INTRODUCTION AND DEFINITIONS
We are providing this Disclosure Notice (“Notice”) because you (a) have a business relationship with Harmonic (as defined below) as Harmonic’s client (“Client Relationship”); or (b) are employed by or retained by Harmonic as employee, independent contractor or vendor (“Employment/Vendor Relationship”).
In this Notice certain other defined terms appear, whose meaning is as follows:
(i) “Business Relationship” means any of a Client Relationship, or Employment/Vendor Relationship (as the context so admits);
(ii) the “Business Relationship Contract” shall mean:
- In the case of a Client Relationship, the services agreement (howsoever called) (for example, administration agreement) between Harmonic and its client; and
- In the case of an Employment/Vendor Relationship, the employment contract, professional services agreement or vendor agreement (howsoever called) between Harmonic and its employee, independent contractor, or vendor;
(iii) “Cloud” means the service whose key characteristics are as described in Annex A, which is the de-facto standard published by the US National Institute of Standards and Technology (NIST);
(iv) “Harmonic” means the relevant Harmonic Group operating entity which has the Business Relationship with you;
(v) “Infrastructure-as-a-Service” (“IaaS”) means the service model whose key characteristics are as described in Annex A, which is the de-facto standard published by NIST;
(vi) “Platform-as-a-Service” (“PaaS”), means the service model whose key characteristics are as described in Annex A, which is the de-facto standard published by NIST; and
(vii) “Software-as-a-Service” (“SaaS”), means the service model whose key characteristics are as described in Annex A, which is the de-facto standard published by NIST.
For ease of reference, current operating entities of Harmonic Group and their locations are as follows:
- Harmonic Fund Services (Cayman Islands)
- Harmonic Consulting Ltd. (Cayman Islands)
- Wavelength Financial Technology Ltd (Cayman Islands)
- Harmonic Corporate Services Limited (Cayman Islands)
- Ancova Limited (Cayman Islands)
- Harmonic Fund Services Canada Inc. (Toronto)
- Harmonic SA (Geneva)
- Harmonic Fund Services Ireland Limited (Dublin)
- Harmonic Consulting Ireland Limited (Dublin)
- Harmonic Fund Services Luxembourg S.A. (Luxembourg)
- Harmonic Fund Services (Shanghai) Co., Ltd. (Shanghai)
CLOUD MIGRATION INITIATIVE
Harmonic Group shall move to a Cloud computing model for the delivery of some of its IT services beginning in Q1 2019. Harmonic Group has taken this decision because it is confident that Cloud offers the cost-effectiveness, agility and security necessary to support Harmonic Group’s businesses over the immediate and longer terms.
This Notice outlines key details of this new Cloud initiative in the context of your Business Relationship with Harmonic.
HARMONIC GROUP CLOUD POLICY
Harmonic Group has developed a Cloud policy requiring a thorough review of any Cloud service, including a detailed risk assessment, prior to consideration for usage. That assessment for this initiative has concluded that the planned migration to Cloud services as described in this Notice will meet or exceed the overall current state of security and confidentiality controls in place within Harmonic Group.
CLOUD SERVICE MODEL AND DEPLOYMENT MODEL
There are various service models and deployment models relating to Cloud as published by NIST. Those Cloud service models are Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS), all as defined above. All three of those service models will be adopted by Harmonic Group as part of the Cloud computing migration initiative described in this Notice. The general strategy for the selection of each model is to use SaaS as a first choice where practical, then use PaaS as a second choice where practical, and lastly use IaaS only where a move to a Cloud service is beneficial, but neither SaaS nor PaaS is deemed practical.
Harmonic Group has long operated a highly virtualized environment in a “private” Cloud deployment model. That “private” Cloud model will remain, but as part of this Cloud migration initiative, Harmonic Group will also be introducing “public” and “hybrid” Cloud deployment models to its overall technology infrastructure.
CLOUD SERVICE PROVIDERS
Microsoft Corporation (“Microsoft”) of One Microsoft Way, Redmond, Washington, 98052, USA shall be the first Cloud services provider engaged to provide Cloud services to Harmonic Group. Microsoft is not related to or affiliated with Harmonic Group in any way and is not an agent or delegate of any Affiliate of Harmonic Group. You should note that the data shall be stored or processed by Microsoft on servers located in Canada, Ireland, and the Netherlands.
