Last updated August 21, 2025
DATA PROCESSING ADDENDUM
This Data Processing Addendum (this “DPA”) forms part of and is subject to the terms and conditions of the Service Agreement (as defined below) by and between the entity identified as the Customer under the Service Agreement and Traact, Inc. (“Vendor”). Customer and Vendor may be referred to herein together as the “Parties”, and each may be referred to herein as a “Party”. This DPA is hereby incorporated into, and subject to, the terms of the Service Agreement. In the event of a conflict between the terms of this DPA and the terms of the Service Agreement, the terms of this DPA shall control. For good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, Customer and Vendor hereby agree as follows:
- Definitions.
- “Applicable Laws” means, collectively, all now existing or hereinafter enacted or amended laws, rules, regulations, and/or sanctions programs applicable to a Party’s performance hereunder and/or obligations with respect to data protection.
- “CCPA” means the California Consumer Privacy Act of 2018 (Title 1.81.5 of the Civil Code of the State of California), together with all effective regulations adopted thereunder (in each case, as amended from time to time).
- “Customer Data” means all information, data, content and other materials, in any form or medium, that is submitted, posted, collected, transmitted or otherwise provided by or on behalf of Customer through the Services.
- “Customer Personal Data” means Customer Data that is Personal Data processed by Vendor on behalf of Customer in the provision of the Services under the Service Agreement.
- “Controller” means (i) under and in the context of European Data Protection Law, the data “controller” (as defined by GDPR), (ii) under and in the context of CCPA, the “business” or “third party” (each, as defined by CCPA), and (iii) under and in the context of any other privacy or data protection law, rule, or regulation applicable to a Party’s performance hereunder, a “controller”, “business”, or corresponding term denoting a substantially similar definition, role, and obligations under such law, rule or regulation.
- “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (and each successor regulation, directive or other text of the foregoing, in each case as amended from time to time).
- “European Data Protection Law” means each of EU GDPR, UK GDPR, and the Federal Data Protection Act of 19 June 1992 (Switzerland) (as the same may be superseded by the Swiss Data Protection Act 2020 and as amended from time to time).
- “GDPR” means, as applicable, (i) the EU GDPR and/or (ii) the UK GDPR.
- “Personal Data” means any information that constitutes (a) “personal information” (as defined by, and in the context of, CCPA), (b) “personal data” (as defined by, and in the context of, European Data Protection Law), and/or (c) “personal data,” “personal information,” or other term denoting a substantially similar definition and obligations under, and in the context of, any other Applicable Laws.
- “Process” means any operation or set of computer operations performed on Personal Data, including, but not limited to, collection, recording, organization, structuring, storage, access, adaptation, alteration, retrieval, consultation, use, transfer, transmission, sale, rental, disclosure, dissemination, making available, alignment, combination, deletion, erasure, or destruction.
- “Processor” means (i) under and in the context of European Data Protection Law, the data “processor” (as defined by GDPR), (ii) under and in the context of CCPA, a “service provider” (as defined by CCPA), and (iii) under and in the context of any other privacy or data protection law, rule, or regulation applicable to a Party’s performance hereunder, a “processor”, “service provider”, or corresponding term denoting a substantially similar definition, role, and obligations under such law, rule or regulation.
- “Security Incident” means (i) any accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, or access to, Customer Personal Data or (ii) any other event that constitutes a “security breach”, “personal data breach”, or substantially similar term with respect to Customer Personal Data under any Applicable Laws.
- “Service Agreement” means, collectively, the agreements and/or terms of service (including, as applicable, each of the Statements of Work/SOWs/Orders/Order Forms and exhibits thereunder) between Client and Vendor.
- “Services” means, collectively, the products and/or services provided by Vendor to Customer under the Service Agreement.
- “Sub-Processor” means a contractor, subcontractor, consultant, third-party service provider, or agent engaged by Vendor for further Processing of Customer Personal Data.
