Data processing addendum
Last Updated on 4/19/2024
DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) is entered into as of the last date executed below by and between SecurityPal, Inc., a Delaware corporation with a principal place of business located at 415 Mission Street, Floor 37, Suite 117, San Francisco, CA 94105 for itself and on behalf of its Affiliates (“SecurityPal”), and Client (defined below).
THIS DPA APPLIES BETWEEN THE PARTIES WHERE CLIENT CLICKS A BOX INDICATING ACCEPTANCE, TRANSFERS PERSONAL DATA TO SECURITYPAL FOR PROCESSING BY MEANS OF THE SERVICES, OR OTHERWISE AFFIRMATIVELY INDICATES ACCEPTANCE OF THIS DPA. BY DOING SO, YOU: (A) AGREE TO THIS DPA (INCLUDING FOR CLARITY THE STANDARD CONTRACTUAL CLAUSES) EITHER ON BEHALF OF YOURSELF, OR THE ORGANIZATION, COMPANY, OR OTHER LEGAL ENTITY FOR WHICH YOU ACT (EACH, A “CLIENT”); AND (B) REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND CLIENT AND ITS AFFILIATES TO THIS DPA. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THIS DPA, YOU MAY NOT DIRECTLY OR INDIRECTLY TRANSFER PERSONAL DATA TO SECURITYPAL. SECURITYPAL RESERVES THE RIGHT TO MODIFY OR UPDATE THE TERMS OF THIS DPA IN ITS DISCRETION, THE EFFECTIVE DATE OF WHICH WILL BE THE EARLIER OF (I) 30 DAYS FROM THE DATE OF SUCH UPDATE OR MODIFICATION AND (II) CLIENT’S CONTINUED TRANSFER OF PERSONAL DATA.
This DPA forms part of SecurityPal’s Master Services Agreement (available at: https://www.securitypalhq.com/terms-of-service) (collectively, the “Agreement”) between the parties under which SecurityPal will provide the Services to Client which involves the Processing of Personal Data subject to Applicable Data Protection Laws. The purpose of this DPA is to set forth the terms under which SecurityPal Processes Personal Data on behalf of Client.
This DPA consists of the main body and Schedules 1 through 4. Execution of this DPA shall include acceptance of the Standard Contractual Clauses (defined below) and its Annexes (see Schedule 2 below).
1. Definitions. Capitalized terms used but not defined in this DPA have the meanings set forth in the Agreement. The terms controller, data subject, processor and supervisory authority have the meanings set forth in the GDPR.
- “Applicable Data Protection Laws” means the privacy, data protection and data security laws and regulations of any jurisdiction applicable to the Processing of Personal Data under the Agreement, including, without limitation, European Data Protection Laws, UK GDPR and the CCPA.
- “CCPA” means the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder, in each case, as amended from time to time, including the California Privacy Rights Act of 2020, and any regulations promulgated thereunder.
- “EEA” means the European Economic Area.
- “European Data Protection Laws” means the GDPR and other data protection laws and regulations of the EEA, European Union, its Member States, Switzerland, Iceland, Liechtenstein, and Norway, in each case, to the extent applicable to the Processing of Personal Data under the Agreement.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as amended from time to time.
- “Information Security Incident” means a confirmed breach of SecurityPal’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in SecurityPal’s possession, custody or control. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
- “Personal Data” means Client Data that constitutes “personal data,” “personal information,” or “personally identifiable information” defined in Applicable Data Protection Laws, or information of a similar character regulated thereby, provided that such data is electronic data and information submitted by or for Client to the Services.
- “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Security Measures” are SecurityPal’s security measures implemented and maintained as administrative, technical and physical safeguards designed to protect the security and integrity of Personal Data and prevent Information Security Incidents, further described in Schedule 2 Annex III hereto and any other measures required by Applicable Data Protection Laws.
- “Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, currently located here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
- “Subprocessors” means third parties that SecurityPal engages to Process Personal Data in relation to the Services.
- “UK GDPR” means the UK Data Protection Act 2018 as supplemented by Schedule 21, the Keeling Schedule.
2. Duration and Scope of DPA. This DPA will remain in effect so long as SecurityPal Processes Personal Data, notwithstanding the expiration or termination of the Agreement. Schedules 1 and 2 to this DPA apply solely to Processing subject to European Data Protection Laws. Schedule 3 to this DPA applies solely to Processing subject to the UK GDPR. Schedule 4 to this DPA applies solely to Processing subject to the CCPA to the extent Client is a “business” (as defined in CCPA) with respect to such Processing.
3. Client Instructions. SecurityPal will Process Personal Data only in accordance with Client’s instructions to SecurityPal. This DPA is a complete expression of such instructions, and Client’s additional instructions will be binding on SecurityPal only pursuant to an amendment to this DPA signed by both parties. Client instructs SecurityPal to Process Personal Data to provide the Services and as authorized by the Agreement. SecurityPal shall inform Client immediately: (a) if, in its opinion, an instruction from Client constitutes a breach of any Applicable Data Protection Laws; (b) if SecurityPal is unable to follow Client’s instructions for the Processing of Personal Data; or (c) if SecurityPal has reason to believe that SecurityPal is subject to changes in Applicable Data Protection Laws contrary to any Client instructions or terms or requirements of this DPA.
4. Security.
- SecurityPal Security Measures. SecurityPal may update the Security Measures from time to time, so long as the updated measures do not materially decrease the overall protection of Personal Data.
- Information Security Incidents. SecurityPal will notify Client without undue delay of any Information Security Incident of which SecurityPal becomes aware. Such notifications will describe available details of the Information Security Incident, including steps taken to mitigate the potential risks and steps SecurityPal recommends the Client take to address the Information Security Incident. SecurityPal’s notification of or response to an Information Security Incident will not be construed as SecurityPal’s acknowledgement of any fault or liability with respect to the Information Security Incident.
- Reviews and Audits of Compliance.
- Client may audit SecurityPal’s compliance with its obligations under this DPA not more than once per year, and on such other occasions as may be required by European Data Protection Laws, including if mandated by Client’s supervisory authority, at Client’s sole cost, on no less than 15 days advanced written notice. Such audit must be conducted at SecurityPal’s principal place of business, during regular business hours, subject to the agreed Final Audit Plan (defined below) and SecurityPal’s safety, security or other relevant policies, and may not unreasonably interfere with SecurityPal’s business activities.
- To request an audit, Client must submit a proposed audit plan to SecurityPal at least two weeks in advance of the proposed audit date and any third-party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. SecurityPal will review the proposed audit plan and provide Client with any concerns or questions (for example, any request for information that could compromise SecurityPal security, privacy, employment or other relevant policies). SecurityPal will work cooperatively with Client to agree on a “Final Audit Plan.” Nothing in this Section 4(c) shall require SecurityPal to breach any duties of confidentiality.
- SecurityPal will contribute to each audit by providing Client or Client’s supervisory authority with the information and assistance reasonably necessary to conduct the audit. If a third party is to conduct the audit, SecurityPal may object to the auditor if the auditor is, in SecurityPal’s reasonable opinion, not independent, a competitor of SecurityPal, or otherwise manifestly unsuitable. Such objection by SecurityPal will require the Client to appoint another auditor or conduct the audit itself.
- Client will promptly notify SecurityPal of any non-compliance discovered during the course of an audit and provide SecurityPal any audit reports generated in connection with any audit under this Section 4(c), unless prohibited by European Data Protection Laws or otherwise instructed by a supervisory authority. Client may use the audit reports only for the purposes of meeting Client’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA.
- Client shall reimburse SecurityPal for any time expended by SecurityPal and any third parties in connection with any audits or inspections under this Section 4(c) at SecurityPal’s then-current professional services rates, which shall be made available to Client upon request. For clarity, Client will be responsible for any fees charged by any auditor appointed by Client to execute any such audit.
- Impact Assessments and Consultations. SecurityPal will (taking into account the nature of the Processing and the information available to SecurityPal) reasonably assist Client in complying with its obligations under Articles 35 and 36 of the GDPR, by: (i) making available documentation describing relevant aspects of SecurityPal’s information security policies, procedures and measures applied in connection therewith; and (ii) providing the other information contained in the Agreement, including this DPA.
- Client’s Responsibilities.
- Client Obligations. Client shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Client acquired Personal Data. Client specifically acknowledges and agrees that its use of the Services will not violate the rights of any data subject, including those that have opted-out from sales or other disclosures of personal data, to the extent applicable under Applicable Data Protection Laws. Without limitation of Client’s obligations under the Agreement, Client: (a) agrees that Client is solely responsible for its use of the Services, including (1) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Data, (2) securing the account authentication credentials, systems and devices Client uses to access the Services, (3) securing Client’s systems and devices that SecurityPal uses to provide the Services, and (4) backing up Personal Data; (b) shall comply with its obligations under Applicable Data Protection Laws; (c) shall ensure (and is solely responsible for ensuring) that its instructions in Section 3 comply with Applicable Data Protection Laws, and that Client has given all notices to, and has obtained all consents from, individuals to whom Personal Data pertains and all other parties as required by applicable laws or regulations for SecurityPal to Process Personal Data as contemplated by the Agreement; and (d) shall comply with its obligations under Applicable Data Protection Laws, including any applicable requirement to provide notice to data subjects of the use of SecurityPal as processor (including where the Client is a processor, by ensuring that the ultimate controller does so).
- Prohibited Data. Client represents and warrants to SecurityPal that Client Data does not and will not, without SecurityPal’s prior written consent, contain any social security numbers or other government-issued identification numbers, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; health insurance information; biometric information; passwords for online accounts; credentials to any financial accounts; tax return data; credit reports or consumer reports; any payment card information subject to the Payment Card Industry Data Security Standard; information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act or the regulations promulgated under either such law; information subject to restrictions under Applicable Data Protection Laws governing Personal Data of children, including, without limitation, all information about children under 16 years of age; or any information that falls within any special categories of data (as defined in GDPR).
5. Data Subject Rights.
- Data Subject Request Assistance. SecurityPal will (taking into account the nature of the Processing of Personal Data) provide Client with assistance reasonably necessary for Client to perform its obligations under Applicable Data Protection Laws to fulfill requests by data subjects to exercise their rights under Applicable Data Protection Laws (“Data Subject Requests”) with respect to Personal Data in SecurityPal’s possession or control. Client shall compensate SecurityPal for any such assistance at SecurityPal’s then-current professional services rates, which shall be made available to Client upon request.
- Client’s Responsibility for Requests. If SecurityPal receives a Data Subject Request, SecurityPal will advise the data subject to submit the request to Client and Client will be responsible for responding to the request.
6. European Data Protection Laws & Specific Provisions.
- GDPR. SecurityPal will Process Personal Data in accordance with GDPR directly applicable to SecurityPal’s provision of its Services and as provided for in Schedules 1 and 2 hereto.
- UK GDPR. SecurityPal will Process Personal Data in accordance with UK GDPR directly applicable to SecurityPal’s provision of its Services and as provided for in Schedule 3 hereto.
