Data Processing Program (International)
Apptega Inc. (“Apptega”) and the entity in the signatory block below (“Customer”) and, jointly with Apptega, (the “Parties”) have entered into a Subscription Agreement (the “Agreement”), whereby Apptega provides certain services that may entail the Processing of Personal Data (“Services”). The parties have agreed to supplement the Subscription Agreement with this Data Processing Program (the “Program”).
WHEREAS
In the course of the performance of the Services, Apptega may have access to or may be provided by the Customer, its affiliated companies, subsidiaries and holding company, with certain Personal Data which Apptega will need to Process on behalf of the Customer. To ensure that all Personal Data at all times is processed in accordance with Data Protection laws, the Parties have agreed to execute this Data Processing Program, including its Appendixes (the “DPP”);
AND
With respect to the Processing of the Personal Data, the Customer acts as a Data Controller and Apptega acts as Data Processor.
THEREFORE: This Program sets forth the requirements applicable to Personal Data Processed in connection with providing the Services. With effect from the date signed by the last party below (the "Effective Date"), the Parties agree to the following:
IT HAS BEEN AGREED AS FOLLOWS:
1. DEFINITIONS
The following terms have the following meanings when used in this DPP:
Data Protection Laws means the General Data Protection Regulation (EU 2016/679) (GDPR), the Directive on privacy and electronic communications (2002/58/EC), the California Consumer Privacy Act of 2018 and its implementing regulations (CCPA) and any other applicable laws within the scope of the Services, including any implementing national laws, any regulatory requirements, guidance and codes of practice applicable to the processing of Personal Data (as amended or replaced from time to time).
Personal Data means information that is Processed solely for Customer by or on behalf of Apptega in connection with the Services that constitutes “personal data”, “personal information” or its equivalent term under applicable Data Protection Laws.
Process or Processing, Data Subjects, Data Controller (or “Controller”), Data Processor (or “Processor”) and Sell have the meaning given to those terms or equivalent terms under Data Protection Laws.
2. ROLES OF THE PARTIES
2.1. The Customer shall be the Data Controller and Apptega shall be the Data Processor in respect of Personal Data processed by Apptega on the Customer's behalf in performing its obligations under this DPP.
2.2. The Customer shall be solely responsible for determining the purposes for which and the manner in which Personal Data are, or are to be, processed.
3. APPTEGA’S OBLIGATIONS
3.1. Apptega, as Data Processor, shall comply with the requirements of Data Protection Laws in respect of the provision of the Services and otherwise in connection with this DPP and will assist Customer in its compliance with applicable Data Protection Laws.
3.2. Without prejudice to clause 3.1 above, Apptega shall in respect of the Processing of the Personal Data:
3.2.1. Process the Personal Data only according to the contractually intended purpose and on written instructions and directions received from the Customer (which shall include the terms of this DPP) and comply promptly with all such instructions and directions received from the Customer from time to time;
3.2.2. immediately notify the Customer if, in Apptega’s reasonable opinion, any instruction or direction from the Customer infringes applicable Data Protection Laws;
3.2.3. not Process the Personal Data or permit it to be Processed or accessed, in whole or in part, other than for the provision of the Services and only to the extent reasonably necessary for the performance of this DPP;
3.2.4. Process the Personal Data in accordance with the specified duration, purpose, type and categories of Data Subjects as set out in Appendix 1 (Details of the Data Processing);
3.2.5. not Sell Personal Data and not retain, use, or disclose the Personal Data outside of its direct business relationship with Customer and under Customer’s prior written authorization only;
3.2.6. not copy, export or extract any Personal Data in any manner and ensure full compliance with this obligation by its representatives and any sub-processors, as defined under this DPP;
3.2.7. ensure that it has in place, and shall maintain for the duration of the DPP or the destruction of Personal Data, whichever is later, all necessary or appropriate technical and organizational measures, taking into account the nature and volume of Personal Data, that are designed to:
(a) protect the integrity, availability, resilience, confidentiality, and security of all Personal Data;
(b) protect the Personal Data against accidental or unlawful destruction, damage, or loss, alteration, or unauthorized disclosure or access;
(c) pseudonymize and encrypt Personal Data as appropriate; and
(d) provide a level of security appropriate to the risk represented by the Processing and the nature of the Personal Data to be protected as required under Data Protection Laws;
3.2.8. ensure full compliance with any technical and organizational measures as set forth in Appendix 2 to the DPP;
3.2.9. keep the Personal Data confidential, and not disclose, in whole or in part, the Personal Data to any person or entity, except to its employees, subcontractors or agents:
(a) on a need-to-know basis and only as necessary for the performance of the Services;
(b) who are duly authorized to this effect as a result of their position and qualification and bound by obligations equivalent to those set out under this Clause 3;
(c) who have received appropriate training about the Data Protection Laws concerning the handling of Personal Data;
(d) who are informed of the confidentiality nature of the Personal Data; and
(e) who are subject to a duty of confidence.
