Data Processing Agreement

PARTIES

User, on behalf of itself, its Affiliates, and its current and future affiliated offices (the "User") and Relevize, Inc., a Delaware corporation with an office at 55 Court Street, Boston, MA 02108 (the "Processor") (each a "Party" and collectively the "Parties").

BACKGROUND

(A) The Processor offers a technology platform to assist User in generating leads (the "Services") in accordance with the Terms of Service agreed to by the Parties (the "Agreement"). This Data Processing Addendum (the "DPA") forms part of the Agreement.

(B) To the extent that the Processor processes any personal data as a processor (as defined below) on behalf of the User (or, where applicable, the User Affiliate) in connection with the provision of the Services, where that personal data falls within the scope of the GDPR, the Parties have agreed that it shall do so on the terms of this DPA.

(C) To the extent that the Processor processes any personal information as a service provider (as defined below) on behalf of the User (or, where applicable, the User Affiliate) in connection with the provision of the Services, where that personal information falls within the scope of the CCPA, the Parties have agreed that it shall do so in accordance with the terms set out under Clause 3 of this DPA.

1. DEFINITIONS

1.1 Terms defined in the Agreement shall, unless otherwise defined in this DPA, have the same meanings when used in this DPA and the following capitalised terms used in this DPA shall be defined as follows:

"Adequate Jurisdiction" means the UK, EEA, or a country which ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data, as set out in:

(a) with respect to personal data relating to data subjects in the EEA, a decision of the European Commission; and

(b) with respect to personal data relating to data subjects in the UK, the UK Data Protection Act 2018 or regulations made by the UK Secretary of State under the UK Data Protection Act 2018;

"CCPA" means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., including any amendments and any implementing regulations thereto that become effective on or after the effective date of this DPA;

“CCPA Consumer” means a “consumer” as such term is defined in the CCPA;

"CCPA Personal Information" means the “personal information” (as defined in the CCPA) that the Processor Processes on behalf of the User and/or the User’s Affiliates in connection with the Processor’s provision of the Services;

"Data Processing Services" means the Processing of CCPA Personal Information for any purpose permitted by the CCPA, such as for a permitted "business purpose," as such term is defined in the CCPA, or for any other purpose expressly permitted by the CCPA;

"EEA" means the European Economic Area;

"GDPR" means Regulation (EU) 2016/679 (the "EU GDPR") or, where applicable, the "UK GDPR" as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018;

“GDPR Personal Data” means the "personal data" (as defined in the GDPR) that the Processor Processes on behalf of the User and/or the User’s Affiliates in connection with the Processor’s provision of the Services;

"Member State" means a member state of the EEA, being a member state of the European Union, Iceland, Norway, or Liechtenstein;

"Objection" has the meaning given in clause 7.3;

“Sell” and “Sale” have the meaning given in the CCPA;

"Standard Contractual Clauses" means Module Two (controller to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914;

"Sub-processor" means a processor appointed by the Processor to process User Personal Data;

"User Affiliate" means a subsidiary of the User or a holding company of the User or any other subsidiary of that holding company;

"User Personal Data" means the CCPA Personal Information and the GDPR Personal Data, as further described in Schedule 1; and

"UK Data Protection Laws" has the meaning given in clause 4.3(a).

1.2 The terms "personal data", "controller", "processor", "data subject", "process", "personal data breach" and "supervisory authority" shall have the same meaning as set out in the GDPR.

1.3 The terms “consumer,” “personal information,” and “service provider” shall have the same meaning as set out in the CCPA.

1.4 The terms "Agreement", "Services" and "DPA" have the meanings given to them in the Background.

2. INTERACTION WITH THE AGREEMENT

2.1 This DPA supplements the Agreement with respect to any processing of User Personal Data by the Processor on behalf of the User and any User Affiliate that agrees to this DPA and either:

(a) is party to the Agreement; or

(b) submits to the Processor an executed copy of this DPA.

