DPA (GDPR)

Effective date: March 10, 2022.

This Data Processing Agreement (“DPA”) is an addendum to the Customer Terms of Service (“Agreement”) between FingerprintJS Inc. (“FingerprintJS”) and the Customer. This DPA includes and incorporates by reference the annexes and addenda referenced at the bottom of this document. All capitalised terms not defined in this DPA shall have the meanings set forth in the Agreement. Customer enters into this DPA on behalf of itself and, to the extent required under Data Protection Laws, in the name and on behalf of its Authorised Affiliates (defined below).

The parties agree as follows:

1. Definitions

"Adequate Jurisdiction" means the UK, European Economic Area, or a country, territory, specified sector or international organisation which ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data, as: (i) determined by the European Commission with respect to Personal Data relating to data subjects in the European Economic Area; or (ii) set out in the UK Data Protection Act 2018 or determined by the UK Secretary of State in accordance with regulations made under the UK Data Protection Act 2018 with respect to personal data relating to data subjects in the UK.

“Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.

“Authorised Affiliate” means any of Customer Affiliate(s) permitted to or otherwise receiving the benefit of the Services pursuant to the Agreement.

“Control” means either (i) an ownership, voting or similar interest representing twenty five (25%) or more of the total interests then outstanding of the entity in question; or (ii) the power to direct or cause the direction and management of an entity's policies in accordance with the acquirer's wishes, whether as a result of the ownership of shares, control of the board of directors, contract or any powers conferred by the entity's articles of association or other constitutional documents. The term “Controlled” shall be construed accordingly.

“Controller” has the meaning given to it in the GDPR.

"Controller Clauses" means Module One (controller to controller) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914.

“Customer Data” means any data that FingerprintJS and/or its Affiliates processes on behalf of Customer in the course of providing the Services under the Agreement.

"Customer Personal Data" means any Personal Data contained within the Customer Data, as set out in Schedule 2.

“Data Protection Laws” means all data protection and privacy laws and regulations applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law.

“EU Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) and, where applicable, the "UK GDPR" as defined in The Data Protection, Privacy and Electronic Communications (Amendment Etc.) (EU Exit) Regulations 2019 (“GDPR”); and (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and applicable national implementations of it (in each case, as may be amended, superseded or replaced).

“Personal Data” has the meaning given to it in the GDPR.

“Processor” has the meaning given to it in the GDPR.

"Processor Clauses" means Module Two (controller to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914.

“Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” shall be interpreted accordingly.

“Security Incident” means any unauthorised or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data.

“Services” means any product or service provided by FingerprintJS to Customer pursuant to and as more particularly described in the Agreement.

"Standard Contractual Clauses" means the Controller Clauses and the Processor Clauses.

“Sub-processor” means any Processor engaged by FingerprintJS or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or any FingerprintJS Affiliate.

2. Scope and Applicability of this DPA

2.1 This DPA applies where and only to the extent that FingerprintJS processes Customer Personal Data on behalf of the Customer in the course of providing the Services and such Customer Personal Data is subject to EU Data Protection Law or the Data Protection Laws of Switzerland. The parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.

2.2 Role of the Parties. Save as set out in Section 2.5, the parties acknowledge that it is their intention that, as between FingerprintJS and Customer, Customer is the Controller of Customer Personal Data and FingerprintJS shall process Customer Personal Data only as a Processor on behalf of Customer.

2.3 Customer Obligations. Customer agrees that: (i) it shall comply with its obligations as a Controller under Data Protection Laws in respect of its processing of Customer Personal Data; (ii) it shall ensure that any processing instructions it issues to FingerprintJS with respect to Customer Personal Data shall comply with applicable Data Protection Laws.