- Impact of Local Laws. As of the Effective Date, SecurityPal has no reason to believe that the laws and practices in any third country of destination applicable to its Processing of the Personal Data as set forth in the Infrastructure and Subprocessors Documentation, including any requirements to disclose Personal Data or measures authorizing access by a Public Authority, prevent SecurityPal from fulfilling its obligations under this DPA. If SecurityPal reasonably believes that any existing or future enacted or enforceable laws and practices in the third country of destination applicable to its Processing of the Personal Data ("Local Laws") prevent it from fulfilling its obligations under this DPA, it shall promptly notify Client. In such a case, SecurityPal shall use reasonable efforts to make available to the affected Client a change in the Services or recommend a commercially reasonable change to Client’s configuration or use of the Services to facilitate compliance with the Local Laws without unreasonably burdening Client. If SecurityPal is unable to make available such change promptly, Client may terminate the applicable Order Form(s) and suspend the transfer of Personal Data in respect only to those Services which cannot be provided by SecurityPal in accordance with the Local Laws by providing written notice in accordance with the “Notices” section of the Agreement. Client shall receive a refund of any prepaid fees for the period following the effective date of termination for such terminated Services.
7. Subprocessors.
- Consent to Subprocessor Engagement. Client authorizes the following Subprocessors to Process Personal Data: (i) SecurityPal’s Affiliates; and (ii) the Subprocessors set forth in Schedule 2 Annex III hereto (also located at https://assurance.securitypal.com/, as updated by SecurityPal from time to time) (“Subprocessor Site”).
- Information About Subprocessors. Information about Subprocessors, including their functions and locations, is available in Annex III below and the Subprocessor Site (each as may be updated by SecurityPal from time to time).
- Requirements for Subprocessor Engagement. When engaging any Subprocessor, SecurityPal will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this DPA with respect to Personal Data to the extent applicable to the nature of the services provided by such Subprocessor. SecurityPal shall be liable for all obligations under the Agreement subcontracted to the Subprocessor or its actions and omissions related thereto.
- Subprocessor Changes. When SecurityPal engages any new Third Party Subprocessor after the effective date of the Agreement, SecurityPal will update the Subprocessor Site and notify Client. This Section 7(d) will not apply with respect to GDPR but instead will be replaced by the requirements of the Standard Contractual Clauses set forth in Section D (6) and D (7) of Schedule 1 hereto.
- Opportunity to Object to Subprocessor Changes. If Client objects to such engagement in a written notice to SecurityPal on reasonable grounds relating to the protection of Personal Data, Client and SecurityPal will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Client may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to SecurityPal and pay SecurityPal for all amounts due and owing under the Agreement as of the date of such termination.
8. Return or Deletion of Personal Data. Upon request by Client made within 30 days after the effective date of termination or expiration of this Agreement, SecurityPal will delete or return Client Data within 30 days of such request. After such 30-day period, SecurityPal will have no obligation to maintain or provide any Client Data, and as provided in the Documentation will thereafter delete or destroy all copies of Client Data in its systems or otherwise in its possession or control, unless legally prohibited.
9. Miscellaneous. Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect. In the event of any conflict or inconsistency between this DPA and the other terms of the Agreement, this DPA will govern. Notwithstanding anything in the Agreement or any order form entered in connection therewith to the contrary, the parties acknowledge and agree that SecurityPal’s access to Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by SecurityPal to Client under this DPA may be given: (a) in accordance with any notice clause of the Agreement; (b) to SecurityPal’s primary points of contact with Client; or (c) to any email provided by Client for the purpose of providing it with Services-related communications or alerts. Client is solely responsible for ensuring that such email addresses are valid.
SCHEDULE 1
TRANSFER MECHANISMS FOR STANDARD CONTRACTUAL CLAUSES DATA TRANSFERS
- Definitions. For the purposes of Schedules 1 and 2, these terms shall be defined as follows:
- "EU C-to-P Transfer Clauses" means Standard Contractual Clauses sections I, II, III and IV (as applicable) to the extent they reference Module Two (Controller-to-Processor).
- "EU P-to-P Transfer Clauses" means Standard Contractual Clauses sections I, II, III and IV (as applicable) to the extent they reference Module Three (Processor-to-Processor).
- International Transfer Mechanisms. If, in the performance of the Services, Personal Data that is subject to GDPR, or any other law relating to the protection or privacy of individuals under European Data Protection Laws, is transferred to countries which do not ensure an adequate level of data protection within the meaning of the European Data Protection Laws, the transfer mechanisms listed below shall apply to such transfers and can be directly enforced by the parties to the extent such transfers are subject to the European Data Protection Laws:
- The EU C-to-P Transfer Clauses. Where Client and/or its Affiliate is a Controller and a data exporter of Personal Data and SecurityPal is a Processor and data importer in respect of that Personal Data, then the parties shall comply with the EU C-to-P Transfer Clauses, subject to the additional terms in Schedule 1; and/or
- The EU P-to-P Transfer Clauses. Where Client and/or its Affiliate is a Processor acting on behalf of a Controller and a data exporter of Personal Data and SecurityPal is a Processor and data importer in respect of that Personal Data, the parties shall comply with the terms of the EU P-to-P Transfer Clauses, subject to the additional terms in Schedule 1.
- Roles. For the purposes of the EU C-to-P Transfer Clauses and the EU P-to-P Transfer Clauses, Client is the data exporter and SecurityPal is the data importer and the parties agree to the following. If and to the extent an Affiliate relies on the EU C-to-P Transfer Clauses or the EU P-to-P Transfer Clauses for the transfer of Personal Data, any references to ‘Client’ in this Schedule include such Affiliate. Where this Schedule 1 does not explicitly mention EU C-to-P Transfer Clauses or EU P-to-P Transfer Clauses it applies to both of them.
D. Standard Contractual Clauses Operative Provisions and Additional Terms.
- Reference to the Standard Contractual Clauses. The relevant provisions contained in the Standard Contractual Clauses are incorporated by reference and are an integral part of this DPA. The information required for the purposes of the Annexes to the Standard Contractual Clauses are set out in Schedule 2.
- Docking Clause. The option under clause 7 shall not apply.
- Instructions. This DPA and the Agreement are Client’s complete and final documented instructions at the time of signature of the Agreement to SecurityPal for the Processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of this DPA and the Agreement. For the purposes of clause 8.1(a), the instructions by Client to Process Personal Data include onward transfers to a third party located outside the EEA for the purpose of the performance of the Services.
- Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in clause 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by SecurityPal to Client only upon Client's written request.
- Audits of the SCCs. The parties agree that the audits described in clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with Section 4(b) through 4(c) of this DPA.
- General Authorization for Use of Subprocessors. Option 2 under clause 9 shall apply. The data importer has the data exporter’s general authorization for the engagement of sub-processor(s) from those set forth in Annex III (see Schedule 2 below). The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
Where SecurityPal enters into the EU P-to-P Transfer Clauses with a Subprocessor in connection with the provision of the Services, Client hereby grants SecurityPal and SecurityPal’s Affiliates authority to provide a general authorization on Controller's behalf for the engagement of subprocessors by Subprocessors engaged in the provision of the Services, as well as decision making and approval authority for the addition or replacement of any such subprocessors.
- Notification of New Subprocessors and Objection Right for New Subprocessors. Pursuant to clause 9(a), Client acknowledges and expressly agrees that SecurityPal may engage new Subprocessors as described in Section D (6) above. SecurityPal shall inform Client of any changes to Subprocessors following the procedure provided for in Section D (6) above. Client may object to new Subprocessors as described in Section 7(e) of the DPA above.
- Complaints & Redress. SecurityPal shall inform Client if it receives a Data Subject Request with respect to Personal Data and shall without undue delay communicate the complaint or dispute to Client. SecurityPal shall not otherwise have any obligation to handle the request (unless otherwise agreed with Client). The option under clause 11 shall not apply.
- Liability. SecurityPal's liability under clause 12(b) shall be limited to any damage caused by its Processing where SecurityPal has not complied with its obligations under the GDPR specifically directed to Processors, or where it has acted outside of or contrary to lawful instructions of Client, as specified in Article 82 GDPR.
- Supervision. Clause 13 shall apply as follows:
- Where Client is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by Client with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
- Where Client is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.
- Where Client is established in the United Kingdom or falls within the territorial scope of application of UK GDPR, the Information Commissioner's Office shall act as competent supervisory authority.
- Notification of Government Access Requests. For the purposes of clause 15(1)(a), SecurityPal shall notify Client (only) and not the Data Subject(s) in case of government access requests. Client shall be solely responsible for promptly notifying the Data Subject as necessary.
- Governing Law. The governing law for the purposes of clause 17 shall be the law that is designated in the section of the Agreement. If the Agreement is not governed by an EU Member State law, the Standard Contractual Clauses will be governed by either: (i) the laws of Ireland; or (ii) where the Agreement is governed by the laws of the United Kingdom, the laws of the United Kingdom.
- Choice of Forum and Jurisdiction. The courts under clause 18 shall be those designated in the Agreement. If the Agreement does not designate an EU Member State court as having exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with this Agreement, the parties agree that the courts of either: (i) Ireland; or (ii) where the Agreement designates the United Kingdom as having exclusive jurisdiction, the United Kingdom, shall have exclusive jurisdiction to resolve any dispute arising from the Standard Contractual Clauses.
- Data Exports from the United Kingdom under the Standard Contractual Clauses. In case of any transfers of Personal Data from the United Kingdom subject exclusively to the UK GDPR: (i) general and specific references in the Standard Contractual Clauses to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in the Applicable Data Protection Laws of the United Kingdom (i.e., UK GDPR); and (ii) any other obligation in the Standard Contractual Clauses determined by the Member State in which the data exporter or Data Subject is established shall refer to an obligation under UK GDPR.
- Conflict. The Standard Contractual Clauses are subject to this DPA and the additional safeguards set out hereunder. The rights and obligations afforded by the Standard Contractual Clauses will be exercised in accordance with this DPA, unless stated otherwise. In the event of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
E. Additional Terms for the EU P-to-P Transfer Clauses. For the purposes of the EU P-to-P Transfer Clauses (only), the parties agree the following:
- Instructions and notifications. For the purposes of clause 8.1(a), Client hereby informs SecurityPal that it acts as Processor under the instructions of the relevant Controller in respect of Personal Data. Client warrants that its Processing instructions as set out in the Agreement and this DPA, including its authorizations to SecurityPal for the appointment of Subprocessors in accordance with this DPA, have been authorized by the relevant Controller. Client shall be solely responsible for forwarding any notifications received from SecurityPal to the relevant Controller where appropriate.
- Security of Processing. For the purposes of clause 8.6(c) and (d), SecurityPal shall provide notification of a personal data breach concerning Personal Data Processed by SecurityPal to Client.
- Documentation and Compliance. For the purposes of clause 8.9, all enquiries from the relevant Controller shall be provided to SecurityPal by Client. If SecurityPal receives an enquiry directly from a Controller, it shall forward the enquiry to Client and Client shall be solely responsible for responding to any such enquiry from the relevant Controller where appropriate.
- Data Subject Rights. For the purposes of clause 10 and subject to section 3 of this DPA, SecurityPal shall notify Client about any request it has received directly from a Data Subject without obligation to handle it (unless otherwise agreed) but shall not notify the relevant Controller. Client shall be solely responsible for cooperating with the relevant Controller in fulfilling the relevant obligations to respond to any such request.
SCHEDULE 2
ANNEX I THROUGH III TO THE STANDARD CONTRACTUAL CLAUSES
This Schedule 2 contains Annex I through III to the Standard Contractual Clauses and must be completed and signed by each party below where indicated.