2.2 The User warrants that, with respect to the User Affiliates, it is duly authorised to enter into this DPA for and on behalf of any such User Affiliates, and that, upon executing this DPA or a written amendment to its User Affiliates, each User Affiliate shall be bound by the terms of this DPA as if they were the User.

2.3 The User warrants that it is duly mandated by any User Affiliates on whose behalf the Processor processes User Personal Data in accordance with this DPA to:

(a) enforce the terms of this DPA on behalf of the User Affiliates, and to act on behalf of the User Affiliates in the administration and conduct of any claims arising in connection with this DPA; and

(b) receive and respond to any notices or communications under this DPA on behalf of the User Affiliates.

2.4 The Parties agree that any notice or communication sent by the Processor to the User shall satisfy any obligation to send such notice or communication to a User Affiliate.

2.5 Without prejudice to the generality of clause 5 of the Standard Contractual Clauses, in the event of any conflict between the Agreement, this DPA and the Standard Contractual Clauses, the following order of precedence shall apply:

(a) The Standard Contractual Clauses (or, with respect to transfers of User Personal Data subject to the UK GDPR, the Standard Contractual Clauses as amended by clause 4.3).

(b) The main body of this DPA.

(c) The Agreement.

3. CALIFORNIA CONSUMER PRIVACY ACT

3.1 If the User or User Affiliates provide to the Processor any User Personal Data that is CCPA Personal Information, then the Processor will:

(a) Act as a “service provider” as that term is defined in the CCPA with regard to such personal information;

(b) Retain, use and disclose such personal information solely for the purpose of performing the Services or as otherwise permitted under the CCPA; including account information (email address, name, and password), identifiers (IP addresses, unique device identifiers, etc.), and cookies;

(c) Not sell User Personal Data to another business or third party.  Notwithstanding the foregoing, disclosures to a third party in the context of a merger, acquisition, bankruptcy, or other transaction shall be permitted in accordance with the terms of the DPA; and

(d) Provide reasonable assistance to the User in responding to requests pursuant to the CCPA from consumers with regard to their personal information.

3.2 Processor certifies that it understands the foregoing obligations and shall comply with them for as long as Processor Processes User Personal Data.

4. STANDARD CONTRACTUAL CLAUSES

4.1 Subject to clause 4.3, the Standard Contractual Clauses shall apply to any transfers of User Personal Data falling within the scope of the GDPR from the User (as data exporter) to the Processor (as data importer).

4.2 For the purposes of the Standard Contractual Clauses:

(a) Annex I.A (List of Parties) shall be deemed to incorporate the information in the Agreement;

(b) Annex I.B (Description of Transfer) shall be deemed to incorporate the information in Schedule 1;

(c) Annex I.C (Competent Supervisory Authority) shall be deemed to refer to the supervisory authority identified in Section 12; and

(d) Annex II (Technical and Organisational Measures) shall be deemed to incorporate the information in Schedule 3.

4.3 With respect to any transfers of User Personal Data falling within the scope of the UK GDPR from the User (as data exporter) to the Processor (as data importer):

(a) neither the Standard Contractual Clauses nor the DPA shall be interpreted in a way that conflicts with rights and obligations provided for in any laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018 (together, the "UK Data Protection Laws");

(b) the Standard Contractual Clauses are deemed to be amended to the extent necessary so they operate:

(i) for transfers made by the Controller to the Processor, to the extent that UK Data Protection Laws apply to the Controller's processing when making that transfer; and

(ii) to provide appropriate safeguards for the transfers in accordance with Article 46 of the UK GDPR; and

(c) the amendments referred to in clause 3.3(b) include (without limitation) the following:

(i) references to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK GDPR” and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article of the UK GDPR;

(ii) references to Regulation (EU) 2018/1725 are removed;

(iii) references to the "Union", "EU" and "EU Member State" are all replaced with the "UK";

(iv) the "competent supervisory authority" shall be the Information Commissioner;

(v) clause 17 of the Standard Contractual Clauses is replaced with the following:

"These Clauses are governed by the laws of England and Wales";

(vi) clause 18 of the Standard Contractual Clauses is replaced with the following:

"Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts"; and

(vii) any footnotes to the Standard Contractual Clauses are deleted in their entirety.

