WebinarGoing global the right way: Unlock international SaaS growth - Feb 7th   Join us

Data Processing Addendum

LAST UPDATED: 1 February 2023

This Data Processing Addendum (the "Addendum" or “DPA”) forms part of your agreement with Provider (as defined below) for the provision of our services wherein we act as a Processor to process Customer Personal Data (“Agreement”). 

The terms used in this Addendum shall have the meanings set forth in this Addendum and capitalized terms not defined herein shall have the meaning set forth in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.

In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended by, and including, this Addendum. Each reference to the Addendum in this Addendum means this Addendum including its Schedules and Appendices.

If you have any questions or concerns with respect to this Agreement or the services you may contact us at legal@paddle.com.

In the course of providing the services to Customer pursuant to the Agreement, Provider may Process Personal Data on behalf of Customer and the parties agree to comply with the following provisions with respect to any Personal Data.

1. DEFINITIONS

Affiliate Entity means any corporation, partnership, limited liability company or other form of legal entity, which directly or indirectly controls, is controlled by or is under joint control, from time to time. 

Applicable Data Protection Laws means:

  • To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data.
  • To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Supplier is subject, which relates to the protection of personal data.
  • To the extent that the California Privacy Acts apply, the law of the state of California, which relates to the protection of personal data. 

California Privacy Acts means the California Consumer Privacy Act of 2018 (“CCPA”) and the California Privacy Rights Act of 2020 (“CPRA”).

Customer Personal Data means any Personal Data Processed by Provider (or a Sub-processor) on behalf of Customer pursuant to or in connection with the Agreement;

EU GDPR means the General Data Protection Regulation ((EU) 2016/679), as it has effect in EU law

Provider means Paddle.com Inc. of 3811 Ditmars Blvd, #1071 Astoria, New York, 11105-1803, USA

Sub-processor means any person (including any third party, but excluding an employee of Provider or any of its subcontractors) appointed by or on behalf of Provider to Process Personal Data on behalf of Customer under the Agreement;

Security Documentation means the security documents located at www.profitwell.com/security as amended from time to time, or as otherwise made available by the Processor to the Controller.

Services means the services provided by Provider subject to the terms and conditions of the applicable Agreement in which Provider acts as Processor for the Customer. 

Standard Contractual Clauses mean:

  • where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and 
  • where the UK GDPR applies, the template Addendum B.1.0 issued by the UK's Information Commissioner's Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 ("UK Approved Addendum") and the accompanying Mandatory Clauses of the UK Approved Addendum, as updated from time to time and/or replaced by any further version published by the Information Commissioner's Office ("UK Mandatory Clauses")

UK GDPR  has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Processing", "Processor", and "Supervisory Authority" shall have the same meaning as in the UK GDPR, and shall be construed accordingly.

2. EFFECTIVENESS

2.1 Legal Authority. Customer represents to Provider that he or she has the legal authority to bind Customer and is lawfully able to enter into contracts.

2.2 Termination. This Addendum will terminate upon the earliest of: (i) termination of the Agreement as permitted hereunder or by the terms of the Agreement (and without prejudice to the survival of accrued rights and liabilities of the parties and any obligations of the parties which either expressly or by implication survive termination); (ii) as earlier terminated pursuant to the terms of this Addendum or (iii) as agreed by the parties in writing.

3. PROCESSING OF PERSONAL DATA

3.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Data Controller, Provider is a Data Processor and that Provider will engage Sub-processors pursuant to the requirements set forth in clause 5 "Sub-processors" below.

3.2 Customer Authority. Customer represents and warrants that it is and will at all relevant times remain duly and effectively authorized to give the instruction set forth in clause 3.4 below on behalf of itself.

3.3 Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Applicable Data Protection Laws. Customer's instructions for the Processing of Personal Data shall comply with Applicable Data Protection Laws. In addition, Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Personal Data provided by the Customer shall not contain information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric, data concerning health or data concerning an individual's sex life or sexual orientation ("Special Categories of Data").