ANNEX I
A. LIST OF PARTIES
Data exporter(s): Client
Data importer(s):
- Name: SecurityPal, Inc.
- Address: 415 Mission Street, Floor 37, Suite 117, San Francisco, CA 94105
- Contact person’s name, position and contact details: Pukar Hamal, CEO & Founder
- Role: Processor (or Subprocessor as the case may be)
- Activities relevant to the data transferred under these Clauses: Processing Personal Data / Services
B. DESCRIPTION OF THE TRANSFER
The Processing activities carried out by SecurityPal under the Agreement may be described as follows:
Categories of data subjects whose personal data is transferred
Client, its end users and its end-customers to the extent Client sends such personal data to processor
Categories of personal data transferred
Categories of Personal Data chosen by controller and issued to processor or subprocessor as the case may be via the Service
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
None, but if any, solely to the extent Sensitive data is transferred to processor by controller via the Services
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
On a continuous basis as determined by controller as permitted under the Agreement
Nature of the processing
Processing for the Services (e.g., related to security reviews, RFPs, RFIs and Client Data at controller’s request)
Purpose(s) of the data transfer and further processing
To provide the Services to controller (e.g., related to security reviews, RFPs, RFIs and Client Data at controller’s request)
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the term of the Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
For the term of the Agreement
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority in accordance with Clause 13 of the Standard Contractual Clauses as identified in Schedule 1 Section D (14) of this DPA.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
SecurityPal processes all Personal Data received from Controller under this DPA in conformity with the following technical and organizational measures:
Information Security Organization
- SecurityPal’s Information Security Policy outlines roles and responsibilities for personnel with responsibility for the security, availability, and confidentiality of the Product and Service.
- The designated officer is responsible for the design, implementation, and management of the organization’s security policies, which are reviewed at least annually. Annual review includes assessment of internal controls used in the achievement of SecurityPal’s Service commitments and system requirements. Following review, any deficiencies are resolved in accordance with the Risk Assessment and Management Program.
- The designated officer also performs an annual formal risk assessment, which includes the identification of relevant internal and external threats related to security, availability, confidentiality, and fraud, and an analysis of risks associated with those threats. The designated officer maintains a risk register, which records the risk mitigation strategies for identified risks, and the development or modification of controls consistent with the risk mitigation strategy.
- The Security team is responsible for identifying and tracking incidents and creating a ‘lessons learned’ document and sharing it with the engineering team. The Engineering team is responsible for Software development and deployment.
Personnel Security
- SecurityPal has established a Code of Conduct outlining ethical expectations, behavior standards, and ramifications of noncompliance, as well as Acceptable Use, Data Protection, and Information Security Policies. Internal personnel acknowledge all codes and procedures within 30 days of hire.
- Background checks are performed on full-time employees within 30 days of the employee’s start date as permitted by local laws. Reference checks are performed on contractors who have access to production data.
- Internal personnel complete annual training programs for information security to help them understand their obligations and responsibilities related to security.
Access Controls and Asset Management
- Internal users are provisioned access to systems based on role as defined in the access matrix, which is reviewed and approved annually by the designated officer. The designated officer approves any additional access required outside the access matrix.
- The designated officer and the founder conduct quarterly user access reviews of production servers, databases, and applications to validate internal user access is commensurate with job responsibilities. Identified access changes are tracked to remediation.
- Access to production machines, network devices, and support tools requires a unique ID.
- Internal user access to systems and applications with service data requires two-factor authentication in the form of user ID / password, and one-time passcode.
- SecurityPal has formal policies for password strength and use of authentication mechanisms.
- Production infrastructure is restricted to users with a valid authentication key; administrative access to production servers and databases is restricted to the Back-end Engineering team.
- Upon termination or when internal users no longer require access, infrastructure and application access is removed within one business day.
- Internal use of the internal admin tool is logged. These logs are reviewed regularly for appropriateness.
- The Engineering team maintains a list of the company’s system components, owners, and their business function, and the designated officer reviews this list annually.
Incident Management and Business Continuity
- SecurityPal’s Incident Response Plan outlines the process of identifying, prioritizing, communicating, assigning, and tracking incidents through to resolution.
- The Security team tracks identified incidents according to the Incident Response Plan and creates a ‘lessons learned’ document after each high or critical incident. This document is shared with the Engineering team to make any required changes.
- The designated officer maintains a disaster recovery plan, which is tested at least annually. The Engineering team reviews test results and makes changes to the plan accordingly.
Change Controls
- SecurityPal’s Change Management Process and Standard governs the system development life cycle, including documented policies for tracking, testing, approving, and validating changes.
- System changes are tested via automated test scripts prior to being deployed into production.
- Code change requests are independently peer reviewed prior to integrating the code change into the master branch.
- System users who make changes to the development system are unable to deploy their changes to production without independent approval.
- Configuration changes are tested (if applicable) and approved prior to being deployed into production.
- The production and testing environments are segregated; production data is not used in the development and testing environments.
Data and Availability Controls
- SecurityPal’s Data Protection Policy details the security and handling protocols for service data.
- Full backups are performed daily and retained in accordance with the Backup Policy. The Engineering team restores backed-up data to a non-production environment at least annually to validate the integrity of backups.
- Access to erase or destroy customer data is limited to the designated employees with appropriate access controls.
- The designated officer and the Engineering team manually delete data that is no longer needed from databases and other file stores in accordance with agreed-upon customer requirements.
- SecurityPal’s Encryption and Key Management Policy supports the secure encryption and decryption of app secrets, and governs the use of cryptographic controls.
- Encryption is used to protect the transmission of data over the internet; service data is encrypted at rest.
- The Engineering team encrypts hard drives for portable devices with full disk encryption.
- System tools monitor company load balancers and notify appropriate personnel of any events or outages based on predetermined criteria. Any identified issues are tracked through resolution in accordance with the Incident Response Plan.
- The Services are configured to support continuous availability.
Vendor and Vulnerability Management
- SecurityPal’s Vendor Risk Management Policy defines a framework for the onboarding and management of the vendor relationship lifecycle. The designated officer assesses new vendors according to the Vendor Risk Management Policy prior to engaging with the vendor.
- SecurityPal’s Vulnerability Management and Patch Program outlines the procedures to identify, assess, and remediate identified vulnerabilities.
- Vulnerability scans are executed monthly on production systems. The designated officer and the Engineering team track critical or high-risk vulnerabilities through resolution. Management has implemented intrusion prevention and detection tools to provide monitoring of network traffic to the production environment.
- The Engineering team uses logging and monitoring software to collect data from servers and endpoints, and detect potential security threats and unusual system activity.
- The Engineering team uses alerting software to notify impacted teams of potential security and availability events.
ANNEX III
LIST OF SUB-PROCESSORS
The controller has authorized the use of the Subprocessors set forth in the Subprocessor Site (located here):
https://assurance.securitypal.com/
SCHEDULE 3
TRANSFER MECHANISMS FOR UK GDPR
- Definitions. For the purposes of this Schedule 3, these terms shall be defined as follows:
- “UK GDPR IDTA” means the terms of the “International Data Transfer Agreement” (located here: https://ico.org.uk/media/for-organisations/documents/4019538/international-data-transfer-agreement.pdf) and issued pursuant to Section 119A of the Data Protection Act 2018.
- “UK GDPR Addendum” or “UK Addendum” means the terms of the “International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for International Data Transfers” (located here: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf) and issued pursuant to Section 119A of the Data Protection Act 2018.
- International Transfer Mechanisms. If, in the performance of the Services, Personal Data that is subject to UK GDPR or any other law relating to the protection or privacy of individuals that applies in the United Kingdom is transferred out of the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of the European Data Protection Laws, the UK GDPR IDTA and/or UK Addendum shall apply to such transfers and can be directly enforced by the Parties to the extent such transfers are subject to the UK GDPR.
- Appendix Information. Annex I through III, set forth in Schedule 2 to this DPA, contain Appendix Information for the UK IDTA and UK Addendum and are incorporated therein by reference.
SCHEDULE 4
CALIFORNIA SCHEDULE
- For purposes of this Schedule 4, the terms “business,” “commercial purpose,” “sell” and “service provider” shall have the respective meanings given thereto in the CCPA, and “personal information” shall mean Personal Data that constitutes personal information, the Processing of which is governed by the CCPA.
- It is the parties’ intent that with respect to any personal information, SecurityPal is a service provider. SecurityPal shall: (i) not “sell” (as defined in the CCPA) personal information; and (ii) not retain, use or disclose any personal information for any purpose other than for the specific purpose of providing the Services, including retaining, using or disclosing personal information for a commercial purpose (as defined in the CCPA) other than providing the Services. For the avoidance of doubt, the foregoing prohibits SecurityPal from retaining, using or disclosing personal information outside of the direct business relationship between SecurityPal and Client. SecurityPal hereby certifies that it understands the obligations under this section 2 and shall comply with them.
- The parties acknowledge that SecurityPal’s retention, use and disclosure of personal information authorized by Client’s instructions documented in the DPA are integral to SecurityPal’s provision of the Services and the business relationship between the parties.
1. Definitions. Capitalized terms used but not defined in this DPA have the meanings set forth in the Agreement. The terms controller, data subject, processor and supervisory authority have the meanings set forth in the GDPR.
- “Applicable Data Protection Laws” means the privacy, data protection and data security laws and regulations of any jurisdiction applicable to the Processing of Personal Data under the Agreement, including, without limitation, European Data Protection Laws, UK GDPR and the CCPA.
- “CCPA” means the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder, in each case, as amended from time to time, including the California Privacy Rights Act of 2020, and any regulations promulgated thereunder.
- “EEA” means the European Economic Area.
- “European Data Protection Laws” means the GDPR and other data protection laws and regulations of the EEA, European Union, its Member States, Switzerland, Iceland, Liechtenstein, and Norway, in each case, to the extent applicable to the Processing of Personal Data under the Agreement.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as amended from time to time.
- “Information Security Incident” means a confirmed breach of SecurityPal’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in SecurityPal’s possession, custody or control. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
- “Personal Data” means Client Data that constitutes “personal data,” “personal information,” or “personally identifiable information” defined in Applicable Data Protection Laws, or information of a similar character regulated thereby, provided that such data is electronic data and information submitted by or for Client to the Services.
- “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Security Measures” are SecurityPal’s security measures implemented and maintained as administrative, technical and physical safeguards designed to protect the security and integrity of Personal Data and prevent Information Security Incidents, further described in Schedule 2 Annex III hereto and any other measures required by Applicable Data Protection Laws.
- “Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, currently located here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
- “Subprocessors” means third parties that SecurityPal engages to Process Personal Data in relation to the Services.
- “UK GDPR” means the UK Data Protection Act 2018 as supplemented by Schedule 21, the Keeling Schedule.
2. Duration and Scope of DPA. This DPA will remain in effect so long as SecurityPal Processes Personal Data, notwithstanding the expiration or termination of the Agreement. Schedules 1 and 2 to this DPA apply solely to Processing subject to European Data Protection Laws. Schedule 3 to this DPA applies solely to Processing subject to the UK GDPR. Schedule 4 to this DPA applies solely to Processing subject to the CCPA to the extent Client is a “business” (as defined in CCPA) with respect to such Processing.
