Data Processing Addendum

Last Updated: April 4th, 2024

This Data Processing Addendum (“DPA”) is incorporated into and forms a part of the Master Services & Software Licensing Agreement between Pathify Holdings Inc. and its subsidiaries (“Pathify”) and Customer that governs Customer’s access to and use of the Services (“Agreement”).  Capitalized terms not defined herein have the meaning given in the Agreement.

1. Definitions

In this DPA, the following terms (and derivations thereof) have the meanings set out below:

  • Affiliate” means any person or entity that owns or controls, is owned or controlled by, or is under common control or ownership with, a party to this Agreement, where “control” is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract, or otherwise.
  • Controller” means the individual or entity that determines the purposes and means of the Processing of Personal Data.
  • Customer” means the individual or entity that has entered into the Agreement and agreed to the incorporation of this DPA into the Agreement.
  • Customer Content” means any data, file attachments, text, images, reports, personal information, or other content that is uploaded or submitted to an online Service by Customer or Users and is Processed by Pathify on behalf of Customer. For the avoidance of doubt, Customer Content does not include usage, statistical, learned, or technical information that does not reveal the actual contents of Customer Content.
  • Customer Personal Data” means Personal Data that is contained within Customer Content.
  • Data Breach” means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Content.
  • Data Protection Laws” means, to the extent applicable to a Party, the data protection or privacy laws of any country regarding the Processing of Customer Personal Data.
  • Data Subject” means an identified or identifiable natural person.
  • Parties” or “Party” means Customer and/or Pathify as applicable.
  • Personal Data” means any information relating to, identifying, describing, or capable of being associated with a Data Subject or a household.
  • Process” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.
  • Processor” means the individual or entity that Processes Personal Data on behalf of a Controller.
  • Professional Services” means implementation, configuration, integration, training, advisory, and other professional services related to the online Services that are provided or controlled by Pathify.
  • Services” means the Professional Services and the Subscription Service and any other online service or application provided or controlled by Pathify for use with the Subscription Services.
  • Pathify Personnel” means any individual authorized by Pathify to Process Customer Personal Data.
  • Subprocessor” means any individual or entity (including any third party but excluding Pathify Personnel) appointed by or on behalf of Pathify to Process Customer Personal Data in connection with the Agreement.
  • Subscription Services” means the subscription-based online services and applications that are provisioned and controlled by Pathify.
  • Supervisory Authority” means an independent competent public authority established or recognized under Data Protection Laws.
  • User” means any individual authorized or invited by Customer or another User to access and use the online Services available to Customer under an Order and the terms of the Agreement.

2. Roles of Parties

2.1. Customer and Pathify agree that, as between the Parties, Customer is a Controller and Pathify is a Processor of Customer Personal Data and that each Party is solely responsible for its compliance with Data Protection Laws applicable to it and for fulfilling any of its related obligations to third parties, including Data Subjects and Supervisory Authorities.

2.2. Customer as Controller.

2.2.1. Customer is solely responsible for the accuracy of Customer Personal Data and the legality of the means by which Customer acquires, discloses, and processes Customer Personal Data.

2.2.2. Customer’s instructions to Pathify to Process Customer Personal Data will comply with Data Protection Laws and be duly authorized, with all necessary rights, permissions, and consents secured.

2.3. Pathify as Processor.

2.3.1. Pathify will Process Customer Personal Data only: (a) as instructed by Customer in writing or as initiated by authorized Users via an online Service; (b) as necessary to provide the Services and prevent or address technical problems with an online Service or violations of the Agreement or this DPA; or (c) as required by applicable law. Schedule 1 (Details of Processing of Customer Personal Data) sets out a description of Pathify’s Processing of Customer Personal Data. Pathify agrees to immediately inform Customer if Pathify reasonably believes that any instruction to Process Customer Personal Data violates, or would violate, Data Protection Laws.

2.3.2. Pathify will ensure that Pathify Personnel: (a) access Customer Personal Data only to the extent necessary to perform Pathify’s Processing obligations under this DPA and the Agreement; (b) are bound by confidentiality obligations with respect to Customer Personal Data substantially as protective as those set forth in this DPA and the Agreement; and (c) are subject to appropriate training relating to the Processing of Customer Personal Data.

