Data Protection Agreement

This Data Processing Addendum, including Schedule A and Annexes I-III (“DPA”), forms an integral part of the Agreement (“Main Agreement”) entered between INCRMNTAL Ltd. ("Company") and between the counterparty agreeing to these terms ("Customer"; each “Party” and together “Parties”) and applies to the extent that Company processes Personal Data on behalf of the Customer, in the course of its performance of its obligations under the Main Agreement.

If you are accepting this DPA on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of Customer, to this DPA. If you do not have the legal authority to bind Customer, please do not accept this DPA.

All capitalized terms not defined herein shall have the meaning set forth in the Main Agreement.

1. Definitions
1.1 "Approved Jurisdiction" means a jurisdiction approved as having adequate legal protections for data by the European Commission (or by the UK Information Commissioner's Office, where applicable), currently found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en and here: https://ico.org.uk/media/for-organisations/dp-at-the-end-of-the-transition-period/data-protection-now-the-transition-period-has-ended-1-0.pdf 
1.2 “Data Protection Laws” means, any and all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state, federal or national level, pertaining to data privacy, data security or the protection of Personal Data, including the Privacy and Electronic Communications Directive 2002/58/EC (as amended, and respective local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), the Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"), US Data Protection Laws, and any amendments or replacements to the foregoing.
1.3 “Data Subject” means a natural person to whom Personal Data relates. Where applicable, a Data Subject shall include "Consumer", as this term is defined under the US Data Protection Laws.
1.4 "EEA" means those countries that are members of the European Economic Area.
1.5 "Security Incident" shall mean any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. For the avoidance of doubt, any Personal Data Breach (as defined under the GDPR) will comprise a Security Incident. 
1.6 “Special Categories of Data“ means personal data as defined under Article 9 of the GDPR, and where applicable, sensitive personal information, as defined under US Data Protection Laws. 
1.7 “Standard Contractual Clauses” the applicable module of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council from June 4th 2021, as available here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en.
1.8 ”UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, which was entered into force on 21 March, 2022.
1.9 “US Data Protection Laws” means, as applicable, any and all applicable laws, rules, acts, decrees, directives, regulations and binding regulatory guidance, on any state or federal level, pertaining to data privacy, data security and the protection of Personal Data, including, without limitation, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020, and the regulations enacted thereunder, Colorado Privacy Act, 2021 Colo. ALS 483; 2021 Colo. Ch. 483; 2021 Colo. SB. 190, Connecticut Data Privacy and Online Monitoring Act, Conn. Gen. Stat. §42-515 et. Seq., Utah Consumer Privacy Act, Utah Code Ann. Title 13, Ch. 61, Virginia Consumer Data Protection Act, Va. Civ. Code § 59.1, the Texas Data Privacy and Security Act, Tex. Bus. & Com. Code Ann. § 541.001 et seq, the Oregon Consumer Privacy Act, ORS 646A.570-646A.589, as well as any future laws, amendments, or regulations that may be enacted or promulgated governing data protection within the United States.
1.10 The terms “controller”, “Personal Data” “process(ing)” and “processor” as used in this DPA have the meanings given to them in Data Protection Laws. Where applicable, controller shall be deemed “Business“, processor shall be deemed “Service Provider“ or “Contractor”, and Personal Data shall be deemed “Personal Information” as these terms are defined under US Data Protection Laws.
1.11 Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.

2. Application of this DPA
2.1 This DPA will only apply to the extent all of the following conditions are met:
2.1.1 Company processes Personal Data that is made available by the Customer in connection with the Main Agreement (whether directly by the Customer or indirectly by a third party retained by and operating for the benefit of the Customer);
2.1.2 Data Protection Laws apply to the processing of Personal Data.
2.2 This DPA will only apply to the services for which the Parties agreed to in the Main Agreement ("Services"), which incorporates the DPA by reference.