3.2.10. notify the Customer in writing, without undue delay after becoming aware, of any accidental, unlawful or unauthorized access, loss and/or destruction of Personal Data on Apptega’s systems or as a result of or related to Apptega’s access to or Processing of such Personal Data or otherwise during the execution of the Services by Apptega ("Personal Data Breach"), with such notice to include relevant known details of the breach such as (i) the time and nature of the incident, (ii) the affected system, the number of Data Subjects affected, the categories of Personal Data affected, (iii) the likely consequences of the Personal Data Breach, (iv) the name and contact details of the data protection officer or other point of contact at Apptega where more information can be obtained and (v) the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate possible adverse effects of the Personal Data Breach. Apptega shall co-operate and assist the Customer with any investigation regarding the Personal Data Breach, including with notification obligations as mandated under Data Protection Laws, and take all necessary measures to limit further unauthorized disclosure of or unauthorized Processing of Personal Data in connection with the Personal Data Breach. Apptega shall further assist the Customer to comply with its obligation to document any Personal Data Breach by performing a root cause analysis promptly upon becoming aware of such Personal Data Breach and sharing the outcome of such analysis with the Customer;
3.2.11. deal promptly and properly with all reasonable enquiries from the Customer relating to its Processing of the Personal Data;
3.2.12. assist the Customer in conducting any required privacy impact assessment upon request from the Customer;
3.2.13. implement privacy by design and privacy by default principles in relation to the tools and applications Apptega uses to provide the Services, and especially regarding the data science and machine learning techniques that may be used for the needs of the Services;
3.2.14. implement and maintain a complete and updated record of Processing activities of the Personal Data in accordance with the Data Protection Laws. Apptega will provide the Customer a copy of such record annually upon Customer's request;
3.2.15. assist the Customer promptly for any exercise of Data Subjects’ rights and reasonably cooperate with and support the Customer in fulfilling its obligations as Data Controller in relation to such Data Subject requests at all times;
3.2.16. notify the Customer promptly upon receipt of any request from government office or other administrative body, or law enforcement authority, court order to disclose any of the Personal Data, including the basis for the requirement, the scope of the disclosure and to whom the Personal Data must be disclosed, and shall provide all reasonable assistance in opposing such disclosure at the request and cost of the Customer;
3.2.17. not sub-process and/or delegate any part of the Processing of the Personal Data to any third parties without the written consent of the Customer; and
3.2.18. subject to above clause 3.2.16, Apptega shall select any such sub-processor with due diligence, and verify whether the sub-processor is able to comply with their obligations under Data Protection Laws in relation to the Processing of Personal Data. Furthermore, Apptega shall:
(a) procure that sub-processors enter into written agreements with Apptega which contain terms no less onerous than the terms set out under this DPP; and
(b) remain fully liable to the Customer for the performance of the sub-processor's obligations under Data Protection Laws or for any acts or omissions of any sub-processors.
The current sub-processors are set forth at: https://www.apptega.com/en-us/compliance/sub-processors
The Customer may subscribe to receive notifications of new subprocessors. In case of any intended changes concerning the addition or replacement of sub-processors, the Customer will have an opportunity to object based on reasonable grounds to such Processing of Personal Data. If the Parties cannot resolve the Customer’s objection, Apptega may cease to provide the Services (either temporarily or permanently) to Customer and / or the Customer may terminate the Agreement, if the Subprocessor in question cannot be replaced or mitigated.
3.2.19. make available, once per annum upon the Customer’s reasonable request, information necessary to demonstrate compliance with their obligations under this DPP and with Data Protection Laws and allow for and contribute to annual audits of Apptega’s systems that are used to Process or access Personal Data, including inspections, conducted, during normal business hours with advance prior written notice and not more than once annually (except in case of suspected breach or Personal Data Breach), by the Customer or another auditor as mandated by the Customer who will have entered into a confidentiality undertaking covering the audit at any time. Apptega shall grant to the Customer all reasonable access rights and information required to perform such audits;
4. STANDARD CONTRACTUAL CLAUSES
So long as Apptega continues to be located outside the EEA, the United Kingdom, or Switzerland and the Personal Information Processed by Apptega pertains to Data Subjects located in the EEA, the United Kingdom, or Switzerland, the Customer and Apptega agree that the Standard Contractual Clauses for transfers reflecting the roles of the parties as described in the form approved by the European Commission and currently available at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en (as amended or updated from time to time) (“Standard Contractual Clauses”) shall be incorporated by reference and form an integral part of this Program. If and as necessary, the parties will execute the Standard Contractual Clauses. Purely for the purposes of the descriptions in the Standard Contractual Clauses and only as between Customer and the Service Provider, the Service Provider is a “data importer” and the Customer is the “data exporter” under the Standard Contractual Clauses. Further, Appendixes 1 and 2 of this Program will take the place of Appendixes 1 and 2 of the Standard Contractual Clauses, as applicable.