2.3.3. Pathify will not sell or share Customer Personal Data in violation of Data Protection Laws.

2.3.4. Pathify will not assess the type or substance of Customer Content to identify whether it is Customer Personal Data and/or subject to any specific legal requirements.

2.3.5. Following termination of the DPA, Pathify will return or delete Customer Content in accordance with the Agreement.

3. Security

3.1. Pathify will implement and maintain technical, physical, and organizational measures and controls designed to protect and secure Customer Content (including the return and deletion thereof) in accordance with the Agreement. Notwithstanding the foregoing, Customer is solely responsible for independently assessing and ultimately implementing such security configuration settings made available to Customer by Pathify as it deems necessary to meet its requirements and legal obligations under applicable Data Protection Laws.

3.2. Customer acknowledges that, through its Users, Customer: (a) controls the type and substance of Customer Content; and (b) sets User permissions to access Customer Content; and therefore, Customer is responsible for reviewing and evaluating whether the documented functionality of an online Service meets Customer’s required security obligations relating to Customer Personal Data under Data Protection Laws.

4. Subprocessors

4.1. Processor shall not appoint (or disclose any Company Personal Data to) any Subprocessor unless required or authorized by the Company.

4.2. Pathify will carry out appropriate due diligence on each Subprocessor and have a written agreement with each Subprocessor that includes provisions for Processing Customer Personal Data that are at least as protective as those set out in this DPA.

4.3. In accordance with Data Protection Laws, Pathify is liable for Subprocessors’ acts and omissions, including a Subprocessor’s appointment of another Subprocessor.

5. Data Subject Requests

5.1. Pathify will notify Customer in writing without undue delay, and in any event within 10 business days, following receipt and verification of any requests Pathify receives directly from a Data Subject relating to Customer Personal Data, and Pathify may only respond directly to a Data Subject request: (a) to confirm that such request relates to Customer; (b) as required by applicable law; or (c) with the written consent of Customer. Except as provided herein, Pathify, as processor, has no intention to respond to or fulfill any Data Subject requests.

5.2. At Customer’s written request and to the extent Customer is unable to access Customer Personal Data on its own, Pathify will provide reasonable assistance to Customer in accessing Customer Personal Data for Customer to respond to such Data Subject requests. To the extent legally permitted, Customer will be responsible for any expenses attributable to Pathify’s assistance efforts outside the normal course of business.

6. Data Breach.

6.1. Pathify will notify Customer in writing without undue delay, and in any event within 72 hours, upon Pathify becoming aware of a Data Breach.

6.2. Pathify will investigate and, as necessary, mitigate or remediate a Data Breach in accordance with Pathify’s security incident policies and procedures (“Breach Management”).

6.3. Pathify will notify Customer in writing without undue delay, and in any event within 72 hours, upon Pathify becoming aware of a Data Breach.

6.4. If Customer requires specific information relating to a Data Breach in addition to the Breach Information, at Customer’s written request and to the extent Customer is unable to access the additional information on its own, Pathify will reasonably cooperate with Customer as requested by Customer to attempt to collect and provide such additional information.

7. Audit Rights.

7.1. Pathify will use external auditors to annually audit and verify the adequacy of its security measures and controls (“Audit”). The Audit will: (a) be performed by independent third party security professionals at Pathify’s selection and expense; (b) include testing of the security measures and controls of the online Services, performed according to AICPA SOC2 standards or such other alternative standards substantially equal to AICPA SOC2, that results in the generation of, at a minimum, a SOC2 report or the substantive equivalent; and (c) include penetration testing of the online Services and result in the generation of a penetration test report.  The reports generated by the Audit (“Reports”) will be made available to Customer upon written request no more than annually subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement. For clarity, each Report will only discuss the online Services in general commercial availability at the time the Report was issued; subsequently released Services, if covered by a Report, will be in the next annual iteration of such Report.