2.4 Processing of Personal Data. Notwithstanding clause 8.1 of the Processor Clauses, FingerprintJS shall process Customer Personal Data only for the following purposes: (i) processing to perform the Services in accordance with the Agreement; and (ii) processing to perform any steps necessary for the performance of the Agreement, in each case unless processing is required by applicable law in the UK, Switzerland, the European Union or a Member State of the European Union, in each case to which FingerprintJS is subject, in which case FingerprintJS shall, to the extent permitted by such applicable law, inform the Customer of that legal requirement before processing that Customer Personal Data. The parties agree that, for the purposes of clause 8.1(a) of the Processor Clauses, the Agreement and this DPA shall be the Customer's instructions for the processing of Customer Personal Data. To the extent that any of the Customer's instructions require processing of Customer Personal Data in a manner that falls outside the scope of the Services, FingerprintJS may:

  • (a) make the performance of any such instructions subject to the payment by the Customer of any costs and expenses incurred by FingerprintJS or such additional charges as FingerprintJS may reasonably determine; or

  • (b) terminate the Agreement and the Services.

2.5 Our Data. Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that FingerprintJS shall have a right to use and disclose data relating to and/or obtained in connection with the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing. To the extent any such data is considered Personal Data, FingerprintJS is the Controller of such data and accordingly shall process such data in compliance with Data Protection Laws.

3. Standard Contractual Clauses

3.1 Subject to clause 3.3:

  • (a) to the extent that FingerprintJS processes Customer Personal Data as a processor on behalf of the Customer, the Processor Clauses shall apply to any transfers of Customer Personal Data falling within the scope of the GDPR from the Customer (as data exporter) to FingerprintJS (as data importer); and

  • (b) to the extent that FingerprintJS processes Customer Personal Data as a controller, the Controller Clauses shall apply to any transfers of Customer Personal Data falling within the scope of the GDPR from the Customer (as data exporter) to FingerprintJS (as data importer).

3.2 For the purposes of the Standard Contractual Clauses:

  • (a) Annex I.A (List of Parties) shall be deemed to incorporate the information in Schedule 1;

  • (b) Annex I.B (Description of Transfer) shall, for the purposes of the Processor Clauses, be deemed to incorporate the information in Part 1 of Schedule 2;

  • (c) Annex I.B (Description of Transfer) shall, for the purposes of the Controller Clauses, be deemed to incorporate the information in Part 2 of Schedule 2;

  • (d) Annex I.C (Competent Supervisory Authority) shall be deemed to refer to the supervisory authority identified in Schedule 1; and

  • (e) Annex II (Technical and Organisational Measures) shall be deemed to incorporate the information in Schedule 3.

3.3 With respect to any transfers of Customer Personal Data falling within the scope of the UK GDPR from the Customer (as data exporter) to FingerprintJS (as data importer):

  • (a) neither the Standard Contractual Clauses nor the DPA shall be interpreted in a way that conflicts with rights and obligations provided for in any laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018 (together, the "UK Data Protection Laws");

  • (b) the Standard Contractual Clauses are deemed to be amended to the extent necessary so they operate:

    • (i) for transfers made by the Customer to FingerprintJS, to the extent that UK Data Protection Laws apply to the Customer's processing when making that transfer; and

    • (ii) to provide appropriate safeguards for the transfers in accordance with Article 46 of the UK GDPR; and

  • (c) the amendments referred to in clause (b) include (without limitation) the following:

    • (i) references to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK GDPR” and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article of the UK GDPR;

    • (ii) references to Regulation (EU) 2018/1725 are removed;

    • (iii) references to the "Union", "EU" and "EU Member State" are all replaced with the "UK";

    • (iv) the "competent supervisory authority" shall be the Information Commissioner;

    • (v) clause 17 of the Standard Contractual Clauses is replaced with the following:
      "These Clauses are governed by the laws of England and Wales";

    • (vi) clause 18 of the Standard Contractual Clauses is replaced with the following:
      "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts"; and

    • (vii) any footnotes to the Standard Contractual Clauses are deleted in their entirety.

4. Sub-processing

4.1 Authorised Sub-processors. The parties agree that, for the purposes of clause 9 of the Standard Contractual Clauses, Customer gives FingerprintJS general authorisation to engage Sub-processors to process Customer Personal Data on Customer's behalf. The Sub-processors currently engaged by FingerprintJS and authorised by Customer are listed in Schedule 4.

4.2 Sub-processor Obligations. FingerprintJS shall: (i) enter into a written agreement with the Sub-processor imposing the same data protection obligations on the Sub-processor as set out in this DPA; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause FingerprintJS to breach any of its obligations under this DPA.

