Data Processing Addendum (“DPA”)

Part 1

  1. The following capitalized terms used in this Part 1 of the DPA but not defined in the DPA or in the Agreement have the meaning ascribed to them in Cal. Civ. Code §1798.140: “Business”, “Consumer”, “Collect”, “Personal Information”, “Sell”, “Share”, “Business Purpose”, and “Service Provider”.
  2. Definitions.
    1. CPRA means the California Consumer Privacy Act as amended by the California Privacy Rights Act, Cal. Civ. Code §1798.100 et seq. and the regulations at 11 C.C.R. §7000 et seq.
  3. This Part 1 applies only where Pairzon is Processing Personal Information as a Service Provider on behalf of the Customer and under the Customer’s instructions, where the Customer is a Business subject to the CPRA with respect to the Personal Information that Pairzon Processes. It does not apply to Pairzon’s Processing of Personal Information of Customer’s representatives to market or promote its products, to administer the business or contractual relationship between Pairzon and the Customer or in other instances where Pairzon operates as the Business.
  4. The Customer is disclosing the Personal Information to Pairzon only for one or more of the following limited and specified Business Purposes: (A) operating the Product in the software-as-a-service deployment model, which involves processing personal data in the course of data hosting; (B) providing technical support for the Product.
  5. Pairzon commits to refrain from Selling or Sharing any Personal Information. Pairzon is prohibited from retaining, using, or disclosing the Personal Information that it Collects pursuant to the Agreement for any commercial purpose other than the foregoing Business Purposes, unless expressly permitted by the CPRA. Additionally, Pairzon is prohibited from retaining, using, or disclosing the Personal Information that it Collects pursuant to the Agreement outside the direct business relationship between Customer and Pairzon, unless expressly permitted by the CPRA.
  6. Pairzon shall comply with all applicable sections of the CPRA and shall provide, with respect to Personal Information it Collects pursuant to the Agreement, the same level of privacy protection as required of Businesses by the CPRA as specified in Sections 8 and 9 below.
  7. Pairzon grants Customer the right to take reasonable and appropriate steps to ensure that Pairzon uses the Personal Information it Collects pursuant to this Agreement in a manner consistent with Pairzon’s obligations under the CPRA. If required by Pairzon’s obligations under the CPRA, Pairzon shall grant Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate Pairzon’s unauthorized use of Personal Information.
  8. Pairzon must promptly notify Customer once it makes a determination that it can no longer meet its obligations under the CPRA.
  9. Pairzon shall cooperate with the Customer in responding to and complying with Consumers’ requests made pursuant to the CPRA.
  10. Pairzon shall implement reasonable security procedures and practices appropriate to the nature of the Personal Information to protect it from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Cal. Civ. Code §1798.81.5. Pairzon shall perform regular internal or third-party assessments, audits, or other technical and operational testing of its security procedures and practices at least once every 12 months.
  11. Pairzon shall take all steps reasonably necessary to ensure that the individuals who may have access to Personal Information (i) are informed of the confidential nature of Personal Information; and (ii) are subject to confidentiality undertakings or appropriate statutory obligations of confidentiality.

Part 2

  1. Capitalized terms used in this Part 2 of the DPA but not defined in the DPA or in the Agreement have the meaning ascribed to them in Regulation (EU) 2016/679 (GDPR).
  2. This Part 2 applies only where Pairzon is Processing Personal Data as a Processor on behalf of the Customer and under the Customer’s instructions, where the Customer is a Controller subject to the GDPR with respect to the Personal Data that Pairzon Processes. It does not apply to Pairzon’s Processing of Personal Data of Customer’s representatives to market or promote its products, to administer the business or contractual relationship between Pairzon and the Customer or in other instances where Pairzon operates as the Controller.