- “UK GDPR” has the meaning ascribed thereto in section 3(10) (as supplemented by section 205(4)) of the UK Data Protection Act 2018 (as amended from time to time).
- Data Processing Obligations.
- General.
- Each Party shall comply with its obligations relating to Personal Data under this DPA and under Applicable Laws at its own cost. With respect to Customer Personal Data, (i) Customer is a Controller and (ii) Vendor is a Processor that Processes Customer Personal Data only upon the instructions of Customer, including, without limitation, in accordance with the applicable Service Agreement, this DPA, and any other documented instructions provided by Customer. Notwithstanding the foregoing, Vendor may Process Customer Personal Data as required by Applicable Laws. Schedule I sets forth specific details regarding Vendor’s processing of Customer Personal Data.
- With regard to Vendor employees and contractors engaged in Processing Customer Personal Data, Vendor shall ensure that such employees and contractors are informed of the confidential nature of the Customer Personal Data and are subject to appropriate confidentiality obligations sufficient to comply with the terms of the Service Agreement and this DPA.
- Customer will have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer obtains the Customer Personal Data, including, without limitation, obtaining appropriate consent to collect the Customer Personal Data and share such data with Vendor in accordance with Applicable Laws.
- Standard Contractual Clauses. If Vendor Processes Customer Personal Data relating to an EEA, United Kingdom, or Switzerland data subject (including, without limitation, the transfer of such Customer Personal Data from the EEA, United Kingdom, or Switzerland to a third country not providing an adequate level of protection) outside of the EEA, United Kingdom, and Switzerland, the Processing will be further governed by Schedule II to this DPA (together with all Appendices and Annexes thereto, and as the same may be amended, supplemented, or otherwise modified from time to time, “Personal Data SCCs”), which is incorporated by reference into this DPA solely with respect to Customer Personal Data relating to EEA, United Kingdom and/or Switzerland data subjects. If there is any conflict between (x) the terms and conditions of either this DPA or the Service Agreement, on the one hand, and (y) the terms and conditions of the Personal Data SCCs, on the other hand, then, with respect to Customer Personal Data relating to an EEA, United Kingdom and/or Switzerland data subject(s), the terms and conditions of the Personal Data SCCs will prevail and control. Vendor may only transfer Customer Personal Data relating to an EEA, United Kingdom, or Switzerland data subject outside the EEA, United Kingdom, and Switzerland in compliance with Applicable Laws and the Personal Data SCCs.
- CCPA. With respect to Customer Personal Data relating to a California “consumer” or “household” (each as defined by CCPA) (“CCPA Personal Data”):
- Customer will be disclosing such CCPA Personal Data under the Service Agreement to Vendor for a “business purpose” (as defined by CCPA), and Vendor shall Process such CCPA Personal Data solely on behalf of Customer and only as necessary to perform such business purpose for Customer; and
- Except as expressly permitted by the CCPA or its regulations, Vendor shall not: (i) “sell” or “share” (each as defined by the CCPA) CCPA Personal Data; (ii) retain, use, or disclose CCPA Personal Data (x) for any purpose (including a “commercial purpose” (as defined by CCPA)) other than for the business purpose(s) identified in Section 2.3(a), or (y) outside of the direct business relationship between Vendor and Customer; or (iii) combine the Customer Personal Data with Personal Data that Vendor collects or receives from another source (except in the performance of any “business purpose”);
- Changes in Applicable Laws. If, due to any change in Applicable Laws, a Party reasonably believes that (a) Vendor ceases to be able to provide the Services in whole or in part (e.g., with respect to a particular jurisdiction) and/or Customer ceases to be able to use the Services in whole or in part under the then-current terms and conditions of the Service Agreement and this DPA, each Party may terminate the Service Agreement (in whole or, if reasonably practicable, in part).
- Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vendor will implement and maintain appropriate technical and organizational measures to ensure a level of security for the Customer Personal Data appropriate to the risks. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data transmitted, stored or otherwise processed. Such measures will include reasonable administrative, physical, and technical security controls (including those required by Applicable Laws) that prevent the collection, use, disclosure, or access to Customer Personal Data that the Service Agreement does not expressly authorize, including maintaining a comprehensive information security program that safeguards Customer Personal Data. These security measures include the measures set forth in Schedule III.
- Supplementary Measures and Safeguards.
- Assistance. Vendor shall assist Customer to ensure compliance with Applicable Laws in connection with the Processing of Customer Personal Data.
- Orders. Vendor shall notify Customer in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Customer Personal Data. Customer shall have the right to defend such action in lieu of and/or on behalf of Vendor. Customer may, if it so chooses, seek a protective order. Vendor shall reasonably cooperate with Customer in such defense.
- Notifications.
- Security Incidents. Vendor will provide Customer with written notice promptly after discovering a Security Incident (including those affecting Vendor or its Sub-Processors), including any known information that Customer is required by Applicable Laws to provide to an applicable regulatory agency or to the individuals whose Personal Data was involved in the Security Incident.
- Data Subject Requests. Vendor shall (i) promptly notify Customer about any request under Applicable Law(s) with respect to Customer Personal Data received from or on behalf of the applicable data subject and (ii) cooperate as required by Applicable Law(s) with Customer’s reasonable requests in connection with data subject requests with respect to Customer Personal Data. Vendor shall assist Customer, through appropriate technical and organizational measures, to fulfill its obligations with respect to requests of data subjects seeking to exercise rights under Applicable Law with respect to Customer Personal Data.
- Sub-Processors.
- Vendor shall not have Customer Personal Data Processed by a Sub-Processor unless such Sub-Processor is bound by a written agreement with Vendor that includes data protection obligations at least as protective as those contained in this DPA and the Service Agreement and that meet the requirements of Applicable Laws. Vendor is and shall remain fully liable to Customer for any failure by any Sub-Processor to fulfill Vendor’s data protection obligations under Applicable Laws.
- Vendor’s list of all Sub-Processors who access Customer Personal Data is available at Annex III to Exhibit A of Schedule II (the “Sub-Processor List”). Customer authorizes and instructs Vendor to engage the Sub-Processors listed in the Sub-Processor List. Vendor will notify Customer of any changes to the Sub-Processors listed on the Sub-Processor List and grant Customer the opportunity to object to such change. Upon Customer’s request, Vendor will provide all information necessary to demonstrate that the Sub-Processors will meet all requirements pursuant to Section 6.1. If Customer objects to any Sub-Processor, Vendor can choose to either not engage the Sub-Processor or to terminate the Service Agreement with thirty (30) days’ prior written notice.
- Deletion. Vendor shall, at the choice of Customer: (i) delete or return all Customer Data to Customer after such Customer Data is no longer necessary for the provision of the Services, and (ii) delete existing copies of such Customer Data.
- Documentation; Audit.
- Vendor shall, upon Customer’s request, provide Customer (a) comprehensive documentation of Vendor’s technical and organizational security measures, (b) any and all third-party audits and certifications available with respect to such security measures, and (c) all other information reasonably necessary to demonstrate compliance with the Vendor’s obligations under this DPA and/or under Applicable Laws. Where (a) – (c) of this section are not sufficient for compliance with Applicable Laws, then upon reasonable notice and appropriate confidentiality agreements, Vendor shall cooperate with assessments, audits, or other steps performed by or on behalf of Customer at Customer’s sole expense and in a manner that is minimally disruptive to Vendor’s business that are necessary to confirm that Vendor is processing Customer Personal Data in a manner consistent with this DPA.
- Term; Termination. This DPA shall remain in effect until (a) the Service Agreement has terminated and (b) all obligations that Vendor has under the Service Agreement and under Applicable Laws with respect to Customer Personal Data, and all rights that Customer has under the Service Agreement and under Applicable Laws with respect to Customer Personal Data, have terminated. Notwithstanding termination of this DPA, any provisions hereof that by their nature are intended to survive, shall survive termination.
