Data Processing Addendum

LAST UPDATED: APRIL 13, 2022


This Data Processing Addendum (the "Addendum") forms part of the Terms of Service, available at https://www.profitwell.com/terms-security, as updated from time to time between you and ProfitWell (as defined below) or other agreements between you and ProfitWell governing your use of the ProfitWell Application and Price Intelligently Application and any other services ("Services") purchased by you from ProfitWell ("Agreement") when the GDPR applies to your use of the Services to process Client Personal Data.

The terms used in this Addendum shall have the meanings set forth in this Addendum and capitalized terms not defined herein shall have the meaning set forth in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.

In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended by, and including, this Addendum. Each reference to the Addendum in this Addendum means this Addendum including its Schedules and Appendices.

If you have any questions or concerns with respect to this Agreement or the Services you may contact the Company at product@profitwell.com.

In the course of providing the Services to Client pursuant to the Agreement, Provider may Process Personal Data on behalf of Client and the parties agree to comply with the following provisions with respect to any Personal Data.

1. Definitions

Any capitalized term not defined in this DPA shall have the meaning given to it in the Terms of Use.

Client Personal Data means any Personal Data Processed by ProfitWell (or a Subprocessor) on behalf of Client pursuant to or in connection with the Agreement;

Data Protection Laws means all laws and regulations, including laws and regulations of the UK, the European Union, the European Economic Area and their member states, and the GDPR, applicable to the Processing of Client Personal Data under the Agreement which are applicable to Client, including:

i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the "EU GDPR"); and
ii) the EU GDPR as implemented into the law of the United Kingdom by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 and the Data Protection Act 2018 (the "UK GDPR").

ProfitWell means 200 OK, LLC and any affiliate entity ("Affiliate Entity" being any corporation, partnership, limited liability company or other form of legal entity, which directly or indirectly controls, is controlled by or is under joint control, from time to time);

Sub-processor means any person (including any third party, but excluding an employee of Provider or any of its sub-contractors) appointed by or on behalf of Processor to Process Personal Data on behalf of Client under the Agreement;

Subsidiary means any entity that directly or indirectly controls, is controlled by, or is under common control of a party. "Control," for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of a party;

Security Documentation means the security documents located at https://www.profitwell.com/terms-security as amended from time to time, or as otherwise made available by the Processor to the Controller.

Standard Contractual Clauses means:

i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and
ii) where the UK GDPR applies, the template Addendum B.1.0 issued by the UK's Information Commissioner's Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 ("UK Approved Addendum") and the accompanying Mandatory Clauses of the UK Approved Addendum, as updated from time to time and/or replaced by any further version published by the Information Commissioner's Office ("UK Mandatory Clauses").

The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Processing", "Processor", and "Supervisory Authority" shall have the same meaning as in the GDPR, and shall be construed accordingly.

2. Effectiveness

2.1 Legal Authority. Client signatory represents to ProfitWell that he or she has the legal authority to bind Client and is lawfully able to enter into contracts.

2.2 Termination. This Addendum will terminate upon the earliest of: (i) termination of the Agreement as permitted hereunder or by ProfitWell's Terms and Conditions (and without prejudice to the survival of accrued rights and liabilities of the parties and any obligations of the parties which either expressly or by implication survive termination); (ii) as earlier terminated pursuant to the terms of this Addendum; or (iii) as agreed by the parties in writing.

3. Processing of Personal Data

3.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Client is the Data Controller, ProfitWell is a Data Processor and that ProfitWell will engage Sub-processors pursuant to the requirements set forth in Section 5 "Sub-processors" below.

3.2 Client Authority. Client represents and warrants that it is and will at all relevant times remain duly and effectively authorized to give the instruction set forth in Section 3.4 below on behalf of itself.

3.3 Client's Processing of Personal Data. Client shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws. Client's instructions for the Processing of Personal Data shall comply with Data Protection Laws. In addition, Client shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Client acquired Personal Data. Personal Data provided by the Client shall not contain information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning an individual's sex life or sexual orientation ("Special Categories of Data").