4.3 Changes to Sub-processors. FingerprintJS shall provide Customer with fourteen (14) calendar days' notice (for which email shall suffice) of any proposed changes to the Sub-processors, including any information reasonably necessary to enable the Customer to assess the Sub-processor and exercise its right to object.

4.4 Objection to Sub-processors. If the Customer objects to FingerprintJS's use of a new Sub-processor (including when exercising its right to object under clause 9(a) of the Standard Contractual Clauses) it shall: (i) notify FingerprintJS of its objection promptly in writing within five (5) calendar days of receipt of FingerprintJS' notice in accordance with Section 4.3; and (ii) provide documentary evidence that reasonably shows that the Sub-processor does not or cannot comply with the requirements in this DPA (including the Standard Contractual Clauses). In such an event, the parties shall discuss such concerns in good faith with a view to achieving commercially reasonable resolution. If this is not possible, either party may terminate the applicable Services that cannot be provided by FingerprintJS without the use of the objected-to new Sub-processor by giving to the other party thirty (30) calendar days' written notice. During such notice period, FingerprintJS may suspend the affected portion of the Services.

5. Customer warranties and undertakings

5.1 The Customer represents and warrants that:

  • (a) it has provided all applicable notices to data subjects and, to the extent required, obtained consent from data subjects in each case as required for the lawful processing of Customer Personal Data in accordance with the Agreement and this DPA; and

  • (b) without prejudice to the generality of clause 8 of the Standard Contractual Clauses (as applicable), taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the security measures set out in Schedule 3 are:

    • (i) appropriate to ensure the security of the Customer Personal Data, including protection against a personal data breach; and

    • (ii) otherwise consistent with the Customer's obligations under Article 32 of the GDPR.

6. Security and Audits

6.1 Security Measures. FingerprintJS shall implement and maintain appropriate technical and organisational security measures to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data, in accordance with FingerprintJS' security standards described in Schedule 3 (“Security Measures”).

6.2 Confidentiality of Processing. FingerprintJS shall ensure that any person who is authorised by FingerprintJS to process Customer Personal Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

6.3 Security Incident Response. Upon becoming aware of a Security Incident, FingerprintJS shall notify Customer without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer.

6.4 Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that FingerprintJS may, by written notice to the Customer, update or modify the Security Measures from time to time following any review by FingerprintJS of the Security Measures in accordance with clause 8.6 of the Standard Contractual Clauses, provided that such updates and modifications do not result in the degradation of the overall level of protection afforded to the Customer Personal Data by FingerprintJS under this DPA.

6.5 Audits. With respect to any audits conducted under clauses 8.9(c) and (d) of the Standard Contractual Clauses, the parties agree that:

  • (a) all such audits shall be conducted:

    • (i) on reasonable written notice to FingerprintJS;

    • (ii) only during FingerprintJS' normal business hours; and

    • (iii) in a manner that does not disrupt FingerprintJS' business; and

  • (b) the Customer (or, where applicable, a third party independent auditor appointed by the Customer) shall:

    • (i) enter into a confidentiality agreement with FingerprintJS prior to conducting the audit in such form as FingerprintJS may request; and

    • (ii) ensure that its personnel comply with FingerprintJS' and any Sub-processor's policies and procedures when attending FingerprintJS' or Sub-processor's premises, as notified to the Customer by FingerprintJS or Sub-processor.

6.6 Reports. FingerprintJS shall provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that Customer (acting reasonably) considers necessary to confirm FingerprintJS's compliance with this DPA, provided that Customer shall not exercise this right more than once per year.

7. Return or Deletion of Data

7.1 Upon deactivation of the Services, FingerprintJS shall, subject to Section 7.2: (i) if requested to do so by the Customer within seven (7) days of the date of termination of the Agreement or deactivation of the Services, return a complete copy of all Customer Personal Data by secure file transfer in such a format as notified by the Customer to FingerprintJS; and (ii) delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data processed by FingerprintJS or any Sub-processors.