3. Parties' Roles
3.1 In respect of the Parties' rights and obligations under this DPA regarding the Personal Data, the Parties hereby acknowledge and agree that the Customer is the Controller or Processor (as well as, as applicable, the Business or Service Provider, as these terms are defined under US Data Protection Laws) and Company is a Processor or Sub-Processor (as well as, as applicable, the Service Provider, as this term is defined under the US Data Protection Laws), and accordingly:
3.1.1 Company agrees that it shall process all Personal Data in accordance with its obligations pursuant to this DPA;
3.1.2 The Parties acknowledge that the Customer discloses Personal Data to Company only for the performance of the Services and that this constitutes a valid business purpose for the processing of such data. 
3.2 If Customer is a Processor, Customer warrants to Company that Customer’s instructions and actions with respect to the Personal Data, including its appointment of Company as another Processor and concluding the Standard Contractual Clauses, have been authorized by the relevant Controller.
3.3 Notwithstanding anything to the contrary in the DPA, Customer acknowledges that Company shall have the right to collect, use and disclose Personal Data: 
3.3.1 collected in the context of providing the Services to Customer for its legitimate internal business purposes including but not limited to for the purposes of billing, record-keeping, account management, support, protection against fraudulent or illegal activity and the prevention of misuse of the Services, for the purpose of compliance with legal obligations, and the establishment, exercise and defense of legal claims. 
3.3.2 collected in the context of using the Services, for the purpose of analytics, market research, product improvement and development. The Company may use aggregated and/or anonymized information for any purpose, subject to the confidentiality obligation in the Main Agreement.
3.4 To the extent any data referred to under section ‎‎3.3 above is considered Personal Data, then the Company shall be deemed to be an independent Controller of such data under Data Protection Laws, and its Processing shall be outside the scope of this DPA.

4. Compliance with Laws
4.1 Each Party shall comply with its respective obligations under Data Protection Laws. 
4.2 Company shall provide reasonable cooperation and assistance to Customer in relation to Company’s processing of Personal Data in order to allow Customer to comply with its obligations as a Data Controller under Data Protection Laws.
4.3 Company agrees to notify Customer promptly if it becomes unable to comply with the terms of this DPA and take reasonable and appropriate measures to remedy such non-compliance.
4.4 Throughout the duration of the DPA, Customer represents and warrants that: 
3.4.1 Personal Data has been and will continue to be collected, processed and transferred by Customer to Company in accordance with the relevant provisions of Data Protection Laws; 
3.4.2 Customer is solely responsible for determining the lawfulness of the data processing instructions it provides to Company and shall provide Company only instructions that are lawful under Data Protection Laws;
3.4.3 the processing of Personal Data by Company for the Permitted Purposes, as well as any instructions to Company in connection with the processing of the Personal Data (“Processing Instructions”), has been and will continue to be carried out in accordance with the relevant provisions of the Data Protection Law; and that
3.4.4 The Customer has informed Data Subjects of the processing and transfer of Personal Data pursuant to the DPA and obtained any relevant consents or established other lawful grounds thereto (including without limitation any consent required in order to comply with the Processing Instructions and the Permitted Purposes).

5. Processing Purpose and Instructions
5.1 The subject matter of the processing, the nature and purpose of the processing, the type of Personal Data and categories of Data Subjects, shall be as set out in the Main Agreement, or in the attached Annex I.
5.2 Company shall process Personal Data only for the Permitted Purposes and in accordance with Customer’s written Processing Instructions (unless waived in a written requirement), the Main Agreement and Data Protection Laws, unless Company is otherwise required to do so by law to which it is subject (and in such a case, Company shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). Company shall promptly inform Customer if, in Company’s opinion, an instruction is in violation of Data Protection Laws. 
5.3 To the extent that the Processing Instructions may result in the Processing of any Personal Data outside the scope of the Main Agreement or the Permitted Purposes, then such Processing will require prior written agreement between Company and Customer, which may include any additional fees that may be payable by Customer to Company for carrying out such Processing Instructions. 
5.4 Company shall not process Personal Data for any purpose other than for the purpose of performing the Services or for a lawful commercial or business purpose (as defined under US Data Protection Laws), or as otherwise permitted under Data Protection Laws. Company's performance of the Services may include disclosing Personal Data to Sub-Processors where such disclosure is necessary for the provision of the Services and Company’s activities.

6. Reasonable Security and Safeguards
6.1 Company represents, warrants, and agrees to use security measures (i) to protect the availability, confidentiality, and integrity of any Personal Data collected, accessed or processed by Company in connection with this DPA, and (ii) to protect such data from Security Incidents. Such security measures include, without limitation, the security measures set out in Annex II.
6.2 The security measures are subject to technical progress and development and Company may update or modify the security measures from time to time provided that such updates and modifications shall not, in the Company’s discretion, result in the degradation of the overall security of the services procured by Customer.
6.3 Company shall take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who has access to and processes Personal Data. Company shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7. Security Incidents
Upon becoming aware of a Security Incident, Company will notify Customer without undue delay and will provide information relating to the Security Incident as reasonably requested by Customer. Company will make reasonable endeavors, at Customer's expense, to assist Customer in mitigating, where possible, the adverse effects of any Security Incident.

