Data Protection Addendum   

Version 1.0 (Current) 

Effective Date:  September 3, 2025 

1.0 Introductions

1.1. In this Data Protection Addendum ("DPA"), Sightview Software, LLC and its affiliates (including, but not limited to, iMedicWare, LLC, My Vision Express, LLC, Medflow EHR, LLC, Management Plus EHR, LLC, MD Office, LLC, Sightview MIPS Services, LLC, Sightview RCM, LLC, Sightview EHR Holdings, LLC, and LensOnDemand) will be referred to as "Sightview" and terms like "we", "our", or "us". The Client will be referred to as "you", "your", and "Customer".

1.2. This DPA governs your access to and use of our products and services that link to or reference, or the terms and conditions for which reference, this DPA ("Software and Services"). The Software and Services include, at the relevant time, all of our: 

  1. websites ("Sites"), including Sightview.com;
  2. cloud-based or licensed on-premise electronic health records systems, including our patient portal, regulatory compliance portal, and associated systems such as practice management systems (collectively, "Systems");
  3. application programing interface ("API") or other interfaces; and
  4. other products and services, such as:
    1. implementation, training, and other professional services;
    2. data conversion, data extract, and data delivery services and products;
    3. analytics tools and services;
    4. reminder and other text messages;
    5. self-service user portals, including customer support messaging platforms;
    6. knowledge bases and learning platforms, including educational or training programs;
    7. telehealth and related products and services; and
    8. patient portals ("Patient Portals").

The Software and Services also include everything provided through or as part of the Software and Services, such as all services, software, and Content (as defined below). To be clear, the Software and Services do not include, and Sightview does not provide, any healthcare services. 

1.3. Please read this DPA carefully before you use the Software and Services as they are a legal agreement between Sightview and you once they are accepted. Please also review our Terms of Service and Use and Privacy Policy to learn about our information collection, use, and privacy practices associated with the Services. 

1.4. By clicking "I accept," "Agree," or other similar icon (where applicable), or otherwise by using any of the Software and Services, you accept and agree to be bound by this DPA, including the mandatory arbitration and class action waiver in the Transaction Document (please see Section 1.6.c., below).  If you do not agree with any portion of these Terms, then do not click "I accept," "Agree" or other similar icon and do not use any Software and Services. 

1.5. If you are using the Software and Services on behalf of another person or an entity, then you:  

  1. represent and warrant that you are an authorized representative of that person or entity with the authority to bind that person or entity to this DPA and to take the actions contemplated in this DPA, where applicable, including on behalf of others (who may include your employer, employees, clients, patients, contractors, relatives, wards, or principals); and, 
  2. agree to be bound by this DPA on behalf of that person or entity. References to "You", "Your", and similar terms refer to both you as an individual and, if applicable, such person or entity.

1.6. As may be described in more detail in this DPA and other applicable documents, PLEASE NOTE: 

  1. Sightview does not provide healthcare services. Sightview provides Services to help healthcare providers manage their medical practices, which includes Services that permit patients to interact with their providers. The terms for any healthcare services provided by a provider are as separately agreed upon by the provider and the patient. Sightview is neither a party to nor bound by any such terms.
  2. Limitations on Liability and Claims. This DPA contains important provisions that limit our liability to you and that govern how claims that you and Sightview have against each other may be brought. These provisions will require you to submit claims you have against us to final and binding arbitration and to do so on an individual basis, not as a plaintiff or class member in any purported class or representative action or proceeding.
  3. Transaction Document. You may have signed an Order Form Agreement, Software and Services Agreement, Business Associate Agreement, Master Software License Agreement, Master Service Agreement, Sightview Services and Support Agreement, Automatic Payment Consent Form, or other document with terms and conditions for specified Services ("Transaction Document"). This DPA incorporates the Transaction Documents and serves to supplement the Transaction Document. The terms used in this DPA shall have the meanings set forth in this DPA.  Capitalized terms not otherwise defined herein shall have the meaning given to them in the Transaction Document.
  4. Service-Specific Terms. This DPA contains general terms that apply to all the Services, as well as certain terms that apply only to particular Services ("Service-Specific Terms"). Some Software and Service-Specific Terms are in Appendix A. We also may present to you or post to our Sites additional Software and Service-Specific Terms through the Software and Services that apply to particular features of the Services. To the extent that this DPA conflicts with the Software and Service-Specific Terms, the Software and Service-Specific Terms will control with respect to the Software and Services to which they relate.
  5. Changes to the DPA Terms. We may change the terms of this DPA at any time. Unless we say otherwise, changes will be effective upon the last updated date at the top of this DPA. Please check this DPA regularly to ensure that you are aware of any changes to the terms of the DPA. We may try to notify you of material changes to this DPA, such as by posting a notice directly on the Services, by sending an email notification (if you have provided your email address to us), or by other reasonable methods. In any event, your use of the Services after changes to the terms of this DPA means you have accepted the changes. If you do not agree with the changes, immediately stop using the Services.
  6. Practice Terms and Conditions, Privacy Statements. If you are a patient, your Provider or his or her office may have required you to agree to terms and conditions, privacy statements, or other documents. Those are separate from these Terms. These Terms cover any of the Services you or your Provider use, whereas any terms and conditions, privacy statements, or other documents your Provider or his or her office have presented to you address your Provider's provision of his or her services and his or her office's use and handling of your data and other information.