7.2 FingerprintJS may retain Customer Personal Data:

  • (a) to the extent required by applicable laws, and only for such period and such purposes as required by applicable laws; or

  • (b) to the extent that the Customer Personal Data has been archived on back-up systems, provided that FingerprintJS shall securely isolate and protect such Customer Personal Data from any further processing, except to the extent required by applicable law, and purge such Customer Personal Data from the applicable back-up systems in accordance with its normal back-up cycle,

in each case, in accordance with clauses 8.5 and 16(d) of the Standard Contractual Clauses.

7.3 FingerprintJS shall, with respect to any Customer Personal Data retained in accordance with Section 7.2, ensure the confidentiality of all such Customer Personal Data.

8. Cooperation

8.1 To the extent that Customer is unable to independently access the relevant Customer Personal Data within the Services, FingerprintJS shall (at Customer's expense) taking into account the nature of the processing, provide reasonable cooperation to assist Customer by appropriate technical and organisational measures, in so far as is possible, to respond to any requests from individuals or applicable data protection authorities relating to the processing of Customer Personal Data under the Agreement. In the event that any such request is made directly to FingerprintJS, FingerprintJS shall not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. If FingerprintJS is required to respond to such a request, FingerprintJS shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.

8.2 To the extent FingerprintJS is required under Data Protection Law, FingerprintJS shall (at Customer's expense) provide reasonably requested information regarding FingerprintJS processing of Customer Personal Data under the Agreement to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

9. Costs

9.1 The Customer shall pay to FingerprintJS on demand all costs and expenses incurred by FingerprintJS in connection with:

  • (a) implementing any changes to the Services under clause 4.4;

  • (b) facilitating and contributing to any audits of FingerprintJS under or clauses 8.9(c) and (d) of the Standard Contractual Clauses;

  • (c) facilitating and contributing to any audits of FingerprintJS conducted by a supervisory authority;

  • (d) responding to queries or requests for information from the Customer relating to the processing of Customer Personal Data under clauses 8.9(a), 8.9(c) or 8.9(e) of the Standard Contractual Clauses;

  • (e) any assistance provided by FingerprintJS to the Customer with its fulfilment of its obligations to respond to data subjects' requests for the exercise of their rights under the GDPR; and

  • (f) any assistance provided by FingerprintJS to the Customer with any data protection impact assessments or prior consultation with any supervisory authority of the Customer.

10. Miscellaneous

10.1 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. Without prejudice to the generality of clause 5 of the Standard Contractual Clauses, in the event of any conflict between the Agreement, this DPA and the Standard Contractual Clauses, the following order of precedence shall apply:

  • (a) The Standard Contractual Clauses (or, with respect to transfers of Customer Personal Data subject to the UK GDPR, the Standard Contractual Clauses as amended by clause 3.3).

  • (b) The main body of this DPA.

  • (c) The Agreement.

10.2 This DPA is a part of and incorporated into the Agreement so references to "Agreement" in the Agreement shall include this DPA.

10.3 In no event shall any party limit its liability with respect to any individual's data protection rights under this DPA or otherwise.

10.4 Other than the right of data subjects or not-for-profit bodies, organisations or associations under the conditions set out in Article 80(1) of the GDPR to bring claims under the Standard Contractual Clauses (as applicable), a person who is not a party to this DPA may not enforce any of its terms.

10.5 Notwithstanding the provisions of the Agreement, this DPA and the Standard Contractual Clauses shall (to the extent permitted under applicable law) be governed by, and construed in accordance with:

  • (a) where the Customer is established outside the UK, the laws of Ireland; or
  • (b) where the Customer is established in the UK, the law of England and Wales;

10.6 Notwithstanding the provisions of the Agreement, the Parties submit themselves to the jurisdiction of the following courts in respect of any disputes arising under this DPA (including the Standard Contractual Clauses):

  • (a) where the Customer is established outside the UK, the courts of Ireland; or

  • (b) where the Customer is established in the UK, the courts of England and Wales;

Schedule 1

PARTIES TO THE PROCESSING

Party: Customer / data exporter

  • Role: Controller

  • Contact person:
    Name:
    Position:
    Contact details:

Party: FingerprintJS / data importer

  • Role: Processor

  • Contact person:
    Name: Valentin Vasilyev
    Position: Chief Technology Officer
    Contact details: [email protected]

Activities / services provided: The Services (as defined in the Agreement)

Competent supervisory authority: n/a

Schedule 2

Details of processing

Part 1

Processing subject to the Processor Clauses

Data exporter

The data exporter is the Customer

Data importer

The data importer is FingerprintJS

Data subjects

The personal data transferred concern the following categories of data subjects:

  • Users of Customer websites.