  3. Where no other more appropriate transfer mechanism set out in the applicable privacy and data protection laws for the transfer of Personal Data outside the European Union and the European Economic Area (“Third Country”/“Third Countries”) applies (e.g., an adequacy decision by the European Commission), transfers of Personal Data from the Controller to the Processor shall be governed by and be subject to the provisions of the data transfer agreement included in Sections 4 through 7 below (“Data Transfer Agreement”). If any new transfer mechanism permitting the transfer of Personal Data to Third Countries (e.g., an adequacy decision by the European Commission) becomes available and is applicable, such mechanism shall replace the Standard Contractual Clauses of the Data Transfer Agreement.
  4. Subject to the provisions of Section 3 above, Pairzon and the Customer hereby assent to the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, under its MODULE TWO, as follows:
    1. In Section I, Clause 7 shall not apply.
    2. In Section II (Obligations of the Parties), Clause 9(a) for MODULE TWO: Transfer controller to processor: The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least ten (10) days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s).
    3. In Section II (Obligations of the Parties), Clause 11(a) for MODULE TWO: the option shall not apply.
    4. In Section IV (Final Provisions), Clause 17 for MODULE TWO: Transfer controller to processor: The Parties agree that this shall be the law of Ireland.
    5. In Section IV (Final Provisions), Clause 18(b) for MODULE TWO: Transfer controller to processor: The Parties agree that those shall be the courts of Ireland.
    6. In Annex I, for MODULE TWO: Transfer controller to processor:
      • Data Exporter: The Customer identified in the Agreement.
        • Activities relevant to the data transferred under these Clauses in one or more of these scenarios, which involve the provision of Personal Data to the data importer, including transfers outside of the European Economic Area: (A) using the Product in a software-as-a-service deployment model (“SaaS Services”), which involves processing Personal Data in the course of data hosting; (B) seeking technical support for the Product; and (C) seeking professional services which involve processing Personal Data in the course of performing the services.
        • Role: controller.
      • Data Importer: Pairzon Inc.
        • Activities relevant to the data transferred under these Clauses in one or more of these scenarios, which involve the receipt of Personal Data from the data exporter, including through transfers to the data importer outside of the European Economic Area: (A) operating the Product in the software-as-a-service deployment model, which involves processing Personal Data in the course of data hosting; (B) providing technical support for the Product; and (C) providing professional services which involve processing Personal Data in the course of performing the services.
        • Role: processor.
      • Description of Transfer:
        • Categories of data subjects whose Personal Data is transferred: Data exporter’s customers.
        • Categories of Personal Data transferred: name, email address, mobile number, transactional data, such as: purchase list, information related to online purchase activity, details of membership in membership clubs, location of purchase, payment method, sum(s) of purchase, etc., and automatic-passive information and meta-data, such as IP address, operating system, user/device id, geographic location information and type of device used.
        • Sensitive data transferred: None.
        • The frequency of the transfer: (A) Continuous in case of Product deployment in a software-as-a-service model; (B) At discrete eventualities of technical support requests and provisions of professional services.
        • Nature of the processing: Recording, storage, consultation, use, disclosure by transmission and erasure, as necessary to store the Personal Data and provide technical support for the Product.
        • Purpose(s) of the data transfer and further processing: (A) Data hosting, in case of Product deployment in a software-as-a-service model; (B) provision of technical support for the Product or SaaS Services; and (C) provision of professional services.
        • The period for which the Personal Data will be retained: (A) For the duration of the Agreement and for thirty (30) days after the termination or expiration of the Agreement, in case of Product deployment in a software-as-a-service model or professional services; (B) For the duration of technical support request assignments.
        • Transfers to (sub-)processors:
          • Name: Amazon Web Services. Subject matter/nature: Cloud infrastructure. Duration: For the duration of the Agreement and for thirty (30) days after the termination or expiration of the Agreement in case of Product deployment in a software-as-a-service model or professional services; for the duration of technical support requests.
          • Name: Google Cloud. Subject matter/nature: Cloud infrastructure. Duration: For the duration of the Agreement and for thirty (30) days after the termination or expiration of the Agreement in case of Product deployment in a software-as-a-service model or professional services; for the duration of technical support requests.
      • Competent Supervisory Authority: the data exporter’s lead supervisory authority pursuant to the GDPR, or if none, then the supervisory authority in the EU member state where the data exporter’s EU establishment is located or the EU member state where the data exporter’s EU representative under Article 27 of the GDPR is located.