5. RETURN AND DESTRUCTION OF THE PERSONAL DATA
5.1. At the Customer’s written request at any time, Apptega and the authorized sub-processor (if any) shall promptly return all Personal Data as well as authorized copies (if any) of the Personal Data in its possession, including extracts or other reproductions (if any), whether in written, electronic or other readable and processable format or media, to the Customer;
5.2. Upon termination of retention periods as defined by the Customer for each category of Personal Data, or upon termination or expiration of the DPP, Apptega shall securely delete, remove and destroy all Personal Data processed on behalf of the Customer as well as authorized copies (if any) of the Personal Data in its possession, including extracts, backups or other reproductions (if any), whether in written, electronic or other form or media, except where necessary to retain such Personal Data strictly for the purposes of compliance with applicable law.
5.3. Upon Customer’s written request, Apptega shall certify that it has complied with Customer’s request regarding the return and deletion of the Personal Data.
5.4. Apptega shall store all documents evidencing compliance of Processing of the Personal Data with this DPP and Data Protection Laws after termination or expiration of the DPP in accordance with applicable Data Protection Laws;
5.5. The parties acknowledge that Data Protection Laws are evolving over time and that new legislation is anticipated which might increase the Customer's or Apptega's data protection compliance obligations. The Customer shall have responsibility for ensuring that the terms of this DPP satisfy its obligations as Data Controller of the Personal Data, and accordingly may submit to Apptega from time to time requests for these terms to be varied to the extent necessary to comply with mandatory requirements of the Data Protection Laws, specifying the scope of the required amendments in sufficient detail. Upon receipt of such a request, Apptega shall prepare a document which describes any changes to this DPP, which shall be promptly submitted to the Customer for review. For the avoidance of doubt, no such changes shall take effect until a written agreement describing the amendments has been executed by both parties.
6. CCPA
6.1. Without limiting the generality of the foregoing, Apptega is prohibited from:
6.1.1. using, disclosing, or Processing Personal Data for Apptega’s own purposes or to provide services to another person or entity, including but not limited to marketing or commercially exploiting (such as selling, renting, or leasing) Personal Data;
6.1.2. retaining, using, or disclosing Personal Data for any purpose other than for the specific purpose of providing Services under the Agreement, including retaining, using, or disclosing Personal Data for a commercial purpose other than providing Services specified in the Agreement; and
6.1.3. retaining, using, or disclosing Customer Data outside of the direct business relationship between Customer and Apptega.
6.1.4. Notwithstanding the foregoing, to the extent permitted by the CCPA and other Applicable Law, Apptega may use Personal Data internally to build or improve the quality of the Services, provided that such use does not include building or modifying household or consumer profiles to use in providing another business, or correcting or augmenting data acquired from another source.
7. ORDER OF PRECEDENCE
7.1 This Program supplements, and does not replace, any existing obligations related to the privacy and security of Personal Data as already set forth in the Agreement. In the event of a conflict between the terms of this Program and the Agreement, Apptega shall comply with the obligations that provide the most protection for Personal Data. Subject to the foregoing, in the event of any inconsistency or conflict between the terms of the Agreement and this Program, the terms of the Agreement shall control.
The Parties hereby agree to this Program from the Effective Date on the terms set forth above.
On behalf of the Data Processor (“Apptega”):
Name: __________________
Position: ___________________
Signature …
On behalf of the Data Controller (“Customer”):
Name: ______________________
Position: _____________________
Signature …
Appendix 1 – Details of Processing
Categories of data subjects / Type of data
Category of data subjects:
- End users who use the Apptega platform to build, manage or report on company cybersecurity and compliance programs
- Users that provide guidance or insights or perform tasks related to a company’s cybersecurity or compliance programs.
Type of data: Name, email address, browser generated information, location data, IP addresses.
Subject matter and duration of processing
Subject matter of processing is the following data: Name, email address, browser generated information, location data, IP addresses.
Duration of the processing: The processing is conducted until termination of the Agreement unless instructed otherwise by Controller at Customer’s sole discretion.