- Limitation of Liability. NOTWITHSTANDING ANYTHING STATED IN THE AGREEMENT, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER VENDOR NOR CUSTOMER SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES (INCLUDING DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, OR DATA) ARISING OUT OF OR IN CONNECTION WITH THIS DPA, HOWEVER CAUSED AND UNDER ANY THEORY OF LIABILITY AND WHETHER OR NOT A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT WILL EITHER PARTY’S CUMULATIVE LIABILITY ARISING OUT OF OR RELATED TO THIS DPA EXCEED THE SUM OF THE FEES PAID OR PAYABLE BY CUSTOMER TO VENDOR UNDER THE AGREEMENT DURING THE ONE YEAR PERIOD IMMEDIATELY PRECEDING THE DATE THE CLAIM FOR SUCH DAMAGES AROSE, EXCEPT TO THE EXTENT SUCH LIMITATION IS NOT PERMITTED BY APPLICABLE LAW. THE FOREGOING LIMITATIONS OF LIABILITY SHALL NOT APPLY TO LIABILITY ARISING FROM WILLFUL MISCONDUCT OR BREACHES OF APPLICABLE LAW.
- Miscellaneous.
- Any notice made pursuant to this DPA will be in writing and will be deemed delivered on (a) the date of delivery if delivered personally, (b) five (5) calendar days (or upon written confirmed receipt) after mailing if duly deposited in registered or certified mail or express commercial carrier, or (c) one (1) calendar day (or upon written confirmed receipt) after being sent by email, addressed to Customer at the address or email address on record with Vendor, or addressed to Vendor at the address or email address designated below, or to such other address or email address as may be hereafter designated by either Party:
By email to: dpo@traact.com
By mail to:
Traact, Inc.
2100 Geng Road, Suite 210,
Palo Alto, CA, 94303 – USA
- This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Service Agreement, unless required otherwise by Applicable Laws.
- Neither Party may assign or transfer any part of this DPA without the written consent of the other Party; provided, however, that this DPA, collectively with the Service Agreement, may be assigned without the other Party’s written consent by either Party to a person or entity who acquires, by sale, merger or otherwise, all or substantially all of such assigning Party’s assets, stock or business. Subject to the foregoing, this DPA shall bind and inure to the benefit of the Parties, their respective successors and permitted assigns. Any attempted assignment in violation of this Section 10.3 shall be void and of no effect.
- The Parties may execute this DPA in counterparts (including, without limitation, DocuSign and/or other electronic signature, PDF, and other electronic copies), which taken together shall constitute one instrument.
SCHEDULE I
Details of Customer Personal Data
Nature and Purpose of Processing
To provide the Services pursuant to the Service Agreement.
Categories of Personal Data Subject to Processing
- First and last name, phone number, address, email addresses, and position of Customer’s authorized users, including, without limitation, Customer’s employees, contractors, and agents (collectively, the “Authorized Users”)
- Any other category of Personal Data that is included within the data, information, and materials Customer, or third parties on behalf of Customer, submits to the Services
Categories of Data Subjects Whose Personal Data is Transferred
- Authorized Users
- Any other category of Data Subjects whose Personal Data is contained or embedded within the data, information, and materials Customer, or third parties on behalf of Customer, submits to the Services
Frequency of transfer
Continuous basis for the duration of the Services pursuant to the Service Agreement
Duration of Processing
For the duration of the Services pursuant to the Service Agreement.
Period for which Personal Data will be retained
As long as necessary to provide the Services pursuant to the Service Agreement.
SCHEDULE II
EU SCCs
- Definitions
- “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in this Schedule II.
- “UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, available as of the Service Agreement Effective Date at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/ and completed as described in this Schedule II.
