Data Processing Addendum

Effective Date: 2025-11-13

This DATA PROCESSING ADDENDUM ("DPA") forms part of the PropelAuth Terms of Service (the "Agreement") between: (i) PropelAuth, Inc. ("Vendor"), acting on its own behalf; and (ii) Customer ("Customer") acting on its own behalf (Vendor and Customer will together be referred to as the "Parties"). This DPA shall be effective as of the last signature below.

The terms used in this DPA shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.

1. Definitions

1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

1.1.1 "Affiliate" means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Vendor, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;

1.1.2 "CCPA" means the California Consumer Privacy Act of 2018, California Civil Code Section 1798.100, et seq., and, effective January 1, 2023, as amended by the California Privacy Rights Act of 2020 ("CPRA") and from time to time thereafter, and its implementing regulations.

1.1.3 "Data Breach" means a breach of security leading to the accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, access to, or other Processing of Personal Data transmitted, stored, or otherwise Processed;

1.1.4 "Data Protection Laws" means all data protection laws and regulations applicable to a Party’s Processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Laws and the CCPA;

1.1.5 "Data Subject Request" means a request made by a Data Subject in accordance with the rights granted under Data Protection Laws, including but not limited to requests to know, delete and opt-out under the CCPA and requests to access, rectify, erase, restrict Processing, data portability, object to Processing and not to be subject to automated individual decision making under EU Data Protection Laws.

1.1.6 "DORA" means Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No. 1060/2009, (EU) No. 648/2012, (EU) 600/2014, (EU) No. 909/2014 and (EU) 2016/1011.

1.1.7 "EU Data Protection Laws" means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) in respect of the United Kingdom ("UK") any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union) and (v) in respect of Switzerland, the revised Federal Act on Data Protection of 25 September 2020 ("revFADP");

1.1.8 "Europe" means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.

1.1.9 "EU Standard Contractual Clauses" means the contractual clauses set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, amended as indicated in Section 14.4 of this DPA;

1.1.10 "Personal Data" means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable natural person or particular household;

1.1.11 "Process" or "Processing" means any operation or set of operations which is performed on Personal Data by Vendor or its Subprocessors, or in connection with and for the purposes of the provision of the Services, whether or not accomplished by automatic means, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction; and as defined by Data Protection Laws;

1.1.12 "Sensitive Data" means (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (c) employment, financial, credit, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) account passwords; or (f) other information that falls within the definition of "special categories of data" or "special personal information" under applicable Data Protection Laws;

1.1.13 "Services" means the services and other activities to be supplied to or carried out by or on behalf of Vendor for Customer pursuant to the Agreement;

1.1.14 "Subprocessor" means any person appointed by or on behalf of Vendor to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Subprocessors may include third parties or Affiliates of Vendor but shall exclude Vendor employees, contractors, or consultants.

1.1.15 "U.K. GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).

1.1.16 "U.K. Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data from controllers to processors established in third countries which do not ensure an adequate level of protection, as described in Article 46 of the UK GDPR and approved by the European Commission decision 2010/87/EU.

1.2 The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data Breach", and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

1.3 The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.

2. Processing of Personal Data.

2.1 Roles of the Parties. The parties acknowledge and agree that with respect to the Processing of Personal Data under the Agreement, Customer is the Controller, and Vendor is the Processor or Service Provider. The subject matter, duration, purpose of the Processing, and types of Personal Data and categories of Data Subjects under this DPA are set forth in Annex 1.

2.2 N/A

2.3 Customer Obligations. Customer represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its Processing of Personal Data and any processing instructions it issues to Vendor; and (ii) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for Vendor to Process Personal Data for the purposes described in the Agreement. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Without prejudice to the generality of the foregoing, Customer agrees that it shall be responsible for complying with all laws (including Data Protection Laws) applicable to any content created, sent or managed through the Service.

