Last modified: April 2024
This Data Processing Addendum, including the Annex incorporated herein by reference (“DPA”) supplements the Video Security & Access Control Channel Partner Agreement between Motorola Solutions, Inc., on behalf of itself and its Affiliates (collectively “Motorola”) and ________ (“Customer”) entered into ____________ as it has been modified, amended and supplemented thereto (collectively, the “Agreement”). Unless otherwise defined herein, all capitalized terms shall have the meaning set forth in the Agreement. Customer and Motorola are hereafter referred to collectively as the “Parties,” or individually as a “Party.”
In the event of a conflict between this DPA, the Agreement or any schedule, annex or other addenda to the Agreement, this DPA will prevail with respect to the handling of Customer and end user data, including but not limited to personally identifiable information.
1. Definitions.
All capitalized terms not defined herein must have the meaning set forth in the Agreement.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Customer Contact Data” means contact information Motorola collects from Customer, including but not limited to contact information for Customer’s End Users and their Users, for business contact purposes, including without limitation marketing, advertising, licensing, and sales purposes.
“Data Protection Laws” means all data protection laws and regulations applicable to a Party with respect to the Processing of data accessible as a result of the Agreement and the use or provision of the Products and Services.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“GDPR” means EU General Data Protection Regulation 2016/679.
“Metadata” means data that describes other data.
“Personal Data” means any information relating to an identified or identifiable natural person processed by Motorola at the direction of Customer and Customer’s End Users and their Users as part of Customer Data, Customer Contact Data, End User Data, and Service Use Data. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as accessing, collecting, recording, copying, analyzing, caching, organizing, restructuring, storing, adapting, altering, retrieving, consulting, using, transmitting, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying.
“Processor” means the Party engaged in Processing data on behalf of the Controller.
“End User Data” means data including but not limited to images, text, videos, and audio, that are provided to Motorola by, through, or on behalf of Customer’s end user and their authorized users, through the use of the Products and Services. End User Data does not include Service Use Data, other than that portion comprised of Personal Data.
“Customer Data” means data related to Customer and made available to Motorola in connection with their business relationship or through use of Products and Services.
“Security Incident” means an incident leading to the accidental or unlawful destruction, loss, alteration or disclosure of, or access to Customer Data or End User Data, which may include Personal Data, while processed by Motorola.
“Service Use Data” means data generated about the use of the Products and Services through Customer end users’ use of or Motorola’s support of the Products and Services, which may include metadata (data about data), Personal Data, product performance and error information, activity logs, and date and time of use.
“Sub-processor” means other Processors engaged by Motorola to Process Customer Data or End User Data which may include Personal Data, as outlined on the following website: https://www.motorolasolutions.com/en_us/about/trust-center/privacy/data-sub-processors.html.
2. Processing of Customer Data and End User Data PERSONAL DATA
3. Service Use Data. Customer understands and agrees that Motorola may collect and use Service Use Data (which shall be anonymized and sanitized to exclude Personal Data) for its own purposes, provided that such purposes are compliant with applicable Data Protection Laws. Service Use Data may be processed by Motorola at any of its global locations and/or disclosed to Sub-processors.
4. Motorola as a Controller or Joint Controller. In all instances where Motorola acts as a Controller it must comply with the applicable provisions of the Privacy Statement at: https://www.avigilon.com/privacy as each may be updated from time to time (the “Privacy Statement”). Motorola holds all Customer Contact Data as a Controller and must Process such Customer Contact Data in accordance with the Privacy Statement and the Agreement. Notwithstanding anything to the contrary, Motorola may use Customer Contact Data solely for purposes of fulfilling its obligations under the Agreement.
5. Sub-processors.
6. Data Subject Requests. Motorola must, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject, including without limitation requests for access to, correction, amendment, transport or deletion of such Data Subject’s Personal Data (“Data Subject Request”). If the Data Subject is Customer’s end user, Motorola will not respond to the Data Subject Request, and Customer authorizes Motorola to redirect the Data Subject Request to Customer for action. Customer will make a commercially reasonable effort to communicate the Data Subject Request to the applicable Customer end user in an effort to ensure that all such Data Subject Requests are handled by the applicable Customer end user in a timely manner and in compliance with Data Protection Laws. To the extent applicable, Motorola must provide Customer with commercially reasonable cooperation and assistance in relation to any Data Subject Request. Customer is responsible for any reasonable costs arising from Motorola’s provision of such assistance to Customer or Customer end users under this Section.