3.4 ProfitWell's Processing of Personal Data.

a. ProfitWell shall only Process Client Personal Data for the purpose of the provision of the Services under the Agreement and in accordance with Client's documented instructions which are consistent with the terms of the Agreement, unless Processing is required by Data Protection Laws to which ProfitWell (or the applicable sub-processor) is subject, in which case ProfitWell shall to the extent permitted by the Data Protection Laws inform Client of that legal requirement before the relevant Processing of that Client Personal Data.
b. This Addendum, the Agreement, and any Order Forms thereunder, are Client's complete and final instructions to ProfitWell for the Processing of Client Personal Data. Any additional or alternate instructions must be agreed upon separately.
c. The following are deemed instructions of the Client to ProfitWell: The processing of Client Personal Data (i) in accordance with the Agreement, this Addendum and any Order Forms under the Agreement, including without limitation with the transfer of Client Personal Data to any country or territory; and (ii) to comply with other documented instructions provided by Client where such instructions are consistent with the terms of the Agreement.
d. ProfitWell is permitted to share information relating to this Data Processing Agreement or obtained pursuant to this agreement with ProfitWell's Subsidiaries to the extent necessary for the provision of the Services in accordance with clause 5. ProfitWell may aggregate and anonymise Client Personal Data (such that it ceases to become Client Personal Data) in order to create reports, provide and improve the ProfitWell Services and the services of its Subsidiaries, and to provide better functionality to ProfitWell's and ProfitWell's Subsidiaries' clients.

3.5 Details of the Processing. The subject-matter of Processing of Client Personal Data by ProfitWell is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Client Personal Data and categories of Data Subjects Processed under this Addendum, as required by article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws), are further specified in Exhibit A to this Addendum, as may be amended by the parties from time to time.

4. ProfitWell Personnel

Throughout the term of this Addendum, ProfitWell shall restrict its personnel from Processing Client Personal Data without authorization by ProfitWell and shall limit the Processing to that which is needed for the specific individual's job duties in connection with ProfitWell's provision of the Services under the Agreement. ProfitWell will impose appropriate contractual obligations on its personnel, including relevant obligations regarding confidentiality, data protection and data security.

5. Sub-Processors

5.1 Appointment of Sub-Processors. The Client acknowledges and agrees that: (i) Subsidiaries of ProfitWell may be used as Sub-processors; and (ii) ProfitWell and its Subsidiaries respectively may engage Sub-processors in connection with the provision of the Services.

5.2 List of Current Sub-processors and Notification of New Sub-processors. When requested by the Client, ProfitWell shall make available to Client an up-to-date list of all Sub-processors used for the processing of Client Personal Data.

5.3 Objection Right for New Sub-processors. ProfitWell shall give Client prior written notice of the appointment of any new Sub-processor, including full details of the Processing to be undertaken by the Sub-processor. If, within 14 days of receipt of that notice, Client notifies ProfitWell in writing of any objections (on reasonable grounds) to the proposed appointment, then (i) ProfitWell shall work with Client in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Sub-processor; and (ii) where such a change cannot be made within 14 days from ProfitWell's receipt of Client's notice, notwithstanding anything in the Agreement, Client may by written notice to ProfitWell with immediate effect terminate the Agreement to the extent that it relates to the Services which require the use of the proposed Sub-processor.

5.4 Sub-processing Agreement; Liability. ProfitWell has or shall enter into a written agreement with each Sub-processor (the "Sub-processing Agreement") containing data protection obligations not less protective than those in the Agreement and/or this Addendum with respect to the protection of Client Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor. ProfitWell shall be liable for the acts and omissions of its Sub-processors to the same extent ProfitWell would be liable if performing the services of each Sub-processor directly under the terms of this Addendum.

6. Security

6.1 Adequate Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ProfitWell shall in relation to the Client Personal Data implement and maintain throughout the term of this Addendum, the technical and organizational measures set forth in Exhibit B (the "Security Measures"). Client acknowledges and agrees that it has reviewed and assessed the Security Measures and deems them appropriate for the protection of Client Personal Data.

6.2 Personal Data Breach Risk. In assessing the appropriate level of security, ProfitWell shall take account of the risks that are presented by Processing, in particular from an incident of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Client Personal Data ("Personal Data Breach").

7. Data Subject Rights

7.1 Correction, Blocking and Deletion. ProfitWell shall comply with any commercially reasonable request by Client to correct, amend, block, or delete Client Personal Data, as required by Data Protection Laws, to the extent ProfitWell is legally permitted to do so.