Multiple services of Microsoft will be leveraged by Harmonic Group including (but not limited to) Office365 and Azure.
The accreditations of Microsoft include (but are not limited to):
- SOC1 Type 2
- SOC2 Type 2
- ISO 27001
- ISO 27017
- ISO 27018
A full list of accreditations and audits can be found at https://www.microsoft.com/en-us/trustcenter/guidance/risk-assessment
Microsoft is an industry leader in data security, privacy, and compliance controls in Cloud environments. To review details of measures taken by Microsoft in those areas please visit https://www.microsoft.com/en-us/trustcenter/default.aspx.
You should note that, as part of Harmonic’s new Cloud initiative, Harmonic may engage other Cloud service providers in addition to or instead of Microsoft. In this Notice Microsoft and any other such Cloud services provider is referred to as a “CSP”.
PRIVACY CONSIDERATIONS AND GDPR
Data protection legislation and regulations apply to Cloud in the same way as any other technology where data is concerned. Accordingly, data (which for the avoidance of doubt shall include data relating to investors in a fund client for which client Harmonic performs administrator and/or registrar and transfer agent services pursuant to a Client Relationship) will be transferred to a CSP and be used and retained by the CSP in accordance with all relevant laws and regulations.
We refer to the Harmonic Group Disclosure Notice dated 24 April 2018 Regarding Compliance with EU General Data Protection Regulation (“GDPR”), which has already been sent to you and which is also available on Harmonic Group’s website under the “Legal” tab (“GDPR Disclosure Notice”). In respect of any data transferred by Harmonic Group to a CSP (to be held in the Cloud) which is Personal Data as defined in the GDPR, the GDPR will continue to apply to the transfer of such Personal Data to the CSP and the use and retention of that Personal Data by the CSP. You should note that for the purposes of the GDPR Microsoft is, and it is expected that any other CSP will be, a “Permitted Processor” of Harmonic, as such term is defined in the GDPR Disclosure Notice and your Business Relationship Contract (as amended). The continuation of your Business Relationship with Harmonic shall constitute your agreement to Harmonic’s transfer of your Personal Data to a CSP (being, for the avoidance of doubt, Microsoft and any other CSP engaged in addition to or instead of Microsoft) for use and retention as described in this Notice.
GETTING IN TOUCH
Harmonic Group has designated a Group-wide Cloud Officer to whom all Cloud-related queries (“Cloud Queries”) may be directed. The contact email for Cloud Queries is:
ANNEX A – NIST DEFINITIONS COMMONLY USED IN CLOUD COMPUTING
CLOUD – KEY CHARACTERISTICS
On-demand self-service.
A data owner can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
Broad network access.
Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (eg mobile phones, tablets, laptops and workstations).
Resource pooling.
The provider’s computing resources are pooled to serve multiple data owners using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to data owner demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (eg country, state or data centre). Examples of resources include storage, processing, memory and network bandwidth.
Rapid elasticity.
Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the data owner, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
Measured service.
Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (eg storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled and reported, providing transparency for both the provider and data owner of the utilized service.
INFRASTRUCTURE AS A SERVICE (IAAS) - KEY CHARACTERISTICS
The capability provided to the data owner is to provision processing, storage, networks and other fundamental computing resources where the data owner is able to deploy and run arbitrary software, which can include operating systems and applications. The data owner does not manage or control the underlying Cloud infrastructure but has control over operating systems, storage and deployed applications; and possibly limited control of select networking components (eg host firewalls).
PLATFORM AS A SERVICE (PAAS) - KEY CHARACTERISTICS
The capability provided to the data owner is to deploy onto the Cloud infrastructure data owner-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The data owner does not manage or control the underlying Cloud infrastructure including network, servers, operating systems or storage, but has control over the deployed applications and possibly configuration settings for the application-hosted environment.
SOFTWARE AS A SERVICE (SAAS) - KEY CHARACTERISTICS
The capability provided to the data owner is to use the provider’s applications running on a Cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (eg web-based email) or a program interface. The data owner does not manage or control the underlying Cloud infrastructure including network, servers, operating systems, storage or even individual application capabilities, with the possible exception of limited user specific application configuration settings.
ADDITIONAL LEGAL AND REGULATORY DISCLOSURES
For additional legal/regulatory disclosures, please consult: http://harmonicfundservices.com/legal/