2.4 Vendor’s Obligations. Vendor will adhere to applicable Data Protection Laws in Processing Personal Data. Vendor will Process Personal Data only in accordance with Customer’s documented written instructions. The Parties agree that the Agreement sets out Customer’s complete and final instructions to Vendor in relation to the Processing of Personal Data, and processing outside of the scope of these instructions (if any) shall require prior written agreement of both of the Parties.

2.5 Lawfulness of Customer’s Instructions. Customer shall ensure that Vendor’s processing of Personal Data in accordance with Customer’s instructions will not cause Vendor to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws.

2.6 Details of the Processing. The subject-matter of the Processing of Personal Data by Vendor is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Annex I hereto.

3. Subprocessing.

3.1 General Authorization. Customer generally authorizes the use of Subprocessors to Process Personal Data in connection with fulfilling Vendor’s obligations under the Agreement and/or this DPA. A list of current Subprocessors can be viewed at https://www.propelauth.com/subprocessor-list (the "Subprocessor List"). Customer hereby authorizes Vendor to engage the Subprocessors listed in the Subprocessor List.

3.2 New Subprocessors. When Vendor engages a new Subprocessor to Process Personal Data, Vendor will, at least ten (10) days before the new Subprocessor begins Processing Personal Data, notify Customer by updating the Subprocessor List.

3.3 Communication With Subprocessors. Customer shall not directly communicate with Vendor’s Subprocessors about the Services, unless agreed to in writing by Vendor in Vendor’s sole discretion.

4. Security.

4.1 Vendor’s Personnel. Vendor shall ensure that any person who is authorized by Vendor to process Personal Data (including its staff and agents) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

4.2 Security Measures. Vendor shall implement and maintain commercially reasonable technical and organizational measures that are designed to protect against Data Breaches involving, and unauthorized or accidental destruction, loss, alteration or damage, unauthorized disclosure of or access to, Personal Data and designed to preserve the security and confidentiality of Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in accordance with the security standards described in Annex D (the "Security Measures").

4.3 Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that Vendor may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services provided to Customer.

4.4 Customer’s Obligations Regarding Security Measures. Customer is responsible for independently determining whether the Security Measures adequately meet its obligations under applicable Data Protection Laws. Customer is also responsible for its secure use of the Services, including protecting the security of Personal Data in transit to and from the Services (including securely backing up or encrypting any such Personal Data).

5. Security Breach.

5.1 Notification. In the event that Vendor becomes reasonably aware of any Security Breach, Vendor will use good faith efforts to notify Customer of the Security Breach without undue delay, but in no event later than five (5) business days after Vendor becomes reasonably aware of the Security Breach. The notification obligations in this Section 5 do not apply to incidents that are caused by Customer or Customer’s personnel or users or to unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewall or networked systems.

5.2 Manner of Notification. Notification of a Security Breach, if any, will be delivered to one or more of Customer’s business, technical or administrative contacts by any means that Vendor selects, including via electronic mail. It is Customer’s sole responsibility to ensure that it maintains accurate contact information with Vendor at all times.

5.3 Data Breach Management. Vendor shall make commercially reasonable efforts to identify the cause of a Data Breach and take those steps that Vendor deems necessary and reasonable to remediate the cause of such Data Breach to the extent that remediation is within Vendor’s reasonable control.

6. Termination.

6.1 Termination. This DPA shall terminate automatically upon the later of (a) the termination or expiry of the Agreement, or (b) Vendor’s deletion or return of the Personal Data to Customer.

6.2 Return or Deletion of Data. Upon termination or expiration of this DPA, Vendor shall (at Customer’s election) delete or return to Customer all existing copies of Personal Data, unless Data Protection Laws require continued retention of the Personal Data. Upon Customer’s request, Vendor shall confirm compliance with these obligations in writing. This requirement shall not apply to Personal Data that Vendor has archived on backup systems, which Personal Data shall be deleted by Vendor at such time as Vendor next restores to its active systems the backup that contains the Personal Data.