    7. In Annex II, for MODULE TWO: Transfer controller to processor:
  • Pseudonymization and encryption of Personal Data
    • All customer data is encrypted using at least AES-256 at rest and in transit.
  • Data Integrity
    • Audit trails are maintained.
    • Pairzon performs Risk-based Validation
    • Pairzon has a Business Continuity Policy.
  • Pairzon relies on SaaS vendors which comply with GDPR standards.
  • Measures in place for assessing and evaluating the effectiveness of technical and organizational measures in order to monitor the security of the processing include:
    • Business Continuity Plan
    • Code Review internally via GitLab.
    • Application Security Testing through an external third party (once every two years)
  • Measures for user identification and authorization
    • OpenVPN (for administrators) and MFA (for BO users) are used for identification and authorization.
  • Measures for the protection of data during transmission
    • Data communication between our cloud-based systems and Pairzon laptops is encrypted using TLS 1.2 (or better) over HTTPS.
  • Measures for the protection of data during storage
    • Backups are encrypted using encryption at the hardware and infrastructure layer.
    • The Pairzon laptop hard drives are encrypted using BitLocker.
  • Measures for ensuring physical security of locations at which Personal Data are processed
    • If applicable, Personal Data is processed by the Customer at the Customer’s data center (when using Pairzon Products on an on-prem basis).
    • For Personal Data that is provided to Pairzon, Pairzon relies on the physical security measures of its cloud service providers, AWS and Google Cloud, which adhere to security controls for ISO 27001, ISO 27018, SOC 1, SOC 2, SOC 3, FedRAMP, HITRUST, MTCS, IRAP, and ENS.
  • Measures for ensuring events logging
    • Logging is standard on all Pairzon products, as well as on endpoints and within every one of our SaaS vendors.
  • Measures for ensuring system configuration, including default configuration
    • Pairzon’s SDLC ensures a standard configuration inside our products.
  • Measures for internal IT and IT security governance and management
    • Pairzon maintains a solid IT Governance posture:
      • Clear and well-communicated strategic goals
      • Strong executive sponsorship of the process
      • Defined roles and responsibilities
      • Standardized data and information transparency
  • Measures for ensuring data minimization
    • Pairzon’s products do not collect data beyond what is needed:
      • Personal Data is collected for purposes of provision of services, support, customer relationships and billing.
      • Logs are retained for purposes of forensics, support, data protection and compliance.
  • Measures for ensuring data quality
    • Encryption of data restricts alteration unless specifically entitled by the customer.
  • Measures for ensuring limited data retention
    • Pairzon’s procedures for the disposal of electronic and physical media include destruction of physical media (cross-cut), physical destruction of storage media, and secure wiping of hard drives. For drives that can be reused, proper wiping of the drives is required.
    • Audit trails are not maintained for all disposed-of equipment and media. Pairzon maintains shredders (cross-cut) in each of our facilities. We do not outsource destruction of documents or other media.
  • Measures for ensuring accountability
    • Pairzon requires that all uses of information and information technology resources comply with company policies, standards, procedures, and guidelines, as well as any applicable license agreements and laws including Federal, State, local and intellectual property laws. Unacceptable use includes, but is not limited to, the following: unauthorized use or disclosure of personal, private, sensitive, and/or confidential information.
    • All access to Pairzon assets and data is access-controlled through OpenVPN, and an audit trail is maintained, enabling non-repudiation and accountability.
  • Measures for allowing data portability and ensuring erasure
    • As provided under Pairzon’s Privacy Policy, as in effect from time to time.

  • Customer’s Audit Rights.
    • Upon written request and at no additional cost to Customer, Pairzon shall provide Customer, and/or its appropriately qualified third-party representative (collectively, the “Auditor”), access to reasonably requested documentation evidencing Pairzon’s compliance with its obligations under this DPA in the form of the relevant audits or certifications (“Reports”).