7.2 Measures to assist with Data Subject Rights. Taking into account the nature of the Processing, ProfitWell shall assist Client by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Client's obligations, as reasonably understood by Client, to respond to requests to exercise Data Subject rights under the Data Protection Laws. To the extent legally permitted, Client shall be responsible for any costs arising from ProfitWell's provision of such assistance.

7.3 Response to Requests. ProfitWell:
a. shall promptly notify Client if it or any Sub-processor receives a request from a Data Subject under any Data Protection Laws & Regulation in respect of Client Personal Data; and
b. shall not, and shall ensure that no Sub-processor does, respond to that request except on the documented instructions of Client or as required by Data Protection Laws to which ProfitWell or the Sub-processor is subject, in which case ProfitWell shall, to the extent permitted by such Data Protection Laws, inform Client of that legal requirement before it or the applicable Sub-processor responds to the request.

8. Personal Data Breach

8.1 Notification of Data Breach. ProfitWell shall, to the extent permitted by law, notify Client without undue delay upon ProfitWell or any Sub-processor becoming aware of a Personal Data Breach, providing Client with sufficient information to allow Client to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

8.2 Assistance. ProfitWell shall cooperate with Client and take such reasonable commercial steps as are directed by Client to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

9. Data Protection Impact Assessment and Prior Consultation

ProfitWell shall provide reasonable assistance to Client with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Client reasonably considers to be required of it by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law & Regulation, in each case solely in relation to Processing of Client Personal Data by, and taking into account the nature of the Processing and information available to, ProfitWell or the Sub-processors.

10. Return or Destruction of Personal Data

10.1 Return or Deletion. Subject to the provisions of Section 10.2 below, at Client's election, made by written notice to ProfitWell following 30 days of the date of cessation of any Services involving the Processing of Client Personal Data (the "Cessation Date"), ProfitWell shall, and shall procure that all Sub-processors: (a) return a complete copy of all Client Personal Data to Client in such format and manner requested by Client and reasonably acceptable to ProfitWell; and (b) delete and procure the deletion of all other copies of Client Personal Data Processed by ProfitWell or any Sub-processor. ProfitWell shall comply with any such written request within 30 days of the Cessation Date.

10.2 Retention of Copies. ProfitWell and each Sub-processor may retain Client Personal Data to the extent required by applicable European Union law or the law of an EU Member State and only to the extent and for such period as required by such laws and always provided that ProfitWell shall ensure the confidentiality of all such Client Personal Data and shall ensure that such Client Personal Data is only Processed as necessary for the purpose(s) specified in such law requiring its storage and for no other purpose.

11. Audit

11.1 Report on Compliance. Subject to the provisions of Section 11.3 below, at Client's written request, ProfitWell will provide Client all information necessary to demonstrate compliance with this Addendum. The information provided will constitute ProfitWell Confidential Information under the confidentiality provisions of the Agreement or a non-disclosure agreement, as applicable.

11.2 Audit. ProfitWell shall allow for and contribute to audits, including inspections, by any Client or an auditor mandated by Client in relation to the Processing of the Client Personal Data by ProfitWell or Sub-processors in accordance with Sections 11.1 and 11.3 of this Addendum.

11.3 Process. The parties agree that the audits described in Section 11.2 above and/or in the Standard Contractual Clauses shall be carried out in accordance with the following specifications:

a. Client may contact ProfitWell in accordance with the "Notices" Section of the Agreement to request an on-site audit of the procedures relevant to the protection of Personal Data. Client may also review previous audits of ProfitWell's systems by an independent third party ("Third Party Audit") if such a report is available.

b. Client shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to ProfitWell or Sub-processor premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.

c. Before the commencement of any such on-site audit, Client and ProfitWell shall mutually agree upon the scope, timing, and duration of the audit.

d. ProfitWell or Sub-processor need not give access to its premises for the purposes of such an audit or inspection:
i. to any individual unless he or she produces reasonable evidence of identity and authority;
ii. outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Client undertaking an audit has given notice to ProfitWell that this is the case before attendance outside those hours begins; or
iii. for the purposes of more than one audit or inspection, in respect of ProfitWell or each Sub-processor, in any calendar year, except for any additional audits or inspections which: (A) Client reasonably considers necessary because of genuine concerns as to ProfitWell's or applicable Sub-processor's compliance with this Addendum; or (B) Client is required or requested to carry out by Data Protection Law and Regulation, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory; where Client has identified its concerns or the relevant requirement or request in its notice to ProfitWell.