2.0 EFFECT OF THIS DPA 

In consideration of the mutual obligations set out herein, the Client hereby agrees that the terms and conditions set out below shall be added as an Addendum to the Transaction Document and replace any existing data processing agreement or data protection addendum. Except where the context requires otherwise, references in this DPA to the Transaction Document are to the Transaction Document as amended by, and including, this DPA. 

3.0 DEFINITIONS

In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly: 

  1. "Applicable Data Protection Laws" means, as applicable:
    1. the GDPR;
    2. in respect of the United Kingdom, the GDPR as it forms part of the laws by virtue of section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 ("UK GDPR");
    3. any other national laws implementing or transposing the GDPR; and,
    4. the CCPA;
  2. "CCPA" means the California Consumer Privacy Act of 2018, Cal. Civ. Code 1798.100 et seq., as amended and supplemented by the California Privacy Rights Act of 2020, and their implementing regulations;
  3. "Contracted Processor" means Vendor or a Sub-Processor;
  4. "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;
  5. "Customer Data" means all permitted electronic data stored by Customer or processed through use of the Services but does not include Prohibited Information;
  6. "Customer Personal Data" means any Personal Data Processed by a Contracted Processor on behalf of Customer pursuant to or in connection with the Master Agreement;
  7. "Data Subject" means the identified or identifiable living individual to whom Personal Data relates, or which otherwise constitutes a "consumer" under Applicable Data Protection Laws;
  8. "EEA" means the European Economic Area;
  9. "EU Standard Contractual Clauses" or "EU SCCs" means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries;
  10. "GDPR" means EU General Data Protection Regulation 2016/679;
  11. "Personal Data" means any information relating to an identified or identifiable natural person, or which otherwise constitutes "personal data" or "personal information" under Applicable Data Protection Laws;
  12. "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise processed;
  13. "Processing" or "Process" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  14. "Processor" means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller;
  15. "Restricted Transfer" means: (i) in relation to Customer Personal Data which is subject to the GDPR, a transfer of Customer Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) in relation to Customer Personal Data which is subject to the UK GDPR, a transfer of Customer Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the Data Protection Act 2018; and/or (iii) in relation to Customer Personal Data which is subject to the Swiss Federal Data Protection Act ("Swiss FADP"), a transfer of Customer Personal Data from Switzerland to any other country which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner;
  16. "Services" means the subscription services to be made available to Customer pursuant to the Master Agreement;
  17. "Standard Contractual Clauses" means the EU Standard Contractual Clauses, or the UK Addendum, as applicable;
  18. "Sub-Processor" means any entity appointed by or on behalf of Vendor to Process Customer Personal Data on behalf of Customer in connection with the Master Agreement; and,
  19. "UK Addendum" means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner's Office under section 119A(1) of the UK Data Protection Act 2018, Version B1.0, in force 21 March 2022.