3. Client Instructions. SecurityPal will Process Personal Data only in accordance with Client’s instructions to SecurityPal. This DPA is a complete expression of such instructions, and Client’s additional instructions will be binding on SecurityPal only pursuant to an amendment to this DPA signed by both parties. Client instructs SecurityPal to Process Personal Data to provide the Services and as authorized by the Agreement. SecurityPal shall inform Client immediately: (a) if, in its opinion, an instruction from Client constitutes a breach of any Applicable Data Protection Laws; (b) if SecurityPal is unable to follow Client’s instructions for the Processing of Personal Data; or (c) if SecurityPal has reason to believe that SecurityPal is subject to changes in Applicable Data Protection Laws contrary to any Client instructions or terms or requirements of this DPA.
4. Security.
- SecurityPal Security Measures. SecurityPal may update the Security Measures from time to time, so long as the updated measures do not materially decrease the overall protection of Personal Data.
- Information Security Incidents. SecurityPal will notify Client without undue delay of any Information Security Incident of which SecurityPal becomes aware. Such notifications will describe available details of the Information Security Incident, including steps taken to mitigate the potential risks and steps SecurityPal recommends the Client take to address the Information Security Incident. SecurityPal’s notification of or response to an Information Security Incident will not be construed as SecurityPal’s acknowledgement of any fault or liability with respect to the Information Security Incident.
- Reviews and Audits of Compliance.
- Client may audit SecurityPal’s compliance with its obligations under this DPA not more than once per year, and on such other occasions as may be required by European Data Protection Laws, including if mandated by Client’s supervisory authority, at Client’s sole cost, on no less than 15 days advanced written notice. Such audit must be conducted at SecurityPal’s principal place of business, during regular business hours, subject to the agreed Final Audit Plan (defined below) and SecurityPal’s safety, security or other relevant policies, and may not unreasonably interfere with SecurityPal’s business activities.
- To request an audit, Client must submit a proposed audit plan to SecurityPal at least two weeks in advance of the proposed audit date and any third-party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. SecurityPal will review the proposed audit plan and provide Client with any concerns or questions (for example, any request for information that could compromise SecurityPal security, privacy, employment or other relevant policies). SecurityPal will work cooperatively with Client to agree on a “Final Audit Plan.” Nothing in this Section 4(c) shall require SecurityPal to breach any duties of confidentiality.
- SecurityPal will contribute to each audit by providing Client or Client’s supervisory authority with the information and assistance reasonably necessary to conduct the audit. If a third party is to conduct the audit, SecurityPal may object to the auditor if the auditor is, in SecurityPal’s reasonable opinion, not independent, a competitor of SecurityPal, or otherwise manifestly unsuitable. Such objection by SecurityPal will require the Client to appoint another auditor or conduct the audit itself.
- Client will promptly notify SecurityPal of any non-compliance discovered during the course of an audit and provide SecurityPal any audit reports generated in connection with any audit under this Section 4(c), unless prohibited by European Data Protection Laws or otherwise instructed by a supervisory authority. Client may use the audit reports only for the purposes of meeting Client’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA.
- Client shall reimburse SecurityPal for any time expended by SecurityPal and any third parties in connection with any audits or inspections under this Section 4(c) at SecurityPal’s then-current professional services rates, which shall be made available to Client upon request. For clarity, Client will be responsible for any fees charged by any auditor appointed by Client to execute any such audit.
- Impact Assessments and Consultations. SecurityPal will (taking into account the nature of the Processing and the information available to SecurityPal) reasonably assist Client in complying with its obligations under Articles 35 and 36 of the GDPR, by: (i) making available documentation describing relevant aspects of SecurityPal’s information security policies, procedures and measures applied in connection therewith; and (ii) providing the other information contained in the Agreement, including this DPA.
- Client’s Responsibilities.
- Client Obligations. Client shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Client acquired Personal Data. Client specifically acknowledges and agrees that its use of the Services will not violate the rights of any data subject, including those that have opted-out from sales or other disclosures of personal data, to the extent applicable under Applicable Data Protection Laws. Without limitation of Client’s obligations under the Agreement, Client: (a) agrees that Client is solely responsible for its use of the Services, including (1) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Data, (2) securing the account authentication credentials, systems and devices Client uses to access the Services, (3) securing Client’s systems and devices that SecurityPal uses to provide the Services, and (4) backing up Personal Data; (b) shall comply with its obligations under Applicable Data Protection Laws; (c) shall ensure (and is solely responsible for ensuring) that its instructions in Section 3 comply with Applicable Data Protection Laws, and that Client has given all notices to, and has obtained all consents from, individuals to whom Personal Data pertains and all other parties as required by applicable laws or regulations for SecurityPal to Process Personal Data as contemplated by the Agreement; and (d) shall comply with its obligations under Applicable Data Protection Laws, including any applicable requirement to provide notice to data subjects of the use of SecurityPal as processor (including where the Client is a processor, by ensuring that the ultimate controller does so).
- Prohibited Data. Client represents and warrants to SecurityPal that Client Data does not and will not, without SecurityPal’s prior written consent, contain any social security numbers or other government-issued identification numbers, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; health insurance information; biometric information; passwords for online accounts; credentials to any financial accounts; tax return data; credit reports or consumer reports; any payment card information subject to the Payment Card Industry Data Security Standard; information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act or the regulations promulgated under either such law; information subject to restrictions under Applicable Data Protection Laws governing Personal Data of children, including, without limitation, all information about children under 16 years of age; or any information that falls within any special categories of data (as defined in GDPR).
5. Data Subject Rights.
- Data Subject Request Assistance. SecurityPal will (taking into account the nature of the Processing of Personal Data) provide Client with assistance reasonably necessary for Client to perform its obligations under Applicable Data Protection Laws to fulfill requests by data subjects to exercise their rights under Applicable Data Protection Laws (“Data Subject Requests”) with respect to Personal Data in SecurityPal’s possession or control. Client shall compensate SecurityPal for any such assistance at SecurityPal’s then-current professional services rates, which shall be made available to Client upon request.
- Client’s Responsibility for Requests. If SecurityPal receives a Data Subject Request, SecurityPal will advise the data subject to submit the request to Client and Client will be responsible for responding to the request.
6. European Data Protection Laws & Specific Provisions.
- GDPR. SecurityPal will Process Personal Data in accordance with GDPR directly applicable to SecurityPal’s provision of its Services and as provided for in Schedules 1 and 2 hereto.
- UK GDPR. SecurityPal will Process Personal Data in accordance with UK GDPR directly applicable to SecurityPal’s provision of its Services and as provided for in Schedule 3 hereto.
- Impact of Local Laws. As of the Effective Date, SecurityPal has no reason to believe that the laws and practices in any third country of destination applicable to its Processing of the Personal Data as set forth in the Infrastructure and Subprocessors Documentation, including any requirements to disclose Personal Data or measures authorizing access by a Public Authority, prevent SecurityPal from fulfilling its obligations under this DPA. If SecurityPal reasonably believes that any existing or future enacted or enforceable laws and practices in the third country of destination applicable to its Processing of the Personal Data ("Local Laws") prevent it from fulfilling its obligations under this DPA, it shall promptly notify Client. In such a case, SecurityPal shall use reasonable efforts to make available to the affected Client a change in the Services or recommend a commercially reasonable change to Client’s configuration or use of the Services to facilitate compliance with the Local Laws without unreasonably burdening Client. If SecurityPal is unable to make available such change promptly, Client may terminate the applicable Order Form(s) and suspend the transfer of Personal Data in respect only to those Services which cannot be provided by SecurityPal in accordance with the Local Laws by providing written notice in accordance with the “Notices” section of the Agreement. Client shall receive a refund of any prepaid fees for the period following the effective date of termination for such terminated Services.
7. Subprocessors.
- Consent to Subprocessor Engagement. Client authorizes the following Subprocessors to Process Personal Data: (i) SecurityPal’s Affiliates; and (ii) the Subprocessors set forth in Schedule 2 Annex III hereto (also located here: https://assurance.securitypal.com/, as updated by SecurityPal from time to time) (“Subprocessor Site”).
- Information About Subprocessors. Information about Subprocessors, including their functions and locations, is available in Annex III below and the Subprocessor Site (each as may be updated by SecurityPal from time to time).
- Requirements for Subprocessor Engagement. When engaging any Subprocessor, SecurityPal will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this DPA with respect to Personal Data to the extent applicable to the nature of the services provided by such Subprocessor. SecurityPal shall be liable for all obligations under the Agreement subcontracted to, the Subprocessor or its actions and omissions related thereto.
- Subprocessor Changes. When SecurityPal engages any new Third Party Subprocessor after the effective date of the Agreement, SecurityPal will update the Subprocessor Site and notify Client. This Section 7(d) will not apply with respect to GDPR but instead will be replaced by the requirements of the Standard Contractual Clauses set forth in Section D (6) and D (7) of Schedule 1 hereto.
- Opportunity to Object to Subprocessor Changes. If Client objects to such engagement in a written notice to SecurityPal on reasonable grounds relating to the protection of Personal Data, Client and SecurityPal will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Client may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to SecurityPal and pay SecurityPal for all amounts due and owing under the Agreement as of the date of such termination.
8. Return or Deletion of Personal Data. Upon request by Client made within 30 days after the effective date of termination or expiration of this Agreement, SecurityPal will delete or return Client Data within 30 days of such request. After such 30-day period, SecurityPal will have no obligation to maintain or provide any Client Data, and as provided in the Documentation will thereafter delete or destroy all copies of Client Data in its systems or otherwise in its possession or control, unless legally prohibited.
9. Miscellaneous. Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect. In the event of any conflict or inconsistency between this DPA and the other terms of the Agreement, this DPA will govern. Notwithstanding anything in the Agreement or any order form entered in connection therewith to the contrary, the parties acknowledge and agree that SecurityPal’s access to Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by SecurityPal to Client under this DPA may be given: (a) in accordance with any notice clause of the Agreement; (b) to SecurityPal’s primary points of contact with Client; or (c) to any email provided by Client for the purpose of providing it with Services-related communications or alerts. Client is solely responsible for ensuring that such email addresses are valid.
SCHEDULE 1
TRANSFER MECHANISMS FOR STANDARD CONTRACTUAL CLAUSES DATA TRANSFERS
A. Definitions. For the purposes of these Schedules 1 and 2, these terms shall be defined as follows:
- "EU C-to-P Transfer Clauses" means Standard Contractual Clauses sections I, II, III and IV (as applicable) to the extent they reference Module Two (Controller-to-Processor).
- "EU P-to-P Transfer Clauses" means Standard Contractual Clauses sections I, II, III and IV (as applicable) to the extent they reference Module Three (Processor-to-Processor).
B. International Transfer Mechanisms. If, in the performance of the Services, Personal Data that is subject to GDPR, or any other law relating to the protection or privacy of individuals under European Data Protection Laws, is transferred to countries which do not ensure an adequate level of data protection within the meaning of the European Data Protection Laws, the transfer mechanisms listed below shall apply to such transfers and can be directly enforced by the parties to the extent such transfers are subject to the European Data Protection Laws:
- The EU C-to-P Transfer Clauses. Where Client and/or its Affiliate is a Controller and a data exporter of Personal Data and SecurityPal is a Processor and data importer in respect of that Personal Data, then the parties shall comply with the EU C-to-P Transfer Clauses, subject to the additional terms in Schedule 1; and/or
- The EU P-to-P Transfer Clauses. Where Client and/or its Affiliate is a Processor acting on behalf of a Controller and a data exporter of Personal Data and SecurityPal is a Processor and data importer in respect of that Personal Data, the parties shall comply with the terms of the EU P-to-P Transfer Clauses, subject to the additional terms in Schedule 1.