- With respect to Customer Personal Data transferred from the European Economic Area, the EU SCCs will apply and form part of this Schedule II, unless the European Commission issues updates to the EU SCCs, in which case the updated EU SCCs will control. Undefined capitalized terms used in this provision will have the meanings given to them (or their functional equivalents) in the definitions in the EU SCCs. For purposes of the EU SCCs, they will be deemed completed as follows:
- Because Customer is a Controller and Vendor is a Processor of the Customer Personal Data, Module 2 applies.
- Clause 7 (the optional docking clause) is not included.
- Under Clause 11 (Redress), the optional dispute resolution body language is not included.
- Under Clause 17 (Governing law), the Parties select Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The Parties select the law of Ireland.
- Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland.
- Annexes I, II and III of the EU SCCs are set forth in Exhibit A to this Schedule II.
- By entering into this DPA, the Parties are deemed to be signing the EU SCCs.
- With respect to Customer Personal Data transferred from the United Kingdom for which the law of the United Kingdom (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the UK SCCs form part of this Schedule II and take precedence over the rest of this Schedule II as set forth in the UK SCCs, unless the United Kingdom issues updates to the UK SCCs, in which case the updated UK SCCs will control. Undefined capitalized terms used in this provision will have the meanings given to them (or their functional equivalents) in the definitions in the UK SCCs. For purposes of the UK SCCs, they will be deemed completed as follows:
- Table 1 of the UK SCCs:
- The Parties’ details are the Parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in Exhibit A.
- The Key Contacts are the contacts set forth in Exhibit A.
- Table 2 of the UK SCCs: The Approved EU SCCs referenced in Table 2 are the EU SCCs as executed by the Parties pursuant to this Schedule II.
- Table 3 of the UK SCCs: Annex 1A, 1B, II and III are set forth in Exhibit A.
- Table 4 of the UK SCCs: Either party may terminate the Service Agreement as set forth in Section 19 of the UK SCCs.
- By entering into the DPA, the Parties are deemed to be signing the UK SCCs and their applicable Tables and Appendix Information.
- With respect to Customer Personal Data transferred from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the EU SCCs will apply and will be deemed to have the following differences to the extent required by the Swiss Federal Act on Data Protection (“FADP”):
- References to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR.
- The term “member state” in the EU SCCs will not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.
- References to Personal Data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.
- Under Annex I(C) of the EU SCCs (Competent supervisory authority): where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in the EU SCCs insofar as the transfer is governed by the GDPR.
EXHIBIT A TO SCHEDULE II
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
Name: Entity identified as “Customer” in the DPA.
Address: See the Service Agreement.
Contact person’s name, position and contact details: See the Service Agreement.
Activities relevant to the data transferred under these Clauses: To receive the Services (as defined in the DPA).
Role (controller/processor): Controller.
Data importer(s):
Name: Traact, Inc. (“Vendor”)
Address: 2100 Geng Road, Suite 210, Palo Alto, CA, 94303
Contact person’s name, position and contact details:
Name: Helio Noronha
Role: Data Protection Officer
Address: 11264 Listening Dr, Orlando, FL 32832
Activities relevant to the data transferred under these Clauses: To provide Customer with the Services (as defined in the DPA).
Role (controller/processor): Processor.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
See Schedule I
Categories of personal data transferred
See Schedule I
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Vendor does not require any special categories of data in order to provide the Services and does not intentionally collect or process such data in connection with the provision of the Services.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
See Schedule I
Nature of the processing
See Schedule I
Purpose(s) of the data transfer and further processing
See Schedule I
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
See Schedule I
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
To provide the Services pursuant to the Service Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The supervisory authority mandated by Clause 13. If no supervisory authority is mandated by Clause 13, then the Irish Data Protection Commission (DPC), and if this is not possible, then as otherwise agreed by the parties consistent with the conditions set forth in Clause 13.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
See Schedule III
ANNEX III
LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors:
AWS
Logrocket
MixPanel
Microsoft Word
Cloudflare
Vercel
SCHEDULE III
Security Measures
1. General Security Measures
Vendor will comply with industry-standard security measures (including with respect to personnel, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, and incident response measures necessary to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of personal data), as well as with all applicable data privacy and security laws, regulations and standards.