5. INSTRUCTIONS FOR DATA PROCESSING

5.1 The Parties agree that, for the purposes of clause 8.1(a) of the Standard Contractual Clauses, the Agreement and this DPA shall be the User's instructions for the processing of User Personal Data.

5.2 To the extent that any of the User's instructions require processing of User Personal Data in a manner that falls outside the scope of the Services, the Processor may:

(a) make the performance of any such instructions subject to the payment by the User of any costs and expenses incurred by the Processor or such additional charges as the Processor may reasonably determine; or

(b) terminate the Agreement and the Services.

5.3 Notwithstanding clause 8.1 of the Standard Contractual Clauses, the Processor may process User Personal Data to the extent required by applicable law in the UK, the EEA or a Member State, in each case to which the Processor is subject, in which case the Processor shall, to the extent permitted by such applicable law, inform the User of that legal requirement before processing that User Personal Data.

6. USER WARRANTIES AND UNDERTAKINGS

6.1 The User represents and warrants that:

(a) it has provided all applicable notices to data subjects and, to the extent required, obtained consent from data subjects in each case as required for the lawful processing of User Personal Data in accordance with the Agreement and this DPA; and

(b) without prejudice to the generality of clause 8 of the Standard Contractual Clauses (as applicable), taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the security measures set out in Schedule 3 are:

(i) appropriate to ensure the security of the User Personal Data, including protection against a personal data breach; and

(ii) otherwise consistent with the User's obligations under Article 32 of the GDPR.

7. SUBPROCESSORS

7.1 The Parties agree that, for the purposes of clause 9 of the Standard Contractual Clauses:

(a) the User gives the Processor general authorisation to engage sub-processors from an agreed list in accordance with Option 2 of clause 9 of the Standard Contractual Clauses; and

(b) Schedule 2 sets out the list of sub-processors agreed by the Parties.

7.2 The Processor shall provide the User with 30 days' notice of any proposed changes to the sub-processors it uses to process User Personal Data (including any addition or replacement of any sub-processors), including any information reasonably necessary to enable the User to assess the sub-processor and exercise its right to object.

7.3 If the User objects to the Processor's use of a new sub-processor (including when exercising its right to object under clause 9(a) of the Standard Contractual Clauses), it shall provide the Processor with:

(a) written notice of the objection within 5 days after the Processor has provided notice to the User as described in clause 7.2; and

(b) documentary evidence that reasonably shows that the sub-processor does not or cannot comply with the requirements in this DPA (including the Standard Contractual Clauses),

(an "Objection").

7.4 In the event of an Objection, the Processor will use reasonable endeavours to make available to the User a change in the Services, or will recommend a commercially reasonable change to the Services to prevent the applicable sub-processor from processing the User Personal Data.

7.5 If the Processor is unable to make available such a change in accordance with clause 7.4 within a reasonable period of time, which shall not exceed 30 days, either Party may terminate the Agreement by providing not less than 10 days’ written notice to the other Party. During such notice period, the Processor may suspend the affected portion of the Services.

8. SECURITY AND AUDITS

8.1 The Processor may, by written notice to the User, vary the security measures set out in Schedule 3, including (where applicable) following any review by the Processor of such measures in accordance with clause 8.6 of the Standard Contractual Clauses, provided that such variation does not reduce the overall level of protection afforded to the User Personal Data by the Processor under this DPA.