8. Security Assessments and Audits
8.1 Company audits its compliance with data protection and information security standards on a regular basis. Such audits are conducted by Company’s internal audit team or by third party auditors engaged by Company, and will result in the generation of an audit report (“Report”), which will be Company’s confidential information.
8.2 Company shall, upon prior written notice and subject to obligations of confidentiality, no more than once a year and in normal business hours, allow its data processing procedures and documentation to be inspected by Customer (or its designee), at Customer's expense, in order to ascertain compliance with this DPA; Company shall cooperate in good faith with such audit requests by providing access to relevant knowledgeable personnel and documentation. 
8.3 At Customer’s written request, and subject to obligations of confidentiality, Company may satisfy the requirements set out in this section by providing Customer with a copy of the Report so that Customer can reasonably verify Company’s compliance with its obligations under this DPA. 

9. Cooperation and Assistance
9.1 If Company receives any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Main Agreement, including requests from individuals seeking to exercise their rights under applicable Data Protection Law, Company will promptly redirect the request to Customer. Company will not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. If Company is required to respond to such a request, Company will promptly notify Customer and provide Customer with a copy of the request, unless legally prohibited from doing so. The Customer is responsible for verifying that the requestor is the data subject whose information is being sought or its duly authorized representative. Company bears no responsibility for information provided in good faith to Customer in reliance on this subsection.
9.2 If Company receives a legally binding request for the disclosure of Personal Data which is subject to this DPA, Company shall (to the extent legally permitted) notify Customer upon receipt of such order, demand, or request. It is hereby clarified however that if no response is received from Customer within three (3) business days (or otherwise any shorter period as dictated by the relevant law or authority), Company shall be entitled to provide such information.
9.3 Notwithstanding the foregoing, Company will cooperate with Customer with respect to any action taken by it pursuant to such order, demand or request, including ensuring that confidential treatment will be accorded to such disclosed Personal Data. Customer shall cover all costs incurred by the Company in connection with its provision of such assistance.
9.4 Upon reasonable notice, Company shall: 
9.4.1 taking into account the nature of the processing, provide reasonable assistance to the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligation to respond to requests for exercising Data Subject's rights, at Customer’s expense;
9.4.2 provide reasonable assistance to the Customer in ensuring Customer’s compliance with its obligation to carry out data protection impact assessments or prior consultations with data protection authorities with respect to the processing of Personal Data, provided, however, that if such assistance entails material costs or expenses to Company, the Parties shall first come to agreement on Customer reimbursing Company for such costs and expenses.

10. Use of Sub-Processors
10.1 Customer provides a general authorization to Company to appoint (and permit each Sub-Processor appointed in accordance with this Clause to appoint) Processors and/or Sub Processors in accordance with this section. 
10.2 Company may continue to use those Sub-Processors already engaged by Company as at the date of this DPA, as specified in Annex III, subject to Company, in each case as soon as practicable, meeting the obligations set out in this Clause. 
10.3 Company can at any time appoint a new Sub-Processor provided that Customer is given ten (10) days' prior notice (such notice may be given through Company’s Services) and the Customer does not legitimately object to such changes within that time frame. Legitimate objections must contain reasonable and documented grounds relating to a Sub-Processor's non-compliance with Data Protection Laws. If, in Company’s reasonable opinion, such objections are legitimate, Company shall either refrain from using such Sub-Processor in the context of the processing of Personal Data or shall notify Customer of its intention to continue to use the Sub-Processor. Where Company notifies Customer of its intention to continue to use the Sub-Processor in these circumstances, Customer may, by providing written notice to Company, terminate the affected portion of the Main Agreement.
10.4 With respect to each Sub-Processor, Company shall ensure that the arrangement between Company and the Sub-Processor is governed by a written contract including terms which offer at least the same level of protection as those set out in this DPA and meets the requirements of Data Protection Laws. 
10.5 Company will be responsible for any acts or omissions by its Sub-Processors, which may cause Company to breach any of its obligations under this DPA.
10.6 Company will only disclose Personal Data to Sub-Processors for the specific purposes of carrying out the Services on Company's behalf.

