NextDrive Information Security and Personal Data Protection Addendum / NextDrive Products and Services Data Protection Addendum

  1. Introduction

nextDrive makes commitments under this DPA to all customers with existing customer agreements. Regardless of (1) whatever product terms separately apply to any specified product subscription or usage right, or (2) how any other agreement referencing the product terms is worded, these customer-related commitments are binding on nextDrive.

If any current or future government regulation or obligation in any country/region or jurisdiction (1) binds nextDrive to comply with a local requirement that is not generally applicable to commercial operations, (2) makes it impracticable for nextDrive to continue supplying the products or professional services without modification, and/or (3) leads nextDrive to believe that the DPA terms, the products, or the professional services may conflict with any such regulation or obligation, nextDrive may modify or terminate the products or professional services.



  2. Data Protection Provisions

When using the products and services, customers must comply with all relevant laws and regulations of the countries in which they are located, including laws on biometric data, communication confidentiality provisions, and data protection regulations. Customers are solely responsible for determining whether the products and services are suitable for storing and processing information subject to any particular law or regulation, and whether their use of the products and services complies with their legal and regulatory obligations. Customers are solely responsible for responding to third-party requests concerning their use of the products and services, such as requests to take down content under the U.S. Digital Millennium Copyright Act or other applicable laws.

The data security standards applicable to all products and services provided by nextDrive fully comply with the requirements set out in ISO 27001, ISO 27002, and ISO 27017.

nextDrive may adopt industry or government standards at any time. Unless a standard is no longer adopted by the industry and has been replaced by a successor (if any), nextDrive will not arbitrarily exclude any standard or framework content listed in ISO 27001, ISO 27002, or ISO 27017.

Customer data and professional service data (each including any personal data therein) transmitted over public networks between the customer and nextDrive are encrypted by default.

nextDrive applies a least-privilege access mechanism to control access to customer data and professional service data (including any personal data therein). Role-based access control ensures that the customer data and professional service data required for service operations are accessed only for appropriate purposes and with approval under management oversight. nextDrive personnel do not have standing access to customer data, and all necessary access rights are time-limited.

Customers are solely responsible for determining whether the technical and organizational measures of the products and services meet their needs, including the security obligations they bear under applicable data protection regulations. Customers acknowledge and agree that (taking into account the state of the art, the cost of implementation, the nature, scope, context, and purposes of processing their personal data, and the risks to individuals) the security measures and principles implemented and maintained by nextDrive provide a level of security appropriate to the risks associated with their personal data. Customers are responsible for implementing and maintaining privacy protection and security measures for the account passwords they use.



·     Where a standard or framework is auditable, the control standard or framework must be audited at least once a year.

·     Each applicable control standard or framework will be audited against the standards of a statutory or recognized body.

·     Each audit will be performed by a qualified and independent third-party security auditor, selected and paid for by nextDrive.

Each audit will produce an audit report (hereinafter the "nextDrive Audit Report"). The nextDrive Audit Report is nextDrive's confidential information and will clearly disclose any significant findings by the auditors. nextDrive will promptly remediate the matters raised in the nextDrive Audit Report to the auditors' satisfaction. Upon customer request, nextDrive will provide the customer with the nextDrive Audit Report for that year. The nextDrive Audit Report is subject to confidentiality and to the distribution restrictions imposed by nextDrive and the auditors.

If nextDrive becomes aware of any security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to customer data, professional service data, or personal data while being processed by nextDrive (each a "Security Incident"), nextDrive will promptly and without undue delay (1) notify the customer of the Security Incident; (2) investigate the Security Incident and provide the customer with relevant details of it; and (3) take reasonable steps to mitigate its effects and minimize any damage it causes.

Notification of a Security Incident will be delivered to the customer by any means nextDrive selects (including email). The customer is solely responsible for ensuring that it maintains accurate contact information with nextDrive for each applicable product and professional service. The customer is solely responsible for complying with its obligations under applicable incident notification laws and for fulfilling any third-party notification obligations relating to any Security Incident.






SLA (Service Level Agreement)

This Service Level Agreement does not apply to any of the following: (1) issues caused by factors beyond our reasonable control, including any force majeure event or Internet access conditions; (2) issues caused by any of your actions or interactions; (3) issues caused by your equipment, software, or other technology.

Except for free-trial services, after a customer's subscription expires or is terminated, nextDrive will keep customer data still stored in the online services in a limited-functionality account for 90 days so that the customer can retrieve it. After the 90-day retention period, nextDrive will disable the customer account and delete the customer data and the personal data stored in the online services within a further 90 days, unless law enforcement agencies in the Republic of China (Taiwan) and Japan authorize nextDrive to retain such data.