7.2. Upon Customer’s written request, Pathify will provide reasonable assistance to Customer in relation to data protection impact assessments and consultations with Supervisory Authorities, taking into account the nature of Pathify’s Processing activities and the information available to Pathify. If Customer requires information for its compliance with Data Protection Laws in addition to the foregoing and the Reports, at Customer’s sole expense and written request and to the extent Customer is unable to access the additional information on its own, Pathify will allow for and cooperate with a Customer mandated audit by a third party auditor in relation to the Pathify’s Processing of Customer Personal Data (“Customer Audit”), provided that:

7.2.1. Customer provides Pathify reasonable advance notice including the identity of the auditor and the anticipated date and scope of the Customer Audit;

7.2.2. Pathify approves the auditor by notice to Customer, with such approval not to be unreasonably withheld;

7.2.3. Customer and the auditor act to avoid causing any damage, injury, or disruption to Pathify’s premises, equipment, or business in the course of such Customer Audit; and

7.2.4. Customer initiates only one Customer Audit in any calendar year unless otherwise required by a Supervisory Authority.

8. International Provisions

8.1. The Parties acknowledge and agree that the Processing of Customer Personal Data by Pathify may involve an international transfer of Customer Personal Data from Customer to Pathify (“International Transfer”).

8.2. To the extent that Pathify Processes Customer Personal Data originating from and protected by applicable Data Protection Laws in one of the Jurisdictions listed in Schedule 4 (Jurisdiction Specific Terms), then the terms specified therein with respect to the applicable jurisdiction(s) will apply in addition to the terms of this DPA.

8.3. To the extent that Customer’s use of the Services requires a valid transfer mechanism to lawfully transfer Customer Personal Data from a jurisdiction (i.e., the European Economic Area (“EEA”), the UK, Switzerland or any other jurisdiction listed in Schedule 4) to Pathify located outside of that jurisdiction (a “Transfer Mechanism”), the terms and conditions of Schedule 3 (Cross Border Transfer Mechanisms) will apply.

8.4. If any Transfer Mechanism fails as a lawful data transfer mechanism for an International Transfer, the Parties will act in accordance with Section 9.8 (Variations in Data Protection Laws) of this DPA.

9. General

9.1. Amendment; Waiver. Unless otherwise expressly stated herein, this DPA may be modified only by a written agreement executed by an authorized representative of each Party.  The waiver of any breach of this DPA will be effective only if in writing, and no such waiver will operate or be construed as a waiver of any subsequent breach.

9.2. Severance. If any provision of this DPA is held to be unenforceable, then that provision is to be construed either by modifying it to the minimum extent necessary to make it enforceable (if permitted by law) or disregarding it (if not permitted by law), and the rest of this DPA is to remain in effect as written. Notwithstanding the foregoing, if modifying or disregarding the unenforceable provision would result in failure of an essential purpose of this DPA, the entire DPA will be considered null and void.

9.3. Order of Precedence. Regarding the subject matter of this DPA, in the event of any conflict between this DPA and any other written agreement between the Parties (including the Agreement), this DPA will govern and control. Any data processing agreements that may already exist between Parties are superseded and replaced by this DPA in their entirety. To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this DPA, including Schedule 4 (Jurisdiction Specific Terms), the provisions of the applicable Standard Contractual Clauses will prevail.

9.4. Notices. Unless otherwise expressly stated herein, the parties will provide notices under this DPA in accordance with the Agreement, provided that all such notices may be sent via email.

9.5. Governing Law and Jurisdiction. Unless prohibited by Data Protection Laws, this DPA is governed by the laws stipulated in the Agreement and the Parties to this DPA hereby submit to the choice of jurisdiction and venue stipulated in the Agreement, if any, with respect to any dispute arising under this DPA.

9.6. Enforcement.  Regardless of whether Customer or its affiliate(s) or a third-party is a Controller of Customer Personal Data, unless otherwise required by law: (a) only Customer will have any right to enforce any of the terms of this DPA against Pathify; and (b) Pathify’s obligations under this DPA, including any applicable notifications, will be to only Customer.

9.7. Liability. As between the Parties to this DPA, each Party’s liability and remedies under this DPA are subject to the aggregate liability limitations and damages exclusions set forth in the Agreement.

9.8. Variations in Data Protection Laws. If any variation is required to this DPA as a result of a change in or subsequently applicable Data Protection Law, then either Party may provide written notice to the other Party of that change in law. The Parties will then discuss and negotiate in good faith any variations to this DPA necessary to address such changes, with a view to agreeing and implementing those or alternative variations as soon as practicable, provided that such variations are reasonable with regard to the functionality and performance of the Services and Pathify’s business operations.