7. Data Subject Requests.

7.1 Data Subject Requests. In the event that a Data Subject Request is made to Vendor, Vendor shall not respond to the Data Subject Request directly, except to direct the Data Subject to contact Customer directly or as required by Data Protection Laws. If Vendor is required by Data Protection Laws to respond to the Data Subject Request, it shall notify Customer by any means that Vendor selects, including via electronic mail, unless prohibited from doing so by Data Protection Laws. For the avoidance of doubt, nothing in the Agreement or the DPA shall restrict or prevent Vendor from responding to any Data Subject Request or request or inquiry from a Data Protection Authority in relation to Personal Data for which Vendor is a Controller.

8. Jurisdiction Specific Terms.

8.1 To the extent that Vendor Processes Personal Data subject to the GDPR, the terms of Annex B shall apply and are hereby incorporated into the DPA by this reference. To the extent that Vendor Processes Personal Data subject to the CCPA, the terms of Annex C shall apply and are hereby incorporated into the DPA by this reference. To the extent that Customer is subject to DORA and Vendor is an Information and Communication Technology Third Party Service Provider of Customer as that term is defined in Article 3(19) of DORA, the terms of Annex E shall apply and are hereby incorporated into the DPA by this reference.

9. Limitation of Liability.

9.1 Limitation of Liability. To the extent permitted by applicable Data Protection Laws, each Party’s (and all of that Party’s Affiliates’) liability taken together in the aggregate arising out of or related to this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set forth in the Agreement.

9.2 Claims by Customer. Any claims made against Vendor or its Affiliates under or in connection with this DPA (including, where applicable, the SCCs) shall be brought solely by the Customer entity that is a party to the Agreement.

9.3 Exclusion. In no event shall any Party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.

10. Concluding Provisions.

10.1 Amendments. This DPA may not be amended or supplemented, nor shall any of its provisions be deemed to be waived or otherwise modified, except through a writing duly executed by authorized representatives of Vendor and Customer.

10.2 Severability. Should any provision of this DPA or any of the Annexes be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained herein.

10.3 Governing Law. This DPA will be governed by and construed in accordance with the laws of the jurisdiction selected in the Agreement, without regard to conflict of laws provisions, unless required otherwise by Data Protection Laws.

10.4 Notice. Any notices that are required to be provided in this DPA shall be provided in accordance with any notice provision of the Agreement, unless otherwise specified.

10.5 Authorization. Customer represents that it is authorized to agree to and enter into this DPA.

ANNEX A TO DPA - DESCRIPTION OF THE PROCESSING

1. Subject Matter and Details of the Processing

The Parties acknowledge and agree that (i) the subject matter of the Processing under the Agreement is Vendor’s provision of the Services; (ii) the duration of the Processing is from Vendor’s receipt of Personal Data until deletion of all Personal Data by Vendor in accordance with the Agreement; (iii) the nature and purpose of the Processing is to provide the Services; (iv) the Data Subjects to whom the Personal Data pertains are individuals about whom Vendor processes Personal Data in connection with the Services; and (v) the categories of Personal Data are those provided by Customer or its users in connection with the Services.

2. Types of Personal Data

Email address and any other user properties as defined by the Customer, as well as any information needed to properly debug or prevent cyber attacks.

3. Categories of Data Subjects

  • Users that are added to the PropelAuth account (Customer Personnel)
  • Users that the Customer onboards to their product via PropelAuth

4. Categories of Sensitive Data

N/A unless Customer specifically requests it via the User Properties feature.

5. Obligations and Rights of the Controller

The obligations and rights of Customer are as set out in the Agreement and the DPA.

ANNEX B TO DPA - PROVISIONS APPLICABLE TO PROCESSING OF PERSONAL DATA SUBJECT TO EU DATA PROTECTION LAWS

The provisions of this Annex II will apply to the Processing by Vendor of Personal Data under the Agreement, but only to the extent that the Processing of Personal Data is subject to EU Data Protection Laws. In the event of any conflict between the provisions of this Annex II and the DPA or the Agreement, the provisions of this Annex II shall control.