    • If additional audit activities are legally required, the Customer may request inspections conducted by the Customer or an Auditor mandated by the Customer (“On-Site Audit”). Such On-Site Audit is subject to the following conditions: (i) On-Site Audits are limited to Pairzon processing facilities and to personnel involved in the processing activities covered by this DPA; (ii) On-Site Audits shall occur no more than once annually, or as required by applicable data protection law or by a competent supervisory authority, or immediately subsequent to a material personal data breach that affected the Personal Data processed by Pairzon under this DPA; (iii) On-Site Audits may be performed during regular business hours, in a manner that does not substantially disrupt Pairzon’s business operations, in accordance with Pairzon’s security policies, and after reasonable prior notice; and (iv) Customer shall bear any costs arising out of or in connection with the On-Site Audit. Customer shall be obliged to create an audit report summarizing the findings and observations of the On-Site Audit (“On-Site Audit Report”). On-Site Audit Reports as well as Audit Reports are confidential information of Pairzon and shall not be disclosed to third parties unless required by applicable data protection law or with Pairzon’s consent. On-Site Audit Reports as well as Audit Reports shall be provided to Pairzon without undue delay.
    • Prior to any review of Reports or performance of On-Site Audits, the Customer and/or the Auditor may be required to execute a separate confidentiality agreement with Pairzon, and Pairzon may object in writing to such Auditor if, in Pairzon’s reasonable opinion, the Auditor is not suitably qualified, is a competitor of Pairzon or is in a conflict of interest with Pairzon. Any such objection by Pairzon will require Customer to either appoint another Auditor or conduct the On-Site Audit itself.
  • Security Incident Response.
    • If Pairzon becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer’s Personal Data (“Security Incident”), Pairzon shall notify Customer without undue delay, and in any case, where feasible, notify Customer within seventy-two (72) hours after becoming aware. Pairzon shall promptly take reasonable steps to contain, investigate, and mitigate any Security Incident.
    • Unless legally prohibited to do so, Pairzon shall provide Customer timely information about the Security Incident, including, but not limited to, the nature and consequences of the Security Incident, the measures taken and/or proposed by Pairzon to mitigate or contain the Security Incident, the status of Pairzon’s investigation, and a contact point from which additional information may be obtained. Communications by or on behalf of Pairzon with Customer in connection with a Security Incident shall not be construed as an acknowledgment by Pairzon of any fault or liability with respect to the Security Incident.
    • Customer will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Security Incident which directly or indirectly identifies Pairzon (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without Pairzon’s prior written approval, unless, and solely to the extent that, Customer is compelled to do so pursuant to applicable data protection laws. In the latter case, unless prohibited by law, Customer shall provide Pairzon with reasonable prior written notice, to provide Pairzon with the opportunity to object to such disclosure and in any case, Customer will limit the disclosure to the minimum scope required.
  • Cooperation.
    • Pairzon shall, to the extent legally permitted, notify Customer without undue delay, or refer the Data Subject to Customer, if Pairzon receives a request from a Data Subject to exercise their rights (to the extent available to them under applicable law) of access, rectification, restriction of Processing, erasure, data portability, objection to the Processing, the right not to be subject to automated individual decision-making, or the right to opt out of the sale of Personal Data (“Data Subject Request”). Taking into account the nature of the Processing, Pairzon shall assist Customer by appropriate technical and organizational measures, insofar as this is possible and reasonable, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under applicable data protection laws. Pairzon may refer Data Subject Requests received, and the Data Subjects making them, directly to the Customer for its treatment of such requests.
    • If Pairzon receives a demand to retain, disclose, or otherwise Process Customer’s Personal Data from law enforcement or any other government and/or public authority (“Third-Party Demand”), then Pairzon shall attempt to redirect the Third-Party Demand to Customer. Customer agrees that Pairzon can provide information to such third party to the extent reasonably necessary to redirect the Third-Party Demand to Customer. If Pairzon cannot redirect the Third-Party Demand to Customer, then Pairzon shall, to the extent legally permitted to do so, provide Customer reasonable notice of the Third-Party Demand as promptly as feasible under the circumstances to allow Customer to seek a protective order or other appropriate remedy.