3.4 Provider's Processing of Personal Data.

  1. Provider shall only Process Customer Personal Data for the purpose of the provision of the Services under the Agreement and in accordance with Customer's documented instructions which are consistent with the terms of the Agreement, unless Processing is required by Applicable Data Protection Laws to which Provider (or the applicable Sub-processor) is subject, in which case Provider shall to the extent permitted by the Applicable Data Protection Laws inform Customer of that legal requirement before the relevant Processing of that Customer Personal Data.
  2. This Addendum, the Agreement, and any Order Forms thereunder, are Customer's complete and final instructions to Provider for the Processing of Customer Personal Data. Any additional or alternate instructions must be agreed upon separately.
  3. The following are deemed instructions of the Customer to Provider: The processing of Customer Personal Data (i) in accordance with the Agreement, this Addendum and any Order Forms under the Agreement, including without limitation with the transfer of Customer Personal Data to any country or territory; and (ii) to comply with other documented instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
  4. Provider is permitted to share information relating to this Data Processing Agreement or obtained pursuant to this agreement with Provider's Subsidiaries to the extent necessary for the provision of the Services in accordance with clause 5. Provider may aggregate and anonymise Customer Personal Data (such that it ceases to become Customer Personal Data) in order to create reports, provide and improve the Provider Services and the services of its Subsidiaries, and to provide better functionality to Provider's and Provider's Subsidiaries' customers.

3.5 Details of the Processing. The subject-matter of Processing of Customer Personal Data by Provider is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects Processed under this Addendum, as required by article 28(3) of theEU GDPR and UK GDPR (and, possibly, equivalent requirements of other Applicable Data Protection Laws), are further specified in Exhibit A to this Addendum, as may be amended by the parties from time to time.

4. PROVIDER PERSONNEL

Throughout the term of this Addendum, Provider shall restrict its personnel from Processing Customer Personal Data without authorization by Provider and shall limit the Processing to that which is needed for the specific individual's job duties in connection with Provider's provision of the Services under the Agreement. Provider will impose appropriate contractual obligations on its personnel, including relevant obligations regarding confidentiality, data protection and data security.

5. SUB-PROCESSORS

5.1 Appointment of Sub-Processors. The Customer acknowledges and agrees that: (i) Affiliated Entities of the Provider may be used as Sub-processors; and (ii) the Provider and its Affiliated Entities respectively may engage Sub-processors in connection with the provision of the Services.

5.2 List of Current Sub-processors and Notification of New Sub-processors. When requested by the Customer, the Provider shall make available to Customer an up-to-date list of all Sub-processors used for the processing of Customer Personal Data.

5.3 Objection Right for New Sub-processors. Provider shall give Customer written notice of the appointment of any new Sub-processor, including full details of the Processing to be undertaken by the Sub-processor. If, within 14 days of receipt of that notice, Customer notifies Provider in writing of any objections (on reasonable grounds) to the proposed appointment, then (i) Provider shall work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Sub-processor; and (ii) where such a change cannot be made within 14 days from Provider's receipt of Customer's notice, notwithstanding anything in the Agreement, Customer may by written notice to Provider with immediate effect terminate the Agreement to the extent that it relates to the Services which require the use of the proposed Sub-processor.

5.4 Sub-processing Agreement; Provider has or shall enter into a written agreement with each Sub-processor (the "Sub-processing Agreement") containing data protection obligations not less protective than those in the Agreement and/or this Addendum with respect to the protection of Customer Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor. Provider shall be liable for the acts and omissions of its Sub-processors to the same extent Provider would be liable if performing the services of each Sub-processor directly under the terms of this Addendum.

6. SECURITY

6.1 Adequate Measure. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Provider shall in relation to the Customer Personal Data implement and maintain throughout the term of this Addendum, the technical and organisational measures set forth in Exhibit B (the "Security Measures"). Customer acknowledges and agrees that it has reviewed and assessed the Security Measures and deems it appropriate for the protection of Customer Personal Data.

6.2 Personal Data Breach Risk. In assessing the appropriate level of security, Provider shall take account of the risks that are presented by Processing, in particular from an incident of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Customer Personal Data ("Personal Data Breach").

7. DATA SUBJECT RIGHTS

7.1 Correction, Blocking and Deletion. Provider shall comply with any commercially reasonable request by Customer to correct, amend, block, or delete Customer Personal Data, as required by Applicable Data Protection Laws, to the extent Provider is legally permitted to do so.

7.2 Measures to assist with Data Subject Rights. Taking into account the nature of the Processing, Provider shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer's obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Applicable Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Provider's provision of such assistance.