1. Processing of Personal Data.

1.1. Roles of the Parties. When Processing Personal Data that is subject to EU Data Protection Law in accordance with Customer’s instructions, the Parties acknowledge that Customer is the Controller of the Personal Data and Vendor is the Processor.

1.2. Legality of Processing Instructions. Vendor shall inform Customer in writing, including by electronic mail, if it believes that an instruction of Customer relating to the Processing of Personal Data infringes on EU Data Protection Laws.

2. Subprocessors.

2.1. Objection to New Subprocessors. If Customer has a reasonable objection to the addition of a new Subprocessor to the Subprocessor List in accordance with Section 3.2 of the DPA, Customer must notify Vendor of the objection in writing within ten (10) calendar days of the addition of the new Subprocessor to the Subprocessor List. If Customer does not notify Vendor in writing of an objection within ten (10) calendar days, Customer waives any objection that it may have had to the new Subprocessor. If Customer submits an objection in accordance with this Section 2, the Parties agree to discuss Customer’s concerns in good faith with a view toward achieving a commercially reasonable resolution. If no such resolution can be reached within thirty (30) calendar days, Vendor may, at its option, either (a) withdraw the objectionable Subprocessor and either perform the Services itself, or appoint a new Subprocessor in accordance with the terms of Section 3.2 of the DPA, or (b) permit Customer to suspend or terminate the Services and the Agreement in accordance with the termination provisions of the Agreement without liability to either party (but Customer must pay any fees incurred for Services actually performed by Vendor prior to suspension or termination in accordance with the terms of the Agreement). The parties agree that by complying with this Section 2, Vendor fulfills its obligations under Section 9 of the Standard Contractual Clauses.

2.1.1. Subprocessor Contractual Terms. Vendor will contractually impose data protection obligations on its Subprocessors that are equivalent to those data protection obligations imposed on Vendor under the DPA and this Annex II.

2.1.2. Liability for Acts/Omissions of Subprocessors. Vendor shall remain liable for the acts and omissions of its Subprocessors to the same extent that Vendor would be liable if it performed the services of each Subprocessor directly under the terms of this DPA.

3. Data Subject Requests.

Taking into account the nature of the Processing, Vendor shall assist Customer by appropriate technical and organizational measures, insofar as it is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request.

4. Data Protection Impact Assessment.

To the extent required under applicable Data Protection Laws, Vendor shall (taking into account the nature of the processing and the information available to Vendor) provide all reasonably requested information regarding the Services to enable Customer to carry out data protection impact assessments or prior consultations with Supervisory Authorities as required by Data Protection Laws. Vendor shall comply with the foregoing by: (i) complying with Section 5 (Audits) of this Annex B; (ii) providing the information contained in the Agreement, including this DPA; and (iii) if the foregoing subsections (i) and (ii) are insufficient for Customer to comply with such obligations, upon request, providing additional reasonable assistance (at Customer’s expense).

5. Audits.

5.1. Audits Generally. Vendor will make information reasonably necessary to demonstrate compliance with this DPA available to Customer. Customer may audit Vendor’s compliance with its obligations under this DPA up to once per year and on such other occasions as may be required by applicable Data Protection Laws, including where mandated by Customer’s Supervisory Authority. Any audit must be conducted during regular business hours, subject to the agreed final audit plan as set forth in Section 5.3 of this Annex II and subject to Vendor’s safety, security or other relevant policies, and may not unreasonably interfere with Vendor’s business activities.

5.2. Third Party Auditors. If a third party is to conduct an audit under Section 5.1 of this Annex II, Vendor may object to the auditor if the auditor is, in Vendor’s reasonable opinion, a competitor of Vendor. Such objection by Vendor will require Customer to appoint another auditor or conduct the audit itself. Customer will be responsible for all fees charged by any auditor appointed by Customer to execute any audit under this Section 5.

