DEFINITIONS
erwin, Inc. (“erwin”), acts only as a Data Processor in the following situations:
erwin acts in this capacity with respect to the Personal Information processed pursuant to the contract between the customer, as Data Controller, and erwin, as the service provider and Data Processor.
In providing our services we do not own, control or direct the use of the Service Data stored or processed on our platform; we process it only at the direction of our customers. We are largely unaware of what information is actually being stored on our platform and access it only as authorised by our customers (the Data Controllers) or as required by law.
The Data Controller retains overall responsibility for the Service Data that it places into any of the SaaS or BYOL hosting platforms. erwin, in its role as Data Processor, will carry out its responsibilities and keep that data secure through the technical and operational controls it has in place.
erwin, Inc. as a Data Processor agrees to:
Customer as a Data Controller agrees:
From a privacy perspective, any information stored within the Service Data itself is under the control of the customer (the Data Controller of the Service Data), with erwin acting as the Data Processor. Like many SaaS and BYOL hosting companies, erwin operates a shared responsibility model in coordination with its customers (the Data Controllers). It is the responsibility of the customer to ensure that certain data types are not put into the erwin services for processing.
erwin limits the personal information it processes, in its role as Data Processor, to the information needed for a user to access and use the service being provided, or to respond to a technical support request, as part of the contract. This means only a username and corporate email address, which allow a user record to be created and maintained within a SaaS or BYOL hosting system, or a reply to be sent on a support ticket the user has opened.
Once this information is no longer needed within a SaaS or BYOL hosting environment, the user can be removed or anonymised: no personal information remains, and the record is changed to a non-identifiable number/string. Use of SAML 2.0 allows the Data Controller to retain full control over this information, with log-in handled by the customer's own identity provider (IdP) rather than by erwin.
Review the user information and Service Data shared with erwin and ensure that you do not share any unneeded or sensitive Personal Information (health-related data, SSNs, driver's license numbers, credit card numbers, passport numbers, etc.).
We take our data responsibilities seriously, including compliance with data security and privacy regulations such as the General Data Protection Regulation (GDPR). Under the GDPR you have the "right to be forgotten", that is, the right to ask us to delete all information about you that currently resides in our systems. Where we do not need to keep the information to comply with our legal retention requirements, we will try to comply with such requests.
Where this Personal Information is processed within a SaaS/BYOL hosting system, or within the technical support ticketing system, it is processed for the purposes of system log-in or communication as part of delivering the contract. erwin, as a Data Processor, will forward any inquiries it receives directly from individual service users to the responsible Data Controller (the requestor's customer admin user), so that requests are carried out as part of the Data Controller's responsibilities to its end users. Note that a removal request means the end user will no longer be able to use these services.
If you want erwin to delete your information, please email us at privacy@erwin.com.
Customer SaaS and BYOL hosting environments are established in one of the AWS or Azure data center regions, based on where the customer chooses the base Service Data location to be. The customer's Service Data subsequently remains in that region unless otherwise agreed between the customer and erwin, but may be shifted among data centers within that region to ensure resiliency and availability of the services (where applicable).
Currently, the erwin production systems consist of
The Personal Information stored within the systems that offer these services is retained under the contract with the Data Controller purchasing the service from erwin. The personal data is kept for the duration of the service contract/subscription, unless removed by the Data Controller beforehand. The Data Controller may request an extension of up to 30 days after the end of a service contract/subscription, during which the data can be restored to aid data export activities. After the 30-day extension the data is permanently removed from the system, but may remain in standard backup cycles for a total of 60 days.
erwin undertakes to implement the following general security principles:
Some of the technical security measures that erwin undertakes as part of its SaaS and BYOL Hosting services are:
Within the SaaS and BYOL hosting service environments, erwin will not transfer, access or process any Personal Information outside the EU without the express consent of the Data Controller (the customer). All core Service Data resides within the data center region chosen by the Data Controller.
Notwithstanding this, customers should review erwin's Subprocessor list below to ensure they are aware of where all data components are stored or processed for the different elements of the wider service ecosystem that may be in use within the service being provided.
