Marzipan Data Processing Addendum

Annex A: Marzipan Security Standards

Capitalised terms not otherwise defined herein have the meanings assigned to them in the DPA.

This Annex A addresses the technical and organisational measures, including practical safeguards and technical security measures, that Marzipan maintains to (a) secure the Customer Data against accidental or unlawful loss, access or disclosure; (b) identify reasonably foreseeable and internal risks to security and unauthorised access to the Services, including the Customer’s Marzipan account; and (c) minimise security risks, including through risk assessment and regular testing. Marzipan will designate one or more employees to be accountable for, and to respond to any questions on, the information security practices and measures described below.

  1. Shared Responsibility Model

    Marzipan operates cloud-based applications at marzipan.co, labls.co and labls.io, whose infrastructure and associated data are hosted on servers operated by the cloud service providers (1) UpCloud Oy ("UpCloud") at its DE-FRA1 data centre in Frankfurt, Germany and (2) Hetzner Online GmbH ("Hetzner Online") at its data centres in Nuremberg and Falkenstein, Germany. The Marzipan Service is therefore delivered via the internet according to a Software as a Service ("SaaS") model.

    As between UpCloud and Hetzner Online, UpCloud hosts the live production versions of the Marzipan applications and their associated data, and provides the computing power that allows the Customer to access the Services without needing to install a copy of either application. Hetzner Online provides Marzipan with a dedicated server on which Marzipan hosts staging (i.e. test) versions of the applications for the purposes of testing new code, features and updates in a controlled environment before making them live.

    The SaaS model establishes a division of responsibility for implementing the technical and organisational safeguards needed to protect the Customer Data. As the data controller, Marzipan is responsible for designing and configuring the access management and network security controls under which Customer Data is stored in the cloud (security in the cloud). As cloud service providers and data processors, UpCloud and Hetzner Online are responsible, as applicable, for maintaining the security of the underlying cloud environment and physical servers on which the Customer Data is stored, including implementing technical and physical measures to protect their data centres and network architecture against unauthorised access (security of the cloud).

    More specifically, Marzipan is responsible for the security of the Marzipan application software (including updates and security patches to the Marzipan and Labls applications) and for the configuration of any security-related features that UpCloud and Hetzner Online provide as part of their cloud service offerings. In turn, UpCloud and Hetzner Online operate, manage and control (as applicable) the components from the virtualisation layer down to the physical security of the facilities in which the Marzipan application service operates and its associated data is stored.

    We call this a ‘Shared Responsibility Model,’ as it means that in addition to implementing substantial technical and organisational measures of our own, we rely on the extensive security mechanisms of UpCloud and Hetzner Online.

    Further information on the physical, network and system security measures that UpCloud and Hetzner Online respectively deploy to safeguard their data centres and the data stored within them is published by each provider on its own website.

  2. UpCloud and Hetzner Online Servers

    UpCloud

    According to Article 28(3)(c) UK GDPR, Marzipan is required to choose a cloud computing processor that provides sufficient guarantees of its ability to meet the data security measures outlined in Article 32 UK GDPR.[1]

    We have selected UpCloud as our principal hosting provider, infrastructure partner and cloud computing processor for the production versions of the Marzipan and Labls applications following a careful selection process that considered legal, organisational and technical measures. We chose UpCloud because its IT architecture and infrastructure have been certified as designed and managed in accordance with industry-leading best practices and security standards, including:

    • ISO 9001 Quality management
    • ISO 14001 Environmental management
    • ISO 22301 Security and resilience
    • ISO 27001 Information security management
    • ISO 50001 Energy management
    • SOC 2 Type II Data security and privacy
    • PCI DSS Payment card data security

    To ensure compliance with the 'Schrems II' ruling by the Court of Justice of the EU (CJEU) in July 2020, all Customer Data hosted with UpCloud is hosted at UpCloud's DE-FRA1 data centre in Frankfurt, Germany.

    Hetzner Online

    Marzipan has chosen Hetzner Online as a reliable partner to provide it with additional dedicated server space. Hetzner Online is certified in accordance with DIN ISO/IEC 27001, the internationally recognised standard for information security, which certifies that Hetzner Online has established and implemented an appropriate Information Security Management System ("ISMS").

