement for the purposes of:
      1. providing the Services to you and Your Users in accordance with the Agreement;
      2. setting up and managing/administering your account(s) and your agreement(s) with IQAX (including IQAX performing any of its obligations or exercising any of its rights under the Agreement); and
      3. IQAX’s legitimate business operations incidental to the provision of the Services under the Agreement (including monitoring, testing, modifying, improving the systems used, and services offered, by IQAX).
    2. The processing operations that will be undertaken by IQAX and its Sub-Processors include (each to the extent permitted by the Agreement):
      1. collecting the Posted Personal Data from you and Your Users including logging of digital identifiers and digital usage information;
      2. organising, structuring and storing the Posted Personal Data;
      3. protecting the Posted Personal Data by encryption/decryption, restricting access to it; maintaining backups of it and performing security and business continuity/recovery testing in relation to it;
      4. using the Posted Personal Data including checking, analysing, aggregating, combining and adapting it;
      5. hosting the Posted Personal Data and making it available to users of the IQAX Platform including you and Your Users;
      6. transferring and communicating (including importing/exporting) the Posted Personal Data between you (and the relevant controller(s)), IQAX and IQAX’s Sub-Processors and otherwise as required by the Agreement (for example, to assist with an audit or with your compliance with data subjects’ requests); and
      7. returning the Posted Personal Data to you or deleting/erasing/disabling access to it.
    3. The duration of the processing of the Posted Personal Data corresponds to the duration of the relevant Service(s) and for a limited period thereafter, unless otherwise stated in the Agreement.
    4. Posted Personal Data may be stored, hosted and processed in a number of jurisdictions by IQAX and its Sub-Processors in connection with the provision of the Services. These jurisdictions include Singapore, Hong Kong, the People’s Republic of China and the United States of America.
    5. Additional details of the processing of Posted Personal Data are set out in the Privacy Policy.
       
  4. SUB-PROCESSORS

    IQAX currently uses the Sub-Processors in connection with its provision of the Services as listed here: https://content.iqax.com/data-protection-addendum/sub-processor/data-processing-addendum.pdf
     

  5. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
    1. Except as detailed for specific Sub-Processors below, the following measures apply to all processing of Posted Personal Data in connection with the Agreement:
    Network security and encryption

    IQAX implements network security such as firewalls, content filtering, network segmentation, cloud security posture management, regular vulnerability scanning and API management.

    IQAX looks to maintain and protect the confidentiality, integrity and availability of Posted Personal Data using measures such as encryption, role-based access control, redundancy copies and backups.

    Data transmission to and from the IQAX Platform is encrypted using encryption such as TLS 1.2. IQAX enables disk encryption for each system component or service that stores data. If a Service includes management of cryptographic keys, IQAX maintains procedures for secure key generation, issuance, distribution, storage, rotation, revocation, recovery, backup, destruction, access and use.

    Physical media intended for off-site storage, if any, such as media containing backup files, will be encrypted prior to transport.

    Access control/security policies

    IQAX implements measures designed to logically separate and prevent the Services from being exposed to, or accessed by, unauthorised persons.

    IQAX classifies Posted Personal Data and manages it according to IQAX’s access control and handling procedure.

    If IQAX requires access to data to provide the Services, and if such access is managed by IQAX, IQAX will restrict access to the minimum level required. Such access, including administrative access to any underlying components (privileged access), will be individual, role-based, and subject to approval and regular validation by authorised IQAX personnel following principles of segregation of duties.

    IQAX implements measures to identify and remove redundant and dormant accounts with privileged access and will promptly revoke such access upon the account owner's separation or upon the request of authorised IQAX personnel, such as the account owner's manager.

    IQAX maintains, for a reasonable period of time, audit logs of system usage and activity.

    IQAX maintains and follows its standard employment verification requirements for all new hires (including hires by wholly-owned IQAX subsidiaries). In accordance with IQAX internal processes and procedures, these requirements will be periodically reviewed and include educational and professional qualifications check, previous employment, character reference, proof of identity validation (HKID, Passport Number etc.), and additional checks as deemed necessary by IQAX. IQAX is responsible for implementing these requirements in its hiring process as applicable and permitted under local law.