7.3 Response to Requests: Provider

  1. shall promptly notify Customer if it or any Sub-processor receives a request from a Data Subject under any Applicable Data Protection Laws & Regulation in respect of Customer Personal Data; and
  2. shall not and shall ensure that no Sub-processor responds to that request except on the documented instructions of Customer or as required by Data Protections Laws to which Provider or Sub-processor is subject, in which case Provider shall, to the extent permitted by such Data Protections Laws inform Customer of that legal requirement before it or the applicable Sub-processor responds to the request

8. PERSONAL DATA BREACH

8.1 Notification of Data Breach. Provider shall, to the extent permitted by law, notify Customer without undue delay upon Provider or any Sub-processor becoming aware of a Personal Data Breach, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Applicable Data Protection Laws.

8.2 Assistance. Provider shall cooperate with Customer and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

9. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

Provider shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with regulatory authorities or other competent data privacy authorities, which Customer reasonably considers to be required of it by Article 35 or 36 of the UK GDPR or equivalent provisions of any other Data Protection Law & Regulation, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, Provider or the Sub-processors.

10. RETURN OR DESTRUCTION OF PERSONAL DATA.

10.1 Return or Deletion. Subject to the provisions of clause 10.2 below, at Customer's election, made by written notice to Provider following 30 days of the date of cessation of any Services involving the Processing of Customer Personal Data (the "Cessation Date"), Provider shall, and shall procure that all Sub-processors: (a) return a complete copy of all Customer Personal Data to Customer in such format and manner requested by Customer and reasonably acceptable to Provider; and (b) delete and procure the deletion of all other copies of Customer Personal Data Processed by Provider or any Sub-processor. Provider shall comply with any such written request within 30 days of the Cessation Date.

10.2 Retention of Copies. Provider and each Sub-processor may retain Customer Personal Data to the extent required by applicable European Union law or the law of an EU Member State and only to the extent and for such period as required by such laws and always provided that Provider shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in such law requiring its storage and for no other purpose.

11. AUDIT

11.1 Report on Compliance. Subject to the provisions of clause 11.3 below, at Customer's written request, Provider will provide Customer all information necessary to demonstrate compliance with this Addendum. The information provided will constitute Confidential Information of the Provider under the confidentiality provisions of the Agreement or a non-disclosure agreement, as applicable.

11.2 Audit. Provider shall allow for and contribute to audits, including inspections, by any Customer or an auditor mandated by Customer in relation to the Processing of the Customer Personal Data by Provider or Sub-processors in accordance with clauses 11.1 and 11.3 to this Addendum

11.3 Process. The parties agree that the audits described in clause 11.2 above and/or in the Standard Contractual Clauses shall be carried out in accordance with the following specifications:

  1. Customer may contact Provider in accordance with the "Notices" clause of the Agreement to request an on-site audit of the procedures relevant to the protection of Personal Data. Customer may also review previous audits of Provider's systems by an independent third party ("Third Party Audit") if such a report is available.
  2. Customer shall make (and ensure that each of its mandated auditors makes) all reasonable endeavours to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to the Provider or Sub-processor premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.
  3. Before the commencement of any such on-site audit, Customer and Provider shall mutually agree upon the scope, timing, and duration of the audit.
  4. Provider or Sub-processor need not give access to its premises for the purposes of such an audit or inspection:
    - to any individual unless he or she produces reasonable evidence of identity and authority;
    - outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Customer undertaking an audit has given notice to Provider that this is the case before attendance outside those hours begins; or
    - for the purposes of more than one audit or inspection, in respect of Provider or each Sub-processor, in any calendar year, except for any additional audits or inspections which: (A) Customer reasonably considers necessary because of genuine concerns as to Provider's or applicable Sub-processor's compliance with this Addendum; or (B) Customer is required or requested to carry out by Data Protection Law and Regulation, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Applicable Data Protection Laws in any country or territory; where Customer has identified its concerns or the relevant requirement or request in its notice to Provider.

11.4 Following the Audit:

  1. If Customer chooses to conduct an independent audit rather than rely on a current Third Party Audit, if applicable and available, or if Customer makes such a choice because a current Third Party Audit is not available, Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit. Provider will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such review or audit.
  2. Customer shall promptly notify Provider with information regarding any noncompliance discovered during the course of an audit

12. TRANSFER OF DATA

12.1 Standard Contractual Clauses. Where Personal Data relating to an EU or UK Data Subject is transferred outside of the EEA it shall be processed only by entities which: (i) are located in a third country or territory recognised by the EU Commission to have an adequate level of protection; or (ii) have entered into Standard Contractual Clauses with the Processor; or (iii) have other legally recognised appropriate safeguards in place.