    Hetzner Online applies the ISMS to its infrastructure and operations at both German data centre locations in which Marzipan leases dedicated server space, namely the Nuremberg and Falkenstein data centre parks. FOX Certification, a third-party certification body, has audited and certified the ISMS processes of Hetzner Online’s data centre parks.

  3. Encryption

    An essential core element of Marzipan’s security measures is encryption of data both at rest and in transit. All external network communication between customers and the Marzipan application over public networks is protected using Transport Layer Security ("TLS") 1.2 or higher. Customer Data stored on Marzipan’s UpCloud and Hetzner Online servers is encrypted using AES-256.

    Marzipan uses UpCloud’s and Hetzner Online’s respective encryption services to encrypt Customer Data at rest.

    The UpCloud encryption system is designed so that no one, including Marzipan or UpCloud staff, can access the plaintext encryption keys. UpCloud uses hardware security modules ("HSMs") that have been or are currently validated in accordance with FIPS 140-2 to protect the confidentiality of the plaintext keys used to encrypt the Customer Data. All cryptographic keys are automatically rotated once a year.

    Hetzner Online’s full-disk encryption uses AES-256 and mandatory authentication to encrypt all drives in its dedicated servers, whether the encryption is implemented in software or in hardware. This minimises the risk of data loss and of unauthorised access to Customer Data, in particular where a physical drive is removed, replaced or decommissioned.

    Marzipan’s systems use transport encryption whenever data is transferred over an insecure or public network. The web interface and all APIs connected to the Marzipan application are accessible only via HTTPS, and client systems must use at least TLS 1.2 to access the Marzipan system; connections that offer only older protocol versions are not accepted.

  4. Restriction of server locations to the EEA/EU

    Marzipan stores Customer Data exclusively in the EEA, namely at UpCloud’s DE-FRA1 data centre in Frankfurt, Germany and Hetzner Online’s data centres in Nuremberg and Falkenstein, Germany.

    This is to best ensure that Customer Data cannot be used or disclosed without authorisation, particularly in light of the Court of Justice of the EU’s Schrems II judgment of 16 July 2020 and data protection experts’ concerns regarding laws compelling the disclosure of data to public authorities in the United States and other non-EEA jurisdictions.

  5. Logging/Audit Trail

    Marzipan uses logging in its UpCloud environments in several areas. These include:

    • System events;
    • Error logging;
    • User activity;
    • Logins and requests to database systems;
    • Other security-related events/audit logging.

  6. Monitoring

    Marzipan uses various monitoring tools to ensure maximum availability and performance of the Marzipan systems and application. These monitor at least the following parameters:

    Availability

    • Accessibility of the application
    • Accessibility of backend systems and services

    Resources

    • CPU utilisation
    • Utilisation of network interfaces
    • Utilisation of persistent and volatile storage (disk and memory)

    Performance

    • Application response times
    • Response times of back-end systems
    • Query times for MySQL database content

    Security

    • DS performance
    • Update status of systems

    Logs

    • Error logs
    • Access logs

    In addition to this automated monitoring, Marzipan employees follow relevant online media and blogs (including OWASP updates) for newly published vulnerabilities and security advisories, so as to be able to react to them promptly.

  7. Access Control

    Marzipan assigns its employees and contractors different levels of access to its systems and services on UpCloud’s and Hetzner Online’s servers. These are managed through UpCloud’s and Hetzner Online’s respective Identity and Access Management (IAM) systems, which enable fine-grained control of access to individual services.

    The overriding principle for Marzipan when assigning rights to its personnel is "need-to-know". In practice, this means that Marzipan staff are only given access to those functions they need to perform their jobs. Access to back-end systems is only possible via secure and authenticated connections. Public exposure of back-end systems is prohibited. Only a strictly limited number of Marzipan personnel have access to the systems that store Customer Data. This direct access is used exclusively for error analysis and is monitored.

  [1] Article 32 of the UK GDPR requires controllers and processors to adopt a risk-based approach to data security. It requires controllers and processors to "ensure a level of security appropriate to the risk". The purpose of a risk-based approach is to assess the potential risks inherent in a particular activity and to identify and implement mitigation techniques to control and minimise any potential impacts.