C. Roles. For the purposes of the EU C-to-P Transfer Clauses and the EU P-to-P Transfer Clauses, Client is the data exporter and SecurityPal is the data importer and the parties agree to the following. If and to the extent an Affiliate relies on the EU C-to-P Transfer Clauses or the EU P-to-P Transfer Clauses for the transfer of Personal Data, any references to ‘Client’ in this Schedule include such Affiliate. Where this Schedule 1 does not explicitly mention EU C-to-P Transfer Clauses or EU P-to-P Transfer Clauses it applies to both of them.
D. Standard Contractual Clauses Operative Provisions and Additional Terms.
- Reference to the Standard Contractual Clauses. The relevant provisions contained in the Standard Contractual Clauses are incorporated by reference and are an integral part of this DPA. The information required for the purposes of the Annexes to the Standard Contractual Clauses are set out in Schedule 2.
- Docking Clause. The option under clause 7 shall not apply.
- Instructions. This DPA and the Agreement are Client’s complete and final documented instructions at the time of signature of the Agreement to SecurityPal for the Processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of this DPA and the Agreement. For the purposes of clause 8.1(a), the instructions by Client to Process Personal Data include onward transfers to a third party located outside the EEA for the purpose of the performance of the Services.
- Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in clause 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by SecurityPal to Client only upon Client's written request.
- Audits of the SCCs. The parties agree that the audits described in clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with Section 4(b) through 4(c) of this DPA.
- General Authorization for Use of Subprocessors. Option 2 under clause 9 shall apply. The data importer has the data exporter’s general authorization for the engagement of sub-processor(s) from those set forth in Annex III (see Schedule 2 below). The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
Where SecurityPal enters into the EU P-to-P Transfer Clauses with a Subprocessor in connection with the provision of the Services, Client hereby grants SecurityPal and SecurityPal’s Affiliates authority to provide a general authorization on Controller's behalf for the engagement of subprocessors by Subprocessors engaged in the provision of the Services, as well as decision making and approval authority for the addition or replacement of any such subprocessors.
- Notification of New Subprocessors and Objection Right for New Subprocessors. Pursuant to clause 9(a), Client acknowledges and expressly agrees that SecurityPal may engage new Subprocessors as described in Section D (6) above. SecurityPal shall inform Client of any changes to Subprocessors following the procedure provided for in Section D (6) above. Client may object to new Subprocessors as described in Section 7(e) of the DPA above.
- Complaints & Redress. SecurityPal shall inform Client if it receives a Data Subject Request with respect to Personal Data and shall without undue delay communicate the complaint or dispute to Client. SecurityPal shall not otherwise have any obligation to handle the request (unless otherwise agreed with Client). The option under clause 11 shall not apply.
- Liability. SecurityPal's liability under clause 12(b) shall be limited to any damage caused by its Processing where SecurityPal has not complied with its obligations under the GDPR specifically directed to Processors, or where it has acted outside of or contrary to lawful instructions of Client, as specified in Article 82 GDPR.
- Supervision. Clause 13 shall apply as follows:
- Where Client is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by Client with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
- Where Client is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.
- Where Client is established in the United Kingdom or falls within the territorial scope of application of UK GDPR, the Information Commissioner's Office shall act as competent supervisory authority.
- Notification of Government Access Requests. For the purposes of clause 15(1)(a), SecurityPal shall notify Client (only) and not the Data Subject(s) in case of government access requests. Client shall be solely responsible for promptly notifying the Data Subject as necessary.
- Governing Law. The governing law for the purposes of clause 17 shall be the law that is designated in the section of the Agreement. If the Agreement is not governed by an EU Member State law, the Standard Contractual Clauses will be governed by either: (i) the laws of Ireland; or (ii) where the Agreement is governed by the laws of the United Kingdom, the laws of the United Kingdom.
- Choice of Forum and Jurisdiction. The courts under clause 18 shall be those designated in the Agreement. If the Agreement does not designate an EU Member State court as having exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with this Agreement, the parties agree that the courts of either: (i) Ireland; or (ii) where the Agreement designates the United Kingdom as having exclusive jurisdiction, the United Kingdom, shall have exclusive jurisdiction to resolve any dispute arising from the Standard Contractual Clauses.
- Data Exports from the United Kingdom under the Standard Contractual Clauses. In case of any transfers of Personal Data from the United Kingdom subject exclusively to the UK GDPR: (i) general and specific references in the Standard Contractual Clauses to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in the Applicable Data Protection Laws of the United Kingdom (i.e., UK GDPR); and (ii) any other obligation in the Standard Contractual Clauses determined by the Member State in which the data exporter or Data Subject is established shall refer to an obligation under UK GDPR.
- Conflict. The Standard Contractual Clauses are subject to this DPA and the additional safeguards set out hereunder. The rights and obligations afforded by the Standard Contractual Clauses will be exercised in accordance with this DPA, unless stated otherwise. In the event of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
E. Additional Terms for the EU P-to-P Transfer Clauses. For the purposes of the EU P-to-P Transfer Clauses (only), the parties agree the following:
- Instructions and notifications. For the purposes of clause 8.1(a), Client hereby informs SecurityPal that it acts as Processor under the instructions of the relevant Controller in respect of Personal Data. Client warrants that its Processing instructions as set out in the Agreement and this DPA, including its authorizations to SecurityPal for the appointment of Subprocessors in accordance with this DPA, have been authorized by the relevant Controller. Client shall be solely responsible for forwarding any notifications received from SecurityPal to the relevant Controller where appropriate.
- Security of Processing. For the purposes of clause 8.6(c) and (d), SecurityPal shall provide notification of a personal data breach concerning Personal Data Processed by SecurityPal to Client.
- Documentation and Compliance. For the purposes of clause 8.9, all enquiries from the relevant Controller shall be provided to SecurityPal by Client. If SecurityPal receives an enquiry directly from a Controller, it shall forward the enquiry to Client and Client shall be solely responsible for responding to any such enquiry from the relevant Controller where appropriate.
- Data Subject Rights. For the purposes of clause 10 and subject to section 3 of this DPA, SecurityPal shall notify Client about any request it has received directly from a Data Subject without obligation to handle it (unless otherwise agreed) but shall not notify the relevant Controller. Client shall be solely responsible for cooperating with the relevant Controller in fulfilling the relevant obligations to respond to any such request.
SCHEDULE 2
ANNEX I THROUGH III TO THE STANDARD CONTRACTUAL CLAUSES
This Schedule 2 contains Annex I through III to the Standard Contractual Clauses and must be completed and signed by each party below where indicated.
ANNEX I
A. LIST OF PARTIES
Data exporter(s): Client
Data importer(s):
- Name: SecurityPal, Inc.
Address: 415 Mission Street, Floor 37, Suite 117, San Francisco, CA 94105
Contact person’s name, position and contact details: Pukar Hamal, CEO & Founder
Role: Processor (or Subprocessor as the case may be)
Activities relevant to the data transferred under these Clauses: Processing Personal Data / Services
B. DESCRIPTION OF THE TRANSFER
The Processing activities carried out by SecurityPal under the Agreement may be described as follows:
Categories of data subjects whose personal data is transferred
Client, its end users and its end-customers to the extent Client sends such personal data to processor
Categories of personal data transferred
Categories of Personal Data chosen by controller and issued to processor or subprocessor as the case may be via the Service
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
None, but if any, solely to the extent Sensitive data is transferred to processor by controller via the Services
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
On a continuous basis as determined by controller as permitted under the Agreement
Nature of the processing
Processing for the Services (e.g., related to security reviews, RFPs, RFIs and Client Data at controller’s request)
Purpose(s) of the data transfer and further processing
To provide the Services to controller (e.g., related to security reviews, RFPs, RFIs and Client Data at controller’s request)
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the term of the Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
For the term of the Agreement
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority in accordance with Clause 13 of the Standard Contractual Clauses is as identified in Schedule 1 Section D (14) of this DPA.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
SecurityPal processes all Personal Data received from Controller under this DPA in conformity with the following technical and organizational measures:
Information Security Organization
- SecurityPal’s Information Security Policy outlines roles and responsibilities for personnel with responsibility for the security, availability, and confidentiality of the Product and Service.
- The designated officer is responsible for the design, implementation, and management of the organization’s security policies, which are reviewed at least annually. Annual review includes assessment of internal controls used in the achievement of SecurityPal’s Service commitments and system requirements. Following review, any deficiencies are resolved in accordance with the Risk Assessment and Management Program.
- The designated officer also performs an annual formal risk assessment, which includes the identification of relevant internal and external threats related to security, availability, confidentiality, and fraud, and an analysis of risks associated with those threats. The designated officer maintains a risk register, which records the risk mitigation strategies for identified risks, and the development or modification of controls consistent with the risk mitigation strategy.
- The Security team is responsible for identifying and tracking incidents and creating a ‘lessons learned’ document and sharing it with the engineering team. The Engineering team is responsible for Software development and deployment.
Personnel Security
- SecurityPal has established a Code of Conduct outlining ethical expectations, behavior standards, and ramifications of noncompliance, as well as Acceptable Use, Data Protection, and Information Security Policies. Internal personnel acknowledge all codes and procedures within 30 days of hire.
- Background checks are performed on full-time employees within 30 days of the employee’s start date as permitted by local laws. Reference checks are performed on contractors who have access to production data.
- Internal personnel complete annual training programs for information security to help them understand their obligations and responsibilities related to security.
Access Controls and Asset Management
- Internal users are provisioned access to systems based on role as defined in the access matrix, which is reviewed and approved annually by the designated officer. The designated officer approves any additional access required outside the access matrix.
- The designated officer and the founder conduct quarterly user access reviews of production servers, databases, and applications to validate internal user access is commensurate with job responsibilities. Identified access changes are tracked to remediation.
- Access to production machines, network devices, and support tools requires a unique ID.
- Internal user access to systems and applications with service data requires two-factor authentication in the form of user ID / password, and one-time passcode.
- SecurityPal has formal policies for password strength and use of authentication mechanisms.
- Production infrastructure is restricted to users with a valid authentication key; administrative access to production servers and databases is restricted to the Back-end Engineering team.
- Upon termination or when internal users no longer require access, infrastructure and application access is removed within one business day.
- Internal use of the internal admin tool is logged. These logs are reviewed regularly for appropriateness.
- The Engineering team maintains a list of the company’s system components, owners, and their business function, and the Designated officer reviews this list annually.
Incident Management and Business Continuity
- SecurityPal’s Incident Response Plan outlines the process of identifying, prioritizing, communicating, assigning, and tracking incidents through to resolution.
- The Security team tracks identified incidents according to the Incident Response Plan and creates a ‘lessons learned’ document after each high or critical incident. This document is shared with the Engineering team to make any required changes.
- The designated officer maintains a disaster recovery plan, which is tested at least annually. The Engineering team reviews test results and makes changes to the plan accordingly.
Change Controls
- SecurityPal’s Change Management Process and Standard governs the system development life cycle, including documented policies for tracking, testing, approving, and validating changes.
- System changes are tested via automated test scripts prior to being deployed into production.
- Code change requests are independently peer reviewed prior to integrating the code change into the master branch.
