Data Processing Addendum
This Data Processing Addendum and its Annexes (“DPA”) is incorporated into and forms a part of the Software as a Service Agreement (the “Agreement”) entered into by and between Arceo Labs, Inc., doing business as Resilience (the “Company” or “Resilience”) with its principal place of business at 55 Second Street, Suite 1950, San Francisco, CA 94105, and the Client identified in the applicable SOF.
By executing a Software Order Form, Client accepts the terms and conditions contained in this DPA.
All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
In the course of providing the Software to Client pursuant to the Agreement, Company may Process Client Personal Data on behalf of Client. Company and Client agree to comply with the following provisions with respect to any Client Personal Data:
1. Definitions.
1.1. “Applicable Data Protection Laws” means the privacy, data protection, and data security laws and regulations of any jurisdiction directly applicable to Company’s Processing of Client Personal Data under the Agreement.
1.2. “Client Personal Data” means any Personal Data Processed by Company or its Sub-processors on behalf of Client to provide the Software and perform its obligations under the Agreement.
1.3. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
1.4. “Data Subject” means the identified or identifiable natural person to whom Client Personal Data relates.
1.5. “Deidentified Data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, a Data Subject. For the avoidance of doubt, Deidentified Data includes Resultant Data.
1.6. “Documented Instructions” has the meaning set forth in Section 3.2.1 below.
1.7. “European Data Protection Laws” means all laws and regulations of the European Union, the European Economic Area, their member states, Switzerland, and the United Kingdom applicable to the processing of Personal Data under the Agreement (including, where applicable, (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (the “UK GDPR”); (iii) the Swiss Federal Act on Data Protection of 1 September 2023 and its corresponding ordinances (“Swiss FADP”); (iv) the EU e-Privacy Directive (Directive 2002/58/EC); and (v) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii), (iii) or (iv)).
1.8. “Personal Data” means information about an identified or identifiable natural person, or which otherwise constitutes “personal data”, “personal information”, “personally identifiable information” or similar terms as defined in Applicable Data Protection Laws.
1.9. “Personal Data Breach” means a breach of Company’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data in Company’s possession, custody or control. For clarity, “Personal Data Breach” does not include unsuccessful attempts or activities that do not compromise the security of Personal Data (including, but not limited to, unsuccessful login attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).
1.10. “Personnel” means Company’s employees, agents, consultants, or contractors.
1.11. “Process” means any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
1.12. “Processor” means an entity or person that Processes Personal Data on behalf of the Controller.
1.13. “Restricted Transfer” means: (i) where the EU GDPR or Swiss FADP applies, a transfer of Personal Data from the European Economic Area or Switzerland (as applicable) to a country outside of the European Economic Area or Switzerland (as applicable) which is not subject to an adequacy determination by the European Commission or Swiss Federal Data Protection and Information Commissioner (as applicable); and (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018. For the avoidance of doubt, a transfer of Personal Data to the United States pursuant to the Data Privacy Framework shall not be a Restricted Transfer.
1.14. “Sensitive Data” means (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated form (last four digits) of a credit or debit card number); (c) employment, financial, credit, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) account passwords; or (f) other information that falls within the definition of “special categories of data” under Applicable Data Protection Laws.
1.15. “Service Provider” has the meaning set forth under the CCPA as defined below.
1.16. “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, as set out in the European Commission Implementing Decision (EU) 2021-914 of 4 June 2021, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj and incorporated herein by reference.
1.17. “Sub-processor” means any Processor engaged by or on behalf of Company or its Affiliates to Process Client Personal Data in connection with fulfilling Company’s obligations with respect to providing the Software pursuant to the Agreement or this DPA.
1.18. “Third Countries” means all countries outside of the European Economic Area that have not been recognized by the European Commission (or the UK Secretary of State for transfers from the UK) as providing adequate protection for personal data.
1.19. “UK Addendum” means the International Data Transfer Addendum (Version B1.0) issued by the Information Commissioner’s Office under s.119(A) of the UK Data Protection Act 2018, as updated or amended from time to time.
1.20. “US State Data Protection Laws” means all state laws relating to the protection and Processing of Personal Data in effect in the United States of America, which may include, without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations (“CCPA”), the Colorado Privacy Act, the Connecticut Data Privacy Act, the Oregon Consumer Privacy Act, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act.
2. Term and Scope.
2.1. Term of DPA. The term of this DPA coincides with the term of the Agreement and terminates upon expiration or earlier termination of the Agreement (or, if later, the date on which Company ceases all Processing of Client Personal Data).
2.2. Scope of DPA.
2.2.1. This DPA applies generally to Company’s Processing of Client Personal Data under the Agreement.
2.2.2. For purposes of the Agreement, the parties acknowledge that, with respect to Client Personal Data, as between the parties, Client acts as the Controller (or a Processor processing Personal Data on behalf of a third-party Controller) and Company acts only as the Processor (or Sub-processor, as applicable).
2.2.2.1. If Client is a Processor, Client warrants to Company that Client’s instructions and actions with respect to Personal Data, including its appointment of Company as another Processor, and where applicable, concluding the SCCs (including as they may be amended in clause 9.3.3 below), have been (and will, for the duration of this DPA, continue to be) authorized by the relevant third-party controller.
2.2.3. The details of Company’s Processing of Client Personal Data are described in Annex I (Description of Processing) to the DPA.
3. Parties’ Responsibilities.
3.1. Each party is responsible for its own compliance with the Applicable Data Protection Laws.
3.2. Company Responsibilities.
3.2.1. Client Instructions. The parties agree that the Agreement (including all addenda thereto, this DPA (including all annexes thereto), and any Software Order Form) constitutes Client’s documented instructions regarding Company’s processing of Client Personal Data (“Documented Instructions”). Additional instructions outside the scope of the Documented Instructions (if any) will be binding on Company only pursuant to a written amendment to the Agreement signed by both parties.
3.2.2. With respect to all Client Personal Data it Processes in its role as a Processor (or Sub-processor), Company shall:
3.2.2.1. only process Client Personal Data for the purpose of providing the Software to Client and in accordance with: (i) the Documented Instructions and (ii) the requirements of the Applicable Data Protection Laws;
3.2.2.2. inform the Client if, in Company’s reasonable opinion, any instructions given to it by the Client in relation to the Processing of Client Personal Data under the Agreement infringe Applicable Data Protection Laws;
3.2.2.3. taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organizational measures to ensure a level of safety appropriate to the risks that are presented by the Processing of Client Personal Data, in particular, protection against the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data. Such measures include, without limitation, the security measures set out in Annex II to this DPA (the “Security Measures”). Client acknowledges that the Security Measures are subject to technical progress and development and that Company may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Software;
3.2.2.4. take reasonable steps to ensure that only authorized Personnel have access to the Client Personal Data and that any persons whom it authorizes to have access to the Client Personal Data are under contractual or statutory obligations of confidentiality; and
3.2.2.5. To the extent that Company Processes Personal Data on behalf of Client within the scope of the CCPA, the following shall also apply:
3.2.2.5.1. When processing California Client Personal Data in accordance with Client’s instructions, the parties acknowledge and agree that Client shall be a “Business” and Company shall be a “Service Provider” for purposes of the CCPA;
3.2.2.5.2. Company will not train, use or disclose such California Client Personal Data for any purposes other than the purposes set out in the Agreement and this DPA and as permitted under the CCPA;
3.2.2.5.3. Company will not “Sell” or “Share” any such California Client Personal Data, as those terms are defined in the CCPA; and
3.2.2.5.4. Company will not Process California Client Personal Data outside the direct business relationship between the parties, unless required by applicable law.
3.3. Client Responsibilities.
3.3.1. Client shall be responsible for complying with Applicable Data Protection Laws when making decisions and issuing instructions for the Processing of Client Personal Data, including securing all permissions, consents, or authorizations that may be required;
3.3.2. Client shall not submit, store, or send any Sensitive Data to Company for Processing, and will not permit or authorize any of Client’s employees, agents, contractors, or Data Subjects to submit, store or send any Sensitive Data to Company for Processing. Client acknowledges that Company does not request or require Sensitive Data as part of providing the Software;
3.3.3. Client shall defend and indemnify Company, its Affiliates, and Sub-processors for any claim brought against them arising from an allegation of Client’s breach of this section, whether by a Data Subject or a government authority. This provision does not diminish Client or Data Subject’s rights under Applicable Data Protection Laws related to Company’s adherence to its obligations under the Applicable Data Protection Laws.
4. Sub-Processing.
4.1. General Authorization. By entering into this DPA, Client provides general authorization for Company to engage Sub-processors to Process Client Personal Data on behalf of Client in accordance with this section.
4.2. List of Sub-processors. The Sub-processors currently engaged by Company are listed in Annex I to this DPA. Company may continue to engage the Sub-processors already engaged as of the date of this DPA specified in Annex I to this DPA, subject to Company in each case meeting the obligations set out in Section 4.5 of this DPA.
4.3. New Sub-processors. Client agrees to Company maintaining and updating its list of Sub-processors online here. This contains a mechanism for Client to subscribe to notifications of new Sub-processors. If Client does not subscribe to such notifications, Client expressly waives any right it may have to prior notice to changes to authorized Sub-processors. Company will provide such notice, to those emails subscribed (“Notice Date”), at least twenty (20) days before allowing any new Sub-processor to Process Client Personal Data (“Notice Period”).
4.4. Objections; Sole Remedy. If Client objects to any new or replacement Sub-processor on reasonable grounds related to data protection, it shall notify Company of such objections in writing within ten (10) days of the Notice Date by sending an email to privacy@cyberresilience.com describing its legitimate, good-faith objection. Client and Company will work together in good faith to consider a mutually acceptable resolution to such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable period of time, Client may, as its sole and exclusive remedy, terminate the Agreement and any applicable SOF by providing written notice to Company and paying Company all amounts due and owing under the Agreement as of the date of such termination. Company will refund Client any prepaid fees covering the remainder of the Term following the date of termination, without imposing a penalty for such termination on Client. If Client does not object in writing to Company’s engagement of a new Sub-processor during the Notice Period, Client shall be deemed to have approved the engagement and ongoing use of that Sub-processor and waives its right to object.
4.5. Company obligations when engaging Sub-processors. When Company engages a Sub-processor, to the extent required under Applicable Data Protection Laws:
4.5.1. Prior to the Sub-processor Processing Client Personal Data, Company shall carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Client Personal Data required by the Applicable Data Protection Laws, this DPA, and the Agreement.
4.5.2. Company must enter into a written agreement with each such Sub-processor containing data protection obligations imposing data protection terms that require the Sub-processor to protect Client Personal Data to the standard required by the Applicable Data Protection Laws and that are no less protective than those in this DPA with respect to the protection of Client Personal Data to the extent applicable to the nature of the services provided by each such Sub-processor.
4.5.3. Except as otherwise set forth in the Agreement or this DPA, Company will be liable for the acts and omissions of its Sub-processors to the same extent Company would be liable if performing the services of each Sub-processor directly.
4.5.4. Company will restrict the Sub-processor’s access to Client Personal Data only to what is necessary to provide or maintain the Software in accordance with the Agreement, and Company will prohibit the Sub-processor from accessing the Client Personal Data for any other purpose.
4.6. Disclosure of Sub-processor agreements. Client agrees that by Company’s compliance with this Section 5, Company fulfills its obligations under Clauses 9(a) and (b) of the SCCs. Client further acknowledges that, for the purposes of Clause 9(c) of the SCCs, Company may be restricted from disclosing Sub-processor agreements to Client due to confidentiality restrictions. Notwithstanding this, Company shall use reasonable efforts to require Sub-processors to permit Company to disclose Sub-processor agreements to Client and will provide to Client (upon reasonable request and on a confidential basis) all information that Company can reasonably provide in connection with such Sub-processor agreement.
5. Compliance Assistance.
5.1. Data Subject Rights. Taking into account the nature of the Processing of Client Personal Data, Company shall provide reasonable assistance to Client to comply with its data protection obligations with respect to Data Subject rights (including rights of access, rectification, erasure, restriction, objection, and data portability) under the Applicable Data Protection Laws.
5.1.1. To the extent Company is able to verify that a Data Subject is associated with the Client, Company shall promptly notify Client if it receives a request from a Data Subject to exercise any Data Subject rights in respect of that Data Subject’s Personal Data (a “Data Subject Request”). Company shall not respond to a Data Subject Request without Client’s prior written consent, except to confirm that such request relates to the Client, to advise the Data Subject to submit the request to Client, or as required by Applicable Data Protection Laws.
5.2. Cooperation Obligations. Upon Client’s reasonable request, and taking into account the nature of the applicable Processing, Company will provide reasonable assistance to Client in fulfilling Client’s obligations under Applicable Data Protection Laws (including data protection impact assessments and consultations with regulatory authorities), provided that Client cannot reasonably fulfill such obligations independently.
6. Audit Rights.
6.1. Audit Reports. Company is regularly audited by independent third-party auditors and/or internal auditors. Upon request, and on the condition that Client has entered into an applicable non-disclosure agreement with Company, Company will supply copies of, or extracts from, Company’s audit reports related to the security of the Software (“Audit Reports”) to Client so Client can verify Company’s compliance with the audit standards against which it has been assessed, and this DPA. If Client cannot reasonably verify Company’s compliance with the terms of this DPA, Company will provide written responses, on a confidential basis, to all reasonable requests for information made by Client related to its processing of Client Personal Data, provided that such right may only be exercised no more than once every twelve (12) months.
6.2. Audits. Client may request an audit of Company to verify Company’s compliance with the terms of this DPA only to the extent: (1) such an audit is required by Applicable Data Protection Laws or a competent supervisory authority; and (2) Company’s compliance cannot be demonstrated by means that are less burdensome on Company, including under Section 6.1 of this DPA.
6.2.1. Any audit under this section must meet the following requirements, unless otherwise required by the Applicable Data Protection Laws or competent supervisory authority:
6.2.1.1. Client may not perform more than one audit in any twelve (12) month-period;
6.2.1.2. Client shall be responsible for any costs associated with the audit, to be agreed upon in advance by the Parties;
6.2.1.3. Client must provide Company with at least thirty (30) days’ prior written notice of a proposed audit;
6.2.1.4. The scope of any audit, including, but not limited to, the time, duration, and security and confidentiality controls of the audit must be mutually agreed upon in advance by Client and Company prior to the audit taking place;
6.2.1.5. Audits may be conducted by Client directly or through an independent auditor appointed by Client, provided that Company approves such independent auditor; the independent auditor is not a competitor of Company; and the independent auditor is subject to appropriate statutory and contractual confidentiality obligations;
6.2.1.6. Client must ensure that its representatives, including independent auditors performing an audit, protect the confidentiality of all information obtained through the audit in accordance with the Confidentiality section of the Agreement, and execute an enhanced mutually agreeable nondisclosure agreement if requested by Company. If an audit requires access to Company’s premises, Client and its representatives must abide by Company’s applicable security policies while on Company’s premises;
6.2.1.7. Company may exclude information and documentation that would reveal the identity of other Company clients or information that Company is required to keep confidential. Any information or records provided pursuant to this Article 6 shall be considered Company’s Confidential Information and shall be subject to the Confidentiality provisions of the Agreement.
6.2.1.8. Client may create an audit report summarizing the findings and observations of the audit (“Audit Report”). Audit Reports are Confidential Information of Company, and Client will not disclose them to third parties unless otherwise authorized under the Confidentiality section of the Agreement.
6.2.1.9. Client must promptly disclose to Company any written Audit Report created, and any findings of noncompliance discovered as a result of the audit.
7. Incident Management and Notification.
7.1. Personal Data Breach. Upon Company becoming aware of any Personal Data Breach affecting Client Personal Data, Company shall without undue delay, and within the timeframes required by Applicable Data Protection Laws, notify Client of such Personal Data Breach. To the extent known, Company shall provide Client with sufficient information to report or inform Data Subjects of such Personal Data Breach.
7.1.1. Company shall cooperate with Client and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of such Personal Data Breach.
7.1.2. Company’s obligation to report or respond to a Personal Data Breach under this Article 7 is not and will not be construed as an acknowledgement by Company of any fault or liability of Company with respect to the Personal Data Breach.
8. Return and Deletion of Client Personal Data.
8.1. Company shall only Process Client Personal Data for the duration specified in Annex I (the “Duration”).
8.2. At the end of the Duration and pursuant to the Agreement: Client hereby acknowledges and agrees that, due to the nature of the Client Personal Data Processed by Company, return (as opposed to deletion) of Client Personal Data is not a reasonably practicable option in the circumstances. Having regard to the foregoing, Client agrees it is hereby deemed to have selected deletion, in preference of return, of Client Personal Data for the purposes of Applicable Data Protection Laws.
8.3. Notwithstanding the foregoing, Company may retain Client Personal Data: (a) where deletion is not permitted under applicable law (including Applicable Data Protection Laws) or the order of a governmental or regulatory body; (b) where Company retains such Client Personal Data for internal record keeping and compliance with any legal obligations; and (c) where Company’s then-current data retention or similar back-up system stores Client Personal Data, provided that in any such case, such data will remain protected in accordance with the measures described in the Agreement, this DPA, and the Applicable Data Protection Laws.
9. Data Transfers.
9.1. Client acknowledges and agrees that Company may transfer and otherwise Process or have transferred or otherwise Processed Client Personal Data to Third Countries, including by any Sub-processor or Company Affiliate engaged in accordance with this Agreement, provided that such transfer is made in accordance with Applicable Data Protection Laws.
9.2. Notwithstanding anything to the contrary herein, and for the avoidance of doubt, Company may make international transfers without the consent or prior knowledge of Client where Company is compelled by law to make such transfer and is prohibited by law from advising Client of same.
9.3. Data transfers from the EEA, Switzerland and the UK.
9.3.1. In connection with the provision of the Software, the parties anticipate that Company, its Affiliates, and Sub-processors may Process outside of the European Economic Area (“EEA”), Switzerland, and the United Kingdom, certain Personal Data protected by the European Data Protection Laws in respect of which Client may be a Controller.
9.3.2. The parties acknowledge that transfers of Client Personal Data under this Agreement that are subject to an applicable adequacy decision under the European Data Protection Laws do not require a separate approved transfer mechanism.
9.3.3. EU Transfers: For Client Personal Data protected by the EU GDPR that is transferred to Third Countries, the SCCs will apply as follows:
9.3.3.1. Module Two will apply where Client is a Controller and Module Three will apply where Client is a Processor;
9.3.3.2. In Clause 7, the optional docking clause will apply;
9.3.3.3. For purposes of Clauses 8.9(c)-(d), data exporter acknowledges and agrees that such obligations shall be satisfied by instructing data importer to comply with the audit measures described in Article 6 of this DPA;
9.3.3.4. In Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 4.3 of this DPA;
9.3.3.5. In Clause 11, the optional language will not apply;
9.3.3.6. In Clause 17, Option 2 will apply, and if the data exporter’s Member State does not allow for third-party beneficiary rights, then the law of Ireland shall apply;
9.3.3.7. In Clause 18(b), disputes shall be resolved before the courts of the jurisdiction governing the Agreement between the parties or, if that jurisdiction is not an EU Member State, then the courts of Ireland;
9.3.3.8. Annex I of the SCCs shall be deemed completed with the information set out in Annex I to this DPA; and
9.3.3.9. Annex II of the SCCs shall be deemed completed with the information set out in Annex II to this DPA.
9.3.4. UK transfers: For Client Personal Data that is protected by the UK GDPR that is transferred to Third Countries, the SCCs completed as set out above in Clause 9.3.3 of this DPA shall apply to such transfers of such Client Personal Data, except that:
9.3.4.1. The SCCs shall be deemed amended as specified by the UK Addendum, which shall be deemed executed between the transferring Client and Company;
9.3.4.2. Any conflict between the terms of the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum;
9.3.4.3. For purposes of the UK Addendum, Tables 1 to 3 in Part 1 of the UK Addendum, shall be deemed completed using the information contained in the Annexes of this DPA; and
9.3.4.4. Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party”.
9.3.5. Swiss Transfers: For Client Personal Data that is protected by the Swiss FADP (as amended or replaced) that is transferred to Third Countries, the SCCs, completed as set out above in Clause 9.3.3 of this DPA, shall apply to transfers of such Client Personal Data, except that:
9.3.5.1. The competent supervisory authority in respect of such Client Personal Data shall be the Swiss Federal Data Protection and Information Commissioner;
9.3.5.2. In Clause 17, the governing law shall be the laws of Switzerland;
9.3.5.3. References to “Member States” in the SCCs shall be interpreted to refer to Switzerland, and Data Subjects located in Switzerland shall be entitled to exercise and enforce their rights under the SCCs in Switzerland;
9.3.5.4. References to the “General Data Protection Regulation”, “Regulation 2016/679” or “GDPR” in the SCCs shall be understood to be references to the Swiss FADP (as amended or replaced).
10. General Terms.
10.1. Order of Precedence. If there is any conflict or inconsistency among the following documents regarding the Parties’ Personal Data obligations, the order of precedence is: (1) the SCCs, where applicable and materially affecting the adequacy of the Restricted Transfer; (2) the main body of this DPA; and (3) the Agreement. For the avoidance of doubt, provisions in this DPA that merely go beyond the SCCs without contradicting them shall remain valid. The same applies to conflicts between this DPA and the Agreement where this DPA shall only prevail regarding the Parties’ Personal Data protection obligations.
10.2. Should any provision of this DPA be held invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either: (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, should this not be possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein. The foregoing shall also apply if this DPA contains any omission.
10.3. For the avoidance of doubt, by applying the provisions of this DPA, the Parties do not intend to grant third-party beneficiary rights to Data Subjects under this DPA when those Data Subjects would not otherwise benefit from such rights under the Applicable Laws.
ANNEX I - Description of Processing
A. List of Parties
a. Data Importer
Name: | As set out in the applicable SOF |
Address: | As set out in the applicable SOF |
Contact Details for Data Protection: | Data Protection Officer, privacy@cyberresilience.com |
Activities relevant to the data transferred under this DPA: | Processing to provide the Software pursuant to the Agreement entered into between Company and Client |
Role (Controller/Processor): | Processor (or Sub-processor) |
b. Data Exporter
Name: | As set out in the applicable SOF |
Address: | As set out in the applicable SOF |
Contact Details for Data Protection: | As set out in the applicable SOF |
Activities relevant to the data transferred under this DPA: | Client’s activities related to this DPA are the use and receipt of the Software under and in accordance with, and for the purposes anticipated and permitted in, the Agreement as part of its ongoing business operations. |
Role (Controller/Processor): | Controller (or Processor on behalf of a third-party Controller) |
B. Description of Transfer of Client Personal Data
This Annex I sets out the description of Personal Data being processed and transferred under this Agreement:
1. Categories of Personal Data
Title, first name, last name, position/job title, email addresses, employer, usernames, phone numbers, controls/permissions in explicitly authorized account scans, LinkedIn profile URL, IP addresses, device type, operating system, browser type, ISP, geographic location (country only), referring URL and domain, pages visited.
2. Frequency and Duration of Processing
Taking into account Company’s Client Personal Data Processing, including the manner of receipt, collection, storage and use of Client Personal Data, the frequency of the Processing of Client Personal Data depends on the nature and scope of the Software agreed to under the applicable SOF, the Client’s Documented Instructions, and Company’s need to Process Personal Data for the provision of the Software. Accordingly, Processing may occur either on a continuous basis or on a one-off basis, until the earlier of termination of this Agreement in accordance with its terms or the date upon which Processing is no longer necessary for the purposes of either party performing its respective obligations under this Agreement (to the extent applicable).
3. Nature of Processing
Collection, storage, duplication, electronic viewing, deletion and destruction.
4. Purpose of Processing
Administration, support and management of customer business operations in provision of the Software.
5. Categories of Data Subject
Client’s employees or agents who access or use the Software, employees of Client; potentially former employees of Client, customers, officers, employees and temporary staff of Client and partners, complainants, correspondents, enquirers, suppliers, advisers, consultants and professional experts.
6. Sensitive Data
Not applicable
7. Sub-processors
Client acknowledges and agrees that Company may engage Sub-processors to process Client Personal Data. An up-to-date list of Sub-processors currently engaged by Company and authorized by Client along with a mechanism to subscribe to notifications of new Sub-processors is set forth here.
C. Competent Supervisory Authority
The competent supervisory authority shall be determined in accordance with the Applicable Data Protection Laws.
ANNEX II - Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
As of the date of this DPA, the following technical and organizational measures have been implemented by Company to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Company may review and upgrade its security measures at any time without notice, provided that such updates maintain (or enhance) security and do not materially diminish the level of protection described below.
A. Technical and Organizational Security Measures of Company
1. Measures of pseudonymisation and encryption of personal data
a. All Client Personal Data is encrypted at rest and in transit using encryption that meets industry best practices;
b. Authentication credentials are encrypted at rest using industry-standard cryptography and key management practices.
2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
a. Company maintains policies and procedures intended to maintain the confidentiality, integrity, availability, and resiliency of Client Data;
b. Utilization of anti-virus and anti-malware software;
c. Implementation and maintenance of a written, comprehensive information security program;
d. Logging and monitoring of security events, of all critical assets that Process Personal Data, and of system components that perform security functions (e.g., firewalls, IDS/IPS, authentication), intended to identify actual or attempted access by unauthorized individuals and anomalous behavior; security controls are reviewed on a regular basis to assess whether they operate in a manner reasonably calculated to prevent and detect unauthorized access to or use of Client Personal Data;
e. Remote work procedures that require “clear desk, clear screen” standards, and a remote work policy that restricts access to authorized devices only;
f. Data protection program elements, such as technical measures or documented procedures, to address data minimization and retention limits, data quality, and implementation of data subject rights, appropriate to the processing;
g. Review the scope of security measures at least annually or when there is a material change in business practices that may reasonably implicate the security or integrity of Client Personal Data;
h. Third-party risk management, including:
i. All third-party or external vendors must be assessed via Company’s third-party risk management platform prior to engaging the vendor;
ii. Annual reassessments of each third-party or external vendor are conducted automatically and reviewed by Company’s security team;
i. Email security, including, but not limited to:
i. All emails are scanned for malicious attachments and hyperlinks;
ii. SPF, DMARC, and DKIM are configured for all Company domains;
iii. Company employees are made aware when an email originates outside of the organization;
j. Security measures are in place to detect impersonation or social engineering attempts of Company executives and senior leadership;
k. Vulnerability Management - internal and external vulnerability scans are performed to identify, prioritize, and remediate vulnerabilities in order to reduce exposure to potential exploits:
i. All production, development, and QA/test environments are scanned for vulnerabilities;
ii. Vulnerabilities in production environments are evaluated for risk and impact, and are either remediated within SLA guidelines or risk-accepted and added to Company’s risk register.
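The email-authentication claim in item 2.i above (SPF, DMARC and DKIM configured for all Company domains) is one a Client can verify independently, because SPF and DMARC records are published in public DNS as TXT records at the domain and at `_dmarc.<domain>`. The following is an added example, not Company’s tooling and not part of this DPA: a static checker that takes the text of those two records and flags settings that still leave a domain spoofable (`+all` or `?all`, `p=none`, `pct` below 100, more than ten DNS-lookup terms, no aggregate-report address). The records and domain names below are constructed placeholders. DKIM is not checked here because validating it requires knowing the selector the sender uses.

```python
"""Static SPF/DMARC record checks (added example; records below are constructed)."""
from dataclasses import dataclass


@dataclass
class Finding:
    record: str    # "SPF" or "DMARC"
    severity: str  # "high", "medium" or "low"
    message: str


# Terms that trigger a DNS lookup during SPF evaluation; RFC 7208 allows at most 10.
_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _name(term: str) -> str:
    """Strip the qualifier (+ - ~ ?) and any argument, e.g. '-include:x' -> 'include'."""
    t = term.lstrip("+-~?").lower()
    for sep in ":/=":
        t = t.split(sep, 1)[0]
    return t


def check_spf(spf: str) -> list[Finding]:
    findings: list[Finding] = []
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("SPF", "high", "no valid SPF record (missing v=spf1)")]
    mechanisms = [t for t in terms[1:] if "=" not in t]  # modifiers (redirect=, exp=) contain '='
    all_terms = [t for t in mechanisms if _name(t) == "all"]
    if not all_terms:
        if not any(t.lower().startswith("redirect=") for t in terms):
            findings.append(Finding("SPF", "medium", "no 'all' mechanism; unmatched senders get a neutral result"))
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append(Finding("SPF", "high", "'+all' authorizes every sender on the Internet"))
        elif qualifier == "?":
            findings.append(Finding("SPF", "medium", "'?all' is neutral; spoofed mail is not failed"))
    lookups = sum(1 for t in terms[1:] if _name(t) in _LOOKUP_TERMS)
    if lookups > 10:
        findings.append(Finding("SPF", "medium", f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)"))
    if any(_name(t) == "ptr" for t in mechanisms):
        findings.append(Finding("SPF", "low", "'ptr' mechanism is deprecated and unreliable"))
    return findings


def check_dmarc(dmarc: str) -> list[Finding]:
    findings: list[Finding] = []
    tags = {}
    for part in dmarc.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("DMARC", "high", "no valid DMARC record (missing v=DMARC1)")]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("DMARC", "high", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("DMARC", "low", "p=quarantine; move to p=reject once alignment is verified"))
    elif policy != "reject":
        findings.append(Finding("DMARC", "high", f"missing or invalid policy tag p={policy!r}"))
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(Finding("DMARC", "medium", f"pct={pct} applies the policy to only part of the mail"))
    if "rua" not in tags:
        findings.append(Finding("DMARC", "low", "no rua= address; no aggregate reports will be received"))
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if policy == "reject" and subdomain_policy != "reject":
        findings.append(Finding("DMARC", "medium", f"sp={subdomain_policy} leaves subdomains with a weaker policy"))
    return findings


def is_hardened(spf: str, dmarc: str) -> bool:
    """True when neither record carries a high- or medium-severity finding."""
    return not any(f.severity in ("high", "medium") for f in check_spf(spf) + check_dmarc(dmarc))


# Constructed sample records (placeholders, not any real domain's DNS).
WEAK_SPF = "v=spf1 include:_spf.example.net ptr +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(f"{label}: hardened={is_hardened(spf, dmarc)}")
        for f in check_spf(spf) + check_dmarc(dmarc):
            print(f"  [{f.severity}] {f.record}: {f.message}")
```

To run it against a live domain, feed `check_spf` the TXT record published at the domain and `check_dmarc` the TXT record at `_dmarc.<domain>` (for example from `dig +short TXT _dmarc.example.com`); the checker itself performs no network access.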
3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
a. The Company implements measures to ensure that Personal Data is protected from accidental destruction or loss, including by maintaining:
i. Business continuity and disaster recovery plans and procedures, including assigning appropriate Personnel to coordinate planning, training, and testing activities and periodic evaluation of said policies and procedures;
ii. Backups stored at alternative sites and available for restore in case of failure of primary systems;
iii. Incident management procedures that are regularly tested
4. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
a. Monitoring of security controls on a regular basis to assess whether controls are operating in a manner reasonably calculated to prevent and detect unauthorized access to or use of Client Personal Data;
b. Review the scope of security measures at least annually or when there is a material change in business practices that may reasonably implicate the security or integrity of Client Personal Data;
c. Company’s technical and organizational measures are regularly tested and evaluated by third-party auditors. These may include annual ISO/IEC 27001 audits, AICPA SOC 2 Type I audits, and other external audits. Measures are also regularly tested by internal audits, as well as by annual and targeted risk assessments.
d. All Company employees and contractors are required to take annual security training, which includes, but is not limited to, physical security requirements, current cyber threats, and phishing;
e. All Company employees and contractors are required to take annual privacy training;
5. Measures for user identification and authorisation
a. Identity and Access Management - strong access controls and authentication mechanisms are implemented to safeguard critical systems and data:
i. Access to all Company critical applications and infrastructure is provisioned on a per-user basis upon request;
ii. Multi-factor authentication is required for access to all Company critical applications, infrastructure, and data;
iii. Company employee and contractor access is deprovisioned automatically upon departure from the Company;
iv. Access and privileges to Company applications, infrastructure, and data are audited at least annually;
v. A password vault is provided to all Company employees to create, store, and rotate strong, unique passwords;
vi. Company privileged accounts require the use of one-time passcodes.
6. Measures for the protection of data during transmission
a. All Client Personal Data is encrypted in transit (encryption at rest is addressed in item 7 below);
7. Measures for the protection of data during storage
a. All Client Personal Data is encrypted at rest (encryption in transit is addressed in item 6 above);
8. Measures for ensuring physical security of locations at which personal data are processed
a. Implementation of physical entry controls and monitoring for Company locations where Client Personal Data is Processed, including requiring Personnel accessing these locations to employ individually identifiable entry controls that provide an audit trail of each entry, along with maintaining robust policies and procedures regarding access to Company locations by external parties.
9. Measures for ensuring events logging
a. A robust visibility and monitoring program allows Company’s security team to quickly identify and triage potential threats across the Company, including, but not limited to:
i. Implementation of intrusion prevention and detection systems to monitor and log system resources for potential unauthorized access and generate alerts on attempted attacks;
ii. SIEM deployment to collect and aggregate logs from SaaS applications, physical and cloud-based infrastructure, communications applications, and security applications;
iii. All logs are immutable and cannot be altered or destroyed;
iv. Custom dashboard and alerts are utilized to monitor critical data and infrastructure, enabling near real-time response to security related events;
10. Measures for ensuring system configuration, including default configuration
a. Ongoing monitoring and review of configurations including assessing the Software for security flaws;
11. Measures for internal IT and IT security governance and management
a. Maintenance of a written, comprehensive information security program, proportionate to the risks of the Processing and consistent with applicable industry standards, that includes, but is not limited to:
i. Information security policies;
ii. Access management;
iii. Change management;
iv. Physical and environmental security;
v. Incident response plans and procedures;
vi. Vulnerability management;
vii. Patch management;
viii. Business continuity and disaster recovery plans;
ix. Continuous monitoring;
x. Asset criticality and data classification;
xi. Data retention and destruction policies;
xii. Third party and vendor security;
xiii. Hiring policies;
xiv. Employment termination policies;
xv. Security awareness;
xvi. Privacy policies;
xvii. Data security procedures;
b. Implementation of a risk management program to help address security vulnerabilities and deploy security patches within a commercially reasonable timeframe.
12. Measures for certification/assurance of processes and products
Company engages independent, external auditors to assess its controls against industry-standard privacy and security frameworks. Company has obtained the following compliance certifications: SOC 2 Type I; ISO/IEC 27001.
13. Measures for ensuring data minimisation
a. Implementation of data retention policies;
b. Implementation of controls designed to ensure that Client Personal Data is deleted consistent with applicable data retention policies;
c. Restriction of Company Personnel access to Client Personal Data to authorized Personnel who are subject to written confidentiality obligations and have participated in security awareness training;
14. Measures for ensuring data quality
a. Identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality and/or integrity of any records containing Client Personal Data, regardless of format, and evaluation of and implementation of improvements, where necessary, to the effectiveness of the current safeguards for limiting such risks.
15. Measures for ensuring limited data retention
a. Implementation of data retention policies;
b. Implementation of controls designed to ensure that Client Personal Data is deleted consistent with applicable data retention policies;
16. Measures for ensuring accountability
a. Adoption and implementation of data protection policies;
b. Execution of written agreements with Sub-processors who may have access to Client Personal Data;
c. Implementation of intrusion prevention and detection systems to monitor and log system resources for potential unauthorized access and generate alerts on attempted attacks;
d. Adoption of retention policies for logs, audit trails and other documentation that provides evidence of security, systems, and audit processes and procedures related to Client Personal Data;
e. Annual employee and contractor security and privacy awareness training.
17. Measures for allowing data portability and ensuring erasure
a. Encryption of Client Personal Data in transit utilizing industry standard cryptography and key management practices;
b. Where technically enforced, encryption of Client Personal Data and back-ups of Client Personal Data at rest utilizing industry standard cryptography and key management practices;
c. Encryption of authentication credentials at rest utilizing industry standard cryptography and key management practices.
18. Technical and Organizational Measures required to be taken by Company’s Sub-processors
For transfers to Sub-processors, Company, as Processor, requires that its Sub-processors take appropriate technical and organizational measures to assist the Controller in protecting the security, confidentiality, and integrity of Client Personal Data as follows:
a. Relevant agreements with Sub-processors include requirements for appropriate technical and organizational measures relevant to the Sub-processor services provided to Company;
b. Technical and organizational measures used to mitigate any risks associated with Sub-processor access to Client Personal Data in its provision of relevant Sub-processor services to Company are agreed upon with the Sub-processor and documented;
c. All relevant technical and organizational measures are established and agreed upon with each Sub-processor that may access, Process, or store Client Personal Data;
d. Company performs a security risk assessment for each Sub-processor that may access, Process, or store Client Personal Data.