8.2 With respect to any audits conducted under clauses 8.9(c) and (d) of the Standard Contractual Clauses, the Parties agree that Processor shall provide written responses (which may include audit report summaries/extracts) to all reasonable requests for information made by User related to Processor’s processing of User Personal Data necessary to confirm Processor’s compliance with this DPA.  Such responses shall be subject to the confidentiality provisions of the Agreement or a confidentiality agreement in such form as the Processor may request.

8.3 In some circumstances, User may contact Processor to request a physical audit of Processor’s activities covered by this DPA.  A physical audit may be conducted by User (or, where applicable, a third-party independent auditor appointed by the User) when:

(a) The information provided in Processor’s written responses in accordance with clause 8.2 is not sufficient to demonstrate compliance with the obligations set out in this DPA;

(b) User has received notice from Processor of a personal data breach; or

(c) Such an audit is required by User’s competent supervisory authority or the GDPR.  

8.4 With respect to any audits conducted under clause 8.3, the Parties agree that:

(a) all such audits shall be conducted:

(i) on reasonable written notice to the Processor;

(ii) only during the Processor's normal business hours; and

(iii) in a manner that does not disrupt the Processor's business; and

(b) the User (or, where applicable, a third party independent auditor appointed by the User) shall:

(i) enter into a confidentiality agreement with the Processor prior to conducting the audit in such form as the Processor may request; and

(ii) ensure that its personnel comply with the Processor's and any sub-processor's policies and procedures when attending the Processor's or sub-processor's premises, as notified to the User by the Processor or sub-processor.

9. COSTS

9.1 The User shall pay to the Processor on demand all costs and expenses incurred by the Processor in connection with:

(a) implementing any changes to the Services under clause 7.4;

(b) facilitating and contributing to any audits of the Processor under or clauses 8.9(c) and (d) of the Standard Contractual Clauses;

(c) facilitating and contributing to any audits of the Processor conducted by a supervisory authority;

(d) responding to queries or requests for information from the User relating to the processing of User Personal Data under clauses 8.9(a), 8.9(c) or 8.9(e) of the Standard Contractual Clauses;

(e) any assistance provided by the Processor to the User with its fulfilment of its obligations to respond to data subjects' requests for the exercise of their rights under the GDPR; and

(f) any assistance provided by the Processor to the User with any data protection impact assessments or prior consultation with any supervisory authority of the User.

10. LIABILITY

10.1 Subject to clause 10.2, any exclusions or limitations of liability set out in the Agreement shall apply to any losses suffered by either Party (whether in contract, tort (including negligence) or for restitution, or for breach of statutory duty or misrepresentation or otherwise) under this DPA as if this DPA was incorporated into, and formed a part of the Agreement.

10.2 Nothing in this DPA or the Agreement shall limit or exclude any liability of either Party to data subjects or not-for-profit bodies, organisations or associations under the conditions set out in Article 80(1) of the GDPR under the Standard Contractual Clauses.

10.3 The User shall indemnify the Processor against any amounts paid by the Processor to a data subject or not-for-profit body, organisation or association under the conditions set out in Article 80(1) of the GDPR in connection with any claim brought under the Standard Contractual Clauses, to the extent such amounts would not have been paid had the limitations and exclusions in the Agreement applied to such claims.

11. DURATION AND TERMINATION

11.1 The Processor shall, within 30 days of the date of termination or expiry of the Agreement:

(a) if requested to do so by the User within that period, return a complete copy of all User Personal Data by secure file transfer in such a format as notified by the User to the Processor; and

(b) other than any User Personal Data retained by the Processor after termination of the Agreement in accordance with clauses 8.5 and 16(d) of the Standard Contractual Clauses, delete and use all reasonable efforts to procure the deletion of all other copies of User Personal Data processed by the Processor or any sub-processors.

12. MODIFICATIONS

12.1 The Processor may modify or supplement this DPA, by notice to User:

(a) if required to do so by a supervisory authority or other government or regulatory entity;

(b) if necessary to comply with applicable law;

(c) to implement amended standard contractual clauses laid down by the European Commission or, where applicable, the UK Secretary of State; or

(d) to adhere to a code of conduct or certification mechanism approved or certified pursuant to Art. 40, 42 and 43 of the GDPR.