2. Contact Information
Vendor’s security team can be reached at support@traact.com for any security questions. The customer team can be reached at support@traact.com.
3. Compliance
Vendor complies with the standards and practices described on the Vendor website: https://www.traact.com/privacy. For additional information, contact support@traact.com.
4. Information Security Program
The objective of Vendor’s Information Security Program is to maintain the confidentiality, integrity and availability of its computer and data communication systems while meeting necessary legislative, industry, and contractual requirements. Vendor shall establish, implement, and maintain an information security program that includes technical and organizational security and physical measures as well as policies and procedures to protect customer data processed by Vendor against accidental loss; destruction or alteration; unauthorized disclosure or access; or unlawful destruction.
4.1 Secure Software Development
Vendor shall maintain policies and procedures to ensure that system, application, and infrastructure development is performed in a secure manner. This includes trained code review and testing of all Vendor applications, regular scanning for common security vulnerabilities, periodic penetration testing, multi-factor authentication, utilizing infrastructure-as-code and industry-recommended configurations for infrastructure.
4.2 Human Resources Security
Vendor shall maintain a policy that defines requirements around enforcing security measures as they relate to employment status changes. This includes performing background checks, acknowledging and complying with Vendor’s security policies, and utilizing onboarding and termination checklists for employees and third parties.
4.3 Data Classification & Protection
Vendor shall maintain policies and procedures for data classification and protection, along with requirements for the classification of data containing personal data in consideration of applicable laws, regulations, and contractual obligations. Vendor shall also maintain requirements on data encryption and rules for transmission of data along with requirements on how access to these data should be governed.
4.4 Network Security
Vendor shall maintain policies and procedures around the network infrastructure used to process customer data, establish and enforce safe network practices, and define service level agreements with internal and external network services.
4.5 Physical and Environmental Security
Vendor shall maintain policies and procedures for physical and environmental security and ensure that critical information services are protected from interception, interference, or damage.
4.6 Business Continuity and Disaster Recovery
Vendor shall maintain policies and procedures to ensure that Vendor may continue to perform business-critical functions in the face of an extraordinary event. This includes data center resiliency and disaster recovery procedures for business-critical data and processing functions.
5. Access Control
Vendor shall maintain access control measures designed to limit access to Vendor’s facilities, applications, systems, network devices, and operating systems to a limited number of personnel who have a business need for such access. Vendor shall ensure such access is removed when no longer required and shall conduct access reviews periodically.
6. Risk Assessments
Vendor has a documented risk management procedure and Secure Software Development Life Cycle process. Vendor performs risk assessments of its products and infrastructure on a regular basis, including review of the data classification policies and targeted reviews of highly sensitive data flows.
Vendor performs application testing for new products or feature changes that are launched, as well as periodic reassessments of its network. Vendor leverages peer code review and regular vulnerability scanning to ensure that viruses are not introduced into the code and to detect any such abuse. Vendor uses a combination of manual penetration testing and automated tools.
7. Third-Party Risk Assessments
Vendor conducts security due diligence on third-party service providers to assess and monitor risk. This assessment includes a review of scope of confidential information and personal data transferred to or processed by the service provider and the purpose of the work. Vendor will also conduct a risk assessment which may include the service provider’s organization and technical security measures, the sensitivity of any information processed by the service provider, storage limitations, and data deletion procedures and timelines.
8. Supplementary Measures
In addition to the general security measures set out above, Vendor maintains the following policies:
- Acceptable Use Policy
- Change Management Policy
- Employee Code of Conduct
- Configuration and Asset Management Policy
- Data Retention and Disposal Policy
- Encryption and Key Management Policy (industry-standard encryption of TLS 1.2 or higher)
- Internal Control Policy
- Vulnerability Management Policy