  3. Security Measures

  4. How to Contact nextDrive



Release Date: 2024/08/30, Version No.: V001
  1. Introduction

Both parties agree to this nextDrive Product and Service Information Security and Personal Data Protection Addendum (hereinafter referred to as the "DPA"), which outlines the obligations of both parties regarding the processing and security of customer data, professional service data, and data related to products and services. The DPA is hereby incorporated into the product terms and any other nextDrive agreements. Both parties also agree that, unless otherwise stipulated in a separate professional services agreement, this DPA governs the handling and security of professional service data and personal data protection within nextDrive's products and services.

In the event of any conflict with customer agreements related to nextDrive's product and service information security and personal data protection handling, the DPA terms shall serve as supplemental provisions, and customers may assert their rights under the DPA terms.

nextDrive is committed to all customers with existing customer agreements under this DPA. Regardless of (1) any other applicable product terms for a specific product subscription or usage rights, or (2) the provisions of any other agreements referencing the product terms, these commitments related to the customer are binding on nextDrive.

Government Regulations and Requirements

If any government regulations or obligations in any current or future country/region or jurisdiction (1) compel nextDrive to comply with any local regulations that are not generally applicable to commercial operations, (2) indicate that it would be difficult for nextDrive to continue providing products or professional services without modification, and/or (3) cause nextDrive to believe that the DPA terms, products, or professional services may conflict with any such regulations or obligations, nextDrive may modify or terminate the products or professional services.

Electronic Notifications

nextDrive may provide relevant product and service information and notifications to customers electronically, including via email, online service portals, or through nextDrive's designated website. Notifications will be sent on the date nextDrive is able to provide the notice.

  2. Data Protection Provisions

Compliance with Laws

The products and services provided by nextDrive are subject to all relevant laws and regulations of the Republic of China (Taiwan) and Japan, including security breach notification laws and data protection regulations. However, nextDrive is not obligated to comply with any laws or regulations that apply specifically to customers or their industries, rather than generally to IT service providers. nextDrive will not determine whether customer data contains information subject to any specific law or regulation.

Customers must comply with all relevant laws and regulations of the countries where they operate when using the products and services, including biometric data-related laws, communication confidentiality provisions, and data protection regulations. Customers are responsible for determining whether the products and services are suitable for storing and processing data subject to any specific laws or regulations, as well as ensuring that their use of the products and services complies with their legal and regulatory obligations. Customers are also responsible for responding to third-party requests related to their use of the products and services, such as content removal requests under the U.S. Digital Millennium Copyright Act (DMCA) or other applicable laws.

Data Security Measures and Principles

All products and services provided by nextDrive adhere to data security standards that fully comply with the requirements outlined in ISO 27001, ISO 27002, and ISO 27017. nextDrive may adopt industry or government standards at any time. Unless no longer adopted by the industry and replaced by successors (if any), nextDrive will not exclude any standards or framework content listed in ISO 27001, ISO 27002, and ISO 27017.

Special Notice on Personal Data Protection

All products and services provided by nextDrive comply with the Personal Data Protection Laws implemented by the Republic of China (Taiwan) and Japan.

Exclusion of GDPR

The primary products and services provided by nextDrive are not intended for EU citizens and are not offered within the EU, hence the exclusion of GDPR applicability.

Data Encryption

Customer data and professional service data (including any personal data therein) transmitted over public networks between the customer and nextDrive are encrypted by default. nextDrive will also encrypt customer data at rest stored in online services, as well as professional service data stored at rest.

Data Access

nextDrive will enforce a least-privilege access mechanism to control access to customer data and professional service data (including any personal data therein). Role-based access control will ensure that access to customer data and professional service data required for service operations is authorized and managed for appropriate purposes. Additionally, nextDrive personnel will not have long-term access to customer data, and all necessary access rights are time-limited.

Customer Responsibilities

Customers are fully responsible for determining whether the technical and organizational measures of the products and services meet their needs, including their security obligations under applicable data protection regulations. Customers acknowledge and agree that (considering the state of the art, implementation costs, the nature, scope, context, and purposes of processing their personal data, as well as the risks to individuals) the security measures and principles implemented and maintained by nextDrive provide an appropriate level of security for the risks associated with their personal data. Customers are responsible for implementing and maintaining privacy protection and security measures for the accounts and passwords they use.

Compliance Audits

nextDrive will conduct security audits on the computer and computing environments and physical data centers used to process customer data, professional service data, and personal data, as follows:

·     If standards or frameworks are available for audit, these control standards or frameworks must be audited at least once a year.