7. Data Transfers. Motorola agrees that it must not make transfers of Personal Data under this Agreement from one jurisdiction to another, or otherwise Process Personal Data unless all such actions are performed in compliance with this DPA and applicable Data Protection Laws. Motorola agrees to enter into appropriate agreements with its Sub-processors, which will permit Motorola to transfer Personal Data to its Sub-processors. Motorola agrees to amend as necessary the Agreement to permit transfer of Personal Data from Motorola to Customer’s end users. Motorola also agrees to assist the Customer in entering into agreements with its affiliates, Customer end users and Sub-processors if required by applicable Data Protection Laws for necessary transfers.
8. Security. Motorola must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed by the Processing of Personal Data, taking into account the costs of implementation; the nature, scope, context, and purposes of the Processing; and the risk of varying likelihood and severity of harm to the Data Subjects. The appropriate technical and organizational measures implemented by Motorola are set forth in Annex I. In assessing the appropriate level of security, Motorola must weigh the risks presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise Processed.
9. Security Incident Notification. If Motorola becomes aware of a Security Incident, then Motorola must (i) notify Customer, Customer end users, and Data Subjects, of the Security Incident without undue delay and, in any case, in compliance with timeframes dictated by applicable law, (ii) investigate the Security Incident and apprise Customer of the details of the Security Incident and (iii) take reasonable steps (but no less than legally required steps) to stop any ongoing loss of Personal Data due to the Security Incident to the extent in the control of Motorola or its Sub-processors. Notification of a Security Incident must not be construed as an acknowledgement or admission by Motorola of any fault or liability in connection with the Security Incident. Motorola must make reasonable efforts to assist Customer in fulfilling Customer’s obligations under Data Protection Laws to notify the relevant supervisory authority and Data Subjects about such incident.
10. Data Retention and Deletion. Except for anonymized Service Use Data, or as otherwise provided under the Agreement, Motorola must delete (in accordance with all applicable laws) all Customer Data and End User Data no later than ninety (90) days following termination or expiration of the Agreement or applicable order unless otherwise required to comply with applicable law.
11. Audit Rights
12. Regulation Specific Terms
13. Motorola Contact. If Customer believes that Motorola is not adhering to its privacy or security obligations hereunder, Customer must contact the Motorola Data Protection Officer at Motorola Solutions Connectivity, Inc., 500 W. Monroe, Chicago, IL USA 90661 – 3618 or at privacy1@motorolasolutions.com.
Motorola Solutions, Inc. Customer: [___________]
By: ______________________________ By: ______________________________
Name: ___________________________ Name: ____________________________
Title: _____________________________ Title: _____________________________
Date: ____________________________ Date: ____________________________
Schedule 1
Cross Border Transfer Mechanisms
1.1 “Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.
1.2 “UK IDTA” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022.
2. Cross Border Data Transfer Mechanisms.
2.1 2021 Standard Contractual Clauses. The parties agree that the 2021 Standard Contractual Clauses will apply to personal data that is transferred via the Services from the European Economic Area or Switzerland, either directly or via onward transfer, to any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for personal data. For data transfers from the European Economic Area that are subject to the 2021 Standard Contractual Clauses (https://commission.europa.eu/publications/sta), the 2021 Standard Contractual Clauses will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
(a) Module Two (Controller to Processor) of the Standard Contractual Clauses will apply where Customer is the Controller and Motorola is the Processor.
(b) Module Three (Processor to Processor) of the Standard Contractual Clauses will apply where Customer is the Processor and Motorola is the Sub-Processor.
