Data Processing Addendum
This Data Processing Addendum, including its schedules and the Standard Contractual Clauses (collectively, the "DPA") is entered into by and between the customer contracting entity agreeing to the Agreement ("Customer") on behalf of itself and its Affiliates, and Product School Incorporated ("Product School") and shall be effective on the date both parties execute the DPA ("Effective Date"). Product School has entered into an agreement (the "Agreement") with Customer pursuant to which Product School has agreed to provide certain services to Customer ("Services"). All capitalized terms used herein and not defined herein have the meanings set forth in the Agreement.
1. Definitions
1.1. "Affiliate" means any entity that is directly or indirectly controlled by, controlling or under common control with an entity. "Control" for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2. "Applicable Data Protection Law" means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable, European Data Protection Law and all laws and regulations of the United States, including the CCPA.
1.3. "CCPA" means Title 1.81.5 California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100-1798.199), including as amended by the California Privacy Rights Act of 2020 (the California Consumer Privacy Act), and any amendments and its implementing regulations that become effective on or after the effective date of this DPA (as amended, superseded or replaced from time to time).
1.4. "European Data Protection Law" means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("EU GDPR") (ii) the EU GDPR as saved into UK law by virtue of section 3 of the UK's European Union (Withdrawal) Act 2018 ("UK GDPR") and the UK Data Protection Act 2018 (together, "UK Data Protection Law"); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances ("Swiss DPA"); or (iv) any applicable data protection laws made under or pursuant to or that apply in conjunction with (i), (ii), or (iii) (in each case, as may be amended, superseded or replaced from time to time).
1.5. "Europe" means the European Economic Area (the "EEA"), United Kingdom ("UK") and Switzerland.
1.6. "Personal Data" means information relating to an identified or identifiable natural person ("data subject") but includes "personal data", "personally identifiable information" or "personal information", which shall have the definition set forth in the Applicable Data Protection Law and be processed by Product School in accordance with this DPA in connection with the Services.
1.7. "Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of personal data from the UK to any other country which is not based on adequacy regulations pursuant to Section 17A of the Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
1.8. "Security Incident" means a personal data breach or any unauthorized access or breach of security leading to the theft, accidental or unlawful destruction loss, alteration, unauthorized disclosure or access to any Personal Data processed by Product School under or in connection with the Agreement.
1.9. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021.
1.10. "Sub-processor" means any third-party service provider engaged by Product School in its role as a processor, which processes any Personal Data relating to this DPA and/or the Agreement.
1.11. "UK Addendum" means the "UK Addendum to the EU Standard Contractual Clauses" issued by the Information Commissioner's Office under s.119A(1) of the UK Data Protection Act 2018.
1.12. The terms "controller", "processor", "supervisory authority", "personal data breach" and "processing" shall have the meaning given to them in European Data Protection Law and "process", "processes" and "processed" shall be interpreted accordingly. The terms "consumer", "personal information", "business", "sale" (including the terms "sell," "selling," "sold," and other variations thereof) and "service provider" shall have the meaning given to them in the CCPA.
2. Scope of this DPA and Relationship of the Parties
2.1. Scope. This DPA applies where and only to the extent Product School processes any Personal Data protected by Applicable Data Protection Law under the Agreement in the course of providing the Services pursuant to the Agreement as follows:
2.1.1. Where and to the extent Customer is a controller or business (as applicable) and Product School and/or each relevant Product School Affiliate processes Personal Data as a processor or service provider (as applicable), Product School shall be a processor or service provider (as applicable) of the Personal Data and this DPA shall apply accordingly;
2.1.2. Where Customer is a processor or service provider of the Personal Data covered by this DPA on behalf of third-party controllers or businesses ("Third Party Controllers"), Product School and/or each relevant Product School Affiliate shall be a Sub-processor or service provider (as applicable) of the Personal Data and this DPA shall apply accordingly;
2.1.3 Where and to the extent Customer is a controller or business (as applicable) and Product School and/or each relevant Product School Affiliate processes Personal Data as a controller or business (as applicable), Product School will process such Personal Data in compliance with Applicable Data Protection Law, Sections 2, 3, 7.2, 7.3, 7.4, 7.5, 8, 10, and 11 of this DPA, and Schedules 2 and 3 of this DPA, to the extent applicable, only.