·     Applicable control standards or frameworks will be audited based on statutory or recognized agency standards.

·     All audits will be conducted by qualified and independent third-party security auditors, selected and funded by nextDrive.

Each audit will produce an audit report (hereinafter referred to as the "nextDrive Audit Report"). The nextDrive Audit Report is confidential to nextDrive and will clearly disclose any significant findings by the auditors. nextDrive will immediately address any issues raised in the nextDrive Audit Report to the auditors' satisfaction. Upon customer request, nextDrive will provide the customer with the nextDrive Audit Report for that year. The nextDrive Audit Report will be subject to confidentiality and distribution restrictions imposed by nextDrive and the auditors. If the audit report, documentation, or compliance information provided by nextDrive does not reasonably satisfy the customer's audit requirements under data protection regulations, the customer may request immediate contract termination.

Security Incident Notification

If nextDrive becomes aware of any security breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to customer data, professional service data, or personal data (each referred to as a "Security Incident") during processing by nextDrive, nextDrive will, without undue delay, (1) notify the customer of the Security Incident; (2) investigate the Security Incident and provide relevant details to the customer; (3) take reasonable measures to mitigate the effects and minimize any damage caused by the Security Incident. Security Incident notifications will be communicated to the customer by any means selected by nextDrive (including via email). The customer is fully responsible for maintaining accurate contact information with nextDrive for each applicable product and professional service. The customer is also fully responsible for complying with its obligations under applicable incident notification laws and fulfilling any third-party notification obligations related to any Security Incident. nextDrive's notification or response to a Security Incident under this section does not constitute an acknowledgment by nextDrive of any fault or liability in connection with the Security Incident. If the customer becomes aware of any improper use of its accounts or authentication credentials or any related Security Incident involving products and services, the customer must immediately notify nextDrive.

Data Transfer and Location

nextDrive permits customer data and professional service data to be transferred over public networks where necessary to provide the services; all such data is encrypted by default. nextDrive's core online services, customer data at rest, and professional service data are stored in data centers operated by AWS, Google, or Microsoft within Japan's borders.

SLA (Service Level Agreement)

Unless otherwise agreed upon, all products and services provided by nextDrive are subject to the SLA standards that align with those provided by AWS to its customers, covering service disruptions, recovery, and average downtime.

·     Planned Service Interruptions: If any planned service interruptions occur due to regular inspections, maintenance, updates, etc., nextDrive will notify customers in advance according to the plan.

·     Exclusions: This SLA does not apply to the following conditions:

  1. Factors beyond our reasonable control, including any force majeure event or Internet access issues;

  2. Any actions or interactions attributable to you;

  3. Any issues caused by your equipment, software, or other technologies.

Data Retention and Deletion

Customer data and professional service data stored in individual online services can be accessed, retrieved, and deleted by the customer at any time during the subscription or applicable professional service agreement period. Except for free trial services, nextDrive will retain customer data still stored in online services within a limited functionality account for 90 days after the customer's subscription expires or is terminated, allowing the customer to retrieve the data. After the 90-day retention period, nextDrive will disable the customer's account and delete the customer data and personal data stored in online services within an additional 90 days, unless law enforcement agencies in the Republic of China (Taiwan) and Japan authorize nextDrive to retain such data. Personal and professional service data will be deleted after achieving the commercial purpose for which the data was collected or transferred, or earlier upon the customer's request. nextDrive will not be liable for any damages resulting from the deletion of customer data, professional service data, or personal data as described in this section.

Processor Confidentiality Commitment

nextDrive will ensure that, during the processing of customer data, professional services data, and personal data, the personnel entrusted with such processing will only handle this data according to the customer's instructions or as specified in this DPA. Even after the termination of the contractual relationship between the parties, these personnel are obligated to maintain the confidentiality and security of such data. nextDrive will provide regular, mandatory training and awareness programs on data privacy and security for employees who have access to customer data, professional services data, and personal data, in accordance with applicable data protection regulations and industry standards.

  3. Security Measures

For customer data within core online services and professional services data, nextDrive has implemented and will maintain the following security measures, which include the security requirements and measures outlined in the ISO 27001, ISO 27002, and ISO 27017 standards, and strictly adhere to all requirements of the Personal Data Protection Acts implemented in the Republic of China (Taiwan) and Japan.

  4. How to Contact nextDrive

If the customer believes that nextDrive has not complied with its privacy or security commitments, the customer may contact nextDrive via the following methods, and nextDrive will respond as promptly as possible.