- System users who make changes to the development system are unable to deploy their changes to production without independent approval.
- Configuration changes are tested (if applicable) and approved prior to being deployed into production.
- The production and testing environments are segregated; production data is not used in the development and testing environments.
Data and Availability Controls
- SecurityPal’s Data Protection Policy details the security and handling protocols for service data.
- Full backups are performed daily and retained in accordance with the Backup Policy. The Engineering team restores backed-up data to a non-production environment at least annually to validate the integrity of backups.
- Access to erase or destroy customer data is limited to the designated employees with appropriate access controls.
- The designated officer and the Engineering team manually delete data that is no longer needed from databases and other file stores in accordance with agreed-upon customer requirements.
- SecurityPal’s Encryption and Key Management Policy supports the secure encryption and decryption of app secrets, and governs the use of cryptographic controls.
- Encryption is used to protect the transmission of data over the internet; service data is encrypted at rest.
- The Engineering team encrypts hard drives for portable devices with full disk encryption.
- System tools monitor company load balancers and notify appropriate personnel of any events or outages based on predetermined criteria. Any identified issues are tracked through resolution in accordance with the Incident Response Plan.
- The Services are configured to support continuous availability.
Vendor and Vulnerability Management
- SecurityPal’s Vendor Risk Management Policy defines a framework for the onboarding and management of the vendor relationship lifecycle. The designated officer assesses new vendors according to the Vendor Risk Management Policy prior to engaging with the vendor.
- SecurityPal’s Vulnerability Management and Patch Program outlines the procedures to identify, assess, and remediate identified vulnerabilities.
- Vulnerability scans are executed monthly on production systems. The designated officer and the Engineering team track critical or high-risk vulnerabilities through resolution. Management has implemented intrusion prevention and detection tools to provide monitoring of network traffic to the production environment.
- The Engineering team uses logging and monitoring software to collect data from servers and endpoints, and detect potential security threats and unusual system activity.
- The Engineering team uses alerting software to notify impacted teams of potential security and availability events.
ANNEX III
LIST OF SUB-PROCESSORS
The controller has authorized the use of the Subprocessors set forth in the Subprocessor Site (located here):
https://assurance.securitypal.com/
SCHEDULE 3
TRANSFER MECHANISMS FOR UK GDPR
- Definitions. For the purposes of this Schedule 3, these terms shall be defined as follows:
- “UK GDPR IDTA” means the terms of the “International Data Transfer Agreement” (located here: https://ico.org.uk/media/for-organisations/documents/4019538/international-data-transfer-agreement.pdf) and issued pursuant to Section 119A of the Data Protection Act 2018.
- “UK GDPR Addendum” or “UK Addendum” means the terms of the “International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for International Data Transfers” (located here: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf) and issued pursuant to Section 119A of the Data Protection Act 2018.
- International Transfer Mechanisms. If, in the performance of the Services, Personal Data that is subject to UK GDPR or any other law relating to the protection or privacy of individuals that applies in the United Kingdom is transferred out of the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of the European Data Protection Laws, the UK GDPR IDTA and/or UK Addendum shall apply to such transfers and can be directly enforced by the Parties to the extent such transfers are subject to the UK GDPR.
- Appendix Information. Annex I through III, set forth in Schedule 2 to this DPA, contain Appendix Information for the UK IDTA and UK Addendum and are incorporated therein by reference.
SCHEDULE 4
CALIFORNIA SCHEDULE
- For purposes of this Schedule 4, the terms “business,” “commercial purpose,” “sell” and “service provider” shall have the respective meanings given thereto in the CCPA, and “personal information” shall mean Personal Data that constitutes personal information, the Processing of which is governed by the CCPA.
- It is the parties’ intent that with respect to any personal information, SecurityPal is a service provider. SecurityPal shall: (i) not “sell” (as defined in the CCPA) personal information; and (ii) not retain, use or disclose any personal information for any purpose other than for the specific purpose of providing the Services, including retaining, using or disclosing personal information for a commercial purpose (as defined in the CCPA) other than providing the Services. For the avoidance of doubt, the foregoing prohibits SecurityPal from retaining, using or disclosing personal information outside of the direct business relationship between SecurityPal and Client. SecurityPal hereby certifies that it understands the obligations under this section 2 and shall comply with them.
- The parties acknowledge that SecurityPal’s retention, use and disclosure of personal information authorized by Client’s instructions documented in the DPA are integral to SecurityPal’s provision of the Services and the business relationship between the parties.
1. Definitions. Capitalized terms used but not defined in this DPA have the meanings set forth in the Agreement. The terms controller, data subject, processor and supervisory authority have the meanings set forth in the GDPR.
- “Applicable Data Protection Laws” means the privacy, data protection and data security laws and regulations of any jurisdiction applicable to the Processing of Personal Data under the Agreement, including, without limitation, European Data Protection Laws, UK GDPR and the CCPA.
- “CCPA” means the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder, in each case, as amended from time to time, including the California Privacy Rights Act of 2020, and any regulations promulgated thereunder.
- “EEA” means the European Economic Area.
- “European Data Protection Laws” means the GDPR and other data protection laws and regulations of the EEA, European Union, its Member States, Switzerland, Iceland, Liechtenstein, and Norway, in each case, to the extent applicable to the Processing of Personal Data under the Agreement.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as amended from time to time.
- “Information Security Incident” means a confirmed breach of SecurityPal’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in SecurityPal’s possession, custody or control. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
- “Personal Data” means Client Data that constitutes “personal data,” “personal information,” or “personally identifiable information” defined in Applicable Data Protection Laws, or information of a similar character regulated thereby, provided that such data is electronic data and information submitted by or for Client to the Services.
- “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Security Measures” are SecurityPal’s security measures implemented and maintained as administrative, technical and physical safeguards designed to protect the security and integrity of Personal Data and prevent Information Security Incidents, further described in Schedule 2 Annex III hereto and any other measures required by Applicable Data Protection Laws.
- “Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, currently located here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
- “Subprocessors” means third parties that SecurityPal engages to Process Personal Data in relation to the Services.
- “UK GDPR” means the UK Data Protection Act 2018 as supplemented by Schedule 21, the Keeling Schedule.
2. Duration and Scope of DPA. This DPA will remain in effect so long as SecurityPal Processes Personal Data, notwithstanding the expiration or termination of the Agreement. Schedules 1 and 2 to this DPA apply solely to Processing subject to European Data Protection Laws. Schedule 3 to this DPA applies solely to Processing subject to the UK GDPR. Schedule 4 to this DPA applies solely to Processing subject to the CCPA to the extent Client is a “business” (as defined in CCPA) with respect to such Processing.
3. Client Instructions. SecurityPal will Process Personal Data only in accordance with Client’s instructions to SecurityPal. This DPA is a complete expression of such instructions, and Client’s additional instructions will be binding on SecurityPal only pursuant to an amendment to this DPA signed by both parties. Client instructs SecurityPal to Process Personal Data to provide the Services and as authorized by the Agreement. SecurityPal shall inform Client immediately: (a) if, in its opinion, an instruction from Client constitutes a breach of any Applicable Data Protection Laws; (b) if SecurityPal is unable to follow Client’s instructions for the Processing of Personal Data; or (c) if SecurityPal has reason to believe that SecurityPal is subject to changes in Applicable Data Protection Laws contrary to any Client instructions or terms or requirements of this DPA.
4. Security.
- SecurityPal Security Measures. SecurityPal may update the Security Measures from time to time, so long as the updated measures do not materially decrease the overall protection of Personal Data.
- Information Security Incidents. SecurityPal will notify Client without undue delay of any Information Security Incident of which SecurityPal becomes aware. Such notifications will describe available details of the Information Security Incident, including steps taken to mitigate the potential risks and steps SecurityPal recommends the Client take to address the Information Security Incident. SecurityPal’s notification of or response to an Information Security Incident will not be construed as SecurityPal’s acknowledgement of any fault or liability with respect to the Information Security Incident.
- Reviews and Audits of Compliance.
- Client may audit SecurityPal’s compliance with its obligations under this DPA not more than once per year, and on such other occasions as may be required by European Data Protection Laws, including if mandated by Client’s supervisory authority, at Client’s sole cost, on no less than 15 days’ advance written notice. Such audit must be conducted at SecurityPal’s principal place of business, during regular business hours, subject to the agreed Final Audit Plan (defined below) and SecurityPal’s safety, security or other relevant policies, and may not unreasonably interfere with SecurityPal’s business activities.
- To request an audit, Client must submit a proposed audit plan to SecurityPal at least two weeks in advance of the proposed audit date and any third-party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. SecurityPal will review the proposed audit plan and provide Client with any concerns or questions (for example, any request for information that could compromise SecurityPal security, privacy, employment or other relevant policies). SecurityPal will work cooperatively with Client to agree on a “Final Audit Plan.” Nothing in this Section 4(c) shall require SecurityPal to breach any duties of confidentiality.
- SecurityPal will contribute to each audit by providing Client or Client’s supervisory authority with the information and assistance reasonably necessary to conduct the audit. If a third party is to conduct the audit, SecurityPal may object to the auditor if the auditor is, in SecurityPal’s reasonable opinion, not independent, a competitor of SecurityPal, or otherwise manifestly unsuitable. Such objection by SecurityPal will require the Client to appoint another auditor or conduct the audit itself.
- Client will promptly notify SecurityPal of any non-compliance discovered during the course of an audit and provide SecurityPal any audit reports generated in connection with any audit under this Section 4(c), unless prohibited by European Data Protection Laws or otherwise instructed by a supervisory authority. Client may use the audit reports only for the purposes of meeting Client’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA.
- Client shall reimburse SecurityPal for any time expended by SecurityPal and any third parties in connection with any audits or inspections under this Section 4(c) at SecurityPal’s then-current professional services rates, which shall be made available to Client upon request. For clarity, Client will be responsible for any fees charged by any auditor appointed by Client to execute any such audit.
- Impact Assessments and Consultations. SecurityPal will (taking into account the nature of the Processing and the information available to SecurityPal) reasonably assist Client in complying with its obligations under Articles 35 and 36 of the GDPR, by: (i) making available documentation describing relevant aspects of SecurityPal’s information security policies, procedures and measures applied in connection therewith; and (ii) providing the other information contained in the Agreement, including this DPA.
- Client’s Responsibilities.
- Client Obligations. Client shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Client acquired Personal Data. Client specifically acknowledges and agrees that its use of the Services will not violate the rights of any data subject, including those that have opted-out from sales or other disclosures of personal data, to the extent applicable under Applicable Data Protection Laws. Without limitation of Client’s obligations under the Agreement, Client: (a) agrees that Client is solely responsible for its use of the Services, including (1) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Data, (2) securing the account authentication credentials, systems and devices Client uses to access the Services, (3) securing Client’s systems and devices that SecurityPal uses to provide the Services, and (4) backing up Personal Data; (b) shall comply with its obligations under Applicable Data Protection Laws; (c) shall ensure (and is solely responsible for ensuring) that its instructions in Section 3 comply with Applicable Data Protection Laws, and that Client has given all notices to, and has obtained all consents from, individuals to whom Personal Data pertains and all other parties as required by applicable laws or regulations for SecurityPal to Process Personal Data as contemplated by the Agreement; and (d) shall comply with its obligations under Applicable Data Protection Laws, including any applicable requirement to provide notice to data subjects of the use of SecurityPal as processor (including where the Client is a processor, by ensuring that the ultimate controller does so).