11.4 Following the Audit:

a. If Client chooses to conduct an independent audit rather than rely on current Third Party Audit, if applicable and available, or if Client makes such choice because a current Third Party Audit is not available, Client will be responsible for any fees charged by any auditor appointed by Client to execute any such audit. ProfitWell will provide Client with further details of any applicable fee, and the basis of its calculation, in advance of any such review or audit.

b. Client shall promptly notify ProfitWell with information regarding any noncompliance discovered during the course of an audit.

12. Transfer of Data

12.1 Standard Contractual Clauses. Where Personal Data relating to an EU or UK Data Subject is transferred outside of the EEA it shall be processed only by entities which: (i) are located in a third country or territory recognised by the EU Commission to have an adequate level of protection; or (ii) have entered into Standard Contractual Clauses with the Processor; or (iii) have other legally recognised appropriate safeguards in place, such as a certification under the EU-US Privacy Shield (to the extent in force and applicable) or Binding Corporate Rules.

12.2 Applicability. Section 12.1 shall not apply to a cross border transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the relevant cross border transfer to take place without breach of applicable Data Protection Law and Regulation (a "Restricted Transfer").

12.3 Transfers between Client and ProfitWell. The Standard Contractual Clauses apply to (i) the legal entity that has executed the Standard Contractual Clauses as a Data Exporter and, (ii) all affiliates of Client, if any, established within the UK, the European Economic Area (EEA) and Switzerland that have purchased Services on the basis of an Order Form. For the purpose of the Standard Contractual Clauses and this Section 12, the Client and its affiliates shall be deemed to be "Data Exporters" and the following terms shall apply:

a. in relation to Client Personal Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
i. Module Two will apply;
ii. in Clause 7, the optional docking clause will apply;
iii. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 5.3 of this Agreement;
iv. in Clause 11, the optional redress mechanism will not apply;
v. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
vi. in Clause 18(b), disputes shall be resolved before the courts of Ireland;
vii. Annex I of the EU SCCs shall be deemed completed with the information set out in Exhibit A to this Agreement (Details of the Processing);
viii. Annex II of the EU SCCs shall be deemed completed with the information set out in Exhibit B to this Agreement (Security Measures).

b. In relation to Client Personal Data that is protected by the UK GDPR, the parties agree that the EU SCCs subject to the UK Approved Addendum will apply. The UK Approved Addendum is incorporated into this Agreement. The parties hereby agree that in relation to the UK Addendum:
i. the information required for Table 1 is contained in Exhibit A of this Agreement and the start date shall be deemed dated the same date as the EU SCCs;
ii. in relation to Table 2, the version of the EU SCCs to which the UK Approved Addendum applies shall be Module Two;
iii. in relation to Table 3, the description of the transfer is as set out in Exhibit A, ProfitWell's technical and organisational measures are set out in Exhibit B, and the list of ProfitWell's sub-processors shall be provided via its website at learn.profitwell.com/article/se5xmjlhhd-what-data-sub-processors-do-you-use or such other links as provided by ProfitWell from time to time, and Clause 5 of this Agreement; and
iv. in relation to Table 4, neither party will be entitled to terminate the UK Approved Addendum in accordance with clause 19 of the UK Mandatory Clauses.

12.4 Sub-processors. ProfitWell warrants and represents that, before the commencement of any Restricted Transfer to a Sub-processor, it shall ensure that one of the following is in place: (i) the Standard Contractual Clauses are at all relevant times incorporated into the agreement between ProfitWell, or a relevant intermediate Sub-processor, on the one hand and Sub-processor on the other hand; (ii) that Sub-processor enters into an agreement incorporating the Standard Contractual Clauses with Client or that (iii) ProfitWell's entry into the Standard Contractual Clauses under Section 12.1 above as agent for and on behalf of that Sub-processor, will have been duly and effectively authorized (or subsequently ratified) by that Sub-processor.

12.5 Conflict. In the event of any conflict or inconsistency between the body of this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

13. Jurisdiction and Governing Law

13.1 Law. Save for as specified in relation to the Standard Contractual Clauses, this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws in which the data exporter is established.

13.2 Jurisdiction. With respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity the parties submit to the jurisdiction of the competent courts in which the data exporter is established.