11. Transfer of EEA resident Personal Data outside the EEA
11.1 To the extent that Company processes Personal Data outside the EEA,  UK, or an Approved Jurisdiction, then the Parties shall be deemed to enter into the Standard Contractual Clauses and UK Addendum (as applicable), subject to any amendments contained in Exhibit A, in which event the Customer shall be deemed as the Data Exporter and the Company shall be deemed as the Data Importer (as these terms are defined therein). 
11.2 Company may transfer Personal Data of residents of the EEA or UK outside the EEA or UK (respectively) or an Approved Jurisdiction ("Transfer"), only subject to the following:
(A) the Transfer is necessary for the purpose of Company carrying out its obligations under the Main Agreement, or is required under applicable laws; and
(B) the Transfer is: (i) subject to appropriate safeguards (for example, through the use of the Standard Contractual Clauses, or other applicable frameworks), or (ii) in accordance with any of the exceptions listed in the Data Protection Laws (in which event Customer will inform Company which exception applies to each Transfer and will assume complete and sole liability to ensure that the exception applies).

12. Data Retention and Destruction
12.1 Company will only retain Personal Data for the duration of the Main Agreement or as required to perform its obligations under the Main Agreement, or as otherwise required to do so under applicable laws or regulations. Following expiration or termination of the Main Agreement, Company will delete or return to Customer all Personal Data in its possession as provided in the Main Agreement, except to the extent Company is required under applicable laws to retain the Personal Data. The terms of this DPA will continue to apply to such Personal Data. This section shall not apply to the activities that are the subject matter of section 3.3 herein.

13. Obligations under US Data Protection Laws
13.1 To the extent that Company processes Personal Data which is subject to the US Data Protection Laws, then in addition to the obligations set out herein, Company shall not: 
13.1.1 process the Personal Data other than on Customer’s documented instructions;
13.1.2 sell or share Personal Data (as the terms "sell" and "share" are defined under US Data Protection Laws) disclosed to or collected by it (or on its behalf) in connection with the Agreement, or, except as necessary to perform the Services, retain, collect, use or disclose said Personal Data, for any purpose, including commercial purposes, other than for the business purpose (as defined under US Data Protection Laws);
13.1.3 retain, use or disclose the personal information disclosed to it or collected by it (or on its behalf) in connection with the Agreement, outside the direct business relationship between the Company and the Customer, unless otherwise permitted under US Data Protection Laws;
13.1.4 combine the Personal Data of consumers that it collects, receives from, or on behalf of, the Customer with Personal Data that the Company receives from, or on behalf of, another person or persons or collects from its own interaction with consumers unless and solely to the extent necessary to perform the business purpose.
13.2 Company acknowledges and understands its obligations under this clause, and will comply with them.

14. General 
14.1 Any claims brought under this DPA will be subject to the terms and conditions of the Main Agreement, including any exclusions and limitations set forth therein.
14.2 In the event of a conflict between the Main Agreement (or any document referred to therein) and this DPA, the provisions of this DPA shall prevail.
14.3 Company may change this DPA if the change is required to comply with Data Protection Laws, a court order or guidance issued by a governmental regulator or agency, provided that such change does not: (i) seek to alter the categorization of the Parties; (ii) expand the scope of, or remove any restrictions on, either Party’s rights to use or otherwise process Personal Data; or (iii) have a material adverse impact on Customer, as reasonably determined by Company. Company will use commercially reasonable efforts to inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect.

Exhibit A - Standard Contractual Clauses and the UK Addendum

1. If Customer is a Controller – the Parties shall be deemed to enter into the Controller to Processor Standard Contractual Clauses (Module Two); if Customer is a Processor – the Parties shall be deemed to enter into the Processor to Processor Standard Contractual Clauses (Module Three).

2. This Exhibit A sets out the Parties' agreed interpretation of their respective obligations under Module Two or Module Three of the Standard Contractual Clauses (as applicable).

3. The Parties further agree that for the purpose of transfer of Personal Data between the Customer (Data Exporter) and the Company (Data Importer), the following shall apply:

3.1. Clause 7 of the Standard Contractual Clauses shall not be applicable.

3.2. In Clause 9, option 2 shall apply.

3.3. In Clause 11, data subjects shall not be able to lodge a complaint with an independent dispute resolution body.

3.4. In Clause 17, option 1 shall apply. The Parties agree that the clauses shall be governed by the law of the state of Ireland.