(c) For each Module, where applicable:
| | Module 2: Controller to Processor | Module 3: Processor to Processor |
|---|---|---|
| Clause 7 (Docking Clause) | Intentionally Omitted | Intentionally Omitted |
| Clause 9 (Use of Sub-processors) | Option 2: General Written Authorisation 30 business days | Option 2: General Written Authorisation 30 business days |
| Clause 11 (Redress) | Intentionally Omitted | Intentionally Omitted |
| Clause 13 (Supervision). Option 1: Where the data exporter is established in an EU Member State; Option 2: Where the data exporter is not established in an EU Member State and has appointed a representative; Option 3: Where the data exporter is not established in an EU Member State without having to appoint a representative | Option 1, Option 2 and/or Option 3 applies in accordance with whether the exporter(s) is/are established in an EU Member State and has/have appointed a representative. | Option 1, Option 2 and/or Option 3 applies in accordance with whether the exporter(s) is/are established in an EU Member State and has/have appointed a representative. |
| Clause 14 (Local laws and practices affecting compliance with the Clauses) | Applicable | Applicable |
| Clause 15 (Obligations of the data importer in case of access by public authorities) | Applicable | Applicable |
| Clause 17 (Governing law) | Denmark | Denmark |
| Clause 18 (Choice of forum and jurisdiction) | Denmark | Denmark |
| Appendix: Annex I: A | Data Exporter and Data Importer: Motorola and Subprocessors, as applicable. Contact Details: Motorola: privacy1@motorolasolutions.com. The Data Exporter’s role is as set forth in the Agreement. The Data Importer’s role is as set forth in the Agreement. Signature and Date: By entering into the Agreement, Data Exporter and Data Importer are deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement. | |
| Appendix: Annex I: B | The Categories of data subjects are described in Schedule [ ] (Details of Processing) of this Addendum. Sensitive Data transferred is described in Section [ ] of Schedule [ ] (Details of Processing) of this Addendum. The frequency of the transfer is a continuous basis for the duration of the Agreement or as may otherwise be specified in the Agreement, a Work Order or a Purchase Order. The nature of the processing is described in Section [ ] of this Addendum. The period for which the personal data will be retained is described in Section [ ] (Details of Processing) of this Addendum. | |
| Appendix: Annex I: C (Competent Supervisory Authority) | Datatilsynet (Danish Data Protection Agency) | Datatilsynet (Danish Data Protection Agency) |
| Link to Sub-processor list (Optional) | This Annex must be completed for Modules Two and Three, in case of the specific authorisation of sub-processors (Clause 9(a), Option 1). However, MSI requires it to be filled out in either case, with a link to an online subprocessor list being sufficient. Controller shall inform, in writing, of any intended changes to the agreed list of sub-processors. The controller has authorised the use of the following sub-processors: 1. Name: … Address: … Contact person’s name, position and contact details: … Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): … | |
| Annex II | Schedule 2 (Technical and Organizational Security Measures) of this Addendum serves as Annex II of the Standard Contractual Clauses. | |
2.2 Data Transfers From Switzerland. For data transfers from Switzerland that are subject to the Standard Contractual Clauses, the Standard Contractual Clauses will be deemed entered into (and incorporated into this Addendum by this reference) and completed as set out in Section 2.1 of this Schedule 1, subject to the following modifications:
(i) references to “EU Member State” and “Member State” will be interpreted to include Switzerland, and
(ii) insofar as the transfer or onward transfers are subject to the Swiss Federal Act on Data Protection, as revised (FADP):
(1) references to “Regulation (EU) 2016/679” are to be interpreted as references to the FADP;
(2) the “competent supervisory authority” in Annex I, Part C will be the Swiss Federal Data Protection and Information Commissioner;
(3) in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by the laws of Switzerland; and
(4) in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Switzerland.
2.3 UK International Data Transfer Agreement. The parties agree that the UK IDTA will apply to personal data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body as providing an adequate level of protection for personal data. For data transfers from the United Kingdom that are subject to the UK IDTA, the UK IDTA will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
(a) In Table 1 of the UK IDTA, the parties’ details and key contact information is located in Section 2.1(d)(vi) of Schedule 3 of this Addendum.
(b) In Table 2 of the UK IDTA, information about the version of the Approved EU SCCs, modules and selected clauses which this UK International Data Transfer Agreement is appended to is located in Section 2.1 of this Addendum.
(c) In Table 3 of the UK IDTA:
1. The list of Parties is located in Section 2.1(d)(vi) of Schedule 3 of this Addendum.
2. The description of the transfer is set forth in Section 1 (Nature and Purpose of the Processing) of Schedule 1 (Details of the Processing) of this Addendum.
3. Annex II is located in Schedule 2 (Technical and Organizational Security Measures) of this Addendum.
(d) In Table 4 of the UK IDTA, both the Importer and the Exporter may end the UK IDTA in accordance with the terms of the UK IDTA.
