General terms and conditions of the service
SYMPOSIUM undertakes to provide the Services in accordance with the stipulations of the Service Contract, with professionalism and reasonable diligence, and in accordance with the applicable legal and regulatory framework.
SYMPOSIUM does not assume any commitment or give any guarantee that the Service will be free from errors or interruptions, especially when the cause of such delay or interruption is beyond our control, including, but not limited to, the unavailability of the telecommunications network.
The CLIENT accepts that we may suspend the provision of the Services during scheduled or emergency maintenance and interruption periods. We will give reasonable notice of anticipated service interruptions.
Our total liability to the CLIENT for all claims arising in a calendar year in relation to the Service Contract, whether contractual, extra-contractual (including negligence) or of any other type, will be limited in aggregate to an amount equal to 100% of the amounts actually paid for the license in the corresponding year.
In addition, as DATA PROTECTION MANAGER (the processor under the GDPR), SYMPOSIUM undertakes to:
- Process personal data only on the instructions of the CONTROLLER contained in this contract. If mandatory legal obligations require any additional processing, the MANAGER will notify the CONTROLLER.
- Train and inform staff so that they understand the security rules that affect the performance of their duties, as well as the consequences of non-compliance.
- Guarantee that the persons authorized to process personal data have committed themselves to confidentiality.
- Cooperate loyally with the CONTROLLER whenever it is necessary to carry out a data protection impact assessment as provided for in article 35 GDPR.
- Assist the CONTROLLER, taking into account the nature of the processing and through appropriate technical and organizational measures, whenever possible, so that it can comply with its obligation to respond to requests for the exercise of the rights of data subjects established in Chapter III of Regulation (EU) 2016/679.
- Make available to the CONTROLLER all the information necessary to demonstrate compliance with the obligations established in the contract.
- Guarantee the adequate keeping of the Record of Processing Activities regulated by article 30.2 GDPR and, in particular, ensure the proper documentation of the technical and organizational security measures.
- Notify the CONTROLLER of any security incident that may constitute a personal data breach under articles 33 and 34 GDPR, following the procedure described in Annex II of this contract.
- Notify the CONTROLLER of any processing that derives from the duty of cooperation with the Security Forces, judges and courts, and public authorities.
The CLIENT agrees to:
- Provide the SYMPOSIUM team with all the information and assistance necessary to set up the platform.
- Not assign, lease or sell its access to the platform to a third party without the prior consent of SYMPOSIUM.
- Not use the Services for fraudulent or illegal purposes, or allow others to do so.
- Not use the Services for offensive, indecent, obscene, threatening or defamatory purposes, or allow others to do so.
- Comply with all applicable laws and regulations, in particular the obligations established in the General Data Protection Regulation and in any other applicable or related regulations in force.
- Follow our reasonable instructions regarding the Services at all times.
- Not remove any copyright or proprietary notices included in the software or documentation we provide.
- As DATA CONTROLLER, comply with the duty of transparency under article 13 GDPR in the cases and on the terms described.
- Indemnify us for all additional costs we may incur due to any delay or omission on its part in fulfilling its obligations or responsibilities under the Service Contract. We may bill the CLIENT for recorded failures diagnosed as its responsibility or caused by a breach of any of its obligations or responsibilities.
SYMPOSIUM AS EVENT AGGREGATOR
The range of services offered by SYMPOSIUM also reaches end users, understood as the people who register for events managed by the application and who consult information about them by any means.
For end users, SYMPOSIUM makes it possible to obtain information on activities of interest to them, to subscribe to alerts and to receive specific information in their areas of interest.
The aggregation service seeks to provide added value to SYMPOSIUM clients insofar as it contributes to wider dissemination of their events and the consequent increase in registrations and brand visibility.
In the aggregation service, SYMPOSIUM will act as CONTROLLER, in the terms defined by article 4 of the General Data Protection Regulation, of the personal data of the users who subscribe to the service freely and independently of their relationship with the university. SYMPOSIUM is committed to fully guaranteeing the rights of users and their exercise, in particular those provided for by Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, by Law 34/2002, of July 11, on information society services and electronic commerce, and by any other regulations that may additionally apply.
START DATE, EFFECTIVE PERIOD AND EARLY TERMINATION.
- Start date and period of validity of the service: see start date of the Service Contract.
- The Contract will be renewed automatically unless either party gives notice to the contrary at least 60 days before the end of the contract.
Termination: In the event of non-compliance by either Party, the complying party may unilaterally terminate this Contract by prior written notification to the non-compliant party in any of the following circumstances:
- serious or continued breach of the obligations established in this Contract;
- any of the causes provided for by law;
- cases in which, ten calendar days after the CONTROLLER has required its collaboration, the MANAGER still does not collaborate properly; such termination gives rise to no compensation;
- the refusal of the CONTROLLER to authorize subcontracting of the service that fails to comply with the provisions of clause 8.
If the cause of termination is a serious or repeated breach by either party of its obligations, the breaching party must be granted a period of not less than fifteen (15) business days to remedy the situation in accordance with the provisions of the contract and the applicable laws and regulations, except as provided in letter (c) of the previous paragraph.
The CLIENT is obliged to pay the prices stipulated, incorporated or indicated in the form "Contract and Term and General Conditions of Service".
Unless otherwise indicated in the Contract form, prices are in euros and do not include any applicable tax on operations, consumption or value added.
The parties accept that all taxes that this contract may generate will be paid in accordance with the Laws, Regulations and other applicable provisions. The indicated price rates will be reviewed annually to adapt them to the new functionalities incorporated into the SYMPOSIUM platform.
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as well as Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights and its implementing regulations, the parties undertake to comply with the obligations legally enforceable under the Data Protection regulations in force.
The CLIENT will inform all persons concerned by this section that SYMPOSIUM is a recipient of the Data and that SYMPOSIUM may incorporate into its information systems both the data of the persons signing this contract and the data of the CLIENT's personnel whose processing is necessary for the management of this contract and the adequate provision of the service. The Annex to this contract contains the detailed description of the personal data processing to be carried out in the provision of the services and the specific security obligations.
SUBCONTRACTING OF SERVICES and INTERNATIONAL DATA TRANSFERS.
The CLIENT authorizes SYMPOSIUM to subcontract the infrastructure services to Amazon Web Services Spain S.L., that is, the virtual servers, database services and distributed storage on which the CLIENT's instances and the Symposium website run. This provider is certified under ISO 27017 (security controls for cloud services).
If the MANAGER needs to change the subcontracted company, the CONTROLLER authorizes contracting with: MICROSOFT, GOOGLE, IBM.
Notice of such changes will be given without undue delay once they become known.
If SYMPOSIUM wishes to engage a new subcontractor not mentioned above, it will inform the CONTROLLER at least 15 calendar days in advance, giving the CONTROLLER the opportunity to object to the change.
In any case, SYMPOSIUM guarantees that the same data protection obligations as those stipulated in this contract will be imposed on the subcontractor by means of a contract.
Processing that constitutes an international transfer of personal data is authorized for the purposes of Regulation (EU) 2016/679 provided that the following circumstances concur:
- the processing is essential for the provision of the contracted service or the fulfillment of a legal obligation;
- compliance with the provisions of Regulation (EU) 2016/679 is guaranteed.
SECURITY MEASURES and NOTIFICATION OF SECURITY VIOLATIONS
SYMPOSIUM, as MANAGER, will adopt the security measures described in Annex II to this contract in order to ensure the confidentiality, integrity, availability and resilience of the information.
In the event of a security breach, the MANAGER will notify the CONTROLLER without undue delay, and within a maximum of 72 hours of becoming aware of it, together with all the information relevant to documenting and communicating the incident, in accordance with Annex II of this contract. Notification is not required only where the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
RETURN OF DATA AFTER THE PROVISION OF SERVICES
Once the services have been provided, and within 10 business days, the MANAGER will return to the CONTROLLER the personal data and, where applicable, the media on which they are held. It will likewise delete all data and copies existing on its computer systems, but may keep a copy, with the data duly blocked, for as long as liabilities may arise from the performance of the service.
The MANAGER must provide a document certifying the deletion of the information, indicating, where applicable, the existence of said copy. The return procedure will follow what is described in section e) of Annex I to this Contract.
Any communication between the parties arising from compliance with the obligations established in this Contract will be made on behalf of each party and addressed to the place and contact persons identified in this Contract.
If a Court or any competent authority declares any stipulation of this Contract null or ineffective, the rest of the Contract will retain its full validity and effect, unless said stipulation was so essential to the Contract that the economic, legal and commercial objectives pursued by the parties would be frustrated.
Legislation and Jurisdiction
This Contract will be governed by and interpreted in accordance with Spanish law, and both parties, waiving any other jurisdiction to which they may be entitled, irrevocably and unconditionally submit to the exclusive jurisdiction of the Courts and Tribunals of the city of Barcelona to resolve any conflict or issue arising out of or related to this Agreement.
DATA PROTECTION AND INFORMATION SECURITY
Detailed description of the treatments.
Data provided to or accessed by the MANAGER.
The data processing operations planned in connection with the services to be provided are the following: collection, structuring, modification, consultation and deletion.
For the execution of the activities deriving from the provision of services, the MANAGER will process the information that the CONTROLLER defines for each event created in SYMPOSIUM. By default this will be:
- For every user registered on the platform, the full name and email address are requested.
- For paid registrations: the full name of the company or individual responsible for paying the registration, their CIF / NIF / NIE or foreign identification document, and their postal address.
- For scientific documentation, the name of the author or co-author is linked to the scientific publication through their ORCID identifier.
The application allows additional fields to be integrated. These are defined by the CONTROLLER, who, where appropriate, is obliged to notify the MANAGER.
The MANAGER usually verifies the configuration of each event. In any case, whenever the CONTROLLER uses or expands the range of personal data collected in a way that requires additional specific measures, it must notify the MANAGER specifically. The categories of data subjects affected by the processing carried out by the MANAGER are the following: clients and users; contact persons; teachers; research staff; legal representatives; associates or members.
Mode of delivery or access to data.
The way information is delivered to the MANAGER, and how it accesses personal data, varies depending on where the services are provided.
If the data processing is carried out in the MANAGER's own facilities or systems, the MANAGER must establish sufficient technical and organizational security measures to control access and guarantee the confidentiality, integrity, availability and resilience of the information processed.
If the MANAGER processes the data through remote access to the CONTROLLER's systems, or accesses data only within the CONTROLLER's systems, the MANAGER must implement the security measures set out in Annex II, in accordance with article 28 GDPR. In any case, both the CONTROLLER and the MANAGER, when processing and transmitting personal information by logical or physical means, must establish appropriate technical and organizational security measures to prevent unauthorized access, loss, theft or modification of the information processed, thereby protecting the confidentiality, integrity, availability and resilience of the systems and of the information being processed.
Information systems affected according to the Registry of Treatment Activities.
The personal data integrated into the MANAGER's information systems and accessed by virtue of this contract are held in the file called:
USERS. Without prejudice to the MANAGER's obligations regarding the record of processing activities, it is the CONTROLLER's responsibility to comply with the obligations established in article 30.1 of the General Data Protection Regulation.
Return of the data.
Once the services have been provided, the MANAGER will return to the CONTROLLER the personal data and, where applicable, the media on which they are held. It will likewise delete all data and copies existing on its computer systems, but may keep a copy, with the data duly blocked, for as long as liabilities may arise from the performance of the service.
Accordingly, within 10 working days after the end of the provision of services, the MANAGER must provide a certificate attesting to the deletion of the information; if retention is necessary because it is required by applicable legislation, this must be indicated in the certificate.
Notwithstanding the foregoing, and upon prior communication from the CONTROLLER once the provision has been completed, the MANAGER may be required to carry out:
- Delivery of the information to another processor and, where applicable, the media on which it is held. After delivery, all data and copies existing on the computer systems will be deleted, and a copy may be kept, with the data duly blocked, for as long as liabilities may arise from the performance of the service. The MANAGER will likewise have 10 working days to deliver the certificate attesting to the deletion on the established terms.
- Destruction of the information processed after the provision of services. The MANAGER will have 10 business days to deliver the certificate attesting to the destruction. If retention of the information is necessary because it is required by applicable legislation, this must be indicated in the certificate.
Specific obligations regarding security.
Notification of security breaches.
The MANAGER will notify the CONTROLLER by email, without undue delay and within a maximum of 72 hours of becoming aware of it, together with all the information relevant to documenting and communicating the incident.
Notification to the CONTROLLER is not required only where the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The information to be included in the notification, if known, is the following:
- A description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
- The name and contact details of the data protection officer or other contact point where more information can be obtained.
- A description of the likely consequences of the personal data breach.
- A description of the measures taken or proposed to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide the information at the same time, it will be provided in phases without undue further delay. In addition, the MANAGER must follow the instructions that the CONTROLLER issues at any time regarding the notification and documentation of possible security incidents, in line with the protocols or procedures that have been adopted.
Security obligations of the MANAGER.
The MANAGER must:
- define the roles of users or user profiles with access to personal data and information systems and document them, where applicable, in the Security Document or Policy;
- define the control functions or authorizations delegated by the head of the body or entity;
- train and inform staff so that they understand the security rules that affect the performance of their duties, as well as the consequences of non-compliance.
Security measures adopted.
In order to guarantee the confidentiality, integrity, availability and resilience of the information systems, the following security measures have been adopted:
- Password hashing.
- User passwords are stored in the database as hashes and are never held in plain text, so an attacker who obtains the database cannot read or reverse them directly.
- The hash function used is SHA-2. Note that hashing protects against disclosure of the stored value, not against guessing: SHA-2 is a fast general-purpose hash, so an attacker holding the database can test candidate passwords offline, and weak passwords remain recoverable by dictionary or brute-force attack. Collision resistance is not the relevant property here; what limits guessing is password strength, a unique salt per user and a deliberately slow password hashing function (bcrypt, scrypt or Argon2).
- Backup and failover.
- The platform database is deployed in a Multi-AZ configuration: a standby instance identical to the one in use is replicated on independent physical infrastructure in a different availability zone (within Europe). If the primary database is undergoing maintenance or has failed and does not return to proper operation, the standby is promoted to primary.
- In addition, a daily backup of the database is made, keeping a 30-day history.
- For the files derived from event management (scientific documentation, documents provided by event organizers, files uploaded in response to custom data entry forms, etc.), an incremental backup is made daily, keeping a 7-day history.
- The backup systems used are those of the cloud service provider, which provides resilient storage for them.
- The main platform is deployed for high availability: the serving servers form a load-balanced cluster with rules that autoscale resources according to load-increase criteria.
- The frequency and retention of the backup copies may be extended or improved as the platform and infrastructure require in the future.
- Restricted access through the internal network and a bastion host.
- The platform's file and database systems are accessible only from a bastion server, which in turn is accessible only from the platform's administration network and not from any other network or from the Internet.
- Access by the Symposium team uses a username and password together with asymmetric (public/private) encryption keys.
- Monitoring, auditing and attack detection.
- All servers in the infrastructure are monitored in real time at the level of processes, resource usage and access. In addition, a set of service alerts is defined and automatically sent to the platform administrators to detect brute-force attacks or anomalies in the system.
- A protected logging and auditing system for Symposium's internal network centralizes the logs and audit records of all services. It analyzes anomalous platform behaviour using automatic machine-learning rules and provides dashboards for analyzing the use of the platform and of its multiple instances.
- The logging system alerts the development team when part of the platform may be behaving anomalously, for example repeated failed login attempts, code errors, mail delivery failures or failures accessing the authentication systems of each University or Entity with an instance in Symposium.
- Automatic and manual rules are also in place to block subnets that are carrying out attacks detected by the monitoring or logging systems, based on the alerts recorded.
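The following is an added illustration of the password-hashing point above; it is not SYMPOSIUM's code and the contract does not say whether passwords are salted. It assumes the stored value is the unsalted hex SHA-256 of the password, and uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for a purpose-built slow hash (bcrypt, scrypt or Argon2). The user names, passwords and dictionary are made up.

```python
"""Added example, not SYMPOSIUM code: an offline dictionary attack against an
unsalted SHA-256 password table, beside the same attack against a salted,
iterated derivation. Assumptions are noted inline."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample dictionary an attacker would try first.
DICTIONARY: List[str] = ["123456", "password", "symposium2019", "barcelona", "letmein"]


def sha256_store(password: str) -> str:
    """Unsalted SHA-256 digest (assumed storage format): one fast hash, identical
    for every user who chose the same password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_sha256(leaked: Dict[str, str], dictionary: List[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on unsalted hashes. The candidate table is computed once
    (len(dictionary) hashes) and reused against every stored hash."""
    table = {sha256_store(c): c for c in dictionary}
    found = {user: table[h] for user, h in leaked.items() if h in table}
    return found, len(table)


def pbkdf2_store(password: str, iterations: int, salt: Optional[bytes] = None) -> str:
    """Salted, iterated derivation in a self-describing format: algo$iters$salt$hash."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def crack_pbkdf2(leaked: Dict[str, str], dictionary: List[str]) -> Tuple[Dict[str, str], int]:
    """Same attack against salted PBKDF2. The per-user salt makes a shared table
    useless, so every (user, candidate) pair costs a full derivation."""
    found: Dict[str, str] = {}
    derivations = 0
    for user, stored in leaked.items():
        for cand in dictionary:
            derivations += 1
            if pbkdf2_verify(cand, stored):
                found[user] = cand
                break
    return found, derivations


def demo(iterations: int = 1_000) -> Dict[str, object]:
    """Constructed users: two weak passwords, one strong. `iterations` is kept low
    so the demo runs quickly; production settings for PBKDF2-SHA256 are in the
    hundreds of thousands of rounds."""
    users = {"alice": "password", "bob": "symposium2019", "carol": "Wq9#tL2v$nHk8pZr"}
    sha_found, sha_work = crack_sha256({u: sha256_store(p) for u, p in users.items()}, DICTIONARY)
    pb_found, pb_work = crack_pbkdf2({u: pbkdf2_store(p, iterations) for u, p in users.items()}, DICTIONARY)
    return {
        "sha256_found": sha_found, "sha256_hash_ops": sha_work,
        "pbkdf2_found": pb_found, "pbkdf2_hash_ops": pb_work * iterations,
    }


if __name__ == "__main__":
    print(demo())
```

Both attacks recover the two weak passwords and neither recovers the strong one; the difference is cost. Against the unsalted table the attacker hashes each candidate once for all users, while the salted derivation forces one full derivation per user and per candidate, multiplied by the iteration count. A salt therefore prevents shared work, and the iteration count sets the price of each guess; neither helps a password that is itself in the dictionary.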
The security measures adopted will be subjected to a regular verification, evaluation and assessment process that determines the effectiveness of the technical and organizational measures implemented, thus guaranteeing the security of the treatment.
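As an added illustration of the alerting and subnet-blocking rules described under "Monitoring, auditing and attack detection" (this is example code, not the platform's own detection logic), the following sliding-window rule counts failed logins per source /24 and emits the block list an automatic rule would apply. The log line format, the threshold (5 failures within 60 seconds) and the sample lines are constructed for the example; the contract does not describe the real format or thresholds.

```python
"""Added example, not SYMPOSIUM code: per-subnet brute-force detection over
constructed authentication log lines. Counting per /24 rather than per address
catches an attacker who rotates through addresses in one network."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Tuple

# Invented log format for the example: "<iso-time> auth OK|FAIL user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>[0-9a-fA-F:.]+)$"
)

# Constructed sample: five failures from rotating addresses in 203.0.113.0/24
# within ten seconds, two isolated failures from 198.51.100.0/24, one bad line.
SAMPLE_LOG = """\
2023-05-04T10:00:01Z auth FAIL user=alice src=203.0.113.10
2023-05-04T10:00:03Z auth FAIL user=alice src=203.0.113.11
2023-05-04T10:00:05Z auth FAIL user=bob src=203.0.113.12
this line is malformed and must be skipped
2023-05-04T10:00:07Z auth FAIL user=carol src=203.0.113.13
2023-05-04T10:00:09Z auth OK user=dave src=198.51.100.7
2023-05-04T10:00:11Z auth FAIL user=dave src=203.0.113.14
2023-05-04T10:02:00Z auth FAIL user=erin src=198.51.100.8
2023-05-04T10:02:30Z auth FAIL user=erin src=198.51.100.8
"""


def parse(line: str) -> Optional[Tuple[datetime, str, str, ipaddress._BaseAddress]]:
    """Parse one line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], ipaddress.ip_address(m["src"])


def source_subnet(addr: ipaddress._BaseAddress, v4_prefix: int = 24, v6_prefix: int = 64) -> ipaddress._BaseNetwork:
    """Aggregate an address to the subnet used as the blocking unit."""
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def detect_bruteforce(
    log_text: str,
    threshold: int = 5,
    window: timedelta = timedelta(seconds=60),
    allowlist: Iterable[str] = (),
) -> Dict[str, str]:
    """Return {subnet: time of block} for every subnet that produced `threshold`
    or more failed logins within `window`. Networks in `allowlist` (for example
    the administration network) are never blocked, so a mistyped admin password
    cannot lock out the operators. Lines are assumed to be in time order."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    recent = defaultdict(deque)          # subnet -> timestamps of recent failures
    blocked: Dict[str, str] = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, _user, src = rec
        if result != "FAIL" or any(src in net for net in allowed):
            continue
        subnet = str(source_subnet(src))
        if subnet in blocked:
            continue
        q = recent[subnet]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked[subnet] = ts.isoformat()
    return blocked


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

On the sample, 203.0.113.0/24 is blocked at the fifth failure even though no single address fails more than once, while the two failures from 198.51.100.8 two minutes later stay below the threshold. In a real deployment the returned subnets would be fed to the firewall or security-group rule the contract refers to, and the allowlist would hold the administration and bastion networks.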
The contact point is the one indicated in the email field corresponding to the Data Protection Resp.