2.2. Compliance with Law. Each party will comply with its obligations under Applicable Data Protection Law in respect of the Personal Data it processes under the Agreement and this DPA. If Applicable Data Protection Law and corresponding obligations related to the processing of Personal Data change, the parties shall discuss in good faith any necessary amendments to this DPA.
2.3. California. The parties agree that: (i) Product School shall not retain, use or disclose Personal Data for any purpose other than the permitted purposes under this DPA; (ii) Personal Data was not sold to Product School and Product School shall not sell Personal Data subject to the CCPA; and (iii) Product School shall not retain, use or disclose Personal Data outside of the direct business relationship between Customer and Product School. Product School certifies that it understands the restrictions set out in this Section 2.3 and will comply with them.
3. Product School as a Controller
3.1 Independent Controllers. Each party shall be individually and separately responsible for complying with the obligations that apply to it as a separate and independent controller under Applicable Data Protection Law and neither party shall be responsible for the other party's compliance with Applicable Data Protection Law.
3.2 Product School Controller Obligations. Product School and each Product School Affiliate shall:
3.2.1 comply with all applicable European Data Protection Law when processing Personal Data;
3.2.2 only Process the Personal Data: (i) in order to perform its obligations under the Agreement; and (ii) solely to the extent permitted by applicable European Data Protection Law to the extent necessary for the following purposes: (a); and,
3.2.3 notify Customer within 24 hours upon becoming aware of a Security Incident and, where reasonably practicable, provide a copy of any proposed notification and consider in good faith any comments made by Customer before notifying any affected third party.
4. Product School Processing of Personal Data
4.1 Processor Purposes for Processing. Product School will at all times: (i) process the Personal Data solely for the purposes of providing the Services as set forth in the Agreement ("Permitted Purpose"), particularly under Schedules 1 and 2 of this DPA, and only in accordance with Customer's documented lawful instructions; and (ii) not process the Personal Data for its own purposes or those of any third-party. Product School shall not (a) sell or disclose Personal Data for monetary or other valuable consideration; (b) retain, use or disclose Personal Data for any purpose other than for the Permitted Purpose, including retaining, using or disclosing Personal Data for a commercial purpose other than performing the Services under the Agreement; or (iii) retain, use, or disclose Personal Data outside the direct business relationship between Product School and Customer.
4.2 Compliance with Applicable Data Protection Law. Each Party shall comply with its obligations under Applicable Data Protection Law with respect to any Personal Data it processes under this DPA and the Agreement.
4.3 Third Party Controller Notices. Where Customer is itself a processor or service provider (as applicable) of the Personal Data acting on behalf of a Third Party Controller, Customer shall serve as the sole point of contact for Product School and Product School need not interact directly with (including to seek any authorizations directly from) any such Third Party Controller, other than through the regular provision of the Services to the extent required under the Agreement. Where Product School would (including for the purposes of the SCCs) otherwise be required to provide information, assistance, cooperation, or other notification to such Third Party Controller, Product School shall provide it solely to Customer in accordance with this DPA.
5. Sub-processing
5.1 Authorized Sub-processors. Customer hereby provides a general authorization to Product School in its role as a processor or service provider to engage Sub-processors to process Personal Data. The Sub-processors engaged by Product School are listed in Schedule 3.
5.2 Notice. If Customer in writing requests notifications (via [email protected]) to a preferred Customer email address, Product School shall notify Customer of any new engagement of a Sub-processor at least fifteen (15) days before any such changes by sending an email to such email address to allow Customer to raise any reasonable objections on grounds of data protection. If Customer objects to the addition or replacement of any Sub-processor on reasonable grounds relating to data protection and Product School is unable to resolve such objection, Customer may terminate the Agreement.
5.3 Sub-processor Requirements. Product School shall:
5.3.1 enter into a written agreement with each Sub-processor imposing data protection terms that require Sub-processor to protect Personal Data to the standard required by Applicable Data Protection Law and this DPA (including its Schedules);
5.3.2 retain Sub-processors which present sufficient guarantees in terms of security and data protection in accordance with Applicable Data Protection Law;
5.3.3 ensure the Sub-processor processes Personal Data strictly for the Permitted Purpose;
5.3.4 remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Product School to breach any of its obligations under this DPA.