SCHEDULE 2
ANNEX I
DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Data subjects include the data exporter’s representatives and end-users including employees, contractors, collaborators, and customers of the data exporter. Data subjects may also include individuals attempting to communicate or transfer personal information to users of the services provided by data importer. Motorola acknowledges that, depending on Customer’s or End Users’ use of the Online Service, Customer or End User may elect to include personal data from any of the following types of data subjects in the Customer or End User Data:
Employees, contractors, and temporary workers (current, former, prospective) of data exporter;
Dependents of the above;
Data exporter’s collaborators/contact persons (natural persons) or employees, contractors or temporary workers of legal entity collaborators/contact persons (current, prospective, former);
Users (e.g., customers, clients, visitors, etc.) and other data subjects that are users of data exporter’s services;
Partners, stakeholders or individuals who actively collaborate, communicate or otherwise interact with employees of the data exporter and/or use communication tools such as apps and websites provided by the data exporter;
Stakeholders or individuals who passively interact with data exporter (e.g., because they are mentioned in documents or correspondence from or to the data exporter);
Minors; or
Professionals with professional privilege (e.g., doctors, lawyers, notaries, religious workers, etc.).
Categories of personal data transferred
Depending on Customer’s use of the Products and Services, Customer may elect to include personal data from any of the following categories in the Customer Data:
Basic personal data (for example place of birth, street name, and house number (address), postal code, city of residence, country of residence, mobile phone number, first name, last name, initials, email address, gender, date of birth);
Authentication data (for example user name, password or PIN code, security question, audit trail);
Contact information (for example addresses, email, phone numbers, social media identifiers; emergency contact details);
Unique identification numbers and signatures (for example Social Security number, bank account number, passport and ID card number, driver’s license number and vehicle registration data, IP addresses, employee number, student number, signature, unique identifier in tracking cookies or similar technology);
Pseudonymous identifiers;
Financial and insurance information (for example insurance number, bank account name and number, credit card name and number, invoice number, income, type of assurance, payment behavior);
Commercial Information (for example history of purchases, special offers, subscription information, payment history);
Biometric Information (for example fingerprints and iris scans);
Location data (for example, Cell ID, geo-location network data, location data derived from use of wifi access points);
Photos, video, and audio;
Internet activity (regarding the use of Motorola’s solutions and equipment);
Device identification (for example IMEI-number, SIM card number, MAC address);
Profiling (for example based on apps installed, or profiles based on marketing preferences);
HR and recruitment data (for example declaration of employment status, recruitment information (such as curriculum vitae, employment history, education history details), job and position data, including worked hours, assessments and salary, work permit details, availability, terms of employment, tax details, payment details, insurance details and location, and organizations);
Citizenship and residency information (for example citizenship, naturalization status, marital status, nationality, immigration status, passport data, details of residency or work permit);
Information processed for the performance of a task carried out in the public interest or in the exercise of an official authority;
Special categories of data (biometric data for the purpose of uniquely identifying a natural person); or
Any other personal data identified in Article 4 of the GDPR.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
To the extent that a solution sold under an Agreement requires the processing of sensitive personal information, it will be restricted to the minimum processing necessary for the solution functionality and be subject to technical security measures appropriate to the nature of the information.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Data may be transferred on a continuous basis during the term of the Agreement or MCA (as applicable), or other agreement to which this DPA applies.
Nature of the processing
The nature, scope and purpose of processing personal data is to carry out performance of Motorola’s obligations with respect to provision of the Products and Services purchased under the Agreement or MCA (as applicable) and applicable Ordering Documents. The data importer utilizes a global network of data centers and management/support facilities, and processing may take place in any jurisdiction where data importer or its sub-processors utilize such facilities, as long as in accordance with the applicable legal obligations of the data exporter.
Purpose(s) of the data transfer and further processing
The nature, scope and purpose of processing personal data is to carry out performance of Motorola’s obligations with respect to provision of the Products and Services purchased under the Agreement or MCA (as applicable) and applicable Ordering Documents. The data importer utilizes a global network of data centers and management/support facilities, and processing may take place in any jurisdiction where data importer or its sub-processors utilize such facilities, as long as in accordance with the applicable legal obligations of the data exporter.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Data retention is governed by Section 10 of this Data Processing Addendum.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Transfers to sub-processors will only be for carrying out the performance of Motorola’s obligations with respect to provision of the Products and Services purchased under the Agreement or MCA (as applicable) and applicable Ordering Documents. The duration of the processing will be for the term of the Agreement or MCA (as applicable). The data importer utilizes a global network of data centers and management/support facilities, and processing may take place in any jurisdiction where data importer or its sub-processors utilize such facilities, as long as in accordance with the applicable legal obligations of the data exporter.