5.3. Audit Plan. Aside from an audit of a Supervisory Authority, to request an audit, Customer must submit a detailed proposed audit plan to Vendor at least thirty (30) calendar days in advance of the proposed audit date and any third party auditor must sign a customary non-disclosure agreement mutually acceptable to the Parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the scope, duration and start date of the audit. Vendor will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Vendor’s security, privacy, employment or other relevant policies). Vendor will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 5.3 shall require Vendor to disclose any information where such disclosure would result in a breach of any duty of confidentiality.

5.4. Third Party Audit Reports. If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer’s audit request and Vendor has confirmed there are no known material changes in the controls audited, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures.

5.5. Subprocessor Information. Nothing in this Section 5 shall be construed to require Vendor to furnish more information about its Subprocessors in connection with such audits than such Subprocessors make available to Vendor without restriction on further disclosure.

5.6. Audit Reports. Customer will promptly notify Vendor of any non-compliance discovered during the course of an audit and provide Vendor any audit reports generated in connection with any audit under this Section 5 unless prohibited by applicable Data Protection Laws or otherwise instructed by a Supervisory Authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA. If any audit reveals that Vendor is not in compliance with the provisions of this DPA and/or applicable Data Protection Laws, Vendor shall take commercially reasonable corrective actions including temporary work-arounds reasonably necessary to comply with the provisions of this DPA and/or applicable Data Protection Laws.

6. Cross-Border Data Transfers.

6.1. Processing in United States of America. Customer acknowledges that, as of the date of this DPA, Vendor’s primary Processing facilities are located in the United States of America.

6.2. EU Standard Contractual Clauses: For data transfers from the European Economic Area to a country that has not been deemed by the European Commission to provide an adequate level of protection of Personal Data pursuant to Article 45 of the GDPR, Module Two of the EU Standard Contractual Clauses will apply in the following manner:

6.2.1. In Clause 7, the optional docking clause will not apply;

6.2.2. In Clause 9(a), Option 2 will apply, and the time period for notice of Subprocessor changes will be as set forth in Section 3.2 (Subprocessing) of the DPA;

6.2.3. In Clause 11, the optional language will not apply;

6.2.4. In Clause 17, Option 1 will apply, and the EU Standard Contractual Clauses will be governed by Ireland law;

6.2.5. In Clause 18(b), disputes will be resolved before the courts of Ireland;

6.2.6. In Annex 1, Part A:

6.2.6.1. Data Exporter: Customer and authorized affiliates of Customer;

6.2.6.2. Contact Details: Customer’s email address, or the email address(es) for which Customer elects to receive privacy communications.

6.2.6.3. Data Exporter Role: The Data Exporter’s role is defined in Section 2 of this DPA.

6.2.6.4. Signature & Date: By entering into this DPA, Data Exporter is deemed to have signed the EU Standard Contractual Clauses (Module 2) incorporated herein, including their Annexes, as of the date of this DPA.

6.2.6.5. Data Importer: PropelAuth, Inc

6.2.6.6. Contact Details: support@propelauth.com

6.2.6.7. Data Importer Role: The Data Importer’s role is outlined in Section 2 of this DPA.

6.2.6.8. Signature & Date: By entering into this DPA, Data Importer is deemed to have signed the EU Standard Contractual Clauses (Module 2) incorporated herein, including their Annexes, as of the date of this DPA.

6.2.7. In Annex I, Part B:

6.2.7.1. The categories of Data Subjects are described in Annex A, Section 3 to this DPA.

6.2.7.2. The Sensitive Data transferred is described in Annex A, Section 4 to this DPA.

6.2.7.3. The frequency of the transfer is a continuous basis for the duration of the Agreement.

6.2.7.4. The nature of the processing is described in Annex A, Section 1 to this DPA.

6.2.7.5. The purpose of the processing is described in Annex A, Section 1 to this DPA.

6.2.7.6. The period of the processing is described in Annex A, Section 1 to this DPA.

6.2.7.7. For transfers to Subprocessors, the subject matter of the processing is as follows: User activity logs, usage analytics, email and contact information, and other user data as defined via the PropelAuth user properties feature.