4.0 AUTHORITY

To the extent that the Company processes Customer Personal Data pursuant to the Transaction Document and this DPA, each party acknowledges that, for the purpose of Applicable Data Protection Laws, Client is the Controller of the Customer Personal Data and Company is the Processor. The scope of this DPA shall cover all Customer Personal Data processed by Company that falls within the scope of Applicable Data Protection Laws. To the extent Company Processes Customer Personal Data and such processing is not governed by Applicable Data Protection Laws, Company shall Process such Customer Personal Data in accordance with the obligations of a Processor as set forth in this DPA. 


5.0 PROCESSING OF CUSTOMER PERSONAL DATA

  1. The Company shall:
    1. comply with all Applicable Data Protection Laws in the Processing of Customer Personal Data to the extent applicable to the Company's provision of Software and Services under the Transaction Document;
    2. not Process Customer Personal Data other than pursuant to the Transaction Document, the DPA, or on the Customer’s documented instructions unless Processing is required by applicable laws to which the Company is subject, in which case the Company shall to the extent permitted by applicable laws inform the Customer of that legal requirement before the relevant Processing of that Customer Personal Data; and,
    3. inform Customer if, in its opinion, Customer’s instructions violate Applicable Data Protection Laws.
  2. The Customer:
    1. shall comply with all Applicable Data Protection Laws in its use of the Software and Services of the Company;
    2. acknowledges and agrees that it is solely responsible for the accuracy, quality, and legality of:
      1. the Customer Personal Data; 
      2. the means by which Customer acquired such Customer Personal Data (including without limitation all necessary consent(s) required from Data Subjects); and, 
      3. the instructions it provides to Vendor regarding the Processing of such Customer Personal Data (including without limitation ensuring that it falls within the scope of the consent provided by Data Subjects); 
    3. shall not provide or make available to the Company any Personal Data in violation of the Transaction Document or otherwise inappropriate for the nature of the Software and Services;
    4. to the extent that it is reasonably necessary for the provision of the Software and Services and consistent with the Transaction Document, instructs the Company (and authorizes the Company to instruct each Sub-Processor) to:
      1. Process Customer Personal Data;
      2. Transfer Customer Personal Data to any country or territory; and, 
    5. warrants and represents that it is and will at all relevant times:
      1. Comply with Sections 5.b.i. to 5.b.iii.; and, 
      2. Remain duly and effectively authorized to give the instruction set out in Section 5.b.iv. 
  3. Appendix 1 to this DPA sets out certain information regarding the Processing of Customer Personal Data by the Company.

6.0 PERSONNEL

The Company shall take reasonable steps designed to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Customer Personal Data, in each case limiting access to those individuals who need to know/access the relevant Customer Personal Data, as necessary for the purposes of the Transaction Document, and to comply with Applicable Data Protection Laws in the context of that individual's duties to the Contracted Processor, and subjecting all such individuals to confidentiality undertakings or professional or statutory obligations of confidentiality. 

7.0 SECURITY

The Company will maintain and enforce commercially reasonable physical and logical security methods and procedures to protect Customer Personal Data. The Company will test its systems for potential security vulnerabilities at least annually. The Company will use commercially reasonable efforts to remedy any breach of security or unauthorized access, and reserves the right to suspend access to the Services in the event of a suspected or actual security breach. Customer acknowledges that the services and data transmitted are provided via the Internet, a publicly-available computer network, and that such networks are susceptible to failure, attack and hacking. The Company shall implement appropriate technical and operational measures to ensure a level of security appropriate to the general risks involved in the Services as required by Applicable Data Protection Laws. Notwithstanding any other provision, this section sets forth the Company's entire obligation to protect Customer Personal Data on the Services. Customer will maintain and enforce commercially reasonable security methods and procedures to prevent misuse of the log-in information of its employees and other users. The Company shall not be liable for any damages incurred by Customer or any third party in connection with unauthorized access resulting from the actions of Customer or its representatives.