SCHEDULE 3
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Measures of pseudonymization and encryption of personal data
Where technically feasible and when not impacting services provided:
Motorola minimizes the data it collects to information it believes is necessary to communicate, provide, and support products and services and information necessary to comply with legal obligations.
Motorola encrypts in transit and at rest.
Motorola pseudonymizes and limits administrative accounts that have access to reverse pseudonymization.
In order to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services, Motorola Solutions Information Protection policy mandates the institutionalization of information protection throughout solution development and operational lifecycles. Motorola maintains dedicated security teams for its internal information security and its products and services. Its security practices and policies are integral to its business and mandatory for all Motorola employees and contractors. The Motorola Chief Information Security Officer maintains responsibility and executive oversight for such policies, including formal governance, revision management, personnel education and compliance. Motorola generally aligns to the NIST Cybersecurity Framework as well as ISO 27001.
Some of the system configuration is under the control of the customer.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Security Incident Procedures Motorola maintains a global incident response plan to address any physical or technical incident in an expeditious manner. Motorola maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and the procedure for recovering data. For each security breach that is a Security Incident, notification will be made in accordance with the Security Incident Notification section of this DPA.
Business Continuity and Disaster Preparedness Motorola maintains business continuity and disaster preparedness plans for critical functions and systems within Motorola’s control that support the Products and Services purchased under the Agreement in order to avoid services disruptions and minimize recovery risks.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
Motorola periodically evaluates its processes and systems to ensure continued compliance with obligations imposed by law, regulation or contract with respect to the confidentiality, integrity, availability, and security of Customer Data and End User Data, including personal information. Motorola documents the results of these evaluations and any remediation activities taken in response to such evaluations. Motorola periodically has third party assessments performed against applicable industry standards, such as ISO 27001, 27017, 27018 and 27701.
Measures for user identification and authorization
Identification and Authentication. Motorola uses industry standard practices to identify and authenticate users who attempt to access Motorola information systems. Where authentication mechanisms are based on passwords, Motorola requires that the passwords are at least eight characters long and are changed regularly. Motorola uses industry standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage.
Access Policy and Administration. Motorola maintains a record of security privileges of individuals having access to Customer Data and End User Data including personal information. Motorola maintains appropriate processes for requesting, approving and administering accounts and access privileges in connection with the processing of data. Only authorized personnel may grant, alter or cancel authorized access to data and resources. Where an individual has access to systems containing Customer Data and End User Data, the individuals are assigned separate, unique identifiers. Motorola deactivates authentication credentials on a periodic basis.
Measures for the protection of data during transmission
Data is generally encrypted during transmission within the Motorola managed environments. Encryption in transit is also generally required of any sub-processors. Further, protection of data in transit is also achieved through the access controls, physical and environmental security, and personnel security described throughout this Annex I.
Measures for the protection of data during storage
Data is generally encrypted during storage within the Motorola managed environments. Encryption in storage is also generally required of any sub-processors. Further, protection of data in storage is also achieved through the access controls, physical and environmental security, and personnel security described throughout this Annex I.
Measures for ensuring physical security of locations at which personal data are processed
Motorola maintains appropriate physical and environment security controls to prevent unauthorized access to Customer Data and End User Data, including personal information. This includes appropriate physical entry controls to Motorola facilities such as card-controlled entry points, and a staffed reception desk to protect against unauthorized entry. Access to controlled areas within a facility will be limited by job role and subject to authorized approval. Use of an access badge to enter a controlled area will be logged and such logs will be retained in accordance with Motorola policy. Motorola revokes personnel access to Motorola facilities and controlled areas upon separation of employment in accordance with Motorola policies. Motorola policies impose industry standard workstation, device and media controls designed to further protect Customer Data and End User Data, including personal information.