9.9. Reservation of Rights. Notwithstanding anything to the contrary in this DPA: (a) Pathify reserves the right to withhold information the disclosure of which would pose a security risk to Pathify or its customers or is prohibited by applicable law or contractual obligation; and (b) Pathify’s notifications, responses, or provision of information or cooperation under this DPA are not an acknowledgement by Pathify of any fault or liability.

9.10. Regulatory Requests. In the event Pathify is required by law or legal process to disclose Customer Personal Data, Pathify, to the extent legally permitted, agrees to give Customer prior notice of such disclosure to afford Customer a reasonable opportunity to appear, object, and obtain a protective order or other appropriate relief regarding such disclosure.

SCHEDULE 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA

This Schedule 1 includes certain details of the Processing of Personal Data as required by Article 28(3) of the GDPR.

Subject matter and duration of the Processing of Personal Data:

  • The subject matter and duration of the Processing of Personal Data are set out in the Privacy Policy and this DPA.

The nature and purpose of the Processing of Personal Data

  • Processing of Personal Data by Pathify is reasonably required to facilitate or support the provision of the Services as described under the Privacy Policy and this DPA.

Type of Personal Data and Categories of Data Subjects:

  • The types of Personal Data and categories of Data Subject about whom the Personal Data relates are determined and controlled by Customer in its sole discretion.

Obligations and Rights of the Controller:

  • The obligations and rights of Customer are set out in the Privacy Policy and this DPA.

SCHEDULE 2: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Where applicable, this Schedule 2 will serve as Annex II to the Standard Contractual Clauses.

1. General

1.1. Information Security Program. Pathify shall maintain a comprehensive written information security program, including policies, standards, procedures, and related documents that establish criteria, means, methods, and measures governing the Processing and security of Customer Content and the Pathify systems or networks used to Process or secure Customer Content in connection with providing the Services under the Agreement.

1.2. Confidentiality; Training. Pathify will ensure that Pathify Personnel: (a) are bound by confidentiality obligations with respect to Customer Content substantially as protective as those set forth in the Agreement; and (b) are subject to appropriate training relating to the Processing of Customer Content.

1.3. Definitions.

1.4. “Agreement” means the agreement that governs Customer’s access to and use of the online Services.

1.5. “Customer” means the individual or entity that executes or accepts an Order or registers for free trial access to and use of a Service and has entered into an Agreement.

1.6. “Customer Content” means any data, file attachments, text, images, reports, personal information, or other content that is uploaded or submitted to an online Service by Customer or Users and is Processed by Pathify on behalf of Customer.

1.7. “Process” means any operation or set of operations performed upon Customer Content, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.

1.8. “Security Breach” means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Content.

1.9. “Services” means the Subscription Services and any other online service or application provided or controlled by Pathify for use with the Subscription Services.

1.10. “Pathify Personnel”  means any individual authorized by Pathify to Process Customer Content.

1.11. “Subscription Service” means the subscription-based online services and applications that are provisioned or controlled by Pathify.

1.12. “User” means any individual authorized or invited by Customer or another User to access and use the online Services under the terms of the Agreement.

2. Security Controls

In accordance with its information security program, Pathify shall implement appropriate physical, organizational, and technical controls designed to: (a) ensure the security, integrity, and confidentiality of Customer Content Processed by Pathify; and (b) protect Customer Content from known or reasonably anticipated threats or hazards, including to its security, integrity, accidental loss, alteration, disclosure, and other unlawful forms of Processing. Without limiting the foregoing, Pathify will, as appropriate, utilize the following controls:

2.1. Firewalls. Pathify will install and maintain firewall(s) to protect data accessible via the Internet.

2.2. Updates. Pathify will maintain programs and routines to keep the Pathify Information Systems up to date with the latest upgrades, updates, bug fixes, new versions, and other modifications.

2.3. Anti-malware.  Pathify will deploy and use anti-malware software and will keep the anti-malware software up to date. Pathify will use such software to mitigate threats from all viruses, spyware, and other malicious code that are or should reasonably be detected.

2.4. Testing. Pathify will regularly test its security systems, processes, and controls to ensure they meet the requirements of these Security Practices.

2.5. Access Controls. Pathify will secure Customer Content processed by Pathify Information Systems by complying with the following:

2.5.1. Pathify will assign a unique ID to Pathify Personnel with access to Pathify Information Systems.

2.5.2. Pathify will restrict access to Pathify Information Systems to only Pathify Personnel necessary to perform a specified obligation as permitted by the Agreement.

2.5.3. Pathify will regularly review (at a minimum once every ninety (90) days) the list of Pathify Personnel and services with access to Pathify Information Systems and remove accounts that no longer require access.

2.5.4. Pathify will not use manufacturer supplied defaults for system passwords on any operating systems, software, or Pathify Information Systems, will mandate the use of system-enforced “strong passwords” in accordance with or exceeding the best practices (described below), and will require that all passwords and access credentials be kept confidential and not shared among Pathify Personnel.

2.5.5. At a minimum, Pathify production passwords will: (i) contain at least eight (8) characters; (ii) not match previous passwords, the user’s login, or common name; (iii) be changed whenever an account compromise is suspected or assumed; and (iv) be regularly replaced.

2.5.6. Pathify will enforce account lockout by disabling accounts Processing Customer Content when an account exceeds a designated number of incorrect password attempts in a certain period.

2.5.7. Pathify will maintain log data for all use of accounts or credentials by Pathify Personnel for access to Pathify Information Systems and will regularly review access logs for signs of malicious behavior or unauthorized access.

2.6. Policies. Pathify will maintain and enforce appropriate information security, confidentiality, and acceptable use policies for Pathify Personnel that meet the standards set forth in these Security Practices, including methods to detect and log policy violations.

2.7. Development. Development and testing environments will be separate from Pathify Information Systems.

2.8. Deletion. Pathify will utilize procedures that are at a minimum in accordance with National Institute of Standards and Technology (NIST) SP 800-88 Revision 1 recommendations (or a successor standard widely used in the industry) to render Customer Content unrecoverable prior to disposal of media. 

2.9. Encryption. Pathify will utilize cryptographic standards mandating authorized algorithms, key length requirements, and key management processes that are consistent with or exceed then-current industry standards, including NIST recommendations, and utilize hardening and configuration requirements consistent in approach with then-current industry standards, including SANS Institute, NIST, or Center for Internet Security (CIS) recommendations. Pursuant to such standards, Pathify will encrypt Customer Content at rest within the online Services and will only allow encrypted connections to the online Service for the transfer of Customer Content.

2.10. Remote Access. Pathify will ensure that any access from outside of its protected corporate or production environments to Pathify Information Systems or to Pathify’s corporate or development workstation networks will require appropriate connection controls, such as VPN or multi-factor authentication.

3. Use of Third Parties

3.1. General.  Third parties engaged by Pathify in accordance with the Agreement will maintain (at a minimum) substantially similar levels of security as applicable and required by these Security Practices.

3.2. Data Hosting.  Pathify will ensure that any third party hosting provider (“Infrastructure-as-a-Service” or “IaaS”) utilized by Pathify to Process Customer Content meet the following requirements:

3.2.1. Base Requirements. At a minimum Pathify will ensure IaaS providers: (a) maintain adequate physical security and access controls as set forth in Section 2.5 of these Security Practices; (b) use professional HVAC & environmental controls; (c) utilize professional network/cabling environment; (d) use professional fire detection/suppression capability; and (e) maintain a comprehensive business continuity plan.

3.2.2. Annual Audit; Assessment.  Conduct annual independent risk assessments and audits. Such assessments and audit reports will be provided to Pathify and, if required by law, made available to Customer, provided Pathify may remove all commercial and confidential information or terms unrelated to the security practices of the IaaS. In addition, Pathify shall conduct annual reviews and assessments of any critical IaaS to validate the security measures at a minimum meet the requirements of these Security Practices.

3.2.3. Enhanced Requirements.  Possess requirements and capabilities of a highly-available, redundant (“N+1”) data center, where multiple components each give at least one independent backup component to ensure that system functionality continues at acceptable performance levels in the event of a system failure.