8.0 SUB-PROCESSING

  1. Customer authorizes the Company to appoint Sub-Processors in accordance with this section 6 and any restrictions in the Master Agreement. Each Sub-Processor is also authorized to appoint sub-processors in accordance with this section 8.
  2. The Company may continue to use those Sub-Processors already engaged by the Company as at the date of this Addendum. Where the Company intends to make changes to the use of any of its Sub-Processors, it shall inform Customer 30 days prior to the date of the appointment of the new Sub-Processor. Where Customer objects to such a change (acting reasonably on the basis of any data protection concerns), Customer shall notify the Company prior to the appointment date of the new Sub-Processor. In such case, the Company and Customer shall meet in good faith to cure any objections.
  3. In case of termination of the impacted Software and Services, Customer shall be liable for any contracted fees or charges for the remainder of the term of the Transaction Document and any Order Forms thereunder.  
  4. With respect to each Sub-Processor, the Company shall:
    1. before the Sub-Processor first Processes Customer Personal Data (or, where relevant, in accordance with section 8.2), carry out adequate checks to ensure that the Sub-Processor is capable of providing the level of protection for Customer Personal Data required by the Company;
    2. ensure that it enters into a written agreement with each Sub-Processor on terms which offer at least a similar level of protection for Customer Personal Data as those set out in this DPA and meet the requirements of Applicable Data Protection Laws; and,
    3. provide to Customer for review such copies of the Company's agreements with Sub-Processors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as Customer may request from time to time.

9.0 DATA SUBJECT RIGHTS

The Company shall promptly notify the Customer upon becoming aware of any request from a Data Subject under any Applicable Data Protection Laws in respect of Customer Personal Data. If requested by Customer, the Company shall assist by implementing appropriate technical and organizational measures to support the Customer's obligations to respond to requests to exercise Data Subject rights. The Company may apply an additional charge or charges, distinct from any charges or fees payable by Customer under the Master Agreement or applicable Addendum, for the provision of assistance in responding to any Data Subject request. Charge(s) shall be at the Company's discretion; however, they shall be proportionate to the level of assistance and agreed in advance.

10.0 PERSONAL DATA BREACH

  1. The Company shall notify Customer without undue delay upon the Company becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information regarding such Personal Data Breach.
  2. The Company shall cooperate with Customer and take such reasonable commercial steps to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

11.0 DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

The Company shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with supervising authorities or other competent data privacy authorities, which Customer reasonably considers to be required of Customer under Applicable Data Protection Laws, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Company. 

12.0 DELETION OR RETURN OF CUSTOMER PERSONAL DATA

  1. The deletion, return or other treatment of Customer Personal Data on termination of the Transaction Document shall be managed in accordance with the terms of the Transaction Document.
  2. Each Contracted Processor may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that the Company shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws or the Transaction Document requiring its storage and for no other purpose.

13.0 INFORMATION AND AUDIT RIGHTS

  1. Subject to the subsections herein in this Section, the Company shall make available to Customer on request all information reasonably necessary to demonstrate compliance with this Addendum, and shall, at Customer's cost, allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer in relation to the Processing of the Customer Personal Data.
  2. Customer undertaking an audit shall give the Company reasonable notice of any audit conducted under this Section, and may only exercise its right to audit no more than once every twelve (12) months.
  3. Save for any disclosures required for compliance with Applicable Data Protection Laws, Customer undertakes to keep, and ensure its auditors keep, all results or findings from any audit confidential and shall indemnify the Company against any and all losses incurred by the Company as a result of any breach of this section.

14.0 CCPA

To the extent that Customer Personal Data includes personal information protected under the CCPA, the parties acknowledge and agree that Customer is a "Business" and the Company is a "Service Provider", as both terms are defined in the CCPA. The Company will Process such Customer Personal Data in accordance with the CCPA insofar as it relates to the provision of the Services and will not sell, share, retain, use, or disclose such Customer Personal Data (protected under the CCPA) other than for the specific purpose of providing the Services or outside of a direct business relationship between the Company and Customer. In addition, the Company will not combine such Customer Personal Data (protected under the CCPA) it receives from, or on behalf of, Customer with Personal Data that the Company receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, except where such combination is permitted under the CCPA. The Company shall notify Customer if it becomes aware that it cannot comply with its obligations as a Service Provider under the CCPA.

15.0 DATA TRANSFER

  1. Customer acknowledges and agrees that it may be necessary for Customer Personal Data to be transferred outside of the country or territory it originates from in order to perform services pursuant to the Transaction Document.  In relation to any Customer Personal Data protected by the GDPR, the UK GDPR and/or the Swiss FADP, Learning Technologies Group and its US affiliates included in its certification have certified their compliance and adherence to the EU-US Data Privacy Framework program (EU-U.S. DPF), the UK Extension to EU-U.S. DPF and the Swiss-US Data Privacy Framework program and applicable principles.
  2. To the extent that a transfer of Customer Personal Data from Customer to the Company is a Restricted Transfer, such transfer shall be subject to the appropriate Standard Contractual Clauses, which shall be deemed incorporated into and form part of this Addendum, as follows:
    1. European Transfers. In relation to transfers of Customer Personal Data originating from the EEA and subject to the EU GDPR, the EU SCCs shall apply as follows:
      1. Customer is the "data exporter" and the Company is the "data importer";
      2. Module 2 (Controller to Processor) shall apply;
      3. in clause 7, the optional docking clause shall apply;
      4. in clause 9, option 2 applies, and the time period for prior notice of Sub-Processor changes is stated in section 8 of this DPA;
      5. in clause 11, the optional language does not apply;
      6. in clause 17, option 1 applies, and the EU SCCs are governed by Irish law;
      7. in clause 18(b), disputes will be resolved before the courts of Ireland; and,
      8. Annex I, II and III of the EU SCCs shall be deemed completed with the information set out in Appendix I, II and III to this Addendum respectively;
    2. United Kingdom Transfers. In relation to transfers of Customer Personal Data originating from the United Kingdom and subject to the UK GDPR, the UK Addendum shall apply as follows: 
      1. in Table 1 of the UK Addendum, the parties' key contact information is located in the Transaction Document and / or the relevant Order Form;
      2. in Table 2 of the UK Addendum, the relevant information about the version of the EU SCCs, modules, and selected clauses which this UK Addendum is appended to is located above in section 13.2.1 (European Transfers) of this Addendum;
      3. in Table 3 of the UK Addendum:
        • (aa) the information required for Annex 1A is located in Appendix I of this Addendum;
        • (bb) the information required for Annex 1B is located in Appendix I of this Addendum;
        • (cc) the information required for Annex II is located in Appendix II of this Addendum;
        • (dd) the information required for Annex III is located in Appendix III of this Addendum; and,
      4. in Table 4 of the UK Addendum, neither party may end the UK Addendum. 
    3. Swiss Transfers. In relation to transfers of Customer Personal Data originating from Switzerland and subject to the Swiss FADP, the EU SCCs as implemented in section 13.2.1 (European Transfers) of this Addendum shall apply with the following modifications:
      1. all references in the EU SCCs to "Regulation (EU) 2016/679" will be interpreted as references to the Swiss FADP, and references to specific Articles of "Regulation (EU) 2016/679" will be replaced with the equivalent article or section of the Swiss FADP;
      2. all references to Member State will be interpreted to include Switzerland, and Data Subjects in Switzerland are not excluded from enforcing their rights in their place of habitual residence in accordance with clause 18(c);
      3. in clause 13, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner;
      4. in clause 17, the EU SCCs are governed by the laws of Switzerland; and,
      5. in clause 18(b), disputes will be resolved before the courts of Switzerland.
  3. The Company shall ensure adequate data transfer mechanisms are in place for any onward transfers to Sub-Processors to ensure compliance with the Applicable Data Protection Laws and protection of Customer Personal Data.

16.0 SURVIVAL

Any provision of this DPA that expressly or by implication is intended to come into or continue in force on or after termination or expiry of this DPA shall remain in full force and effect. 