12.2 Applicability. Clause 12.1 shall not apply to a cross border transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the relevant cross border to take place without breach of applicable Data Protection Law and Regulation (a "Restricted Transfer").

12.3 Transfers between Customer and Provider. The Standard Contractual Clauses apply to (i) the legal entity that has executed the Standard Contractual Clauses as a Data Exporter and, (ii) all Affiliated Entities of Customer, if any, established within the UK and the European Economic Area that are recipients of the Services. For the purpose of the Standard Contractual Clauses and this clause 12, the Customer and its Affiliated Entities shall be deemed to be "Data Exporters" and the following terms shall apply:

  1. in relation to Customer Personal Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
    - Module Two will apply;
    - in Clause 7, the optional docking clause will apply;
    - in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in clause 5.3 of this Agreement;
    - in Clause 11, the optional redress mechanism will not apply;
    - in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
    - in Clause 18(b), disputes shall be resolved before the courts of Ireland;
    - Annex I of the EU SCCs shall be deemed completed with the information set out in Exhibit A to this Agreement (Details of the Processing);
    - Annex II of the EU SCCs shall be deemed completed with the information set out in Exhibit B to this Agreement (Security Measures).
  2. In relation to Customer Personal Data that is protected by the UK GDPR, the parties agree that the EU SCCs subject to the UK Approved Addendum will apply. The UK Approved Addendum is incorporated into this Agreement. The parties hereby agree that in relation to the UK Addendum:
    the information required for Table 1 is contained in Exhibit A of this Agreement and the start date shall be deemed dated the same date as the EU SCCs;
    - in relation to Table 2, the version of the EU SCCs to which the UK Approved Addendum applies shall be Module Two;
    - in relation to Table 3, the description of the transfer are as set out in Exhibit A, and Provider's technical and organisational measures are set in Exhibit B, and the list of Provider's sub-processors shall be provided via its website at learn.profitwell.com/article/se5xmjlhhd-what-data-sub-processors-do-you-use or other such links as provided by Provider from time to time. and Clause 5 of this Agreement; and
    - in relation to Table 4, neither party will be entitled to terminate the UK Approved Addendum in accordance with clause 19 of the UK Mandatory Clauses.

12.4 Sub-processors. Provider warrants and represents that, before the commencement of any Restricted Transfer to a Sub-processor, it shall ensure that one of the following is in place: (i) the Standard Contractual Clauses are at all relevant times incorporated into the agreement between Customer, or a relevant intermediate Sub-processor, on the one hand and Sub-processor on the other hand; (ii) that Sub-processor enters into an agreement incorporating the Standard Contractual Clauses with Provider or that (iii) Provider's entry into the Standard Contractual Clauses under clause 12.1 above as agent for and on behalf of that Sub-processor, will have been duly and effectively authorized (or subsequently ratified) by that Sub-processor.

12.5 Conflict. In the event of any conflict or inconsistency between the body of this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

13. California Privacy Acts

13.1 To the extent that the California Privacy Acts are applicable, then, notwithstanding anything to the contrary herein the Parties acknowledge:  

- In the context of the transfer of personal information to Customer to Provider; Provider is a service provider for the Customer. Customer shall disclose Personal Data to the Provider solely for: (i) a valid business purpose of providing the Services; and (ii) Provider to perform the business purpose, and (iii) for the avoidance of doubt, the transmission of personal information is not for the purposes of cross-context behavioural advertising . 

- Provider is prohibited from: (i) selling personal information; (ii) retaining, using, or disclosing personal information for a commercial purpose other than providing the Services; and (iii) retaining, using, or disclosing the personal information outside of the provisions of the Agreement.

- Both parties certify that they understand and will comply with the restrictions set forth in this clause ‎13.

For the purposes of this clause 13, the terms “personal information,” “consumer”, “service provider,” “business purpose”, “sale,” “cross-context behavioural advertising”, “share” and “sell” are as defined in Section 1798.140 of the California Privacy Acts.

14. JURISDICTION AND GOVERNING LAW.

14.1 Law. Save for as specified in relation to the Standard Contractual Clauses, this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of England and Wales.

14.2 Jurisdiction. With respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity the parties submit to the jurisdiction of the competent courts established in England and Wales.