Purpose(s) of the data transfer and further processing

The purpose of the data transfer and further processing is the provision of FingerprintJS' products and services to the customer, including device fingerprinting services for fraud detection and prevention, and bot and account sharing detection service for fraud prevention and security protection.

Categories of data

The personal data transferred concern the following categories of data:

  • Personal data contained within Visitor Data (as defined in the Agreement), including information relating to a user's device, operating system, browser, browser configuration, IP address, and approximate location.

Frequency of the transfer

The data is transferred on a continuous basis.

Subject matter of the processing

The provision of API services available at https://fpjs.io (including subdomains).

Nature of the processing

Transmitting, collecting, storing and analysing data in order to provide FingerprintJS' products and services to the customer, and any other activities related to the provision of FingerprintJS' products and services, including the collection of browser and device fingerprint information in connection with the provision of a fraud detection and prevention software as a service.

Duration

The personal data will be retained for the duration of the Agreement, subject to clause 7 of the DPA.

Sub-processor (if applicable)

For transfers to sub-processors, specify subject matter, nature and duration of the processing:
as set out in Schedule 4

Part 2

Processing subject to the Controller Clauses

Data Subjects

The Customer's employees and contractors that the Customer authorises to access and use the Services.

Purposes of the transfer(s) and further processing

The purpose of the data transfer and further processing is the operation, maintenance and improvement of FingerprintJS' products and services, including billing, account management, technical support, product development and sales and marketing.

Categories of data

The personal data transferred concern the following categories of data:

  • contact information, including name, address, phone number, email address, login details, employing / engaging organisation;

  • payment and transaction information;

  • contact preferences, including preference set for notifications, marketing communications, how the Service is displayed and the active functionalities on the Service;

  • comments and opinions; and

  • technical information regarding access to the Services (including IP address, approximate location, pages viewed and log data).

Recipients

The personal data transferred may be disclosed only to the following recipients or categories of recipients:

  • Sub-processors listed in Schedule 4.

  • Wildbit, LLC (d/b/a "Postmark").

Sensitive data

None.

Data protection registration information of data exporter

n/a

Additional useful information

n/a

Contact points for data protection enquiries

  • Data exporter: the contact details provided with the Account.

  • Data importer: [email protected]

Frequency of the transfer

The transfer is carried out on a continuous basis for the duration of the Agreement.

Subject matter of the processing

The subject matter of the processing is:

  • Administration, improvement, troubleshooting and testing of the data importer's technology, including browser fingerprinting bot detection and account sharing prevention technology.

  • Calculation of charges and fees owed by the Customer to FingerprintJS in respect of the Services.

  • Communication with Customer and their users in respect of the Services.

Nature of the processing

The processing of personal data in connection with the organisation, alteration, maintenance and improvement of FingerprintJS' products and services.

Duration

The personal data will be retained for the duration of the Agreement, subject to clause 7 of the DPA.

Sub-processor (if applicable)

For transfers to sub-processors, specify subject matter, nature and duration of the processing:

  • as set out in Schedule 4.

Schedule 3

Technical and Organisational Security Measures

1. Introduction

The data importer employs a combination of policies, procedures, guidelines and technical controls to protect the personal data it processes from accidental loss and unauthorised access, disclosure or destruction.

2. Governance and Policies

The data importer has organised leadership and defined policies related to information security to ensure alignment with business objectives to adequately serve clients. These policies are reviewed and approved annually by management and updates are communicated to employees and relevant external parties.