6.2.7.8. For transfers to Subprocessors, the nature of the processing is as follows: Webhosting, email services, automation, infrastructure logging tools, and marketing.

6.2.7.9. For transfers to Subprocessors, the duration of the processing is as follows: For the duration of the Agreement.

6.2.8. In Annex I, Part C, the competent Supervisory Authority is Ireland.

6.2.9. Annex D to this DPA serves as Annex II to the EU Standard Contractual Clauses.

6.3. U.K. Standard Contractual Clauses: For data transfers from the United Kingdom to a country that has not been deemed by the United Kingdom Information Commissioner’s Office to provide an adequate level of protection of Personal Data pursuant to Article 45 of the U.K. GDPR, the U.K. Standard Contractual Clauses will apply in the following manner:

6.3.1. The illustrative indemnification clause will not apply;

6.3.2. Annex A serves as Appendix 1 to the U.K. Standard Contractual Clauses; and

6.3.3. Annex D serves as Appendix 2 to the U.K. Standard Contractual Clauses.

6.4. Conflicts. To the extent there is any conflict between the EU Standard Contractual Clauses or the U.K. Standard Contractual Clauses and any other terms in this DPA, including Section 8.1 (Jurisdiction Specific Terms), the provisions of the EU Standard Contractual Clauses will prevail, but only to the extent that the EU Standard Contractual Clauses and/or the U.K. Standard Contractual Clauses apply.

6.5. Amendments to EU Standard Contractual Clauses or U.K. Standard Contractual Clauses. If the European Commission, the United Kingdom Information Commissioner’s Office or a Supervisory Authority amends the EU Standard Contractual Clauses or the U.K. Standard Contractual Clauses, the parties shall promptly discuss the proposed amendments and negotiate in good faith with a view toward agreeing and implementing those amendments as soon as is reasonably practicable.

ANNEX C TO DPA - PROVISIONS APPLICABLE TO PROCESSING OF PERSONAL DATA SUBJECT TO THE CCPA

The provisions of this Annex III will apply to the Processing by Vendor of Personal Data under the Agreement, but only to the extent that the Processing of Personal Data is subject to the CCPA. In the event of any conflict between the provisions of this Annex III and the DPA or the Agreement, the provisions of this Annex III shall control.