- Prohibited Data. Client represents and warrants to SecurityPal that Client Data does not and will not, without SecurityPal’s prior written consent, contain any social security numbers or other government-issued identification numbers, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; health insurance information; biometric information; passwords for online accounts; credentials to any financial accounts; tax return data; credit reports or consumer reports; any payment card information subject to the Payment Card Industry Data Security Standard; information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act or the regulations promulgated under either such law; information subject to restrictions under Applicable Data Protection Laws governing Personal Data of children, including, without limitation, all information about children under 16 years of age; or any information that falls within any special categories of data (as defined in GDPR).
5. Data Subject Rights.
- Data Subject Request Assistance. SecurityPal will (taking into account the nature of the Processing of Personal Data) provide Client with assistance reasonably necessary for Client to perform its obligations under Applicable Data Protection Laws to fulfill requests by data subjects to exercise their rights under Applicable Data Protection Laws (“Data Subject Requests”) with respect to Personal Data in SecurityPal’s possession or control. Client shall compensate SecurityPal for any such assistance at SecurityPal’s then-current professional services rates, which shall be made available to Client upon request.
- Client’s Responsibility for Requests. If SecurityPal receives a Data Subject Request, SecurityPal will advise the data subject to submit the request to Client and Client will be responsible for responding to the request.
6. European Data Protection Laws & Specific Provisions.
- GDPR. SecurityPal will Process Personal Data in accordance with GDPR directly applicable to SecurityPal’s provision of its Services and as provided for in Schedules 1 and 2 hereto.
- UK GDPR. SecurityPal will Process Personal Data in accordance with UK GDPR directly applicable to SecurityPal’s provision of its Services and as provided for in Schedule 3 hereto.
- Impact of Local Laws. As of the Effective Date, SecurityPal has no reason to believe that the laws and practices in any third country of destination applicable to its Processing of the Personal Data as set forth in the Infrastructure and Subprocessors Documentation, including any requirements to disclose Personal Data or measures authorizing access by a Public Authority, prevent SecurityPal from fulfilling its obligations under this DPA. If SecurityPal reasonably believes that any existing or future enacted or enforceable laws and practices in the third country of destination applicable to its Processing of the Personal Data ("Local Laws") prevent it from fulfilling its obligations under this DPA, it shall promptly notify Client. In such a case, SecurityPal shall use reasonable efforts to make available to the affected Client a change in the Services or recommend a commercially reasonable change to Client’s configuration or use of the Services to facilitate compliance with the Local Laws without unreasonably burdening Client. If SecurityPal is unable to make available such change promptly, Client may terminate the applicable Order Form(s) and suspend the transfer of Personal Data in respect only to those Services which cannot be provided by SecurityPal in accordance with the Local Laws by providing written notice in accordance with the “Notices” section of the Agreement. Client shall receive a refund of any prepaid fees for the period following the effective date of termination for such terminated Services.
7. Subprocessors.
- Consent to Subprocessor Engagement. Client authorizes the following Subprocessors to Process Personal Data: (i) SecurityPal’s Affiliates; and (ii) the Subprocessors set forth in Schedule 2 Annex III hereto (also located at https://assurance.securitypal.com/, as updated by SecurityPal from time to time) (the “Subprocessor Site”).
- Information About Subprocessors. Information about Subprocessors, including their functions and locations, is available in Annex III below and the Subprocessor Site (each as may be updated by SecurityPal from time to time).
- Requirements for Subprocessor Engagement. When engaging any Subprocessor, SecurityPal will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this DPA with respect to Personal Data, to the extent applicable to the nature of the services provided by such Subprocessor. SecurityPal shall remain liable for all obligations under the Agreement subcontracted to the Subprocessor, and for the Subprocessor’s actions and omissions related thereto.
- Subprocessor Changes. When SecurityPal engages any new Third Party Subprocessor after the effective date of the Agreement, SecurityPal will update the Subprocessor Site and notify Client. This Section 7(d) will not apply with respect to GDPR but instead will be replaced by the requirements of the Standard Contractual Clauses set forth in Section D (6) and D (7) of Schedule 1 hereto.
- Opportunity to Object to Subprocessor Changes. If Client objects to such engagement in a written notice to SecurityPal on reasonable grounds relating to the protection of Personal Data, Client and SecurityPal will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Client may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to SecurityPal and pay SecurityPal for all amounts due and owing under the Agreement as of the date of such termination.
8. Return or Deletion of Personal Data. Upon request by Client made within 30 days after the effective date of termination or expiration of the Agreement, SecurityPal will delete or return Client Data within 30 days of such request. After such 30-day period, SecurityPal will have no obligation to maintain or provide any Client Data, and as provided in the Documentation will thereafter delete or destroy all copies of Client Data in its systems or otherwise in its possession or control, unless legally prohibited.
9. Miscellaneous. Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect. In the event of any conflict or inconsistency between this DPA and the other terms of the Agreement, this DPA will govern. Notwithstanding anything in the Agreement or any order form entered in connection therewith to the contrary, the parties acknowledge and agree that SecurityPal’s access to Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by SecurityPal to Client under this DPA may be given: (a) in accordance with any notice clause of the Agreement; (b) to SecurityPal’s primary points of contact with Client; or (c) to any email provided by Client for the purpose of providing it with Services-related communications or alerts. Client is solely responsible for ensuring that such email addresses are valid.
SCHEDULE 1
TRANSFER MECHANISMS FOR STANDARD CONTRACTUAL CLAUSES DATA TRANSFERS
- Definitions. For the purposes of Schedules 1 and 2, these terms shall be defined as follows:
- "EU C-to-P Transfer Clauses" means Standard Contractual Clauses Sections I, II, III and IV (as applicable) to the extent they reference Module Two (Controller-to-Processor).
- "EU P-to-P Transfer Clauses" means Standard Contractual Clauses Sections I, II, III and IV (as applicable) to the extent they reference Module Three (Processor-to-Processor).
- International Transfer Mechanisms. If, in the performance of the Services, Personal Data that is subject to GDPR, or any other law relating to the protection or privacy of individuals under European Data Protection Laws, is transferred to countries which do not ensure an adequate level of data protection within the meaning of the European Data Protection Laws, the transfer mechanisms listed below shall apply to such transfers and can be directly enforced by the parties to the extent such transfers are subject to the European Data Protection Laws:
- The EU C-to-P Transfer Clauses. Where Client and/or its Affiliate is a Controller and a data exporter of Personal Data and SecurityPal is a Processor and data importer in respect of that Personal Data, then the parties shall comply with the EU C-to-P Transfer Clauses, subject to the additional terms in Schedule 1; and/or
- The EU P-to-P Transfer Clauses. Where Client and/or its Affiliate is a Processor acting on behalf of a Controller and a data exporter of Personal Data and SecurityPal is a Processor and data importer in respect of that Personal Data, the parties shall comply with the terms of the EU P-to-P Transfer Clauses, subject to the additional terms in Schedule 1.
- Roles. For the purposes of the EU C-to-P Transfer Clauses and the EU P-to-P Transfer Clauses, Client is the data exporter and SecurityPal is the data importer and the parties agree to the following. If and to the extent an Affiliate relies on the EU C-to-P Transfer Clauses or the EU P-to-P Transfer Clauses for the transfer of Personal Data, any references to ‘Client’ in this Schedule include such Affiliate. Where this Schedule 1 does not explicitly mention EU C-to-P Transfer Clauses or EU P-to-P Transfer Clauses it applies to both of them.
D. Standard Contractual Clauses Operative Provisions and Additional Terms.
- Reference to the Standard Contractual Clauses. The relevant provisions contained in the Standard Contractual Clauses are incorporated by reference and are an integral part of this DPA. The information required for the purposes of the Annexes to the Standard Contractual Clauses is set out in Schedule 2.
- Docking Clause. The option under clause 7 shall not apply.
- Instructions. This DPA and the Agreement are Client’s complete and final documented instructions at the time of signature of the Agreement to SecurityPal for the Processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of this DPA and the Agreement. For the purposes of clause 8.1(a), the instructions by Client to Process Personal Data include onward transfers to a third party located outside the EEA for the purpose of the performance of the Services.
- Certification of Deletion. The parties agree that the certification of deletion of Personal Data described in clauses 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by SecurityPal to Client only upon Client's written request.
- Audits of the SCCs. The parties agree that the audits described in clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with Section 4(b) through 4(c) of this DPA.
- General Authorization for Use of Subprocessors. Option 2 under clause 9 shall apply. The data importer has the data exporter’s general authorization for the engagement of sub-processor(s) from those set forth in Annex III (see Schedule 2 below). The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
Where SecurityPal enters into the EU P-to-P Transfer Clauses with a Subprocessor in connection with the provision of the Services, Client hereby grants SecurityPal and SecurityPal’s Affiliates authority to provide a general authorization on Controller's behalf for the engagement of subprocessors by Subprocessors engaged in the provision of the Services, as well as decision making and approval authority for the addition or replacement of any such subprocessors.
- Notification of New Subprocessors and Objection Right for New Subprocessors. Pursuant to clause 9(a), Client acknowledges and expressly agrees that SecurityPal may engage new Subprocessors as described in Section D (6) above. SecurityPal shall inform Client of any changes to Subprocessors following the procedure provided for in Section D (6) above. Client may object to new Subprocessors as described in Section 7(e) of the DPA above.
- Complaints & Redress. SecurityPal shall inform Client if it receives a Data Subject Request with respect to Personal Data and shall without undue delay communicate the complaint or dispute to Client. SecurityPal shall not otherwise have any obligation to handle the request (unless otherwise agreed with Client). The option under clause 11 shall not apply.
- Liability. SecurityPal's liability under clause 12(b) shall be limited to any damage caused by its Processing where SecurityPal has not complied with its obligations under the GDPR specifically directed to Processors, or where it has acted outside of or contrary to lawful instructions of Client, as specified in Article 82 GDPR.
- Supervision. Clause 13 shall apply as follows:
- Where Client is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by Client with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
- Where Client is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.
- Where Client is established in the United Kingdom or falls within the territorial scope of application of UK GDPR, the Information Commissioner's Office shall act as competent supervisory authority.
- Notification of Government Access Requests. For the purposes of clause 15(1)(a), SecurityPal shall notify Client (only) and not the Data Subject(s) in case of government access requests. Client shall be solely responsible for promptly notifying the Data Subject as necessary.
- Governing Law. The governing law for the purposes of clause 17 shall be the law designated in the governing law section of the Agreement. If the Agreement is not governed by the law of an EU Member State, the Standard Contractual Clauses will be governed by either: (i) the laws of Ireland; or (ii) where the Agreement is governed by the laws of the United Kingdom, the laws of the United Kingdom.
- Choice of Forum and Jurisdiction. The courts under clause 18 shall be those designated in the Agreement. If the Agreement does not designate an EU Member State court as having exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with this Agreement, the parties agree that the courts of either: (i) Ireland; or (ii) where the Agreement designates the United Kingdom as having exclusive jurisdiction, the United Kingdom, shall have exclusive jurisdiction to resolve any dispute arising from the Standard Contractual Clauses.