3.5. In Clause 18(b) the Parties choose the courts of Dublin.

4. The Parties shall complete Annexes I–III below, which are incorporated in the Standard Contractual Clauses by reference.

5.  To the extent the UK Addendum applies, the following shall apply:

5.1. All the information provided under the Standard Contractual Clauses shall apply to the UK Addendum with the necessary changes per the requirement of the UK Addendum. Annexes 1A, 1B and 2 to the UK Addendum shall be replaced with Annexes I–III below, respectively.

5.2. In Table 4 of the UK Addendum, either party may terminate the agreement in accordance with section 19 of the UK Addendum.

By entering into this Data Protection Agreement, the Parties hereby agree to the format changes made to the UK Addendum. 

Annex I – Description of Processing Activities

A. Identification of Parties

"Data Exporter": the Customer;

"Data Importer": the Company.

B. Description of Transfer

 
Annex II – Technical and Organizational Measures to Ensure the Security of the Data

Description of the technical and organizational measures implemented by the Company (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Security Management
Company maintains a written information security management system (ISMS), in accordance with this Annex, that includes policies, processes, enforcement and controls governing all storage/processing/transmitting of Personal Data, designed to (a) secure Personal Data against accidental or unlawful loss, access or disclosure; (b) identify reasonable foreseeable and internal risks to security and authorized access to Company Network, and (c) minimize security risks, including through risk assessment and regular testing. 
Company actively follows information security trends and developments as well as legal developments with regards to the services provided and especially with regards to Personal Data and uses such insights to maintain its ISMS, as appropriate.

Maintain an Information Security Policy
Company’s ISMS is based on its security policies that are regularly reviewed (at least yearly) and maintained and disseminated to all relevant parties, including all personnel. Security policies and derived procedures clearly define information security responsibilities including responsibilities for:

• Maintaining security policies and procedures;
• Secure development, operation and maintenance of software and systems;
• Security alert handling;
• Security incident response and escalation procedures;
• User account administration;
• Monitoring and control of all systems as well as access to Personal Data.

Personnel is screened prior to hire and trained (and tested) through a formal security awareness program upon hire and annually. For service providers with whom Personal Data is shared or that could affect the security of Personal Data a process has been set up that includes initial due diligence prior to engagement and regular (typically yearly) monitoring.
Company is ISO 27001 certified / Company has implemented a risk-assessment process that is based on ISO 27001.

Secure Networks and Systems
Company has installed and maintains a firewall configuration to protect Personal Data that controls all traffic allowed between Company’s (internal) network and untrusted (external) networks, as well as traffic into and out of more sensitive areas within its internal network. This includes current documentation, change control and regular reviews.
Company does not use vendor-supplied defaults for system passwords and other security parameters on any systems and has developed configuration standards for all system components consistent with industry-accepted system hardening standards.

Protection of Personal Data
Company keeps Personal Data storage to a minimum and implements data retention and disposal policies to limit data storage to that which is necessary, in accordance with the needs of its customers.
Company uses strong encryption and hashing for Personal Data anywhere it is stored. Company has documented and implemented all necessary procedures to protect (cryptographic) keys used to secure stored Personal Data against disclosure and misuse. All transmission of Personal Data across open, public networks is encrypted using strong cryptography and security protocols.

Vulnerability Management Program
Company protects all systems against malware and regularly updates anti-virus software or programs to protect against malware – including viruses, worms, and Trojans. Anti-virus software is used on all systems commonly affected by malware to protect such systems from current and evolving malicious software threats.
Company develops and maintains secure systems and applications by:

• Having established and evolving a process to identify and fix (e.g. through patching) security vulnerabilities, that ensures that all systems components and software are protected from known vulnerabilities,
• Developing internal and external software applications, including web-applications, securely using a secure software development process based on best practices,
• Implementing a stringent change management process and procedures for all changes to system components that include strict separation of development and test environments from production environments and prevents the use of production data for testing or development.
   