    IQAX maintains and follows IT security policies and practices to control IQAX employees accessing IT systems. Access requests are assessed based on role and granted on a need-to-know basis.

    Physical security measures

    IQAX uses cloud providers that adhere to ISO27001 compliant physical and environmental security controls to define a physical security perimeter and implement physical security controls securing offices, rooms, and facilities, against external and environmental threats, and to ensure these areas are secure.

    Aside from customer connections and certain services/web sites which are intended to be accessed via Internet, connections to IQAX Cloud Services networks are restricted.

    To the extent supported by native device and operating system functionality, IQAX will maintain computer protections including endpoint firewalls, full disk encryption, signature-based malware detection and removal, time-based screen locks, and endpoint management solutions that enforce security configuration and patching requirements.

    IQAX may use wireless networking technology, including to provide maintenance and support for the Services and associated Components. Such wireless network communication will be encrypted and require secure authentication and will not provide direct access to IQAX cloud services networks.

    Application security testing

    IQAX uses industry standard systems for application code vulnerability assessment and testing.

    API security

    IQAX uses industry standard systems to manage, control and protect its APIs from cybersecurity threats.

    IQAX will maintain a documented security architecture for Services as a whole. IQAX will separately review such security architecture, including measures designed to prevent unauthorized network connections to systems, applications and network devices, for compliance with its network segmentation, isolation, and defence-in-depth standards prior to implementation.

    Threat detection and response

    IQAX uses industry standard systems for security vulnerability scanning and malicious activity monitoring, detection, blocking and forensics on its servers.

    IQAX maintains an appropriate level of DDoS protection for its online systems.

    IQAX maintains an inventory of information technology systems used by it in the provision of the Services. IQAX continuously monitors and manages the health, including capacity and availability of the Services and underlying components.

    IQAX uses multiple third party public cloud services and each cloud vendor provides monitoring of privileged access and maintains security information and event management to:

    1. identify unauthorised access; and
    2. record access attempts (including where the wrong password is used).

    IQAX monitors abnormal usage such as unauthorised access and aims to facilitate a timely and appropriate response to these kinds of activities.

    Logs in which privileged access and activity are recorded are retained in compliance with IQAX policies and procedures. IQAX implements measures designed to protect against unauthorised access, modification, and accidental or deliberate destruction of such logs.

    Patches and updates

    IQAX takes steps to ensure that systems it uses to process Posted Personal Data are kept up to date with the latest patches for known security vulnerabilities.

    IQAX maintains policies and procedures designed to manage risks associated with the application of changes to the Services. Prior to implementation, changes to a Service, including its systems, networks, and underlying components, will be documented internally including recording a description of and reason for the change, implementation details and schedule, a risk statement addressing impact to the Services and IQAX’s clients, expected outcome, rollback plan, and documented approval by authorised personnel.

    Business continuity management

    IQAX maintains regular backups to ensure that the most important data on its systems can be recovered and systems can be restored in the event of a disaster, malware or ransomware attack or cyber security incident.

    ISO 27001 Compliance

    IQAX maintains up-to-date certification of compliance with ISO 27001 information security standards, provided that initial certification of compliance is due to take place by the end of 2021.

    2. Posted Personal Data processed by the Sub-Processors set out above is subject to the technical and organisational security measures as described here: https://content.iqax.com/data-protection-addendum/sub-processor/data-processing-addendum.pdf.
       
  6. COMPETENT SUPERVISORY AUTHORITY
    1. The competent supervisory authority(ies), in accordance with Clause 13 of the EU SCCs, refers to:
      1. The supervisory authority applicable to the data exporter in its EEA country of establishment;
      2. Where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter’s EU representative has been appointed pursuant to Article 27(1) of the GDPR;
      3. Where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located; or
      4. Where the processing is of Personal Data to which UK Data Protection Law applies, the Information Commissioner’s Office.