Data Processing Addendum

Last updated: June 20, 2024

This Data Processing Addendum (“DPA”) is entered into between Ontic Technologies, Inc. (“Ontic”) and [Client] (“Client”) and is incorporated into and governed by the Master Services Agreement or other agreement governing the provision of services by Ontic to Client, entered into between Ontic and Client (“Agreement”). This DPA supplements the Agreement and applies exclusively to Ontic’s Processing of Client Personal Data in providing services to Client under the Agreement.

Any capitalized term not defined in this DPA shall have the meaning given to it in the Agreement. This DPA is not intended to remove or lessen Client’s obligations with respect to Client Data under the Agreement.

1. Definitions

Terms such as “Personal Data”, “Data Subject”, “Processing”, “Controller”, “Processor”, “Personal Data Breach”, and “Supervisory Authority” that are defined under Applicable Data Protection Laws (defined below) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data shall have the meanings assigned to them in such Applicable Data Protection Laws. Other capitalized terms not otherwise defined in this DPA shall have the respective meanings assigned to them in this Section 1.

“Affiliate” means any entity which is directly or indirectly controlling, controlled by, or under common control with a party to the Agreement.

“Applicable Data Protection Law(s)” means any and all governmental laws, rules, directives, regulations or orders that are applicable to a particular Party’s performance under this DPA, including any applicable US or EU Data Protection Law. Applicable Data Protection Laws may include, depending on the circumstances and location: EU Data Protection Law (defined below); Cal. Civ. Code §§ 1798.100 et seq. (the CCPA, defined below), Colo. Rev. Stat. §§ 6-1-1301 et seq. (the Colorado Privacy Act) (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), Utah Code Ann. §§ 13-61-101 et seq. (the Utah Consumer Privacy Act) (“UCPA”), and VA Code Ann. §§ 59.1-575 et seq. (the Virginia Consumer Data Protection Act) (“VCDPA”) (collectively, “U.S. Privacy Laws”); and applicable subordinate legislation and regulations implementing those laws.

“CCPA” means Section 1798.100 et seq. of the California Civil Code and any attendant regulations issued thereunder as may be amended from time to time, including but not limited to the California Privacy Rights Act of 2020 (the “CPRA”) and its implementing regulations.

“Client Personal Data” means any data comprising Personal Data of Data Subjects that is Processed by Ontic on behalf of Client (“Submitted Data”).

“EEA” means the European Economic Area, which constitutes the member states of the European Union (“EU”) and Norway, Iceland, and Liechtenstein, and, for purposes of this DPA, the United Kingdom.

“EU Data Protection Law” means the GDPR and the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”).

“Services” means the Ontic Services set forth in the Agreement, including the Processing of Client Personal Data.

“Standard Contractual Clauses” means (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021, available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&qid=1623940939861 (“EU SCCs”); and (ii) where the UK GDPR applies, the EU SCCs as amended and modified by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”); in each case as may be amended, superseded or replaced from time to time.

“Sub-Processor” means any third-party person or entity engaged by Ontic to Process Client Personal Data in the delivery of the Services to Client.

2. Purpose and Scope

An overview of the categories of Data Subjects, types of Client Personal Data being Processed and the nature and purpose of the Processing is provided in Annex 1A. The Parties acknowledge and agree that with regard to the Processing of Client Personal Data under Applicable Data Protection Law and this DPA, Client is the Controller and Ontic is the Processor or Service Provider. Each Party will comply with its respective obligations under Applicable Data Protection Law with respect to the Processing of Client Personal Data.

By entering into this DPA, Client instructs Ontic to Process Client Personal Data: (a) to provide the Services in accordance with the features and functionality of the Services, the Agreement, and related documentation; (b) to enable Client’s User-initiated actions on and through the Services; (c) as set forth in the Agreement and applicable Order Forms and/or SOWs; and (d) as further documented by written instructions given by Client. Notwithstanding the foregoing, Ontic will inform Client promptly if it becomes aware that Client’s instructions may violate Applicable Data Protection Law.

3. Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Ontic shall, in relation to Client Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk (including those outlined in Annex 2 of this DPA, “Security Measures”). In assessing the appropriate level of security, Ontic shall take into account the risks that are presented by Processing Client Personal Data including, in particular, the risks presented by a Client Personal Data Breach (as defined in Section 5). Ontic may make such changes to the Security Measures as Ontic deems necessary or appropriate from time to time, including without limitation to comply with Applicable Data Protection Law, but no such changes will materially reduce the overall level of protection for Client Personal Data. Ontic will take appropriate steps to ensure compliance with the Security Measures by its employees, agents, contractors and Sub-Processors to the extent applicable to their scope of performance, including ensuring that all persons authorized to Process Client Personal Data have agreed to appropriate obligations of confidentiality.

4. Data Subject Rights

If Ontic receives a request from a Data Subject in relation to Client Personal Data, then, to the extent legally permissible, Ontic will advise the Data Subject to submit their request to Client and Client will be responsible for responding to any such request including, where necessary, by using the functionality of the Services. Client hereby agrees that Ontic may confirm to a Data Subject that his or her request relates to Client. To the extent Client is unable through its use of the Services to address a particular Data Subject request, Ontic will, upon Client’s request and taking into account the nature of Client Personal Data Processed, provide reasonable assistance in addressing the Data Subject request (provided Ontic is legally permitted to do so and that the Data Subject request was made in accordance with Applicable Data Protection Laws). To the extent permitted by Applicable Data Protection Law, Client shall be responsible for any costs arising from Ontic’s provision of such assistance.

5. Client Personal Data Breach

Ontic will notify Client without undue delay after becoming aware of a Personal Data Breach with respect to Client Personal Data transmitted, stored, or otherwise Processed by Ontic or its Sub-Processors (a “Client Personal Data Breach”). Such notice may be provided (1) by posting a notice in the Services; (2) by sending an email to the email address set forth on an Order Form or SOW; (3) by sending a notice to Client at the contact information listed on the signature page to this DPA; and/or (4) pursuant to the notice provisions of the Agreement. Client shall ensure that its contact information is current and accurate at all times during the term of this DPA. Ontic will promptly take all actions relating to its Security Measures (and those of its Sub-Processors) that it deems necessary and advisable to identify and remediate the cause of a Client Personal Data Breach. In addition, Ontic will promptly provide Client with: (i) reasonable cooperation and assistance with regard to the Client Personal Data Breach; (ii) reasonable information in Ontic’s possession concerning the Client Personal Data Breach insofar as it affects Client, including remediation efforts and any notification to Supervisory Authorities; and (iii) to the extent known: (a) the possible cause of the Client Personal Data Breach; (b) the categories of Client Personal Data involved; and (c) the possible consequences to Data Subjects. Ontic’s notification of or response to a Client Personal Data Breach under this Section will not constitute an acknowledgment of fault or liability with respect to the Client Personal Data Breach, and the obligations herein shall not apply to Personal Data Breaches that are caused by Client, its Users or any other user who accesses the Services for whom Client is reasonably responsible.
If Client decides to notify a Supervisory Authority, Data Subjects, or the public of a Client Personal Data Breach, Client will provide Ontic with advance copies of the proposed notices and, subject to Applicable Data Protection Law (including any mandated deadlines under EU Data Protection Law), allow Ontic an opportunity to provide any clarifications or corrections to those notices. Subject to Applicable Data Protection Law, Ontic will not reference Client in any public filings, notices, or press releases associated with the Client Personal Data Breach without Client’s prior written consent.

6. Client Responsibilities

Without limiting its responsibilities under the Agreement, Client is solely responsible for: (a) any of Client’s account data, Client’s account login credentials (including activities conducted with login credentials), and other data provided by Client to Ontic, subject to Ontic’s Processing obligations under the Agreement and this DPA; and (b) providing any notices required by Applicable Data Protection Law to, and receiving any required consents and authorizations required by Applicable Data Protection Law from, persons whose Personal Data may be included in Client’s account data, Client’s account login credentials and other data provided by Client to Ontic. Further, no provision of this DPA includes the right to, and Client shall not, directly or indirectly, enable any person or entity other than its Users to access and use the Services or use (or permit others to use) the Services other than as described in the applicable Order Form, SOW, order, the Agreement and this DPA, or for any unlawful purpose.

7. Sub-Processors

Client acknowledges and agrees that:

(a) Affiliates of Ontic may be used as Sub-Processors; and

(b) Ontic and its Affiliates respectively may engage Sub-Processors in connection with the provision of the Services.

As a condition to permitting a Sub-Processor to Process Client Personal Data, Ontic will enter into a written agreement with the Sub-Processor containing data protection obligations no less protective than those in this DPA with respect to Client Personal Data. Subject to this Section 7, Ontic reserves the right to engage and substitute Sub-Processors as it deems appropriate but shall: (a) remain responsible to Client for the provision of the Services and (b) be liable for the actions and omissions of its Sub-Processors undertaken in connection with Ontic’s performance of this DPA to the same extent Ontic would be liable if performing the Services directly.

Ontic’s current list of Sub-Processors is set forth in Annex 3.

During the term of this DPA, Ontic shall provide Client with at least 14 days’ notice, via email (or in-application notice), of any new or replacement Sub-Processor(s) who may Process Client Personal Data before authorizing any new or replacement Sub-Processor(s) to Process Client Personal Data in connection with the provision of the Services. If Client objects to a new or replacement Sub-Processor within 14 days of such notice, and Ontic is unable to take corrective steps to exclude such Sub-Processor, then either party may terminate the relevant portion of the applicable Order Form or SOW with respect to those Services which cannot be provided by Ontic without the use of the new or replacement Sub-Processor. Ontic will refund Client any prepaid fees covering the remainder of the Term of the applicable Order Form or SOW following the effective date of termination with respect to such terminated Services. If Client does not provide a timely objection notice with respect to a new Sub-Processor, Client will be deemed to have authorized Ontic to use the Sub-Processor and to have waived its right to object. Ontic may use a new or replacement Sub-Processor while the objection procedures under this Section 7 are in process.

8. Transfer Mechanisms

Subject to the terms and conditions of the Agreement and Applicable Data Protection Law, Ontic currently makes available the Standard Contractual Clauses as a transfer mechanism. The Standard Contractual Clauses apply to any transfer of Client Personal Data under this DPA from the EEA to a country that has not been deemed to provide an adequate level of data protection by way of an adequacy decision (to the extent such transfers are subject to Applicable Data Protection Law).

(a) The Standard Contractual Clauses and the terms of this Section 8(a) apply to any transfer of Submitted Data, to the extent such transfer is subject to EU Data Protection Law:

1) For the purposes of the EU SCCs: (i) the module two (controller to processor) terms shall apply; (ii) Clause 9, Option 2 of the applicable module of the EU SCCs shall apply and Ontic may engage Sub-Processors as described in Section 7 of this DPA; (iii) in Clause 11, the optional language shall be deleted; (iv) the audits described in Clauses 8.3 and 8.9 of the applicable module of the EU SCCs shall be carried out as set out in and subject to the requirements of Section 9 of this DPA; (v) pursuant to Clauses 8.5 and 16(d), upon termination of this DPA, Client Personal Data will be returned and/or destroyed in accordance with Section 11 of this DPA; (vi) in Clause 17, Option 1 shall apply and the EU SCCs shall be governed by Irish law; (vii) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (viii) the Annexes of the EU SCCs shall be populated with the information set out in the Annexes to this Addendum.

2) For the purposes of the UK SCCs, the UK SCCs shall be populated with the relevant information set out in the Annexes to this Addendum.

3) If and to the extent the Standard Contractual Clauses conflict with any provision of this DPA regarding the transfer of Submitted Data from Client to Ontic, the Standard Contractual Clauses shall prevail to the extent of such conflict.

(b) The Standard Contractual Clauses and the terms of this Section 8(b) apply to any transfer of Returned Data, to the extent such transfer is subject to EU Data Protection Law: 

1) For the purposes of the EU SCCs: (i) the module four (processor to controller) terms shall apply; (ii) in Clause 11, the optional language shall be deleted; (iii) the audits described in Clause 8.3 of module four of the EU SCCs shall be carried out as set out in and subject to the requirements of Section 9 of this DPA; (iv) pursuant to Clause 16(d), upon termination of this DPA, Client Personal Data will be returned and/or destroyed in accordance with Section 11 of this DPA; (v) in Clause 17, the EU SCCs shall be governed by Irish law; (vi) in Clause 18, disputes shall be resolved before the courts of Ireland; and (vii) the Annexes of the EU SCCs shall be populated with the information set out in the Annexes to this Addendum.

2) For the purposes of the UK SCCs, the UK SCCs shall be populated with the relevant information set out in the Annexes to this Addendum.

3) If and to the extent the Standard Contractual Clauses conflict with any provision of this DPA regarding the transfer of Returned Data from Ontic to Client, the Standard Contractual Clauses shall prevail to the extent of such conflict.

9. Audit

Where required by Applicable Data Protection Law, Ontic will allow Client (directly or through a third-party auditor subject to written confidentiality obligations) to conduct an audit of Ontic’s procedures relevant to the protection of Client Personal Data to verify Ontic’s compliance with its obligations under this DPA. Any audit conducted under this DPA shall consist of examination of the most recent reports, certificates, and/or extracts prepared by an independent third-party auditor mutually agreed upon by the parties and bound by confidentiality provisions similar to those set out in the Agreement. In the event that provision of the same is not sufficient under Applicable Data Protection Law, the Client may, at its own expense, conduct a more extensive audit which will be:

(a) limited in scope to matters specific to the Client and agreed in advance with Ontic;

(b) carried out during US local business hours and upon reasonable notice which shall be not less than 30 days unless an identifiable material issue has arisen;

(c) conducted in a way which does not interfere with Ontic’s day-to-day business; and

(d) undertaken no more than once in any 12-month period, except where required by a competent Supervisory Authority or where an audit is required due to a Client Personal Data Breach.

To that end and before the commencement of any such audit, Client and Ontic shall mutually agree upon the audit’s participants, schedule, and scope, which shall in no event permit Client or its third-party auditor to access the Services’ hosting sites, underlying systems, or infrastructure. Representatives of Client performing an audit shall protect the confidentiality of all information obtained through such audits in accordance with the Agreement, may be required to execute an enhanced mutually agreeable nondisclosure agreement, and shall abide by Ontic’s security policies while on Ontic’s premises. Client is liable and responsible for ensuring that such individuals comply with Client’s and their confidentiality obligations. Upon completion of an audit, Client agrees to promptly furnish to Ontic any written audit report or, if no written report is prepared, to promptly notify Ontic of any non-compliance discovered during the course of the audit. The results of any audit shall be considered Ontic’s Confidential Information. Ontic will remedy any material deficiency that is properly identified in detail, pursuant to its applicable policy. Client shall reimburse Ontic for its time expended in connection with an audit at Ontic’s then-current professional service rates, which shall be made available to Client upon request and shall be reasonable taking into account the time and effort required by Ontic. If a third party is to conduct an audit under this Section 9, Ontic may object to the auditor if the auditor is, in Ontic’s reasonable opinion, a competitor of Ontic or not reasonably acceptable to Ontic. Such objection by Ontic will require Client to appoint another auditor or conduct the audit itself. Nothing in this Section 9 shall be construed to require Ontic to furnish more information about its Sub-Processors in connection with such audits than such Sub-Processors make available to Ontic without restrictions on further disclosure.

10. Impact Assessment and Additional Information

Ontic will provide Client with reasonable cooperation, information, and assistance as needed to fulfill Client’s obligations under Applicable Data Protection Law, including as needed to carry out a data protection impact assessment related to Client’s use of the Services (in each case to the extent Client does not otherwise have access to the relevant information, and such information is in Ontic’s control). Without limiting the foregoing, Ontic shall provide reasonable assistance to Client in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section 10, to the extent required by Applicable Data Protection Law.

11. Data Deletion

Client may request that Ontic return or delete Client Personal Data in accordance with the Agreement.

12. Client Data Subject to U.S. Privacy Laws

As used in this Section 12, “Business Purpose”, “Collects”, “Consumer”, “Sell”, “Share” and “Service Provider” have the meanings assigned to them in the U.S. Privacy Laws.

If Client Data comprises Personal Information subject to U.S. Privacy Laws (“U.S. Privacy Law Personal Data”), Ontic is the Service Provider. The parties agree as follows with respect to such U.S. Privacy Law Personal Data:

(a) U.S. Privacy Law Personal Data is disclosed by or on behalf of Client only for the limited and specified purposes of Ontic providing the Services to Client pursuant to the terms of the Agreement. Each party agrees to comply with all applicable obligations under U.S. Privacy Laws and shall provide the same level of privacy protection to U.S. Privacy Law Personal Data as required by U.S. Privacy Laws.

(b) Ontic will not Sell or Share any U.S. Privacy Law Personal Data it Collects pursuant to the Agreement.

(c) Ontic agrees not to retain, use or disclose U.S. Privacy Law Personal Data Collected pursuant to the Agreement for any commercial purpose other than for the Business Purposes specified in the Agreement or as otherwise permitted by U.S. Privacy Laws.

(d) Ontic will not retain, use or disclose U.S. Privacy Law Personal Data Collected pursuant to the Agreement outside of the direct business relationship between Ontic and Client, unless expressly permitted by U.S. Privacy Laws.

(e) Client shall have the right to take reasonable and appropriate steps to help ensure that Ontic uses the U.S. Privacy Law Personal Data Collected pursuant to the Agreement in a manner consistent with its obligations under U.S. Privacy Laws.

(f) Ontic shall notify Client if it makes a determination that it can no longer meet its obligations under U.S. Privacy Laws. Upon such notice, Client may take reasonable and appropriate steps to stop and remediate unauthorized use of U.S. Privacy Law Personal Data in Ontic’s possession or control.

(g) Ontic will enable Client to comply with Consumer requests made pursuant to U.S. Privacy Laws. Client will inform Ontic of any Consumer request it receives pursuant to the U.S. Privacy Laws that Ontic must comply with and provide information necessary for Ontic to comply with the request. If Ontic receives a request to know or a request to delete from a Consumer with respect to U.S. Privacy Law Personal Data, Ontic shall either act on behalf of Client in responding to the request or inform the Consumer that the request cannot be acted upon because the request has been sent to a Service Provider.

(h) Notwithstanding the foregoing, as permitted under U.S. Privacy Laws, Ontic may retain, use or disclose U.S. Privacy Law Personal Data Collected pursuant to the Agreement: (i) for the specific Business Purpose(s) set forth in the Agreement, as required by U.S. Privacy Laws; (ii) to retain and employ another service provider or contractor as a subcontractor, where the subcontractor meets the requirements for a Service Provider under U.S. Privacy Laws; (iii) for internal use by Ontic to build or improve the quality of the services it provides to Client, even if this Business Purpose is not specified in the Agreement, provided that Ontic does not use the U.S. Privacy Law Personal Data to perform services on behalf of another person; (iv) to prevent, detect or investigate data security incidents or protect against malicious, deceptive, fraudulent or illegal activity, even if this Business Purpose is not specified in the Agreement; or (v) for the other purposes enumerated in U.S. Privacy Laws.

13. Liability

Each Party’s (and each of its Affiliate’s) liability taken together in the aggregate, arising out of or related to this DPA, including any annexes attached hereto or clauses referenced herein, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the Agreement, except to the extent such liability cannot be limited under Applicable Data Protection Law.

14. Term and Termination

Unless earlier terminated as provided herein, this DPA shall terminate automatically together with termination or expiry of the Agreement. 

ANNEX 1A

PROCESSING DETAILS

Information of the Parties

Data exporters and data importers:

  • Name: The Client entity identified in the Agreement or on an applicable Order Form or SOW.
    • Address: The Client’s address specified on the Order Form or SOW. 
    • Client’s Contact person’s name, position, and contact details:
      • Name: _____________________ 
      • Position: ___________________
      • Email: _____________________
    • Activities relevant to the data transferred under the Standard Contractual Clauses: Client, as data exporter (and, for transfers back to it, data importer), is a client of Ontic, as data importer (and, for transfers back to Client, data exporter), and uses Ontic’s services as described in more detail in the Agreement.
    • Role (controller/processor):  Controller.
  • Name: Ontic Technologies, Inc.
    • Address: 4009 Marathon Blvd., Austin, Texas 78756.
    • Ontic’s Contact person’s name, position, and contact details:  Scott Shepherd, Chief Legal Officer, legal@ontic.com. 
    • Activities relevant to the data transferred under these Clauses: Ontic, as data importer (and, for transfers back to Client, data exporter), provides certain services to Client, as data exporter (and, for transfers back to it, data importer), as described in more detail in the Agreement.
    • Role (controller/processor):  Processor

Categories of data subjects

The Personal Data transferred may include but is not limited to the following categories of Data Subjects:

Individuals about whom data is uploaded to the Services by (or at the direction of) Client or by its Users, Affiliates, and other participants whom Client has granted the right to access the Services in accordance with the provisions of the Agreement.

Categories of personal data

The Personal Data transferred may include but is not limited to the following categories of data: 

Any data uploaded to the Services by (or at the direction of) the Client or by its Users, Affiliates, and other participants whom Client has granted the right to access the Services in accordance with the provisions of the Agreement.

Such data may include, but is not limited to: 

  • Name
  • Image
  • Address
  • Phone Numbers
  • Social Media Handles
  • Birth Dates
  • Social Security Number
  • Driver’s License Number
  • Education Information
  • Professional/Employment Information

Sensitive data transferred (if applicable) and applied restrictions or safeguards:  

Special categories of data, if any, may be uploaded to the Services, by (or at the direction of) Client or by its Users, Affiliates, and other participants whom Client has granted the right to access the Services in accordance with the provisions of the Agreement, in compliance with Applicable Law, and may include, but is not limited to: 

  • Race or Ethnic Origin 
  • Political Opinions 
  • Religious or Philosophical Beliefs 
  • Trade-Union Membership 
  • Sex Life; Sexual Orientation

Frequency of the transfer

At Client’s discretion in using the Services during the term of the Agreement.

Nature of the processing:  

Client Personal Data transferred will be processed in accordance with the Agreement, any applicable Order Form or SOW, and may be subject to the following basic processing activities:

  1. Client Personal Data will be processed to the extent necessary to provide the Services in accordance with both the Agreement and the data exporter’s instructions.
  2. Technical support, issue diagnosis, security scans, and error correction to ensure the efficient and proper running of the systems and to identify, analyze and resolve technical issues both generally in the provision of the Services and specifically in answer to a data exporter query.
  3. Disclosures in accordance with the Agreement, as compelled by Applicable Data Protection Laws.

Purpose(s) of the data transfer and further processing

Personal Data is processed for the purposes of providing the Services in accordance with the Agreement and any applicable Order Form or SOW.

Period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:  

Personal Data will be retained and deleted in accordance with Section 11 of this DPA.

ANNEX 1B

COMPETENT SUPERVISORY AUTHORITY

Where the Client, as the data exporter, is established in an EU Member State, the supervisory authority responsible for ensuring compliance by the data exporter with Regulation (EU) 2016/679 regarding the data transfer shall act as the competent supervisory authority.

Where the Client as the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.

Where the Client as the data exporter is not established in an EU Member State but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located shall act as competent supervisory authority.

ANNEX 2

SECURITY MEASURES

Ontic as the data importer has implemented and will maintain the following technical and organizational security measures:

Safeguards – Ontic has appropriate safeguards designed to protect Client Personal Data consistent with accepted industry practices and ensures that such safeguards comply with Applicable Data Protection Laws, the Agreement, and the DPA. 

These safeguards include: 

(a) secure facilities, data centers, paper files, servers, backup systems, and computing equipment including mobile devices and other equipment with information storage capability; 
(b) network, device application, database, and platform security; 
(c) secure transmission, storage, and disposal; 
(d) authentication and access controls within applications, operating systems, and equipment; 
(e) logging access and retention of such access control logs according to Ontic’s retention policies; 
(f) encryption of Client Personal Data at rest; 
(g) encryption of Client Personal Data in transit; 
(h) separation of Client Personal Data from information of Ontic’s other clients; 
(i) personnel security, including background checks consistent with Applicable Data Protection Law; 
(j) annual penetration testing and more frequent vulnerability scans – Ontic will promptly implement a corrective action plan to correct material issues identified; and 
(k) limiting access to Client Personal Data and providing privacy and information security training to Ontic’s employees (bound in writing by obligations of confidentiality in accordance with the terms of the Agreement and the DPA).

Malicious Code. Ontic will not introduce to Client’s systems or devices or use any software or code that contains Malicious Code designed to: 

(a) permit unauthorized access to Client’s systems or devices; or
(b) disable, erase, or otherwise harm software, hardware, or data owned or controlled by Client.

Business Continuity Plan. Ontic has developed a disaster recovery and business continuity plan (“DRBC Plan”) which includes: 

(a) documentation of applicable business processes, procedures, and responsibilities; 
(b) back-up methodology; 
(c) identification of disaster recovery scenarios and service level agreements for service recovery; 
(d) responsibilities of Sub-Processors in the event of a disaster; 
(e) a communications strategy; and 
(f) procedures for reverting to normal service. 

The DRBC Plan is reviewed annually and tested as appropriate. Ontic ensures it is able to implement the DRBC Plan at any time in accordance with its terms.

ANNEX 3

LIST OF SUBPROCESSORS

The Client as the data exporter has authorized the use of the Sub-Processors set forth below: 

Amazon Web Services or Google Cloud Services (depending on Client selection)
Cloudflare, Inc.
Rapid7
Auth0/Okta
Workato
Pusher