Roles and responsibilities for teams and team members are defined within the data importer’s organisational structure and reporting lines as well as written job descriptions. Management reviews the data importer's organisational structure at least annually as part of strategic planning, and any changes are made as needed based on changing reporting lines, authorities, and responsibilities.

The data importer has the following security policies and related processes in place:

  • (a) Data classification and business impact assessment

  • (b) Selection, documentation, and implementation of security controls

  • (c) Assessment of security controls

  • (d) User access authorization and provisioning

  • (e) Removal of user access

  • (f) Monitoring of security controls

  • (g) Security management

3. Access control

The data importer has implemented role-based access controls that limit access to sensitive information to only those individuals who require access based on job function, active employment, and management approval. The data importer maintains an up-to-date and complete inventory of information technology assets and asset owners.

Administrative level access to the data importer's critical systems (network, application, source code, and related databases) is limited to appropriate individuals based on job function and current employment with the data importer.

Administrative level access to critical system components (including production servers, databases, system infrastructure components, and front-end application level) is restricted to appropriate individuals based on job function and current employment with the data importer.

Access to the Amazon Web Services ("AWS") environment is controlled with security groups configured to prevent access based on pre-defined access control lists. Monitoring tools are in place to monitor the AWS environment and administrators receive notification of issues detected by the system based on predefined alert thresholds.

Sensitive authentication data such as service accounts and encryption keys are stored in a key management system. Access to sensitive authentication data is limited to only appropriate individuals based on job function and active employment with the data importer.

Remote access to the data importer's network and system infrastructure requires a unique username, password, and one-time multi-factor authentication code to authenticate. Remote access to the data importer's network and system infrastructure is limited to only appropriate individuals based on job function and active employment with the data importer.

Access to the data importer's systems requires a unique username and password. Password complexity standards within AWS are enforced and include the following:

  • (a) Minimum password length is 16 characters

  • (b) Require at least one uppercase letter from Latin alphabet (A–Z)

  • (c) Require at least one lowercase letter from Latin alphabet (a–z)

  • (d) Require at least one number

  • (e) Require at least one non-alphanumeric character ! @ # $ % ^ & * ( ) _ + - = [ ] { } | '.

  • (f) Passwords expire in 90 days

  • (g) Allow users to change their own password

4. Segmentation of personal data

The data importer has logically segmented its network so that unrelated portions of the information system are isolated from each other. All public internet facing systems are segregated from the production network through network segmentation, firewalling, logical access restrictions, and the use of load balancers which restricts access to production infrastructure. The data importer's information security program prohibits the use of shared user accounts unless approved by management.

5. Encryption and Transmission

All data classified as potentially sensitive is encrypted at the database level while at rest. All media containing sensitive data, including electronic, hardcopy, and photocopy, is destroyed when it is no longer needed for business or legal reasons as defined in the data importer's terms of service.

All data in transit is encrypted including the following:

  • (a) Information transmitted over the public internet (HTTPS)

  • (b) Data transferred within system components (TLS)

  • (c) Data transferred between organisations (SFTP)

Access to modify data transmission protocols is limited to appropriate individuals based on job function, current employment status, and inquiry with the data importer's management team.

All authentication and data transmission to the production applications, the operating systems hosting the applications, and associated production databases take place over secure transmission channels (i.e. VPN, SSH, SFTP, TLS). All production databases are encrypted using AES-256 bit encryption.

6. Data Backup and Recovery

The data importer performs incremental backups of its critical information systems on a daily basis, and full backups are performed on at least a weekly basis. IT management is alerted in the case of a backup failure, and backup failures are tracked to remediation.

Established entity standards exist for infrastructure and software hardening and configurations for key system components and infrastructure. The data importer has established a business continuity plan and disaster recovery plan, both of which are reviewed, tested, and updated on an annual basis.

7. Incident Management and System Monitoring

The data importer's management team has implemented an incident response plan that outlines the requirements for responding to anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives.

Security events are documented, reviewed, and tracked to final remediation by data importer's management team. A root cause analysis is conducted to determine the cause and mitigate the risk of such an incident occurring in the future.