  1. Definitions. As used in this Annex C, the terms "Business Purpose", "Person", "Personal Information", "Sale" and "Service Provider" shall have the same meaning as in the CCPA (California Civil Code Section 1798.140), and their cognate terms shall be construed accordingly.
  2. Roles of the Parties. The Parties acknowledge and agree that, with regard to the Processing of Personal Data that constitutes Personal Information performed solely on behalf of Customer, Vendor is a Service Provider and receives Personal Information pursuant to the Business Purpose of performing services on behalf of Customer, including providing user authentication services to Customer, allowing Customer to manage its own accounts and teams through hosted user interfaces and libraries created by Vendor, and providing Customer with the building blocks to add advanced authentication to Customer’s product, and providing similar services on behalf of the Customer. Customer is disclosing personal information to Vendor only for the limited and specified business purpose(s) identified in this Section 2.
  3. No Sale of Personal Data to Vendor. Customer and Vendor hereby acknowledge and agree that in no event shall the transfer of Personal Data that constitutes Personal Information from Customer to Vendor pursuant to the Agreement constitute a Sale of Personal Information to Vendor, and that nothing in the Agreement shall be construed as providing for the Sale of Personal Information. The Parties acknowledge and agree that Vendor’s access to Personal Data that constitutes Personal Information does not constitute part of the consideration exchanged by the Parties in respect of the Agreement.
  4. Limitations on Use and Disclosure. Vendor will not sell the Personal Data that constitutes Personal Information Processed under this DPA and will not retain, use or disclose the Personal Data that constitutes Personal Information for any purposes other than the specific purpose of performing the Services as provided in the Agreement, the Business Purposes specified in the Agreement and Section 2 of this Annex C, and as required under the CCPA. Vendor shall not retain, use or disclose Personal Data that constitutes Personal Information outside of the direct business relationship between Vendor and Customer. Vendor hereby certifies that it understands the foregoing restriction and will comply with it in accordance with the requirements of the CCPA.
  5. Compliance With CCPA. Vendor shall comply with applicable obligations under the CCPA and agrees to provide the same level of privacy protection to Personal Data that constitutes Personal Information as required by the CCPA. Vendor shall provide the same level of privacy protection with respect to Personal Information that it receives pursuant to this DPA as required of Businesses under the CCPA. If Vendor determines that it can no longer meet its obligations under the CCPA, it shall notify Customer in writing (including by email).
  6. Monitoring Compliance with CCPA. Customer shall have the right to take reasonable and appropriate steps to help to ensure that Vendor uses the Personal Data that constitutes Personal Information in a manner that is consistent with Customer’s obligations under the CCPA. The Parties agree that those reasonable and appropriate steps are listed in Section 5 of Annex B to this DPA.
  7. Remediating Unauthorized Use. Customer shall have the right to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data that constitutes Personal Information, including by requiring Vendor to provide documentation that verifies that it no longer retains or uses Personal Information of Consumers that have made a valid request to delete under the CCPA to Customer.
  8. Combining Personal Information. Vendor shall not combine Personal Data that constitutes Personal Information that Vendor receives from, or on behalf of, Customer with Personal Information that it receives from, or on behalf of, another Person or Persons, or collects from its own interaction with the Data Subject (except to perform a Business Purpose as defined in regulations adopted pursuant to the CCPA).
  9. Assistance With Data Subject Requests. Customer shall inform Vendor of any consumer request made pursuant to the CCPA that Vendor must comply with and provide information necessary for Vendor to comply with the request.

ANNEX D TO DPA - SECURITY MEASURES

The technical and organisational measures implemented by Vendor pursuant to Section 4.2 of the DPA shall be as follows:

  1. Security Staffing and Background Checks.
  • Organizational management and dedicated staff responsible for the development, implementation and maintenance of Vendor’s information security program.
  • Employees are subject to background checks within 2 weeks of employment and before gaining access to sensitive systems.
  • Employees must complete management-approved security training during onboarding and revisit such training annually throughout their tenure.
  2. Audit and Risk Assessment. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Vendor’s organization, monitoring and maintaining compliance with Vendor’s policies and procedures, and reporting the condition of Vendor’s information security and compliance to internal management.
  3. Security Controls. Data security controls which include, at a minimum:
  • Logical segregation of data;
  • Restricted (e.g. role-based) access and monitoring; and
  • Utilization of encryption technologies for Personal Data that is transmitted over public networks (i.e. the Internet) or when transmitted wirelessly or at rest or stored on portable or removable media (e.g. laptop computers, CD/DVD, USB drives, back-up tapes).
  4. Access Controls.
  • Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g. use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).
  5. Password Security. Password controls designed to manage and control password strength, expiration and usage, including prohibiting users from sharing passwords and requiring that Vendor’s passwords that are assigned to its employees:
  • Be at least eight (8) characters in length;
  • Not be stored in readable format on Vendor’s computer systems; and
  • Be changed after first use when newly issued.
  6. System Event Logging. System audit or event logging and related monitoring procedures to proactively record user access and system activity.
  7. Operational Procedures. Operational procedures and controls designed to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media designed to render data contained therein undecipherable or unrecoverable prior to final disposal or release from Vendor’s possession.
  8. Change Management. Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to Vendor’s technology and information assets.
  9. Incident Response. Incident response management procedures designed to allow Vendor to investigate, respond to, mitigate and notify of events related to Vendor’s technology and information assets.
  10. Network Security. Network security controls that utilize firewalls and segregated access, and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
  11. Vulnerability Management Processes.
  • Vulnerability assessment, patch management and threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code; and
  • Third party vulnerability assessments are conducted periodically and vulnerabilities are remediated as appropriate in accordance with Vendor’s internal risk assessment policies.
  12. Business Continuity/Disaster Recovery. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recover from foreseeable emergencies or disasters. Vendor Business Continuity and Disaster Recovery procedures (including restoration from backups) are reviewed and tested annually.
  13. Policy Review. Vendor’s security and privacy policies are reviewed and approved annually for Vendor’s business operations.