6. Cooperation and Individual Rights
6.1 Notices and Requests. Product School shall, taking into account the nature of the processing, reasonably cooperate with Customer to enable Customer to respond to any requests, complaints or other communications from data subjects, consumers, governmental and regulatory or judicial bodies relating to the processing of the Personal Data under the Agreement, including requests from data subjects seeking to exercise their rights under Applicable Data Protection Law. In the event that any such request, complaint or communication is made directly to Product School, Product School shall promptly notify Customer in writing and shall not respond to such communication without Customer's express authorization, unless required to do so by law.
6.2 Government or Regulatory Requests. If Product School becomes aware that any government agency or authority (including law enforcement or national security) requests access to the Personal Data (whether on a voluntary basis or through a subpoena or court order), Product School shall: (i) promptly notify Customer by email; (ii) inform the government agency that Product School is a processor of the data and is not authorized to disclose the data, and that Product School will need to promptly notify Customer regarding the request; (iii) attempt to redirect the agency to request the data directly from Customer; (iv) reasonably cooperate with all instructions of Customer, including if Customer (or its Third Party Controller) wishes to limit, challenge or protect against disclosure; and (v) not provide access to the data unless and until authorized by Customer in writing. Product School shall not be required to comply with the obligations under Section 5.2(i) to (v) in full if it is under a legal prohibition or mandatory legal compulsion that prevents it from complying. Product School shall use reasonable and lawful efforts to challenge any such prohibition or compulsion, and Product School shall only disclose the Personal Data to the extent it is legally required to do so and in accordance with applicable lawful process.
6.3 DPIA Assistance. Product School will assist Customer to conduct a data protection impact assessment and, at Customer's reasonable request, consult with applicable data protection authorities in respect of any proposed processing activity that present a high risk to data subjects.
6.4 Customer Requests. Product School will promptly deal with all inquiries from Customer relating to its processing of the Personal Data under the Agreement including making available all information necessary to demonstrate its compliance with Applicable Data Protection Law and this DPA.
7. Security and Audits
7.1 Security Audit Standards. Product School shall maintain records in accordance with ISO 27001, or similar applicable Information Security Management System (“ISMS”) standards. Upon request, Product School shall provide copies of relevant external compliance certifications, audit report summaries and/or other documentation reasonably required to verify Product School's compliance with this DPA. Product School shall also respond to Customer security questionnaires.
7.2 Security Measures. Taking into account the state of the art, the costs of implementation, and the nature, scope context and purposes of the Processing, Product School shall implement and maintain appropriate technical and organizational security measures designed to protect Personal Data (including but not limited to Security Incidents) and to preserve the security and confidentiality of Personal Data. Such measures will include, at minimum, those measures described in Schedule 2 of this DPA ("Security Measures"). Product School shall ensure that any person who is authorized by Product School to process Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty), including to ensure that the authorized person processes any Personal Data only for the purpose of delivering the Services under the Agreement to Customer.
7.3 Updates to Security Measures. Product School shall regularly and periodically determine whether upgrades, additions or modifications of applicable controls or Security Measures are required to meet the obligations under this DPA, including upon actual or constructive knowledge of relevant changes in technology and internal and external threats to Personal Data and the Services. Product School may update and/or modify the Security Measures from time to time, provided that such updates and/or modifications do not result in the degradation of the overall security of the Personal Data and continue to exceed the measures described in Schedule 2.
7.4 Data Access. Product School shall ensure that any person who processes Personal Data on Product School's behalf: (a) is required to protect and process all Personal Data in a manner consistent with the terms of the Agreement and this DPA; and (b) will receive appropriate training by Product School regarding the protection of Personal Data prior to receiving access to Personal Data.
7.5 Security Incident Response. Upon becoming aware of a Security Incident, Product School shall notify Customer within 24 hours and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer, including the type of data affected, the identity of affected person(s), and steps taken to mitigate the Security Incident as soon as such information becomes known or available to Product School. Product School shall keep and maintain a record of every Security Incident.