Implementation of Strong Access Control Measures
"Company Network" means the Company’s data center facilities, servers, networking equipment, and host software systems (e.g. virtual firewalls) as employed by the Company to process or store Personal Data.
The Company Network will be accessible to employees, contractors and any other person as necessary to provide the services to the Customer. Company will maintain access controls and policies to manage what access is allowed to the Company Network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls. Company will maintain corrective action and incident response plans to respond to potential security threats.
Company strictly restricts access to Personal Data on a need-to-know basis to ensure that critical data can only be accessed by authorized personnel. This is achieved by:
 

• Limiting access to system components and Personal Data to only those individuals whose job requires such access; and
• Establishing and maintaining an access control system for system components that restricts access based on a user’s need to know, with a default “deny-all” setting.

Company identifies and authenticates access to all systems components by assigning a unique identification to each person with access. This ensures that each individual is uniquely accountable for their actions and any actions taken on critical data and systems can be traced to known and authorized users and processes. 
Necessary processes to ensure proper user identification management, including control of addition/deletion/modification/revocation/disabling of IDs and/or credentials have been implemented as well as monitoring of repeated failed access attempts and timely termination of idling session.

User authentication utilizes at least passwords that have to meet complexity rules, which need to be changed on a regular basis and which are cryptographically secured during transmission and storage on all system components. All individual non-console and administrative access and all remote access use multi-factor authentication.
Authentication policies and procedures are communicated to all users and group, shared or generic IDs/passwords are strictly prohibited.

Restriction of Physical Access to Personal Data
Any physical access to data or systems that house Personal Data are appropriately restricted using appropriate entry controls and procedures to distinguish between onsite personnel and visitors. Access to sensitive areas is controlled and includes processes for authorization based on job function and access revocation for personnel and visitors.
Media and backups are secured and (internal and external) distribution is strictly controlled. Media containing Personal Data no longer needed for business or legal reasons is rendered unrecoverable or physically destroyed.

Regular Monitoring and Testing of Networks
All access to network resources and Personal Data is tracked and monitored using centralized logging mechanisms that allow thorough tracking, alerting, and analysis on a regular basis as well as when something does go wrong. All systems are provided with correct and consistent time and audit trails are secured and protected, including file-integrity monitoring to prevent change of existing log data and/or generate alerts in cases of unauthorized access or anomalies of access. Audit trails for critical systems are kept for a year.

Security of systems and processes is regularly tested. This is to ensure that security controls for system components, processes and custom software continue to reflect a changing environment. 

All test results are kept on record and any findings are remediated in a timely manner.

Incident Management
Company has implemented and maintains an incident response plan and is prepared to respond immediately to a system breach. Incident management includes:
 

• Definition of roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of customers,
• Specific incident response procedures,
• Analysis of legal requirements for reporting compromises,
• Coverage of all critical system components,
• Regular review and testing of the plan,
• Training of staff,
• Inclusion of alerts from all security monitoring systems,
• Modification and evolution of the plan according to lessons learned and to incorporate industry developments.
   

Company has also implemented a business continuity policy (BCP) that is maintained and regularly tested. Data backup processes have been implemented and are tested regularly.

Physical Security
Physical Access Controls
Physical components of the Company’s office network are housed in nondescript facilities ("Facilities"). Physical barrier controls are used to prevent unauthorized entrance to Facilities both at the perimeter and at building access points. Passage through the physical barriers at the Facilities requires electronic access control validation. Visitors are required to sign-in with designated personnel, must show appropriate identification, and are continually escorted by authorized employees or contractors while visiting the Facilities.

Limited Employee and Contractor Access 
Company provides access to the Facilities to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked.

Physical Security Protections 
All access points (other than main entry doors) are maintained in a secured (locked) state. Company also maintains electronic intrusion detection systems designed to detect unauthorized access to the Facilities. All physical access to the Facilities by employees and contractors is logged and routinely audited.

Office Network Security
Access to the Company’s office network does not allow direct access to the production environment. All access to production environments requires the use of VPN connections, ensuring secure communication.

Device Management
The Company utilizes MDM systems to manage and secure all employee computers. This includes ensuring devices comply with security policies, encrypting data, and allowing remote wipe capabilities in the event a device is lost or compromised.

Continued Evaluation 
Company will conduct periodic reviews of the security of its Company Network and adequacy of its information security program as measured against industry security standards and its policies and procedures. Company will continually evaluate the security of its Company Network to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.
 

Annex III – List of Sub-Processors

Below is the list of the Data Importer's Sub-processors: