CLIENT / HUMAN SECURITY, INC. DATA PROCESSING ADDENDUM
HUMAN Security, INC.
| “CLIENT” | As defined in the Agreement between Client and HUMAN. Notices to be provided Attn: Legal. Notices of Incidents to be provided to: Business Contact listed in accompanying Order Form |
| “HUMAN” | Human Security, Inc., a Delaware corporation, 841 Broadway, 2nd Floor, New York, NY 10003. Notices to be provided Attn: General Counsel. Notices of Incidents to be provided to: privacy@humansecurity.com and legal@humansecurity.com |
This Data Processing Addendum (“DPA”) (including its appendices) is made by and between Client and HUMAN (each a “Party”; collectively the “Parties”) and entered into as of the Effective Date of the Agreement (as defined below) for the purpose of governing the Processing by HUMAN of Personal Data (both as defined below) on behalf of Client pursuant to the Subscription Agreement entered into between HUMAN and Client (the “Agreement”). This DPA is incorporated into and made subject to the terms of the Agreement. In the event of a conflict between the terms of this DPA and the terms of the Agreement, the terms of the DPA shall prevail. In case of a conflict or inconsistency between the operative provisions in this DPA and the Standard Contractual Clauses in Appendix 3, if applicable, the Standard Contractual Clauses shall supersede and take precedence. Capitalized terms used, but not defined herein, shall have the meaning as defined in the Agreement.
In the event of a conflict in the meanings of defined terms in the Applicable Laws, the meaning from the law applicable to the Processing of Personal Data of the relevant Data Subject applies.
5. Security Breach Procedures
6. Attestations or Certifications. Upon the request of Client, no more than once per year, HUMAN shall provide a copy of its current attestation of compliance to any industry or compliance standards maintained by HUMAN. The reports, information, attestations and certifications provided to Client pursuant to this Section shall be HUMAN’s confidential information under the Agreement.
7. Audit Rights. Client shall have the right, upon prior written notice, to monitor HUMAN’s compliance with this DPA through reasonable and appropriate steps, including an annual audit which may include manual reviews, automated scans, internal or third-party assessments, or other technical and operational testing. HUMAN shall cooperate with any such audit initiated by Client, provided that such audit will not unreasonably interfere with the normal conduct of HUMAN’s business. Unless the audit reveals a breach by HUMAN of this DPA or Applicable Laws, Client shall bear the costs of the audit.
8. Deletion of Personal Data. At any time during the term of the Agreement, at Client’s written request or upon the termination or expiration of the Agreement for any reason, HUMAN shall, and shall instruct all Authorized Persons to, promptly and securely dispose of all copies of Personal Data unless the applicable law requires continued storage of all or portions of the Personal Data. Notwithstanding the foregoing, to the extent it is not commercially reasonable for HUMAN to remove Personal Data from archive or other backup media, HUMAN may retain Personal Data on such media in accordance with its backup or other disaster recovery procedures. In the event HUMAN retains Personal Data after the term of the Agreement, HUMAN shall continue to comply with the confidentiality and privacy obligations hereunder until it is no longer in possession of Personal Data.
9. Data Transfers. HUMAN may, subject to this Section 9, process the relevant Client Data anywhere HUMAN or its Sub-Processors maintain facilities or have a point of presence. With regard to Personal Data of a Data Subject in the EEA or United Kingdom, Client authorizes HUMAN to transfer Personal Data from the EEA and/or the United Kingdom to the United States through the protections provided by the Standard Contractual Clauses, herein incorporated by reference in accordance with Appendix 3. HUMAN will ensure that any Sub-Processor agrees to comply with the appropriate Standard Contractual Clauses. Both Parties shall ensure compliance with the Standard Contractual Clauses as set out at Appendix 3. In connection with the use of the Standard Contractual Clauses, the Parties further agree and acknowledge that: (i) sections of this DPA addressing the same or similar subject matter as the Standard Contractual Clauses may be used to satisfy the applicable requirements of the Standard Contractual Clauses; and (ii) if required, the Parties shall sign a copy of the Standard Contractual Clauses and take such further action as is required by Applicable Laws to ensure that the Standard Contractual Clauses are legally valid. Where HUMAN’s Processing of Personal Data requires an onward transfer mechanism to lawfully transfer Personal Data from one jurisdiction to another, HUMAN will enter into the appropriate Standard Contractual Clauses or, at HUMAN’s election, HUMAN will offer and comply with another mechanism that enables the lawful transfer of Personal Data to a third country in accordance with Article 45 or 46 of the GDPR.
10. Sub-Processors. Subject to Section 11, HUMAN may engage third-party Sub-Processors in connection with the provision of the Services provided that, before the Sub-Processor first Processes Personal Data, HUMAN: (a) enters into a written agreement with the Sub-Processor on terms at least as protective as those set out in this DPA as well as to comply with Applicable Laws, and (b) carries out adequate due diligence to ensure the Sub-Processor is capable of providing the level of protection for Personal Data required by this DPA. HUMAN shall provide Client with a current list of the Sub-Processors that HUMAN has engaged in connection with the provision of Services upon Client’s request. HUMAN shall provide to Client written notice of any change to the list of Sub-Processors at least thirty (30) days prior to the date the change takes effect.
11. Right to Object. Client hereby grants HUMAN general written authorization to engage Sub-Processors in connection with the provision of the Services. HUMAN shall give Client notice of the appointment of any new Sub-Processor through Client’s account dashboard. If Client reasonably objects in writing to the use of a new Sub-Processor within forty-eight (48) hours of the notice date, then the Parties shall use good faith efforts to find a reasonable replacement in a mutually agreeable manner.
12. Client Instructions. Client acknowledges that HUMAN is reliant on Client for direction concerning the extent to which HUMAN may Process Personal Data on behalf of Client in performance of the Services. HUMAN shall not be liable under the Agreement for any claim or complaint brought by a Data Subject, Consumer or Regulatory Authority arising from any action or omission by HUMAN, to the extent that such action or omission results from Client’s instructions or failure to comply with its obligations under Applicable Laws.
13. Dispute. Governing Law. The Parties hereby submit to the choice of law and choice of venue and jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; provided, however, that with respect to any disputes under the GDPR only, the Parties agree that this DPA shall be governed by the laws of Ireland.
14. Compelled Disclosures. Any disclosure by HUMAN or its representatives of any of the Personal Data pursuant to applicable federal, state, or local law, regulation, or valid order issued by a court or governmental agency of competent jurisdiction (a “Legal Order”) will be subject to the terms of this paragraph. Prior to making such a disclosure, HUMAN shall, to the extent permitted under the Legal Order, provide Client with: (a) prompt written notice of such requirement so that Client may seek, at its sole cost and expense, a protective order or other remedy; and (b) reasonable assistance, at Client’s sole cost and expense, in opposing such disclosure or seeking a protective order or other limitations on disclosure. If, after providing such notice and assistance as required herein, HUMAN remains subject to a Legal Order to disclose any Personal Data, HUMAN shall make reasonable efforts to disclose no more than the portion of Personal Data which such Legal Order specifically requires HUMAN to disclose.
15. Liability. The liability of each Party under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement. Any reference to any “limitation of liability” of a Party in the Agreement shall be interpreted to mean the aggregate liability of a Party under the Agreement and this DPA.
Appendix 1 – Details of the Parties and Processing
A. List of Parties
Data exporter(s): the Client designated in the Agreement entered into with Human Security, Inc.
Name and Address: As indicated in the Agreement
Activities relevant to the data transferred under the SCCs and this DPA: use of the Services in accordance with the Agreement.
Signature and Date: This Appendix 1 shall be deemed executed upon execution of the DPA.
Role: Data exporter’s role is set forth in Section 2.1 of the DPA.
Data importer(s):
Name: Human Security, Inc. (“HUMAN”)
Address: 841 Broadway, New York, New York 10003
Contact person’s name, position, and contact details: legal@humansecurity.com; privacy@humansecurity.com
Signature and Date: This Appendix 1 shall be deemed executed upon execution of the DPA.
Role: Processor
B. Description of Processing and Transfer
The categories of Data Subject to whom the Personal Data relates
Data Subjects include the identified or identifiable individuals contained in data submitted to the Services by Client, including end users who access or use Client Properties.
Categories of Personal Data Processed and transferred
HUMAN Processes the limited Personal Data HUMAN needs to perform the particular Services, as instructed and/or authorized by Client.
Dependent on the Services and as advised by the Client, HUMAN may Process the following types of Client Personal Data:
IP address and other online identifiers (e.g., user ID, cookie ID); device identifiers (e.g., device ID, mobile ID); geolocation; account credentials (e.g., registration date); log-in credentials (e.g., username, password); name; phone number; and email address.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
HUMAN does not collect “sensitive categories” of Personal Data as such term is defined by EU GDPR.
The frequency of the Processing and transfer (e.g. whether the data is transferred on a one-off or continuous basis).
HUMAN will Process Personal Data to the extent necessary to perform the Services pursuant to the Agreement and as further instructed by Client in writing and as otherwise permitted by the Agreement and the DPA.
The nature and purpose of the Processing
HUMAN will Process Personal Data to provide the Services in accordance with the Agreement and the DPA.
Purpose(s) of the data transfer and further Processing
HUMAN will Process Personal Data to provide the Services in accordance with the Agreement and the DPA.
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period
The duration of the Processing of the Personal Data is set out in the Agreement and this DPA. Personal Data is deleted based on the terms of the Agreement and this DPA, legal requirements related to data storage and if Personal Data is no longer needed to perform the Services and there is no lawful reason to keep it.
The obligations and rights of Client
The obligations and rights of Client are set out in the Agreement and this DPA.
C. Sub-Processors
HUMAN uses certain Sub-Processors to support its data processing activities on behalf of HUMAN’s Clients. Depending on the nature and scope of the Services, not all the listed Sub-Processors would be involved in each processing activity. Please visit https://www.humansecurity.com/subprocessors-list for the current list of sub-processors.
HUMAN may update this list from time to time in accordance with the terms of the DPA.
D. Competent Supervisory Authority
Identify the competent supervisory authority/ies in accordance with Clause 13
For the EEA Standard Contractual Clauses, the competent supervisory authority is determined in accordance with Clause 13 of the EEA SCCs.
For the UK Standard Contractual Clauses, the competent supervisory authority is the UK Information Commissioner’s Office.
Appendix 2 – Technical and Operational Measures
DATA SECURITY
This Data Security Appendix is made a part of the attached DPA between Client and HUMAN. The Agreement and DPA, including without limitation this Data Security Appendix, reflects the Parties’ agreement with regard to the Processing and safeguarding of Personal Data.
Implementation of the provisions of this Appendix by HUMAN shall be consistent with industry standards, where applicable. Unless otherwise stated, capitalized terms in this Appendix shall have the meanings set forth in the Agreement or DPA.
1. Organizational Security Measures.
1.1. Point of Contact. HUMAN shall appoint a representative to act as a point of contact for the Client with respect to this Data Security Appendix. The representative shall be responsible for ensuring HUMAN’s compliance with this Data Security Appendix.
1.2. Security Program. HUMAN has developed and implemented, and will regularly update and maintain as appropriate and needed: (a) a written and comprehensive information security program in compliance with Applicable Laws; and (b) reasonable policies and procedures designed to detect, prevent, and mitigate the risk of data security breaches or identity theft (“Security Program”). Specifically, such Security Program shall include, at a minimum and in addition to the items contained in Section 2 below:
1.2.1. A disaster recovery/business continuity plan that addresses ongoing access, maintenance and storage of Personal Data as well as security needs for backup sites and alternate communication networks.
1.2.2. Secure transmission and storage of Personal Data.
1.2.3. Personnel security and integrity, including background checks where consistent with applicable law.
1.2.4. Annual training to HUMAN’s employees on how to comply with HUMAN’s physical, technical, and administrative information security safeguards and confidentiality obligations under Applicable Laws.
1.2.5. Quarterly review of authentication and access control mechanisms over Personal Data, media, applications, operating systems and equipment.
1.2.6. Data retention and destruction procedures in accordance with Section 8 of the DPA.
1.3. Training. HUMAN shall provide training to its Authorized Persons to ensure their treatment of the Personal Data is in accordance with the DPA, including this Data Security Appendix. HUMAN shall provide such training to Authorized Persons before they are allowed access to Personal Data and no less than annually thereafter. Such training shall be consistent with industry standards. Upon reasonable notice from Client, HUMAN will provide Client with summaries or copies of HUMAN’s relevant training program.
1.4. Access. HUMAN shall limit disclosure of and access to Personal Data to only those Authorized Persons who have a business need to access such Personal Data in order to provide the Services to Client and/or to fulfill the purposes of the Agreement. HUMAN shall establish, maintain, and enforce the security principles of “segregation of duties” and “least privileged access” with respect to all Personal Data. HUMAN shall reasonably update all access rights based on personnel or computer system changes, and shall periodically review all access rights at an appropriate frequency to ensure current access rights to Personal Data are appropriate and no greater than are required for an individual to perform his or her functions necessary to deliver the Services to Client and/or to fulfill the purposes of the Agreement. HUMAN shall verify all access rights through effective authentication methods.
1.5. Background Investigations of Personnel. As permitted by law, HUMAN agrees that any employees of HUMAN or of any subcontractor who either are directly providing the Services under the Agreement and/or who have access to Personal Data shall have passed a background check. Each background check shall include the following minimum review: identity verification (utilizing Social Security numbers or other state/national ID number) and a criminal history check. Background checks must be performed by a member of the National Association of Professional Background Screeners or a competent, industry-recognized Client with the same level of professionalism within HUMAN’s jurisdiction.
2. Physical and Technical Security Measures.
2.1. Server Location. During the term of the Agreement, Personal Data shall at all times be hosted on servers that are physically located in the United States, unless otherwise agreed in writing by the Parties. HUMAN shall comply with and provide Client with commercially reasonable assistance to comply with Applicable Laws in the country to which and from which Personal Data will be transferred.
2.2. Network Configuration, Access Control and Limiting Remote Access. HUMAN shall secure its computer networks by using and maintaining appropriate firewall and security screening technology that is designed to prevent unauthorized access. HUMAN ensures that the following network security controls are in place: (a) firewall platforms are hardened and have real-time logging and alerting capabilities, (b) intrusion detection and prevention systems are in place and maintained at the perimeter and on critical server systems, (c) access lists are implemented on network routers to restrict access to sensitive internal networks or servers, (d) remote access requires two-factor authentication and occurs over an encrypted tunnel (e.g., IPsec, SSL VPN), and (e) systems servicing Client are segregated from other network zones logically and physically, including DMZ, production databases, back office, and software development areas. HUMAN shall secure access to and from its systems by disabling remote communications at the operating system level if no business need exists and/or by tightly controlling access through management approvals, robust controls, logging, and monitoring of access events and subsequent audits. HUMAN shall identify computer systems and applications that warrant security event monitoring and logging, and reasonably maintain and analyze log files. HUMAN ensures that privileged accounts (administrator, super user, etc.) will be controlled and reviewed on at least an annual basis. HUMAN enforces a process to control and manage user accounts upon termination of employment or change in role within 24 hours of such termination or change.
2.3. Encryption. HUMAN shall use best efforts to encrypt all Personal Data in its possession, custody or control while at rest and in transit. For the avoidance of doubt, “encryption” shall be deployed using PGP or another industry best-practice key-based encryption protocol. HUMAN will work with Client to test HUMAN’s ability to deliver the data in an encrypted form to Client.
2.4. Third Party Data Centers. Where applicable, HUMAN using a third party data center to host the Services shall ensure that (a) all application and database servers are physically isolated within the data center and secured from unauthorized physical access, (b) physical and network access is limited to HUMAN’s Authorized Persons, and (c) Personal Data remains logically segregated from other data stored in any shared environment at all times and that use of any shared environment does not compromise the security, integrity, or confidentiality of Personal Data.
2.5. Security Patches. HUMAN shall use commercially reasonable efforts to deploy all applicable and necessary system security patches to all software and systems that process, store, or otherwise support the Services, including operating system, application software, database software, web server software within industry best practices and in accordance with its information security policies.
2.6. Protection Against Malicious Software. HUMAN shall use commercially reasonable efforts to protect its own information technology against malicious code and ensure that its connection to the Internet and for any other platform or network running the Services is secure, and shall in accordance with industry standards and its own information security practices, acquire and implement new technology, including monitoring hardware and software, as the technology becomes available and is proven stable, in HUMAN’s reasonable discretion, to ensure a secure and stable environment.
2.7. Vulnerability Testing. Prior to providing any code, hosting services, or network connectivity to Client, HUMAN must perform and be able to show proof that external penetration testing has been completed and that any reported vulnerabilities have been remediated. Proof includes the external pen test report or cover letter. For software, this includes tests for security vulnerabilities that are a part of the OWASP Top 10 or SANS Top 25. HUMAN will promptly address, prioritize and correct security vulnerabilities identified in a vulnerability test or report.
2.8. Life Cycle Development. HUMAN shall implement and maintain a secure software development life cycle for all applications which integrate with Client’s environment or are developed on Client’s behalf. HUMAN will observe all industry standard application security guidelines, such as those of the Open Web Application Security Project (OWASP). HUMAN will ensure that (a) regular reviews of application source code occur, (b) developers receive detailed coding and design training in application security, (c) development, testing, production and operational facilities are separated to reduce the risk of unauthorized access or changes to the production and operational systems and Personal Data, (d) software developers are restricted from accessing the production environment unless a particular access request is reviewed and approved, and (e) data masking functionality is implemented in relation to software processing any financial related Personal Data (including payment card and banking information).
2.9. System Change Control. HUMAN will use commercially reasonable efforts to ensure that change control procedures are documented and maintained and detail why the change was required, how and why changes were executed and include an emergency change process. The change control process includes considering security control requirements, implementing them where necessary and testing these changes prior to implementation. HUMAN will notify the Client of any upgrades or configuration changes which may impact the security of Personal Data.
3. Security Reviews by Client.
3.1. Internal Audits. Upon Client’s written request, HUMAN shall provide Client, at HUMAN’s expense, with the results of the most recent data security compliance reports or any audit performed by or on behalf of HUMAN that assesses the effectiveness of the information security program, system(s), internal controls, and procedures relating to the Services of HUMAN and of any relevant third parties performing services on HUMAN’s behalf (e.g., SSAE 16 SOC 1 or other) as relevant to the security and confidentiality of Personal Data, including any report summarizing any control issues and associated corrective action plans and any management responses. Such reports shall be of sufficient scope and in sufficient detail as may reasonably be required by Client to provide reasonable assurance that any material inadequacies would be disclosed by such examination, and, if there are no such inadequacies, the reports shall so state.
4. Noncompliance.
HUMAN will not knowingly materially lessen the security of any system used to collect, use, disclose, store, retain or otherwise Process Personal Data during the term of the Agreement. In the event that HUMAN determines it is unable to comply with the obligations stated in the DPA or this Data Security Appendix, HUMAN shall promptly notify Client, and Client may take any one or more of the following actions: (a) suspend the transfer of Personal Data to HUMAN; (b) require HUMAN to cease Processing Personal Data; (c) demand the return or destruction of Personal Data; or (d) immediately terminate this Agreement.
5. External Communication of Internal Controls.
HUMAN communicates its security and availability commitments regarding its products and Services to external users via its Service Terms, Privacy Policy and documentation, which are posted on its website. Client usage and external roles and responsibilities are communicated via several mediums, including the Subscription Agreement, Privacy Policy and documentation. Support contact information is readily available to Clients through HUMAN’s website and other Client provided documentation. Clients and users are encouraged to contact appropriate personnel if they become aware of items such as operational or security failures, Incidents, systems problems, concerns or other complaints.
Appendix 3 – Cross Border Transfer Mechanism