14. Indemnification; Limitation of Liability

If one party is held liable for a violation of this Addendum or, if applicable, any provision of the Standard Contractual Clauses, committed by the other party, the latter will, to the extent to which it is liable, indemnify the first party for any cost, charge, damages, expenses or loss it has incurred in accordance with the provisions of the "Indemnification" Section of the Agreement. Each party's liability, taken together in the aggregate, arising out of or related to this Addendum and/or the Standard Contractual Clauses, whether in contract, tort or under any other theory of liability, is subject to the 'Limitation of Liability' section of the Agreement. For the avoidance of doubt, ProfitWell's total liability for all claims from the Client or any third party arising out of or related to the Agreement and this Addendum shall apply in the aggregate for all claims under both the Agreement and this Addendum.

Exhibit A: Details of the Processing

Processor / Data Importer:

Name: 200 OK, LLC
Address: 109 Kingston St, 4th Floor, Boston, MA 02111
Contact person's name, position and contact details: Patrick Campbell, President & CEO, patrick@profitwell.com
Activities relevant to the data transferred under these Clauses: Client receives the Services described in the Terms.
Role (controller/processor): Processor

Description of Transfer

Duration of the Processing: The duration of data processing shall be for the term agreed between data exporter and Provider in the Agreement or an applicable Order Form.

Nature and Purpose of the Processing: The scope and purpose of processing of the data subjects' personal data is to facilitate the provision of Provider's and its Subsidiaries' Services.

Types of Client Personal Data: The personal data transferred includes e-mail, user ID, name, phone number, last 4 digits of the card number, language, address, IP address, documents, and other data in an electronic form provided in the context of Provider's Services, which shall not include any Special Categories of Data.

Categories of Data Subjects: Data subjects include the Client's representatives and end users including employees, contractors, collaborators, and Client's customers. Data subjects may also include individuals attempting to communicate or transfer personal information to users of Provider's Services. The data subjects exclusively determine the content of data submitted to Provider.

Frequency of Transfer: Continuous

Competent Supervisory Authority: Where the EU GDPR applies, the competent supervisory authority shall be the Irish Data Protection Commissioner. Where the UK GDPR applies, the competent supervisory authority shall be the UK Information Commissioner's Office.

Exhibit B: Security Measures

 
1. Personnel


Data Importer's personnel will not process customer data without authorization. Personnel are obligated to maintain the confidentiality of any customer data and this obligation continues even after their engagement ends.



2. Data Privacy Contact


200 OK, LLC


Attn: Michael Cox — ProfitWell


109 Kingston Street (4th Floor)


Boston, MA 02111



3. Technical and Organization Measures


The Data Importer has implemented and will maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect customer data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction as follows:



3.1 Organization of Information Security.



a. Security Roles and Responsibilities. The Data Importer has appointed Michael Cox as the security officer responsible for coordinating and monitoring the security rules and procedures.



b. Duty of Confidentiality. The Data Importer's personnel with access to customer data are subject to confidentiality obligations.



3.2 Risk Management. The Data Importer conducts regular testing and monitoring of the effectiveness of its safeguards, controls, systems, including conducting penetration testing. The Data Importer implements measures, as needed, to address vulnerabilities discovered in a timely manner.



3.3 Storage. The Data Importer's database servers are hosted in a data center operated by a third party vendor, that has been qualified per the Data Importer's vendor management procedure. The Data Importer maintains complete administrative control over the virtual servers, and no third-party vendors have logical access to customer data.



3.4 Asset Management.



a. Asset Inventory. The Data Importer maintains an inventory of all media on which customer data is stored. Access to the inventories of such media is restricted to authorized personnel.



b. Asset Handling.


i. The Data Importer employees are required to utilize encryption to store data in a secure manner and are required to use two-factor authentication to access 200 OK, LLC's networks.


ii. The Data Importer imposes restrictions on printing customer data and has procedures for disposing of printed materials that contain customer data.


iii. The Data Importer's personnel must obtain authorization prior to storing customer data on portable devices, remotely accessing customer data, or processing customer data outside the Data Importer's facilities.



3.5 Software Development and Acquisition. For the software developed by Data Importer, Data Importer follows secure coding standards and procedures set out in its standard operating procedures.



3.6 Change Management. Data Importer implements documented change management procedures that provide a consistent approach for controlling, implementing, and documenting changes (including emergency changes) for the Data Importer's software, information systems or network architecture. These change management procedures include appropriate segregation of duties.