Measures for ensuring personnel security
Access to Customer Data and End User Data. Motorola maintains processes for authorizing and supervising its employees, and contractors with respect to monitoring access to Customer Data and End User Data. Motorola requires its employees, contractors and agents who have, or may be expected to have, access to Customer Data and End User Data to comply with the provisions of the Agreement, including this Annex and any other applicable agreements binding upon Motorola.
Security and Privacy Awareness. Motorola must ensure that its employees and contractors remain aware of industry standard security and privacy practices, and their responsibilities for protecting Customer and End User Data. This must include, but not be limited to, protection against malicious software, password protection and management, and use of workstations and computer system accounts. Motorola requires periodic information security training, privacy training, and business ethics training for all employees and contract resources.
Sanction Policy. Motorola maintains a sanction policy to address violations of Motorola’s internal security requirements as well as those imposed by law, regulation, or contract.
Background Checks. Motorola follows its standard mandatory employment verification requirements for all new hires. In accordance with Motorola internal policy, these requirements must be periodically reviewed and include, but may not be limited to, criminal background checks, proof of identity validation and any additional checks as deemed necessary by Motorola.
Measures for ensuring events logging
Motorola maintains policies requiring continuous monitoring and event logging on all production information resources. Application audit trail logs must be captured on all production Motorola information resources. Audit trail logs of production Motorola information resources are regularly reviewed and appropriate remedial actions are taken when necessary.
Measures for ensuring system configuration, including default configuration
Motorola on-site systems are provided with a default secure configuration that may require end user input to complete the secure configuration. For example, some default configurations must be changed by the end user to maintain a secure system (e.g., default usernames and passwords, connecting to Active Directory, etc.). Completing the secure configuration depends on end user input to transition from the default secure configuration to a secure configuration.
Measures for internal IT and IT security governance and management
The Motorola Solutions Enterprise Information Security organization is structured as follows: Governance/Risk/Compliance, Threat Intelligence & Vulnerability Management, Detection, Protection, and Response. Motorola assesses the organization’s effectiveness annually via external assessors who report and share the assessment findings with Motorola Audit Services, which tracks any identified remediations. For more information, please see the Motorola Trust Center at https://www.motorolasolutions.com/en_us/about/trust-center/security.html
Measures for certification/assurance of processes and products
Motorola performs internal Secure Application Review and Secure Design Review security audits and Production Readiness Review security readiness reviews prior to service release. Where appropriate, privacy assessments are performed for Motorola’s products and services. A risk register is created as a result of internal audits with assignments tasked to appropriate personnel. Security audits are performed annually with additional audits as needed. Additional privacy assessments, including updated data maps, occur when material changes are made to the products or services. Further, Motorola Solutions has achieved AICPA SOC2 Type 2 reporting and ISO/IEC 27001:2013 certification for many of its development and support operations.
Measures for ensuring data minimization
Motorola policies require processing of all personal information in accordance with applicable law, including when that law requires data minimization. Further, Motorola conducts privacy assessments of its products and services and evaluates if those products and services support the principles of processing, such as data minimization.
Measures for ensuring data quality
Motorola policies require processing of all personal information in accordance with applicable law, including when that law requires ensuring the quality and accuracy of data. Further, Motorola conducts privacy assessments of its products and services and evaluates if those products and services support the principles of processing, such as ensuring data quality.
Measures for ensuring limited data retention
Motorola maintains a data retention policy that provides a retention schedule outlining storage periods for personal data. The schedule is based on business needs and provides sufficient information to identify all records and to implement disposal decisions in line with the schedule. The policy is periodically reviewed and updated.
Measures for ensuring accountability
To ensure compliance with the principle of accountability, Motorola maintains a Privacy Program which generally aligns its activities to both the Nymity Privacy Management and Accountability Framework and NIST Privacy Framework. The Privacy Program is audited annually by Motorola Solutions Audit Services.
Measures for allowing data portability and ensuring erasure
When subject to a data subject request to move, copy or transfer their personal data, Motorola will provide personal data to the Controller in a structured, commonly used and machine readable format. Where possible and if the Controller requests it, Motorola can directly transmit the personal information to another organization.
For transfers to Sub-processors,
If, in the course of providing Products and Services under the Agreement, Motorola transfers information containing Personal Data to third parties, prior to said transfer Motorola shall ensure said third parties will be subjected to a security assessment and bound by obligations substantially similar, but at least as stringent, as those included in this DPA.