The data importer has security monitoring tools in place to monitor the data importer's production environment and provide an ongoing solution to monitor security threats and unusual system activities. The data importer's management team receives alerts from the tools, based on predefined thresholds, and confirmed security issues are tracked to remediation.

The data importer engages a third party to perform external penetration tests of the system on an annual basis. Management assesses and prioritises the results of the penetration test and tracks issues of medium criticality or above to final remediation.

8. Asset and Software Management

The data importer has implemented a change management policy that outlines the requirements for authorization, design, development, configuration, documentation, testing, approval, and implementation of changes to infrastructure, data, and software. All system changes are tested, reviewed, and approved prior to implementation to the production environment. Access to make changes to source code is limited to only appropriate individuals based on job function and active employment with the data importer.

Version control software is in place to manage current versions of source code. Audit logs of all commits to source code libraries are maintained.

Source code scans are performed on in-scope application source code to detect potential vulnerabilities prior to the release of source code into the production environment. Any high-risk vulnerabilities are tracked to remediation prior to the promotion of each change into the production environment.

9. Physical Security

The data importer has a cloud-based infrastructure in AWS and relies on this subservice organisation to operate physical access controls to the data centres hosting the data importer's infrastructure. Additionally, the data importer does not own any facilities containing information assets which would require physical security controls to be implemented.

10. Endpoint Security

The data importer has enforced the following mobile device hardening standards for laptops and mobile phones:

  • (a) Evidence of device encryption

  • (b) Enterprise antivirus enabled

  • (c) Antivirus daily updates

  • (d) Requirement of user name and password

  • (e) Patches or regular OS updates

All laptops with access to the data importer's network are configured to enforce hard drive encryption.

The data importer's security policy prohibits the use of removable media storage without prior approval from management.

Anti-virus/anti-malware software is installed on workstations and laptops supporting the system. Antivirus software is configured to receive an updated virus signature at least daily. Network operations receives a report of devices that have not been updated in more than 24 hours and follows up on those devices.

11. Service providers

The data importer has written contracts in place with service providers which require them to implement appropriate security measures to protect the personal data to which they have access and to limit the use of personal data in accordance with the data importer's instructions.

12. Customer Communications

The data importer has reporting mechanisms in place for reporting security issues and compliance concerns from internal and external system users. Each report is reviewed by appropriate management personnel, based on the nature of the suspected security issues, in accordance with the data importer's Incident Response Policy.

Security incidents and unauthorised disclosures of internal or external user data are communicated to data subjects, relevant legal and regulatory authorities, and others as required by law, contract, or at the advice of legal counsel, per the incident response plan.

Customer responsibilities, which include responsibility for reporting operational failures, incidents, problems, concerns, and complaints, and the process for doing so, are described within customer agreements. The Company communicates relevant security and privacy commitments, made available on its public-facing website or by written request.

When major changes to security or privacy commitments are made, the Company communicates these changes to impacted stakeholders via email.

System descriptions are made available to authorised external users that delineate the boundaries of the system and describe relevant system components as well as the purpose and design of the system.

13. Staff training and awareness

The data importer maintains security policies and procedures which communicate objectives and responsibilities for internal control, necessary to support the function of internal control. Policies and procedures are made available to employees in the data importer's policy document repository.

The data importer has established standards and guidelines for management's, employees', and contractors' ethical behaviour, as outlined in the data importer's employee handbook. The handbook includes a termination policy for personnel who violate the data importer's policies and procedures, which may include disciplinary action up to and including involuntary termination.

All employees and contractors are required to sign an employment agreement that requires personnel to adhere to the data importer's code of conduct, security, and confidentiality policies and procedures as part of their initial terms and conditions of employment.

The data importer has implemented a formal disciplinary process to address instances of noncompliance with the data importer's standards of conduct related to security which includes disciplinary measures up to and including termination.

Roles and responsibilities are defined by written job descriptions and communicated to the data importer's employees upon hire, as well as to their managers and supervisors.

Management monitors personnel compliance with the code of conduct through a complaint submission system which serves as a mechanism for reporting deviations from the code of conduct. Any deviations from the code of conduct are addressed immediately in accordance with the employee handbook.

Schedule 4

List of Sub-processors

  1. Available upon request.