15. INDEMNIFICATION; LIMITATION OF LIABILITY.

If one party is held liable for a violation of this Addendum or, if applicable, any provision of the Standard Contractual Clauses, committed by the other party, the latter will, to the extent to which it is liable, indemnify the first party for any cost, charge, damages, expenses or loss it has incurred in accordance with the provisions of the "Indemnification" clause of the Agreement. Each party's liability, taken together in the aggregate, arising out of or related to this Addendum and/or the Standard Contractual Clauses, whether in contract, tort or under any other theory of liability, is subject to the 'Limitation of Liability' clause of the Agreement. For the avoidance of doubt, Provider's total liability for all claims from the Customer or any third party arising out of or related to the Agreement and this Addendum shall apply in the aggregate for all claims under both the Agreement and this Addendum.

EXHIBIT A: DETAILS OF THE PROCESSING

PROCESSOR / DATA IMPORTER:

Name: Paddle.com Inc. 

Address: 3811 Ditmars Blvd, #1071 Astoria, New York, 11105-1803, USA

Contact: privacy@paddle.com

Activities relevant to the data transferred under these Clauses: Customer receives the Services described in the Terms.

Role (controller/processor): Processor

DESCRIPTION OF TRANSFER

Duration of the Processing: The duration of data processing shall be for the term agreed between data exporter and Provider in the Agreement or an applicable Order Form.

Nature and Purpose of the Processing: The scope and purpose of processing of the data subjects' personal data is to facilitate the provision of Provider's and its Subsidiaries' Services.

Types of Customer Personal Data: The personal data transferred includes e-mail, user ID, name, phone number, last 4 digits of the card number, language, address, IP address, documents, and other data in an electronic form provided in the context of Provider's Services, which shall not include any Special Categories of Data.

Categories of Data Subjects: Data subjects include the Customer's representatives and end users including employees, contractors, collaborators, and Customer's customers. Data subjects may also include individuals attempting to communicate or transfer personal information to users of Provider's Services. The data subjects exclusively determine the content of data submitted to Provider.

Frequency of Transfer: Continuous

Competent Supervisory Authority: Where the EU GDPR applies, the competent supervisory authority shall be the Irish Data Protection Commissioner. Where the UK GDPR applies, the competent supervisory authority shall be the UK Information Commissioner's Office.

EXHIBIT B: SECURITY MEASURES

1. PERSONNEL

Data Importer's personnel will not process customer data without authorization. Personnel are obligated to maintain the confidentiality of any customer data and this obligation continues even after their engagement ends.

2. DATA PRIVACY CONTACT

Paddle.com Inc. 

Attn: Michael Cox

3811 Ditmars Blvd, #1071 Astoria, New York, 11105-1803 USA

3. TECHNICAL AND ORGANIZATION MEASURES

The Data Importer has implemented and will maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect customer data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction as follows:

3.1 Organization of Information Security.

a. Security Roles and Responsibilities. The Data Importer has appointed Michael Cox as the security officer responsible for coordinating and monitoring the security rules and procedures.

b. Duty of Confidentiality. The Data Importer's personnel with access to customer data are subject to confidentiality obligations.

3.2 Risk Management. The Data Importer conducts regular testing and monitoring of the effectiveness of its safeguards, controls, systems, including conducting penetration testing. The Data Importer implements measures, as needed, to address vulnerabilities discovered in a timely manner.

3.3 Storage. The Data Importer's database servers are hosted in a data center operated by a third party vendor, that has been qualified per the Data Importer's vendor management procedure. The Data Importer maintains complete administrative control over the virtual servers, and no third-party vendors have logical access to customer data.

3.4 Asset Management.

a. Asset Inventory. The Data Importer maintains an inventory of all media on which customer data is stored. Access to the inventories of such media is restricted to authorized personnel.

b. Asset Handling.

i. The Data Importer employees are required to utilize encryption to store data in a secure manner and are required to use two-factor authentication to access the networks.

ii. The Data Importer imposes restrictions on printing customer data and has procedures for disposing of printed materials that contain customer data.

iii. The Data Importer's personnel must obtain authorization prior to storing customer data on portable devices, remotely accessing customer data, or processing customer data outside the Data Importer's facilities.

3.5 Software Development and Acquisition. For the software developed by Data Importer, Data Importer follows secure coding standards and procedures set out in its standard operating procedures.