17.0 GENERAL TERMS

  1. Governing Law and Jurisdiction. The parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Transaction Document with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity, termination or the consequences of its nullity and all non-contractual or other obligations arising out of or in connection with it.
  2. Limited Liability. Nothing in this DPA reduces the Company's obligations under the Transaction Document in relation to the protection of Customer Personal Data or permits the Company to Process (or permit the Processing of) Customer Personal Data in a manner which is prohibited by the Transaction Document. CUSTOMER AGREES AND ACCEPTS THAT IT SHALL NOT BE ENTITLED TO BRING A CLAIM UNDER BOTH THE TRANSACTION DOCUMENT AND / OR THE RELEVANT ORDER FORM(S) AND THIS DPA FOR DAMAGE OR LOSS CAUSED BY THE SAME EVENT GIVING RISE TO THAT CLAIM. THE COMPANY'S ENTIRE AGGREGATE LIABILITY HEREUNDER SHALL BE AS STATED IN THE LIMITATION OF LIABILITY PROVISIONS AGREED BETWEEN CUSTOMER AND THE COMPANY IN THE TRANSACTION DOCUMENT, AND THE COMPANY'S (OVERALL) AGGREGATE LIABILITY EXPOSURE TOWARDS THE CUSTOMER SHALL THEREFORE NOT BE EXPANDED AS A RESULT OF ENTERING INTO THIS DPA.
  3. Order of Precedence. Subject to Section 17.2, with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including the Transaction Document and including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreement entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.
  4. Severance. Should any provision of this DPA be invalid or unenforceable, the remaining terms of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either:
    1. amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible; or, 
    2. construed in a manner as if the invalid or unenforceable part had never been contained therein.

APPENDIX 1 

  A. LIST OF PARTIES
    a. Data Exporter:

Client Name 

As identified and described in the relevant Order Form 

Address 

As identified and described in the relevant Order Form 

Role (Controller / Processor) 

Controller 

Signature and Date 

By entering into the Master Software License Agreement, Master Services Agreement, and / or Order Form (Transaction Document), data exporter is deemed to have signed this DPA and the applicable Standard Clauses incorporated herein, including their Appendixes / Annexes as of the effective date of the Transaction Document 

    b. Data Importer:

Company Name 

Sightview Software, LLC and its affiliates (as described in Section 1.1 of the DPA) 

Address 

555 South Mangum Street 

Suite 100 

Durham, NC  27701 

Contact Person’s Name & Title  

Manthan Vaidya 

VP IT & Security 

SightviewMatters@Sightview.com  

Activities Relevant to the Data Transferred Under These Clauses 

As Specified in Part (B) of Appendix 1 

Role (Controller / Processor) 

Processor 

Signature and Date 

By entering into the Master Software License Agreement, Master Services Agreement, and / or Order Form (Transaction Document), data exporter is deemed to have signed this DPA and the applicable Standard Clauses incorporated herein, including their Appendixes / Annexes as of the effective date of the Transaction Document 

  B. DATA AND TRANSFER

Categories of Data Subjects Whose Personal Data Is Transferred 

Customer and the Patients They Serve 

Categories of Personal Data Transferred 

Personal Health Information (“PHI”) and Customer Data as Described in the Order Form 

Sensitive Data Transferred (If Applicable) and Applied Restrictions or Safeguards 

PHI; Business Associates Agreement (“BAA”) 

The Frequency of the Transfer 

Continuous 

Nature of the Processing 

Processing Activities May Include As Follows: 

  • Collection 
  • Storage 
  • Recording 
  • Organizing 
  • Making Available 
  • Combining 
  • Blocking 
  • Making anonymous 
  • Erasure and Deletion 
  • Anaylzing 
  • Providing Statistics 

Purpose(s) of the Data Transfer and Further Processing 

In Connection with the Services Provided Under the Transaction Document 

The Period for Which the Personal Data Will Be Retained, or, If That Is Not Possible, The Criteria Used to Determine That Period 

For the Duration of the Term Stated in the Transaction Document 

For Transfers to (Sub-) Processors, also Specify Subject Matter, Nature, and Duration of the Processing 

As Above 

 

  1. COMPETENT SUPERVISORY AUTHORITY FOR THE EU SCC’s

Competent Supervisory Authority/ies in Accordance with Clause 13 of the EU SCC’s 

TBD 

Location(s) Where Customer Data Will Be Processed Within the Vendor Network (Each a “Region”), Including Regions in the EEA 

TBD 

 

APPENDIX 2

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

  1. USE OF CUSTOMER DATA

The Company will only utilize Customer Data for the purposes of fulfilling its obligations under the Agreement. The Company will maintain and enforce physical and logical security procedures with respect to its access to and maintenance of Customer Data contained on the Company’s servers.