4. System Availability

Pathify will maintain (or, with respect to systems controlled by third parties, ensure that such third parties maintain) a disaster recovery (“DR”) program designed to recover the Subscription Service’s availability following a disaster. At a minimum, such DR program will include the following elements: (a) routine validation of procedures to regularly and programmatically create retention copies of Customer Content for the purpose of recovering lost or corrupted data; (b) inventories, updated at minimum annually, that list all critical Pathify Information Systems; (c) annual review and update of the DR program; and (d) annual testing of the DR program designed to validate the DR procedures and recoverability of the service detailed therein.

5. Security Breach

5.1. Procedure.

5.1.1. Pathify will notify Customer in writing without undue delay upon Pathify becoming aware of confirmed Security Breach.

5.1.2. Pathify will investigate and, as necessary, mitigate or remediate a Security Breach in accordance with Pathify’s security incident policies and procedures (“Breach Management”).

5.1.3. Subject to Pathify’s legal obligations, Pathify will provide Customer with information available to Pathify as a result of its Breach Management, including the nature of the incident, specific information disclosed (if known), and any relevant mitigation efforts or remediation measures (“Breach Information”), for Customer to comply with its obligation under applicable laws as a result of a Security Breach.

5.1.4. If Customer requires information relating to a Security Breach in additional to the Incident Information, at Customer’s sole expense and written request and to the extent Customer is unable to access the additional information on its own, Pathify will reasonably cooperate with Customer as requested by Customer to attempt to collect and provide such additional information.

5.2. Unsuccessful Attempts. An unsuccessful attack or intrusion is not a Security Breach subject to this Section 5. An “unsuccessful attack or intrusion” is one that does not result in unauthorized or unlawful access to Customer Content and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or TCP/UDP headers), or similar incidents.

5.3. Customer or User Involvement.  Unauthorized or unlawful access to Customer Content that results from the Customer’s configuration settings, compromise of a User’s login credentials, or from the intentional or inadvertent sharing or disclosure of Customer Content by the Customer or a User is not a Security Breach.

5.4. Notifications. Notification(s) of Security Breach, if any, will be delivered to one or more of Customer’s SysAdmin users by any reasonable means Pathify selects, including email. Customer is solely responsible for maintaining accurate contact information in the online Service at all times.

5.5. Disclaimer. Pathify’s obligation to report or respond to a Security Breach under this Section 5 is not an acknowledgement by Pathify of any fault or liability of Pathify with respect to the Security Breach.

6. Auditing and Reporting

6.1. Monitoring.  Pathify monitors the effectiveness of its information security program on an ongoing basis by conducting various audits, risk assessments, and other monitoring activities to ensure the effectiveness of its security measures and controls.

6.2. Audit Reports.  Pathify uses external auditors to verify the adequacy of its security measures and controls for certain Services, including the Subscription Services. The resulting audit will: (a) include testing of the entire measurement period since the previous measurement period ended; (b) be performed according to AICPA SOC2 standards or such other alternative standards that are substantially equivalent to AICPA SOC2; (c) be performed by independent third party security professionals at Pathify’s selection and expense; and (d) result in the generation of a SOC2 report (“Audit Report”), which will be Pathify’s Confidential Information. The Audit Report will be made available to Customer upon written request no more than annually, subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement. For the avoidance of doubt, each Audit Report will only discuss Services in existence at the time the Audit Report was issued; subsequently released Services, if within the scope of the Audit Report, will be in the next annual iteration of the Audit Report.

6.3. Penetration Testing.  Pathify uses external security experts to conduct penetration testing of certain online Services, including the Subscription Services. Such testing will: (a) be performed at least annually; (b) be performed by independent third party security professionals at Pathify’s selection and expense; and (c) result in the generation of a penetration test report (“Pen Test Report”), which will be Pathify’s Confidential Information. Pen Test Reports will be made available to Customer upon written request no more than annually subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement. 

6.4. Customer Audit.  If Customer legally requires information for its compliance with applicable laws in addition to the Audit and Pen Test Reports, at Customer’s sole expense and written request and to the extent Customer is unable to access the additional information on its own, Pathify will allow for and cooperate with a Customer mandated audit by a third party auditor in relation to Pathify’s Processing of Customer Content (“Customer Audit”), provided that:

6.4.1. Customer provides Pathify reasonable advance notice including the identity of the auditor and the anticipated date and scope of the Customer Audit;

6.4.2. Pathify approves the auditor by notice to Customer, with such approval not to be unreasonably withheld;

6.4.3. Customer and the auditor act to avoid causing any damage, injury, or disruption to Pathify’s premises, equipment, or business in the course of such Customer Audit; and

6.4.4. Customer initiates only one Customer Audit in any calendar year unless otherwise required by  law enforcement.

SCHEDULE 3: CROSS BORDER TRANSFER MECHANISMS

1. Definitions

1.1. “Standard Contractual Clauses” means, depending on the circumstances unique to any particular Customer, any of the following:

1.1.1. EEA Standard Contractual Clauses; and

1.1.2. UK Standard Contractual Clauses.

1.2. “EEA Standard Contractual Clauses” or “Approved EU SCCs” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.

1.3. “UK Standard Contractual Clauses” means the template Addendum issued by the Information Commissioner’s Office (ICO) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎18.

2. The EEA Standard Contractual Clauses

For data transfers from the European Economic Area that are subject to the EEA Standard Contractual Clauses, the EEA Standard Contractual Clauses will apply in the following manner:

2.1. Module One (Controller to Controller) will apply where Pathify is processing online Services usage data as a Controller. For clarity, usage data is analytical statistical, learned, or technical information derived from a customer’s use of the Service that does not include or reveal the contents of Customer Content. Such data is owned by Pathify and used to provide support, secure, and/or defend the Services.

2.2. Module Two (Controller to Processor) will apply where Customer is a Controller of Customer Personal Data and Pathify is a Processor of Customer Personal Data;

2.3. For each module, where applicable:

2.3.1. in Clause 7, the optional docking clause will not apply;

2.3.2. in Clause 9, Option 2 will apply, and the process for providing notice and the time period for objections of sub-processor changes will be as set forth in Section 4 (Subprocessors) of this DPA;

2.3.3. in Clause 11, the optional language will not apply;

2.3.4. in Clause 17, the EEA Standard Contractual Clauses will be governed by the laws of Germany.

2.3.5. in Clause 18(b), disputes will be resolved before the courts of Germany.

2.3.6. In Annex I, Part A:

Data Exporter:  Customer and authorized affiliates of Customer.

Contact Details:  Customer’s account owner email address, or to the email address(es) for which Customer elects to receive privacy communications.

Data Exporter Role:  The Data Exporter’s role is outlined in Section 2 of this DPA.

Signature & Date:  By entering into the DPA, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date.

Data Importer: Pathify Inc.

Contact Details: [email protected].

Data Importer Role: The Data Importer’s role is outlined in Section 2 of this DPA.

Signature & Date: By entering into the DPA, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date.

2.3.7. In Annex I, Part B:

The categories of data subjects are described in Schedule 1.

The sensitive data transferred is described in Schedule 1.

The frequency of the transfer is a continuous basis for the duration of the Agreement.

The nature of the processing is described in Schedule 1.

The purpose of the processing is described in Schedule 1.

The period of the processing is described in Schedule 1.

2.3.8. In Annex I, Part C: in accordance with clause 13, the competent supervisory authority is identified as follows:

Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as the competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: Commission nationale de l’informatique et des libertés (CNIL) – 3 Place de Fontenoy, 75007 Paris, France shall act as the competent supervisory authority.

Where the data exporter is established in the United Kingdom or falls within the territorial scope of application of UK Data Protection Laws and Regulations, the Information Commissioner’s Office shall act as the competent supervisory authority.

Where the data exporter is established in Switzerland or falls within the territorial scope of application of Swiss Data Protection Laws and Regulations, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and Regulations.

2.3.9. Schedule 2 serves as Annex II of the Standard Contractual Clauses.

3. The UK Standard Contractual Clauses

For data transfers from the UK that are subject to the UK Standard Contractual Clauses, the UK Standard Contractual Clauses will apply in the following manner: 

3.1. The EEA Standard Contractual Clauses, which are incorporated by reference into this DPA, will also apply to UK data transfers, subject to this Schedule 3.