3.6 Change Management. Data Importer implements documented change management procedures that provide a consistent approach for controlling, implementing, and documenting changes (including emergency changes) for the Data Importer's software, information systems or network architecture. These change management procedures include appropriate segregation of duties.

3.7 Third Party Provider Management. In selecting third party providers who may gain access to, store, transmit or use customer data, Data Importer conducts a quality and security assessment pursuant to the provisions of its standard operating procedures.

3.8 Human Resources Security. The Data Importer informs its personnel about relevant security procedures and their respective roles, as well as of possible consequences of breaching the security rules and procedures. Such consequences include disciplinary and/or legal action.

3.9 Physical and Environmental Security.

a. Physical Access to Facilities. The Data Importer limits access to facilities where information systems that process customer data are located to identified authorized individuals who require such access for the performance of their job function. Data Importer terminates the physical access of individuals promptly following the date of the termination of their employment or services or their transfer to a role no longer requiring access to customer data.

b. Physical Access to Components. The Data Importer maintains records of the incoming and outgoing media containing customer data, including the kind of media, the authorized sender/recipients, date and time, the number of media and the types of customer data they contain.

c. Protection from Disruptions. The Data Importer uses commercially reasonable systems and measures to protect against loss of data due to power supply failure or line interference.

d. Component Disposal. The Data Importer uses commercially reasonable processes to delete customer data when it is no longer needed.

3.10 Communications and Operations Management.

a. Security Documents. The Data Importer maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel.

b. Data Recovery Procedures.

i. On an ongoing basis, the Data Importer maintains multiple copies of customer data from which it can be recovered.

ii. The Data Importer stores copies of customer data and a data recovery procedures in a different place from where the primary computer equipment processing the customer data is located.

iii. The Data Importer has procedures in place governing access to copies of customer data.

iv. The Data Importer has anti-malware controls to help avoid malicious software gaining unauthorized access to customer data.

c. Encryption; Mobile Media. The Data Importer uses HTTPS encryption on all data connections. The Data Importer restricts access to customer data in media leaving its facilities.

d. Event Logging. The Data Importer logs the use of our data-processing systems. We maintain logs for at least 30 days.

3.11 Access Control.

a. Records of Access Rights. The Data Importer maintains a record of security privileges of individuals having access to customer data.

b. Access Authorization.

i. The Data Importer maintains and updates a record of personnel authorized to access systems that contain customer data.

ii. The Data Importer deactivates authentication credentials of employees or contract workers immediately upon the termination of their employment or services.

iii. The Data Importer identifies those personnel who may grant, alter, or cancel authorized access to data and resources.

c. Least Privilege.

i. Technical support personnel are only permitted to have access to customer data when needed for the performance of their job function. ii. The Data Importer restricts access to customer data to only those individuals who require such access to perform their job function.

d. Integrity and Confidentiality.

i. The Data Importer instructs its personnel to disable administrative sessions when leaving the Data Importer's premises or when computers are unattended.

ii. The Data Importer stores passwords in a way that makes them unintelligible while they are in force.

e. Authentication.

i. The Data Importer uses commercially reasonable practices to identify and authenticate users who attempt to access information systems. ii. Where authentication mechanisms are based on passwords, the Data Importer requires that the passwords are renewed regularly. iii. Where authentication mechanisms are based on passwords, the Data Importer requires the password to be at least eight characters long. iv. The Data Importer ensures that de-activated or expired identifiers are not granted to other individuals. v. The Data Importer maintains commercially reasonable procedures to deactivate passwords that have been corrupted or inadvertently disclosed or pursuant to a number of failed login attempts. vi. The Data Importer uses commercially reasonable password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage.

f. Network Design. The Data Importer has controls to avoid individuals assuming access rights they have not been assigned to gain access to customer data they are not authorized to access.

3.12 Network Security.

a. Network Security Controls. Data Importer's information systems have security controls designed to detect and mitigate attacks by using logs and alerting.

b. Antivirus. Data Importer implements endpoint protection on its hosting environments, including antivirus; which are continuously updated with critical patches or security releases in accordance with Data Importer's server change control procedures.

3.13 Information Security Incident Management.

a. Record of Breaches. The Data Importer maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and the procedure for recovering data. 

b. Record of Disclosure. The Data Importer tracks disclosures of customer data, including what data has been disclosed, to whom, and at what time.