  2. REASONABLE MEASURES

The Company will utilize reasonable measures to secure and defend its location and equipment against “hackers” and others who may seek to modify or access the Company’s servers or the information found therein without authorization. The Company will test its systems for potential security vulnerabilities at least annually.

  3. INFORMATION SECURITY PROGRAM

The Company has a written information security program (“Information Security Program”) that includes administrative, technical, and physical safeguards that protect against any reasonably anticipated threats or hazards to the confidentiality of the Customer Data, and protect against unauthorized access, use, disclosure, alteration, or destruction of the Customer Data. In particular, the Company’s Information Security Program shall include, but not be limited to, the following safeguards where appropriate or necessary to ensure the protection of Confidential Information and Personal Data.

  4. ACCESS CONTROLS

The Company utilizes Access Controls, which include policies, procedures, and physical and technical controls:

    1. to limit physical access to its information systems and the facility or facilities in which they are housed to properly authorized persons; and
    2. to authenticate and permit access only to authorized individuals.

  5. SECURITY INCIDENT PROCEDURES

The Company has policies and procedures to detect, respond to, and otherwise address security incidents, including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into Customer Data or information systems relating thereto, and procedures to identify and respond to validated security incidents, mitigate harmful effects of security incidents, and document security incidents and their outcomes.

  6. CONTINGENCY PLANNING

The Company has policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Customer Data or systems that contain Customer Data, including a data backup plan and a disaster recovery plan.

  7. DEVICE AND MEDIA CONTROLS

The Company has policies and procedures that govern the receipt and removal of hardware and electronic media that contain Customer Data into and out of the Company data center, and the movement of these items within the Company data center, including policies and procedures to address the final disposition of Customer Data.

  8. AUDIT CONTROLS

The Company utilizes hardware, software, and/or procedural mechanisms that record activity in information systems that contain or use Customer Data.

  9. DATA INTEGRITY

The Company has policies and procedures to guard against the unauthorized disclosure, improper alteration, or unauthorized destruction of Customer Data.

  10. TRANSMISSION SECURITY

The Company utilizes encryption of electronic information while in transit to guard against unauthorized access to Customer Data that is being transmitted over public communications networks.

  11. SECURE DISPOSAL

The Company has policies and procedures regarding the disposal of Customer Data, taking into account available technology that can be used to sanitize storage media such that stored data cannot be practicably read or reconstructed.

  12. TESTING

The Company shall regularly test the key controls, systems, and procedures of its Information Security Program to verify that they are properly implemented and effective in addressing the threats and risks identified. Tests will be conducted or reviewed in accordance with recognized industry standards (e.g. ISO 27001 or SSAE 18 and their successor audit standards, or similar industry-recognized security audit standards).

  13. ADJUSTMENTS AND MODIFICATIONS

The Company shall monitor, evaluate, and adjust, as it deems necessary, the Information Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of Customer Data, and internal or external threats to the Company or the Customer Data.

  14. SECURITY TRAINING

The Company shall provide annual security awareness and data privacy training for its employees that will have access to Customer Data.

  15. CONFIDENTIALITY

The Company shall require that all its employees who are granted access to Customer Data undergo appropriate screening, where lawfully permitted, and enter into a confidentiality agreement prior to being granted such access.

  16. SUMMARY REQUESTS

Data Processor shall on request provide a summary of the information security policies it has implemented.

APPENDIX 3

LIST OF SUB-PROCESSORS 

The Customer has authorized the use of the Sub-Processors as provided here:  <<LINK>> 

If the Company wishes to use the services of a new Sub-Processor, it shall notify the Customer. If the Customer reasonably objects to the appointment of the new Sub-Processor, the parties shall discuss in good faith the reasons for such objection and whether measures can be undertaken to meet those reasons. If within a period of 30 days from the Company being notified of an objection the parties have been unable to agree on the measures, the Customer shall be entitled to terminate the processing of the applicable Customer Personal Data within 7 days of the end of such 30-day period.

APPENDIX 4

LIST OF SUB-PROCESSORS 

This DPA does not cover any Processing activities carried out by the Company in its capacity as an independent Controller, including when it Processes Personal Data for the purpose of managing the relationship with Customer and invoicing.