7.6 Security Audits. On written request from Customer, Product School shall provide written responses (which may include audit report summaries) to all reasonable requests for information made by Customer related to the Product School's processing of Personal Data necessary to confirm Product School's compliance with this DPA, provided that Customer shall not exercise this right more than once in any 12 month rolling period. Notwithstanding the foregoing, Customer (or its appointed representatives) may also exercise such audit right of Product School's operations and facilities in the event Customer is expressly required to provide this information to a data protection authority. Any such inspections shall take place during normal business hours and be subject to reasonable prior notice.
8. International Transfers
8.1 Transfers Generally. To the extent that Product School transfers Personal Data to Sub-processors in jurisdictions that do not provide the same level of data protection, it will do so on the basis of legally valid transfer methods that incorporate appropriate transfer mechanism provisions to protect Personal Data and in compliance with the requirements of Applicable Data Protection Law and this DPA.
8.2 European Data Transfers. Product School shall not transfer, whether by direct or onwards transfer, any Personal Data under this DPA that is protected by European Data Protection Laws ("European Data") in or to any country, territory or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of European Data Protection Law) (a "non-Adequate Country"), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with European Data Protection Law.
8.3 Standard Contractual Clauses. The parties agree that where Customer transfers (directly or via onward transfer) European Data to Product School located in a non-Adequate Country, the parties agree to be subject to the Standard Contractual Clauses, which shall be automatically incorporated by reference and form an integral part of this DPA, as follows:
8.3.1 Product School as a Processor or Sub-processor. In relation to European Data that is protected by the EU GDPR and is processed in accordance with Sections 2.1.1 and 2.1.2 of this DPA, the SCCs shall apply completed as follows:
8.3.1.1 Module Two (Section 2.1.1) or Three (Section 2.1.2) will apply;
8.3.1.2 in Clause 7, the optional docking clause will not apply;
8.3.1.3 in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes is identified in Section 4 above;
8.3.1.4 in Clause 11, the optional language will not apply;
8.3.1.5 in Clause 17, Option 1 will apply, and the SCCs will be governed by the law of Spain;
8.3.1.6 in Clause 18(b), disputes shall be resolved before the courts of Spain;
8.3.1.7 Annex I of the SCCs shall be deemed completed with the information set out in Schedule 1 of this DPA; and
8.3.1.8 Subject to Sections 6.2 and 6.3 of this DPA, Annex II of the SCCs shall be deemed completed with the information set out in Schedule 2 to this DPA;
8.3.2 Product School as a Controller. In relation to European Data that is protected by the EU GDPR and is processed in accordance with Section 2.1.3 of this DPA, the SCCs shall apply completed as follows:
8.3.2.1 Module One will apply;
8.3.2.2 in Clause 7, the optional docking clause will apply;
8.3.2.3 in Clause 11, the optional language will not apply;
8.3.2..4 in Clause 17, Option 1 will apply, and the SCCs will be governed by Spain law;
8.3.2.5 in Clause 18(b), disputes shall be resolved before the courts of Spain;
8.3.2.6 Annex I of the SCCs shall be deemed completed with the information set out in Schedule 2 of this DPA; and
8.3.2.7 Subject to Sections 7.2 and 7.3 of this DPA, Annex II of the SCCs shall be deemed completed with the information set out in Schedule 3 to this DPA.
8.3.3 UK Transfer Mechanism. In relation to European Data that is protected by the UK GDPR, the SCCs: (i) shall apply as completed in accordance with Section 7.3.1 above; and (ii) shall be deemed amended as specified by the UK Addendum attached as Schedule 4, which shall deemed executed by the parties and incorporated into and form an integral part of this DPA. Any conflict between the terms of the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
8.3.4 Swiss Transfer Mechanism. To the extent the European Data is subject to the Swiss DPA, Product School agrees to process such European Data in compliance with the SCCs, which are incorporated herein in full by reference and form an integral part of this DPA in accordance with Section 7.3. and the following modifications:
8.3.4.1 references to "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss DPA;
8.3.4.2 references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of the Swiss DPA;
8.3.4.2.1 references to "EU", "Union" and "Member State" shall be replaced with references to "Switzerland";
8.3.4.2.2 Clause 13(a) and Part C of Annex II shall not be used and the "competent supervisory authority" shall be the Swiss Federal Data Protection and Information Commissioner;
8.3.4.2.3 references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Swiss Federal Data Protection and Information Commissioner" and "applicable courts of Switzerland";
8.3.4.2.4 in Clause 17, the SCCs shall be governed by the laws of Switzerland;
8.3.4.2.5 in Clause 18(b), disputes shall be resolved before the courts of Switzerland; and
8.3.4.2.6 the SCCs shall also protect the data of legal entities until the entry into force of the revised Swiss Federal Data Protection Act.