- Data Exports from the United Kingdom under the Standard Contractual Clauses. In case of any transfers of Personal Data from the United Kingdom subject exclusively to the UK GDPR: (i) general and specific references in the Standard Contractual Clauses to GDPR or EU or Member State law shall have the same meaning as the equivalent reference in the Applicable Data Protection Laws of the United Kingdom (i.e., UK GDPR); and (ii) any other obligation in the Standard Contractual Clauses determined by the Member State in which the data exporter or Data Subject is established shall refer to an obligation under UK GDPR.
- Conflict. The Standard Contractual Clauses are subject to this DPA and the additional safeguards set out hereunder. The rights and obligations afforded by the Standard Contractual Clauses will be exercised in accordance with this DPA, unless stated otherwise. In the event of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
E. Additional Terms for the EU P-to-P Transfer Clauses. For the purposes of the EU P-to-P Transfer Clauses (only), the parties agree the following:
- Instructions and notifications. For the purposes of clause 8.1(a), Client hereby informs SecurityPal that it acts as Processor under the instructions of the relevant Controller in respect of Personal Data. Client warrants that its Processing instructions as set out in the Agreement and this DPA, including its authorizations to SecurityPal for the appointment of Subprocessors in accordance with this DPA, have been authorized by the relevant Controller. Client shall be solely responsible for forwarding any notifications received from SecurityPal to the relevant Controller where appropriate.
- Security of Processing. For the purposes of clause 8.6(c) and (d), SecurityPal shall provide notification of a personal data breach concerning Personal Data Processed by SecurityPal to Client.
- Documentation and Compliance. For the purposes of clause 8.9, all enquiries from the relevant Controller shall be provided to SecurityPal by Client. If SecurityPal receives an enquiry directly from a Controller, it shall forward the enquiry to Client and Client shall be solely responsible for responding to any such enquiry from the relevant Controller where appropriate.
- Data Subject Rights. For the purposes of clause 10 and subject to section 3 of this DPA, SecurityPal shall notify Client about any request it has received directly from a Data Subject without obligation to handle it (unless otherwise agreed) but shall not notify the relevant Controller. Client shall be solely responsible for cooperating with the relevant Controller in fulfilling the relevant obligations to respond to any such request.
SCHEDULE 2
ANNEX I THROUGH III TO THE STANDARD CONTRACTUAL CLAUSES
This Schedule 2 contains Annex I through III to the Standard Contractual Clauses and must be completed and signed by each party below where indicated.
ANNEX I
A. LIST OF PARTIES
Data exporter(s): Client
Data importer(s):
- Name: SecurityPal, Inc.
Address: 415 Mission Street, Floor 37, Suite 117, San Francisco, CA 94105
Contact person’s name, position and contact details: Pukar Hamal, CEO & Founder
Role: Processor (or Subprocessor as the case may be)
Activities relevant to the data transferred under these Clauses: Processing Personal Data / Services
B. DESCRIPTION OF THE TRANSFER
The Processing activities carried out by SecurityPal under the Agreement may be described as follows:
Categories of data subjects whose personal data is transferred
Client, its end users and its end-customers to the extent Client sends such personal data to processor
Categories of personal data transferred
Categories of Personal Data chosen by controller and issued to processor or subprocessor as the case may be via the Service
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
None, but if any, solely to the extent Sensitive data is transferred to processor by controller via the Services
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
On a continuous basis as determined by controller as permitted under the Agreement
Nature of the processing
Processing for the Services (e.g., related to security reviews, RFPs, RFIs and Client Data at controller’s request)
Purpose(s) of the data transfer and further processing
To provide the Services to controller (e.g., related to security reviews, RFPs, RFIs and Client Data at controller’s request)
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the term of the Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
For the term of the Agreement
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority in accordance with Clause 13 of the Standard Contractual Clauses as identified in Schedule 1 Section D (14) of this DPA.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
SecurityPal processes all Personal Data received from Controller under this DPA in conformity with the following technical and organizational measures:
Information Security Organization
- SecurityPal’s Information Security Policy outlines roles and responsibilities for personnel with responsibility for the security, availability, and confidentiality of the Product and Service.
- The designated officer is responsible for the design, implementation, and management of the organization’s security policies, which are reviewed at least annually. Annual review includes assessment of internal controls used in the achievement of SecurityPal’s Service commitments and system requirements. Following review, any deficiencies are resolved in accordance with the Risk Assessment and Management Program.
- The designated officer also performs an annual formal risk assessment, which includes the identification of relevant internal and external threats related to security, availability, confidentiality, and fraud, and an analysis of risks associated with those threats. The designated officer maintains a risk register, which records the risk mitigation strategies for identified risks, and the development or modification of controls consistent with the risk mitigation strategy.
- The Security team is responsible for identifying and tracking incidents, creating a ‘lessons learned’ document and sharing it with the Engineering team. The Engineering team is responsible for software development and deployment.
Personnel Security
- SecurityPal has established a Code of Conduct outlining ethical expectations, behavior standards, and ramifications of noncompliance, as well as Acceptable Use, Data Protection, and Information Security Policies. Internal personnel acknowledge all codes and procedures within 30 days of hire.
- Background checks are performed on full-time employees within 30 days of the employee’s start date as permitted by local laws. Reference checks are performed on contractors who have access to production data.
- Internal personnel complete annual training programs for information security to help them understand their obligations and responsibilities related to security.
Access Controls and Asset Management
- Internal users are provisioned access to systems based on role as defined in the access matrix, which is reviewed and approved annually by the designated officer. The designated officer approves any additional access required outside the access matrix.
- The designated officer and the founder conduct quarterly user access reviews of production servers, databases, and applications to validate internal user access is commensurate with job responsibilities. Identified access changes are tracked to remediation.
- Access to production machines, network devices, and support tools requires a unique ID.
- Internal user access to systems and applications holding service data requires two-factor authentication in the form of a user ID and password plus a one-time passcode.
- SecurityPal has formal policies for password strength and use of authentication mechanisms.
- Production infrastructure is restricted to users with a valid authentication key; administrative access to production servers and databases is restricted to the Back-end Engineering team.
- Upon termination or when internal users no longer require access, infrastructure and application access is removed within one business day.
- Internal use of the internal admin tool is logged. These logs are reviewed regularly for appropriateness.
- The Engineering team maintains a list of the company’s system components, their owners and their business function, and the designated officer reviews this list annually.
Incident Management and Business Continuity
- SecurityPal’s Incident Response Plan outlines the process of identifying, prioritizing, communicating, assigning, and tracking incidents through to resolution.
- The Security team tracks identified incidents according to the Incident Response Plan and creates a ‘lessons learned’ document after each high or critical incident. This document is shared with the Engineering team to make any required changes.
- The designated officer maintains a disaster recovery plan, which is tested at least annually. The Engineering team reviews test results and makes changes to the plan accordingly.
Change Controls
- SecurityPal’s Change Management Process and Standard governs the system development life cycle, including documented policies for tracking, testing, approving, and validating changes.
- System changes are tested via automated test scripts prior to being deployed into production.
- Code change requests are independently peer reviewed prior to integrating the code change into the master branch.
- System users who make changes to the development system are unable to deploy their changes to production without independent approval.
- Configuration changes are tested (if applicable) and approved prior to being deployed into production.
- The production and testing environments are segregated; production data is not used in the development and testing environments.
Data and Availability Controls
- SecurityPal’s Data Protection Policy details the security and handling protocols for service data.
- Full backups are performed daily and retained in accordance with the Backup Policy. The Engineering team restores backed-up data to a non-production environment at least annually to validate the integrity of backups.
- Access to erase or destroy customer data is limited to the designated employees with appropriate access controls.
- The designated officer and the Engineering team manually delete data that is no longer needed from databases and other file stores in accordance with agreed-upon customer requirements.
- SecurityPal’s Encryption and Key Management Policy supports the secure encryption and decryption of app secrets, and governs the use of cryptographic controls.
- Encryption is used to protect the transmission of data over the internet; service data is encrypted at rest.
- The Engineering team encrypts hard drives for portable devices with full disk encryption.
- System tools monitor company load balancers and notify appropriate personnel of any events or outages based on predetermined criteria. Any identified issues are tracked through resolution in accordance with the Incident Response Plan.
- The Services are configured to support continuous availability.
Vendor and Vulnerability Management
- SecurityPal’s Vendor Risk Management Policy defines a framework for the onboarding and management of the vendor relationship lifecycle. The designated officer assesses new vendors according to the Vendor Risk Management Policy prior to engaging with the vendor.
- SecurityPal’s Vulnerability Management and Patch Program outlines the procedures to identify, assess, and remediate identified vulnerabilities.
- Vulnerability scans are executed monthly on production systems. The designated officer and the Engineering team track critical or high-risk vulnerabilities through resolution. Management has implemented intrusion prevention and detection tools to provide monitoring of network traffic to the production environment.
- The Engineering team uses logging and monitoring software to collect data from servers and endpoints, and detect potential security threats and unusual system activity.
- The Engineering team uses alerting software to notify impacted teams of potential security and availability events.
ANNEX III
LIST OF SUB-PROCESSORS
The controller has authorized the use of the Subprocessors set forth in the Subprocessor Site (located here):
https://assurance.securitypal.com/
SCHEDULE 3
TRANSFER MECHANISMS FOR UK GDPR
- Definitions. For the purposes of this Schedule 3, these terms shall be defined as follows:
  - “UK GDPR IDTA” means the terms of the “International Data Transfer Agreement” (located here: https://ico.org.uk/media/for-organisations/documents/4019538/international-data-transfer-agreement.pdf) and issued pursuant to Section 119A of the Data Protection Act 2018.
  - “UK GDPR Addendum” or “UK Addendum” means the terms of the “International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for International Data Transfers” (located here: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf) and issued pursuant to Section 119A of the Data Protection Act 2018.
- International Transfer Mechanisms. If, in the performance of the Services, Personal Data that is subject to UK GDPR or any other law relating to the protection or privacy of individuals that applies in the United Kingdom is transferred out of the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of the European Data Protection Laws, the UK GDPR IDTA and/or UK Addendum shall apply to such transfers and can be directly enforced by the Parties to the extent such transfers are subject to the UK GDPR.
- Appendix Information. Annex I through III, set forth in Schedule 2 to this DPA, contain the Appendix Information for the UK GDPR IDTA and UK Addendum and are incorporated therein by reference.
SCHEDULE 4
CALIFORNIA SCHEDULE
1. For purposes of this Schedule 4, the terms “business,” “commercial purpose,” “sell” and “service provider” shall have the respective meanings given thereto in the CCPA, and “personal information” shall mean Personal Data that constitutes personal information, the Processing of which is governed by the CCPA.
2. It is the parties’ intent that with respect to any personal information, SecurityPal is a service provider. SecurityPal shall: (i) not “sell” (as defined in the CCPA) personal information; and (ii) not retain, use or disclose any personal information for any purpose other than for the specific purpose of providing the Services, including retaining, using or disclosing personal information for a commercial purpose (as defined in the CCPA) other than providing the Services. For the avoidance of doubt, the foregoing prohibits SecurityPal from retaining, using or disclosing personal information outside of the direct business relationship between SecurityPal and Client. SecurityPal hereby certifies that it understands the obligations under this section 2 and shall comply with them.
3. The parties acknowledge that SecurityPal’s retention, use and disclosure of personal information authorized by Client’s instructions documented in the DPA are integral to SecurityPal’s provision of the Services and the business relationship between the parties.