Nature and purpose of processing
Apptega is a SaaS provider who, on behalf of Customer:
- collects information to help an organization build, manage and report its cybersecurity and compliance posture;
- generates tasks and provides Customers the ability to upload and store artifacts that prove compliance with Customer’s cybersecurity framework objectives;
- stores the aforementioned user-generated content on behalf of the Customer.
Purpose of the processing is:
- collection and presentation of an individual company’s cybersecurity posture to ensure organizations are meeting their cybersecurity and regulatory compliance requirements.
Appendix 2 – Technical and Organizational Measures
Apptega may update or modify these Technical and Organizational Measures from time to time, provided such updates and modifications will not result in a degradation of the overall security of the Services during the term of the Agreement.
- Data Center. Infrastructure. Apptega stores all production data in physically secure data centers operated by Amazon Web Services (“AWS”). AWS maintains several compliance certifications covering their operations. These can be viewed at https://aws.amazon.com/compliance/programs/
Redundancy. Infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. Most Services are designed to allow Apptega to perform certain types of preventative and corrective maintenance without interruption. Preventative and corrective maintenance of the Services is scheduled through a standard change process according to documented procedures.
Power. The data center electrical power systems are designed to be redundant and maintainable without impact to continuous operations.
Server Operating Systems. Certain Apptega servers use a Linux based implementation customized for the application environment.
Business Continuity. Apptega replicates data over multiple systems to help to protect against accidental destruction or loss. Apptega has created business continuity planning and disaster recovery programs.
- Networks & Transmission. Data Transmission. Data centers are typically connected via virtual private networks. This is designed to prevent data from being read, copied, altered or removed without authorization during electronic transfer. Apptega transfers data via Internet standard protocols.
External Attack Surface. Apptega employs multiple layers to protect its external attack surface. Apptega considers potential attack vectors and incorporates appropriate purpose-built technologies into external facing systems.
Encryption Technologies. Apptega makes HTTPS encryption (also referred to as SSL or TLS connection) available using a minimum of TLS 1.2.
- Access Controls. Infrastructure Security Personnel. Apptega has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. Apptega’s operations personnel are responsible for the ongoing monitoring of Apptega’s security, the review of the Services, and responding to incidents.
Access Control and Privilege Management. Administrators must authenticate themselves in order to administer the Services.
Internal Data Access Processes and Policies. Access Policy. Apptega’s internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. Apptega designs its systems to: (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording. The systems are designed to detect any inappropriate access. These mechanisms are designed to grant only approved access rights to site hosts, logs, data and configuration information. Apptega requires the use of unique user IDs, strong passwords, two factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel job responsibilities; job duty requirements necessary to perform authorized tasks; and a need to know basis. The granting or modification of access rights must also be in accordance with Apptega’s internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication, password policies that follow at least industry standard practices are implemented. These standards include password expiry, restrictions on password reuse and sufficient password strength.
- Data Storage and Isolation. Apptega stores data in a multi-tenant environment. Apptega logically isolates the Controller’s data, and the Controller will be given control over specific data sharing policies. Those policies, in accordance with the functionality of the Services, will enable the Controller to determine the product sharing settings applicable to end users for specific purposes.
- Personnel Security. Apptega personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Apptega conducts reasonably appropriate background checks on all employees.
Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Apptega’s confidentiality and privacy policies. Personnel are provided with security training. Apptega’s personnel will not process Customer data without written authorization.
- Security by Design. Apptega’s platform and software code have been designed with the security of our customers’ data in mind. Apptega employs a code review process to increase the security of the code used to provide the Services and enhance the security posture in production environments.
- Subprocessors. Prior to onboarding Subprocessors, Apptega conducts a review of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once Apptega has assessed the risks presented by the Subprocessor, the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms. A list of current subprocessors can be found at: https://www.apptega.com/en-us/compliance/sub-processors.
- Vulnerability Management. Apptega conducts regular assessments on critical systems with the intent of finding system and application vulnerabilities.
- Breach Detection and Response. Apptega uses a managed solution for safeguarding applications running on our platform and a threat detection service that continuously monitors for malicious activity and unauthorized behavior. Apptega also logs access requests and usage of the platform to further facilitate security incident monitoring and response.
If a security incident is detected, Apptega will act promptly to identify, contain, mitigate, and remediate the incident. All constituents will be promptly notified in accordance with law and applicable agreement(s).
- Audit. For its data and application hosting, Apptega follows a CIS v8 based information security management system with controls that are reviewed internally and externally on a regular basis.
Last updated: 07/01/2023