8.4 Alternative Transfer Mechanism. Product School shall promptly notify Customer in the event that a data protection authority and/or Applicable Data Protection Law no longer permits the lawful transfer of Personal Data to Product School pursuant to the terms of this DPA and/or requires that the parties adopt an alternative transfer solution that complies with Applicable Data Protection Law, then without prejudice to any other right or remedy available to Customer, Product School shall work with Customer and promptly take all reasonable and appropriate steps deemed necessary to ensure such processing or transfer is in compliance with Applicable Data Protection Law.
9. Deletion & Return of Data
9.1 Deletion & Return. Upon Customer's request, Product School shall: (a) securely destroy (upon written instructions of Customer) or return to Customer all Personal Data in its possession or control. This requirement shall not apply to the extent that Product School is required by any applicable law to retain some or all of the Personal Data, in which event Product School shall, on ongoing basis, isolate and protect the security and confidentiality of such Personal Data and prevent any further processing except to the extent required by such law and shall destroy or return to Customer all other Personal data; and/or immediately cease processing all Personal Data.
10. Limitation of Liability
10.1 This DPA is subject to any limitations of liability set forth in the Agreement.
11. General
11.1 Disclosures. Product School acknowledges that Customer may disclose this DPA and any relevant privacy provisions in the Agreement to the US Department of Commerce, the Federal Trade Commission, European data protection authority, or any other US or EU judicial or regulatory body upon their request.
11.2 Survival. The obligations placed upon the Product School under this DPA (including, to the extent applicable, the Standard Contractual Clauses) shall survive so long as Product School and/or its Sub-processors process Personal Data on behalf of Customer. The provisions contained in this DPA and its attachments, exhibits and schedules that by their context are intended to survive termination or expiration will survive. The accrued rights and liabilities of the parties, as well as any express or implied obligations of the parties shall survive termination of this DPA.
11.3 Governing Law. This DPA is governed by the law which governs the Agreement and any dispute between the parties is to be handled as set out in the Agreement, unless required otherwise by Applicable Data Protection Law or the Standard Contractual Clauses.
11.4 Order of Precedence. It is not the intention of either party to contradict or restrict any of the provisions set forth in the SCCs and, accordingly, if and to the extent the SCCs conflict with any provision of the Agreement (including this DPA), the SCCs shall prevail to the extent of such conflict.
11.5 Modifications. This DPA may not be modified except by a subsequent written instrument signed by both parties.
11.6 Severability. If any part of this DPA is held unenforceable, the DPA will be interpreted with the unenforceable portion of the DPA deleted, and the validity of all remaining parts will not be affected.
11.7 Conflicts. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. In the event of any conflict between this DPA and any data privacy provisions set out in any Agreement, the parties agree that the terms of this DPA shall prevail.
SCHEDULE 1 (C2P AND P2P TRANSFERS)
Description of Processing Activities / Transfer
Annex 1(A) List of Parties:
Name of Data Importer: Product School, Inc.
Address: 548, Market St, San Francisco, CA, 22502
Contact details: [email protected]
Activities relevant to the data transferred under these Clauses: See Schedule 1(B) below and the Agreement.
Signature and date: This Schedule 1 shall automatically be deemed executed when the Addendum is executed by Product School.
Role (controller/processor): Controller/Processor
Name of Data Exporter: The party identified as the “Customer” in the Agreement.
Address: Reference is made to the Agreement.
Contact person’s name, email, position, and contact details: Reference is made to the Agreement.
Activities relevant to the data transferred under these Clauses: See Schedule 1(B) below and the Agreement.
Signature and date: This Schedule 1 shall automatically be deemed executed when the DPA is executed by Customer.
Role (controller/processor): Controller
Annex 1(B) Description of processing/transfer:
Nature and Purpose of Processing: Product School is a controller or processor to Customer and will process Customer’s Personal Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this Addendum, and in accordance with Customer’s instructions as set forth in this Addendum.