12.2 The User shall notify the Processor if it does not agree to a modification, in which case the Processor may terminate this DPA and the Agreement by giving to the User two (2) weeks' prior written notice, whereby in the case of an objection not based on non-compliance of the modifications with applicable data protection law, the Processor shall remain entitled to claim its agreed remuneration until the term end.

13. LAW AND JURISDICTION

13.1 Notwithstanding the provisions of the Agreement, this DPA and the Standard Contractual Clauses shall (to the extent permitted under applicable law) be governed by, and construed in accordance with:

(a) where the User is established in the EEA, the law of the Member State in which the User is established, provided such Member State law allows for third-party beneficiary rights;

(b) where the User is established in the UK, the law of England and Wales;

(c) where the User is established other than in the UK or EEA, the law of the Member State in which the User has appointed its representative under Article 27 of the GDPR; or

(d) otherwise, the law of the Republic of Ireland.

13.2 Notwithstanding the provisions of the Agreement, to the extent that the CCPA applies to the processing of User Personal Data, this DPA shall be governed by, and construed in accordance with the laws of the state of California, United States of America (“USA”), excluding its conflicts of law provisions.

13.3 Notwithstanding the provisions of the Agreement, the Parties submit themselves to the jurisdiction of the following courts:

(a) where the User is established in the EEA, the courts of the Member State in which the User is established;

(b) where the User is established in the UK, the courts of England and Wales;

(c) where the User is established other than in the UK or EEA, the courts of the Member State in which the User has appointed its representative under Article 27 of the GDPR; or

(d) otherwise, the courts of the Republic of Ireland.

13.4 Notwithstanding the provisions of the Agreement, as regards this DPA, to the extent that the CCPA applies to the processing of User Personal Data, the Parties submit themselves to the personal jurisdiction of the courts located within the city and county of San Francisco, California, USA to resolve any dispute or claim arising from such processing.

14. THIRD PARTY RIGHTS

Other than the right of data subjects or not-for-profit bodies, organisations or associations under the conditions set out in Article 80(1) of the GDPR to bring claims under the Standard Contractual Clauses (as applicable), a person who is not a party to this DPA may not enforce any of its terms.

15. GENERAL

15.1 Written Communications. Applicable laws may require that some of the information or communications that the Parties send to each other should be in writing. The Parties agree, for the purposes of this DPA, that communication between them will mainly be electronic and that the Parties will contact each other by e-mail. For contractual purposes, the Parties agree to this electronic means of communication and the Parties acknowledge that all contracts, notices, information and other communications provided by one Party to the other electronically comply with any legal requirement that such communications be in writing.

15.2 Notices. Any notices given by one Party to the other will be served if validly served in accordance with the Agreement, and will be deemed received in accordance with the relevant provisions in the Agreement.

15.3 Rights and remedies. Except as expressly provided in the Agreement, the rights and remedies provided under the Agreement are in addition to, and not exclusive of, any rights or remedies provided by law.

15.4 No partnership or agency. Nothing in the DPA is intended to, or shall be deemed to, establish any partnership or joint venture between any of the Parties, constitute any Party the agent of another Party, or authorise any Party to make or enter into any commitments for or on behalf of any other Party. Each Party confirms it is acting on its own behalf and not for the benefit of any other person.

15.5 Transfer of rights and obligations. Neither Party shall transfer, assign or otherwise deal in the DPA, or any of its rights and obligations under this DPA, other than to an assignee of that Party's rights and obligations under the Agreement.

15.6 Waiver. No forbearance or delay by either Party in enforcing its rights shall prejudice or restrict the rights of that Party, and no waiver of any such rights or any breach of any contractual terms shall be deemed to be a waiver of any other right or of any later breach.