To offer these services for SaaS and BYOL Hosting, erwin uses certain Subprocessors to provide key components of the service and wider ecosystem, as explained in the table below.
erwin undertakes a due diligence process in which it evaluates the security, privacy and confidentiality practices of approved Subprocessors that may have access to information within the service in order to carry out activities on erwin's behalf. This is done annually, as part of erwin's ISO 27001 and data protection activities.
erwin requires its Subprocessors to satisfy obligations equivalent to those required of erwin (as a Data Processor) by its end customers. These requirements are set forth in a Data Processing Agreement (DPA) and include, but are not limited to, the requirements to:
erwin makes use of a few Subprocessors to supply the infrastructure used to host Service Data submitted to the SaaS and BYOL Hosting services offered. The following table describes the Subprocessors engaged in the storage and delivery of SaaS and BYOL Hosting services.
Entity Name | Entity Type | Entity Country
--- | --- | ---
Amazon Web Services, Inc. | Cloud Service Provider and associated services | Headquartered in United States (this is not the location of Service Data processing activities; the primary processing location is chosen by the customer)
Microsoft Azure | Cloud Service Provider and associated services | Headquartered in United States (this is not the location of Service Data processing activities; the primary processing location is chosen by the customer)
erwin works with certain third parties to provide specific functionality within the wider services ecosystem. These providers are the Subprocessors set forth below. To provide the relevant functionality, these Subprocessors do not directly access Service Data that the Customer places into the service, but they may have access to surrounding Personal Data, which is processed in order to be able to deliver their function.
Entity Name | Purpose | Applicable Services | Entity Country
--- | --- | --- | ---
Zendesk | erwin uses Zendesk for its SaaS support and ticketing system. erwin customers and their end users create accounts directly in the system, with an email address and username. The Zendesk system processes end users' information as needed, only to allow communication back and forth on bug tickets, enhancement requests and any other questions raised with the erwin support team. The only information Zendesk has access to for this purpose is end-user name and corporate email address. | Technical Product Support | United States
Nalpeiron | erwin uses Nalpeiron for its SaaS, web-based licensing system for the erwin DM product (not for all licensing). The Nalpeiron system processes end users' information as needed, only to allow communication back and forth between the licensed software and its entitlement service, providing ongoing entitlement to identified users. The only information Nalpeiron has access to for this purpose is the corporate email address entered by end users. | erwin Data Modeler Product Licensing | United States
LogicMonitor | LogicMonitor primarily processes IT systems health, status and performance data from information technology systems used within Hosting (BYOL) and SaaS environments. | Hosting (BYOL) Service, for erwin Data Modeler and erwin Data Intelligence | United States
Trend Micro Cloud One – Workload Security | Trend Micro offers a variety of data security products and services, including anti-virus, anti-malware and other software and cloud products around IDS/IPS. Data categories may include IP addresses, URL strings and various other unstructured or structured information, which could include personal data. | Hosting (BYOL) Service, for erwin Data Modeler and erwin Data Intelligence | United States
erwin will notify customers via this policy of the appointment of any new Subprocessor, or of any change to an existing Subprocessor, that will materially affect the processing of Personal Information in activities where erwin assumes the role of Data Processor (the delivery of SaaS or BYOL hosting services and technical support) within its wider ecosystem.
The customer may object to the appointment of, or any change in, a Subprocessor where it has reasonable grounds for doing so. In such circumstances erwin shall be entitled to address the objection through one of the following options, at its sole discretion:
A Personal Information breach is a breach of security that results in the loss, destruction, alteration, unauthorised disclosure of, or access to, personal data. All Service Data breaches and incidents are reported in accordance with corporate IT security policies, immediately notified to the appropriate internal stakeholder and escalated to the Executive Leadership Team. Where a breach is likely to have a significant detrimental effect on individuals, it will be reported to the responsible Data Controllers within 48 hours of breach confirmation and identification of the impacted data.
erwin's SaaS and BYOL hosting environments and processes are audited annually to the ISO 27001 standard by an independent third party. erwin also performs continual due diligence on its infrastructure suppliers, AWS and Microsoft Azure, including the physical and environmental security of their hardware and data centers, so that its customers can rely on the wide array of certifications those suppliers hold.
Version 1.1. Effective from 8 December 2020.
Previous Versions:
Version 1