Duration of Processing: The duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms plus the period from the expiry of the Agreement until deletion of the Personal Data in accordance with the terms of the Agreement and the DPA.
Categories of Data Subjects: Customer’s employees and other personnel who access Product School’s Services.
Frequency of the transfer: Continuous
Categories of Personal Data: Product School processes Personal Data contained in Customer Account Data, Customer Usage Data, and any Personal Data provided by Customer or its users or otherwise collected by Product School in order to provide the Services or as otherwise set forth in the Agreement or this Addendum. Categories of Personal Data include: name, email address, online identifiers such as IP address.
Sensitive Data or Special Categories of Data: No Sensitive Data shall be provided to Product School.
Annex 1(C) Competent supervisory authority:
The competent supervisory authority, in accordance with Clause 13 of the SCCs will be determined in accordance with European Data Protection Law.
SCHEDULE 2
Technical and Organizational Measures
Product School shall implement the following minimum technical and organizational measures (including any relevant certifications) to ensure an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons:
Type of measure | Implemented measure |
|---|---|
1. Measures of encryption of personal data | - Encryption of data at rest using AES-256 - TLS/SSL encryption for data in transit |
2. Measures for ensuring ongoing confidentiality, integrity and resilience of processing systems and services | - Multi-factor authentication (MFA) for access control - Implement role-based access controls and maintain detailed logs to monitor and restrict access to sensitive information according to each user’s operational requirements. |
3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | - Daily backups with verification testing - Disaster recovery plan with regular drill exercises |
4. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing | - We are committed to continuously enhancing our security measures through a structured approach aligned with Information Security Management System (ISMS) standards. These improvements are implemented as part of our ongoing planning and refresh processes, ensuring we consistently adapt to emerging security needs. |
5. Measures for user identification and authorisation | - Role-based access control (RBAC) with an access matrix - Use of a single sign-on (SSO) solution for user authentication |
6. Measures for the protection of Data during storage | - Database encryption at rest and restricted access |
7. Measures for ensuring physical security of locations at which personal data are processed | - Not Applicable |
8. Measures for ensuring events logging | - Comprehensive event logging will be implemented and maintained to ensure the recording, monitoring, protection, and periodic review of all access, modifications, and deletions of personal data, in compliance with security standards and applicable legal requirements. |
9. Measures for ensuring system configuration, including default configuration | - Standardized baseline configurations for all devices |
10. Measures for internal IT and IT security governance and management | - Defined roles and responsibilities in IT security policies - Periodic training on security policies and updates |
11. Measures for certification/assurance of processes and products | - Secure development lifecycle (SDLC) for product development |
12. Measures for ensuring data minimisation and accountability | - Role-based data access according to the principle of least privilege |
13. Measures for ensuring data quality | - Automated data validation checks |
14. Measures for ensuring limited data retention | - Data retention policy - Regular data reviews to validate necessity |
15. Measures for allowing data portability and ensuring erasure | -Data export and transfer guidelines |
SCHEDULE 3
List of Sub-processors
Name (full legal name) | Description of processing | Place of processing: |
|---|---|---|
Stripe | Payment Processing | US |
Google Cloud | Cloud storage and analytics | US |
Salesforce | CRM | US |
Customer.IO | Marketing automation | US |
Docebo | LMS | US |
Marketo | Marketing automation | US |
Twilio | Communication services | US |
Zendesk | Customer support software | US |
Contentful | Content management System | US |
Gearset | Salesforce deployment and management | US |
SCHEDULE 4
UK Addendum
This Schedule 5 forms part of this DPA and applies in accordance with Section 8.3.3 (UK Transfer Mechanism) of the DPA.
Start Date | The date of the Agreement | |
Parties | Exporter | Importer |
Parties' details | Name: As set forth in Schedule 1 to the DPA | Name: As set forth in Schedule 1 to the DPA |
Addendum secs | The Approved secs, including the Appendix Information and with only the following modules, clauses or optional provisions of the approved secs brought into effect for the purposes of this Addendum: See Section 7.3.3 of the DPA | |
Appendix Information | See Schedules 1 to this DPA | |
Mandatory Clauses | Part 2: Mandatory Clauses of the UK Addendum, as it is revised under Section 18 of those Mandatory Clauses |