15.7 Variation. No variation of this DPA shall be effective unless it is in writing and signed by the Parties (or their authorised representatives).

15.8 Severability. If any provision of the DPA is judged to be illegal or unenforceable, the continuation in full force and effect of the remainder of the provisions of the DPA shall not be prejudiced.

SCHEDULE 1

DETAILS OF PROCESSING

1. Categories of data subjects

The categories of data subjects whose personal data are transferred: employees, Users, potential Users, and business partners and their employees.

2. Categories of personal data

The transferred categories of personal data are: account information (name, email address, phone number, job title, employer name, time zone, city and state, password), identifiers (IP addresses, unique device identifiers, etc.), lead generation content (name, email address, phone number, job title, employer name, time zone, city and state), User generated content (lead advertisements), and cookies.

3. Special categories of personal data (if applicable)

The transferred personal data includes the following special categories of data:

None

4. Frequency of the transfer

The transfer is performed on a continuous basis.

5. Subject matter of the processing

The subject matter of the processing is the provision of lead generation services to User.

6. Nature of the processing

The nature of the processing is collection, recording, organization, storage, retrieval, dissemination or otherwise making available, erasure, and destruction.

7. Purpose(s) of the data transfer and further processing

The purpose/s of the data transfer and further processing is/are cloud storage and lead generation services.

8. Duration

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: as set out in clause 11 of the DPA.

9. Sub-processor (if applicable)

For transfers to sub-processors, specify subject matter, nature and duration of the processing: as set out in Schedule 2.

SCHEDULE 2

SUBPROCESSORS

| No | Name of the sub-processor | Description of processing (including subject matter, nature and duration of the processing as well as a clear delimitation of responsibilities in case several sub-processors are authorised) (as referenced in Annex I B. and Annex III of the Appendix of the SCC) | Specific technical and organisational measures to be taken by the sub-processor to be able to provide assistance to User (as referenced in Annex II of the Appendix of the SCC) |
|---|---|---|---|
| 1 | Google Cloud Platform | All Relevize applications & databases are hosted in Google Cloud Platform. | Availability, integrity & resilience; equipment testing & security; disaster recovery training; encryption (at rest and in transit); access controls; incident management; vulnerability management; 2-step verification; login monitoring; data loss prevention; endpoint management; identity-aware proxy (IAP); VPC service controls |
| 2 | Zoominfo | Enriching leads data for our Users. | Two-factor authentication; password encryption and policy; static and dynamic code analysis; automated and manual penetration testing; HTTPS encryption; layered security; web application firewalls; data backup; access management and control; security information event management; cloud audit and architecture review; system audits; vendor risk assessments; third-party certifications |
| 3 | Sendgrid | Used to send transactional emails from our apps to our users. | Architecture and data segregation; physical security; access controls; change management; encryption (at rest and in-transit); vulnerability management; penetration testing; security incident management; resilience and service continuity; backups and recovery |
| 4 | Nylas | Connecting to our users' Google Workspace and Office 365 accounts to provide email drip campaigns & calendar booking links. | Please refer to https://www.nylas.com/blog/gdpr-at-nylas-privacy-data-security-and-trust/ |
| 5 | Backblaze | Offsite backup provider. | Systems and services security; business continuity and disaster recovery; risk management; access controls; encryption; physical security; event logging; system configuration; security governance & management; data quality |
| 6 | Mixpanel | User-level use data, for tracking things like pageviews and actions that our users take on the platform. | Encryption; access controls; network transport and storage; firewalls; system logging; infrastructure and physical security; operational security; third-party audits; security monitoring |
| 7 | Hubspot | Used for managing email drip campaigns for select Users. | Encryption (at rest and in-transit); network and perimeter protection; logical tenant separation; firewall; DDoS protections; vulnerability scans; penetration testing; security education and awareness training; 24/7 monitoring; incident response; vendor risk management; third-party audits and reports |
| 8 | Sentry | Error and exception monitoring for our server side and client side apps. | Encryption (at rest and in-transit); data retention policies; data removal policies; PII scrubbing; two-factor authentication; single-sign on implementation; email security; audit of user logs; secure application development; malware protection; risk management procedures; periodic technical and non-technical assessments; business continuity & disaster recovery; security training; third-party audits and certifications |
| 9 | Cloudflare | CDN, firewall provider, domain registrar. | Encryption (at rest and in-transit); code review; validation checks; intrusion detection; distributed data centres; access controls; physical security; disaster recovery and business continuity plans and procedures; backups; incident management; third-party audits and reports; penetration testing; firewalls; audit logging, monitoring, and tracking of data transmissions |
| 10 | Stripe | Payment processor for User’s media spends & platform fees. | Encryption (at rest and in-transit); HTTPS for all services using TLS |
| 11 | Auth0 | Authentication & authorization provider for Relevize.com SSO, SAML, and 2FA enforcement. | Encryption (at rest and in-transit); security training and certification; background checks; incident management; disaster recovery and business continuity; access controls; network controls; vulnerability management; patch management; penetration tests; vulnerability scans; software development program and policies; malware controls; network controls; intrusion detection; data segregation; data centre security; event logging and monitoring; third-party audits and certifications; secure deletion |