3.7 Third Party Provider Management. In selecting third party providers who may gain access to, store, transmit or use customer data, Data Importer conducts a quality and security assessment pursuant to the provisions of its standard operating procedures.



3.8 Human Resources Security. The Data Importer informs its personnel about relevant security procedures and their respective roles, as well as of possible consequences of breaching the security rules and procedures. Such consequences include disciplinary and/or legal action.



3.9 Physical and Environmental Security.



a. Physical Access to Facilities. The Data Importer limits access to facilities where information systems that process customer data are located to identified authorized individuals who require such access for the performance of their job function. Data Importer terminates the physical access of individuals promptly following the date of the termination of their employment or services or their transfer to a role no longer requiring access to customer data.



b. Physical Access to Components. The Data Importer maintains records of the incoming and outgoing media containing customer data, including the kind of media, the authorized sender/recipients, date and time, the number of media and the types of customer data they contain.



c. Protection from Disruptions. The Data Importer uses commercially reasonable systems and measures to protect against loss of data due to power supply failure or line interference.



d. Component Disposal. The Data Importer uses commercially reasonable processes to delete customer data when it is no longer needed.



3.10 Communications and Operations Management.



a. Security Documents. The Data Importer maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel.



b. Data Recovery Procedures.

i. On an ongoing basis, the Data Importer maintains multiple copies of customer data from which it can be recovered.


ii. The Data Importer stores copies of customer data and its data recovery procedures in a different place from where the primary computer equipment processing the customer data is located.


iii. The Data Importer has procedures in place governing access to copies of customer data.


iv. The Data Importer has anti-malware controls to help avoid malicious software gaining unauthorized access to customer data.



c. Encryption; Mobile Media. The Data Importer uses HTTPS encryption on all data connections. The Data Importer restricts access to customer data in media leaving its facilities.



d. Event Logging. The Data Importer logs the use of its data-processing systems. The Data Importer maintains logs for at least 30 days.



3.11 Access Control.



a. Records of Access Rights. The Data Importer maintains a record of security privileges of individuals having access to customer data.



b. Access Authorization.


i. The Data Importer maintains and updates a record of personnel authorized to access systems that contain customer data.


ii. The Data Importer deactivates authentication credentials of employees or contract workers immediately upon the termination of their employment or services.


iii. The Data Importer identifies those personnel who may grant, alter, or cancel authorized access to data and resources.



c. Least Privilege.



i. Technical support personnel are only permitted to have access to customer data when needed for the performance of their job function.

ii. The Data Importer restricts access to customer data to only those individuals who require such access to perform their job function.



d. Integrity and Confidentiality.



i. The Data Importer instructs its personnel to disable administrative sessions when leaving the Data Importer's premises or when computers are unattended.

ii. The Data Importer stores passwords in a way that makes them unintelligible while they are in force.



e. Authentication.



i. The Data Importer uses commercially reasonable practices to identify and authenticate users who attempt to access information systems.

ii. Where authentication mechanisms are based on passwords, the Data Importer requires that the passwords are renewed regularly.

iii. Where authentication mechanisms are based on passwords, the Data Importer requires the password to be at least eight characters long.

iv. The Data Importer ensures that de-activated or expired identifiers are not granted to other individuals.

v. The Data Importer maintains commercially reasonable procedures to deactivate passwords that have been corrupted or inadvertently disclosed or pursuant to a number of failed login attempts.

vi. The Data Importer uses commercially reasonable password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage.



f. Network Design. The Data Importer has controls to prevent individuals from assuming access rights they have not been assigned in order to gain access to customer data they are not authorized to access.



3.12 Network Security.



a. Network Security Controls. Data Importer's information systems have security controls designed to detect and mitigate attacks by using logs and alerting.



b. Antivirus. Data Importer implements endpoint protection on its hosting environments, including antivirus, which is continuously updated with critical patches or security releases in accordance with Data Importer's server change control procedures.



3.13 Information Security Incident Management.



a. Record of Breaches. The Data Importer maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, to whom the breach was reported, and the procedure for recovering data.

b. Record of Disclosure. The Data Importer tracks disclosures of customer data, including what data has been disclosed, to whom, and at what time.



3.14 Business Continuity Management. The Data Importer employs redundant storage and its procedures for recovering data are designed to attempt to reconstruct customer data in its original state from before the time it was lost or destroyed.