ANNEX E TO DPA - PROVISIONS APPLICABLE TO PROCESSING OF PERSONAL DATA FOR ENTITIES SUBJECT TO DORA

The provisions of this Annex E will apply to the Processing by Vendor of Personal Data under the Agreement, but only to the extent that Customer is subject to DORA and Vendor is an Information and Communication Technology Service Provider of Customer as that term is defined in Article 3(19) of DORA. In the event of any conflict between the provisions of this Annex E and the DPA or the Agreement, the provisions of this Annex E shall control.

  1. Definitions. Capitalized terms used in this Annex E that are not otherwise defined in the DPA shall have the same meaning as in Article 3 of DORA, and their cognate terms shall be construed accordingly.
  2. Description of ICT Services. The ICT Services to be provided by Vendor are described in Annex A to this DPA.
  3. Critical or Important Functions. Vendor and Customer agree that Vendor will not provide ICT Services that support a Critical or Important Function for Customer.
  4. Locations of Services/Processing. The ICT Services are provided by the Vendor itself or via Subprocessors from, and Personal Data that Vendor Processes is Processed in, the European Economic Area and the United States of America. Vendor shall notify Customer in writing as provided in the Agreement if it envisages changing these locations.
  5. Data Protection. The Parties agree that the provisions on the availability, authenticity, integrity and confidentiality in relation to the protection of data, including Personal Data, are described in Annex D.
  6. Return of Personal Data/Non-Personal Data. In the event of the termination of this contract, or the insolvency, resolution or discontinuation of the business of Vendor, Vendor shall provide to Customer all Personal Data and Non-Personal Data that Vendor Processes on behalf of Customer in an easily accessible format reasonably requested by Customer.
  7. ICT Incidents. In addition to Vendor’s obligations contained in Section 5 of the DPA, in the event of an ICT-Related Incident that is related to the ICT Services provided by Vendor, Vendor shall provide to Customer assistance reasonably requested by Customer at no additional cost.
  8. Cooperation With Authorities. Vendor shall fully cooperate with competent authorities and resolution authorities of Customer, including persons appointed by them.
  9. Termination Rights. The Parties agree that in addition to the termination rights and termination periods related to the Agreement that are described in the Agreement, Customer may terminate the Agreement (i) upon a significant breach by Vendor of applicable laws, regulations or contractual terms; (ii) if circumstances identified through the monitoring of ICT Third-Party Risk are deemed capable of altering the performance of the functions provided through the Agreement; (iii) in the event of Vendor’s evidenced weakness pertaining to its overall ICT Risk Management (in particular, in the way Vendor ensures the availability, authenticity, integrity and confidentiality of data, whether or not Personal Data or Sensitive Data); and (iv) where the competent authority can no longer effectively supervise Customer as a result of the conditions of, or circumstances related to, the Agreement.
  10. Additional Termination Rights. To the extent that Customer’s competent authorities or resolution authorities require additional or extended termination rights or termination periods, Customer shall notify Vendor in writing as provided in the Agreement, in which case the additional or extended termination rights or termination periods shall apply.
  11. Participation in Security Awareness Programmes. Customer has determined that it is not appropriate for Vendor to participate in Customer’s ICT Security Awareness Programmes.