SCHEDULE 3

TECHNICAL AND ORGANISATIONAL MEASURES

Company maintains technical and organisational measures as concretely described in the following to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, as well as the risks for the rights and freedoms of natural persons:

1. PSEUDONYMIZATION AND ENCRYPTION, ART. 32 PARA 1 POINT A GDPR

Pseudonymisation contains measures that enable one to process personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is stored separately, and is subject to appropriate technical and organisational measures. Encryption contains measures that enable one to convert clearly legible information into an illegible string by means of a cryptographic process.

  • Stored data is always encrypted where appropriate, including any backup copies of the data.
  • All data used for testing & development is sanitized prior to export to testing systems
  • Passwords are hashed & salted

2. THE ABILITY TO ENSURE THE ONGOING CONFIDENTIALITY, INTEGRITY, AVAILABILITY AND RESILIENCE OF PROCESSING SYSTEMS AND SERVICES, ART. 32 PARA 1 POINT B GDPR

Confidentiality and integrity are ensured by the secure processing of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Confidentiality

Physical access control

Measures that prevent unauthorized persons from gaining access to data processing systems with which personal data are processed or used.

  • Physical access control systems
  • Definition of authorized persons and management and documentation of individual authorizations
  • Regulation of Visitors and external staff
  • Monitoring of all facilities housing IT systems
  • Logging of physical access
  • Secure equipment & data controls
  • Physical media security
  • Required VPN for untrusted WiFi networks

System/Electronic access control

Measures that prevent data processing systems from being used without authorization.

  • User Authentication by simple authentication methods (using username/password)
  • 2 factor authentication for employee access to systems
  • Secure transmission of credentials using networks (using TLS and SSL)
  • Automatic account locking
  • Password complexity requirements
  • Definition of authorized persons
  • Managing means of authentication
  • Access control to infrastructure that is hosted by cloud service provider
  • Access provisioning tracking process
  • MDM for all employee mobile devices & computers, enforcing security standards
  • Advanced MDM monitoring for all engineering team members' devices

Internal Access Control

Measures that ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorization in the course of processing or use and after storage.

  • Automatic and manual locking
  • Access right management including authorization concept, implementation of access restrictions, implementation of the "need-to-know" principle, managing of individual access rights.
  • Quarterly audits of key account access holders
  • VPN/SSH key limited access to in-VPC key data systems
  • Use of service accounts (where possible) to limit permissions scopes of system users
  • Maintenance of an up-to-date list of employees and their roles

Isolation/Separation Control

Measures to ensure that data collected for different purposes can be processed (storage, amendment, deletion, transmission) separately.