3.2. The UK Addendum will be deemed executed between the parties, and the EEA SCCs will be deemed amended as specified by the UK Addendum in relation to the UK data transfers.

SCHEDULE 4: JURISDICTION SPECIFIC TERMS

1. United States

1.1. The definition of “Data Protection Law” includes any federal or state data protection laws in effect and applicable to Pathify’s Processing of Customer Personal Data in the United States.

1.2. The terms “business”, “commercial purpose”, “service provider”, “sell”, and “personal information” have the meanings given in the applicable Data Protection Law and in the context of Customer Personal Data that is Processed pursuant to this DPA.

1.3. With respect to Customer Personal Data, Pathify is a service provider under applicable Data Protection Law.

1.4. Pathify will not (a) sell or share Customer Personal Data; (b) retain, use, or disclose any Customer Personal Data for any purpose other than for the specific purpose of providing the Services, including retaining, using or disclosing the Customer Personal Data for a commercial purpose other than providing the Services, including to provide services to a different customer; (c) retain, use, or disclose the Customer Personal Data outside of the direct business relationship between Pathify and Customer; or (d) combine Customer Personal Data with other Personal Data that Pathify receives from another entity or collects from individuals, except as permitted by applicable law or as authorized by Customer.

1.5. The parties acknowledge and agree that the Processing of Customer Personal Data authorized by Customer’s instructions described in this DPA is integral to and encompassed by Pathify’s provision of the Services and the direct business relationship between the parties. Pathify agrees to inform Customer if, in its reasonable opinion, Pathify can no longer meet its applicable obligations under this Data Protection Law.

1.6. Notwithstanding anything in the Agreement or any Order Form entered in connection therewith, the parties acknowledge and agree that Pathify’s access to Customer Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.

1.7. To the extent that any online Services usage data is considered Customer Personal Data, Pathify is the business with respect to such data and will Process such data in accordance with its Privacy Policy. For clarity, usage data is analytical statistical, learned, or technical information derived from a customer’s use of the Service that  does not include or reveal the contents of Customer Content. Such data is owned by Pathify and used to provide support, secure, and/or defend the Services.

1.8. Remediation Requirements. Customer shall have the right to take reasonable and appropriate steps to (a) verify that Pathify uses the personal information that it received from, or on behalf of, Customer in a manner consistent with this DPA so that Customer can meet its obligations under Data Protection Law. This right may encompass performing Customer Audits in accordance with this DPA; (b) stopping and remediating Pathify’s unauthorized use of Customer Personal Data; and (c) taking any such other remediation efforts reasonably agreed upon by the parties. By way of example, and in accordance with the Agreement, Customer may require Pathify to provide documentation that verifies that Pathify no longer retains or uses Customer personal information of Data Subjects who have made a valid request of Customer to delete their personal information.

1.9. Certification. Pathify certifies that it understands and will comply with the obligations set forth in this the DPA and the Agreement, including the restrictions on its Processing of Customer personal information.

2. EEA

2.1. The definition of “Data Protection Laws” includes the General Data Protection Regulation (EU 2016/679) (“GDPR”).

2.2. When Pathify engages a Subprocessor, it will:

2.2.1. require any appointed Subprocessor to protect Customer Personal Data to the standard required by applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and

2.2.2. require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.

2.3. GDPR Penalties. Notwithstanding anything to the contrary in this DPA or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.

3. Switzerland

3.1. The definition of “Data Protection Laws” includes the Swiss Federal Act on Data Protection.

3.2. When Pathify engages a Subprocessor, it will:

3.2.1. require any appointed Subprocessor to protect Customer Personal Data to the standard required by applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and

3.2.2. require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.

3.3. To the extent allowed and required by the Swiss Federal Act on Data Protection, a Data Subject may bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland.

3.4. To the extent required by the version of the Swiss Federal Act on Data Protection then in effect, the applicability of the Standard Contractual Clauses will be interpreted to include data pertaining to legal entities as Customer Personal Data.

4. United Kingdom

4.1. References in this DPA to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).

4.2. When Pathify engages a Subprocessor, it will:

4.3. require any appointed Subprocessor to protect Customer Personal Data to the standard required by applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and

4.4. require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.