  • 100% Google Cloud infrastructure
  • Network separation via VPC and strict firewalls
  • Internet Traffic Control restricts incoming traffic from specific sources (CDN)
  • Document procedures and applications for the separation
  • Centralized Network traffic logging & alerting

Job Control

Measures that ensure that, in the case of commissioned processing of personal data, the data are processed strictly in accordance with the instructions of the principal.

  • Training and confidentiality agreements for internal staff and external staff
  • Data loss prevention software with centralized alerting
  • MDM for all employees with ability to enforce encryption, password requirements, and perform remote wipe for lost or stolen devices

Integrity

Data Transmission Control

Measures that ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged.

  • Secure transmission between client and server and to external systems by using industry-standard encryption
  • All network communication within a single VPC.
  • Logging of transmissions of data from IT systems that store or process personal data
  • Fully encrypted backup pipeline

Data Input Control

Measures that ensure that it is possible to check and establish whether and by whom personal data have been input into data processing systems, modified or removed.

  • Logging authentication and monitored logical system access
  • Logging of data access including, but not limited to, access, modification, entry and deletion of data
  • Documentation of data entry rights and partial logging of security-related entries.

Availability and Resilience of Processing Systems and Services

Availability includes measures that ensure that personal data is protected from accidental destruction or loss due to internal or external influences. Resilience of processing systems and services includes measures that ensure the ability to withstand attacks or to quickly restore systems to working order after an attack.

  • Backups encrypted onsite using AES-256-CTR-Poly1305-AES before transfer to offsite.
  • Offsite backup: 99.999999999% durability.
  • Critical databases configured with high-availability automatic failover and 15-minute resolution rolling backups.

3. THE ABILITY TO RESTORE THE AVAILABILITY AND ACCESS TO PERSONAL DATA IN A TIMELY MANNER IN THE EVENT OF A PHYSICAL OR TECHNICAL INCIDENT, ART. 32 PARA 1 POINT C GDPR

Organizational measures that ensure the possibility to quickly restore the system or data in the event of a physical or technical incident.

  • Business Impact Analysis to generate disaster plans including:
  • Critical timescales (RTO/RPO) associated with each support business service/process
  • Conditions and responsibilities for declaring a disaster
  • A detailed succession plan describing the flow of responsibilities when normal staff is unavailable to perform their duties
  • A priority list of services to be recovered including security services (monitoring, anti-virus, etc.)
  • A schedule of key tasks and an assigned responsible party
  • Procedures to be followed for completing key tasks (e.g. emergency recovery, post recovery, fail back and resumption)
  • Anticipated Information Security risks and plans to mitigate these risks throughout the duration of the declared disaster

4. A PROCESS FOR REGULARLY TESTING, ASSESSING AND EVALUATING THE EFFECTIVENESS OF TECHNICAL AND ORGANIZATIONAL MEASURES FOR ENSURING THE SECURITY OF THE PROCESSING, ART. 32 PARA 1 POINT D GDPR

Organizational measures that ensure the regular review and assessment of technical and organizational measures.

  • Testing of emergency site safe-mode
  • Documentation of interfaces and personal data fields
  • Incident response plans annually tested in tabletop exercise
  • Quarterly Identity and Access review
  • 3rd party pentest of site & service

5. DESCRIPTION OF THE SPECIFIC TECHNICAL AND ORGANISATIONAL MEASURES TO BE TAKEN BY THE TO ASSIST WITH THE FULFILMENT OF DATA SUBJECT REQUESTS (CLAUSE 10 (B) SCC)

In order for the data importer / Company to assist the data exporter / User with fulfilling its obligations to respond to data subjects’ requests in accordance with Clause 10 (b) SCC, the Parties will set out the appropriate technical and organisational measures in the following, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required:

  • API for creating RTBF requests
  • Whistleblower portal: https://relevize.com/whistleblower