These Terms and Conditions of Use (the “Agreement”) are a legal agreement between Zift Solutions, Inc. (“Company”), a North Carolina Corporation, and “you,” a person or entity acting as an authorized partner of a customer of the Company to whom the Company has agreed to provide the Company’s software-as-a-service offerings (each, a “Customer”) under an agreement between the Customer and the Company. This Agreement governs your access to and use of the Company’s software-as-a-service offerings through the interface made available by the Company to authorized partners of the Customer (such interface, the “Partner Portal”) as directed by the Customer. The Company’s software-as-a-service offerings and the Partner Portal are referred to collectively in this Agreement as the “Services.” As used herein, “You,” “you,” and “your” refer to you as the person accepting the terms of this Agreement in your own capacity and for and on behalf of the authorized partner of the Customer.

IN ORDER TO USE THE SERVICES YOU MUST ACCEPT ALL OF THE TERMS OF THIS AGREEMENT IN YOUR OWN CAPACITY AND FOR AND ON BEHALF OF THE ENTITY WITH WHOM YOU ARE ASSOCIATED (THE AUTHORIZED PARTNER). AFTER READING THE TERMS, IF YOU AGREE TO THEM, PLEASE INDICATE YOUR DECISION BY CLICKING ON “I AGREE” ON THE SERVICE REGISTRATION PAGE. IF YOU DO NOT AGREE, YOU WILL NOT BE ALLOWED TO USE THE SERVICES. Company may revise and update this Agreement at any time, in which case it will notify you and all other users of the changes to the Agreement. Your continued use of the Services will mean you accept those changes and agree to this Agreement as revised. You may not amend or change this Agreement unless Company agrees to such amendment or change in writing.

1. Your Use of the Services

You may use the Services, subject to the terms and conditions of this Agreement. You are solely responsible for your use of the Services. You specifically agree that you may not use the Services for anything other than a lawful and legitimate purpose. Examples of prohibited uses of the Services include, but are not limited to: (a) deceptive and unfair trade practices; (b) introduction of viruses, worms or other programming routines that are intended to disrupt or interfere with the intended operation of the Services; (c) promotion of any unlawful activity or purpose, including any activity that could give rise to criminal or civil liability; (d) any activity that infringes on the copyright, patent, trademark or other rights of any person or entity; and (e) any activity that infringes any applicable law governing the use and disclosure of information regarding an identified or identifiable individual that is Processed in connection with Services (“Personal Data”). In addition to the foregoing, you may not use the Services in any way that (i) does not comply with the terms of this Agreement, as amended by Company from time to time, or any other terms, rules, or guidelines provided by Company concerning your use of the Services, or (ii) might adversely affect Company’s public image, reputation or goodwill. 
You agree: (i) not to reverse engineer, disassemble or decompile the Services or any part thereof; (ii) to take all reasonable steps to ensure that the Services, and the trade secrets, confidential and proprietary information contained therein, are not disclosed to any person other than your employees, licensees or agents who have a need for access in order to use them; (iii) not to remove the copyright, trade secret or other proprietary protection legends or notices which appear on the Services; and (iv) that you shall promptly notify Company of and shall otherwise cooperate with Company in preventing any unauthorized use or copying of the Services by your employees, agents, customers or others. Company reserves the right to provide maintenance and upgrades to its systems, which may make the Services temporarily unavailable. Company will attempt to schedule downtime during hours of low usage such as weekends, holidays and off-peak business hours, but under certain conditions Company may have to work on the system at other times.

2. Suspension or Termination of the Services and the Agreement

Notwithstanding anything else herein to the contrary, without limiting Company’s other remedies in law or equity, Company may immediately issue a warning, temporarily suspend, indefinitely suspend or terminate your ability to access the Services and/or terminate this Agreement, without notice or liability therefor, for any reason whatsoever (in Company’s sole determination), including but not limited to if (a) you breach this Agreement or any other agreement between Company and you; (b) Company is unable to verify or authenticate any information you provide to it (which it has no duty to do but may pursue in its sole and absolute discretion); or (c) Company believes, in its sole and absolute discretion, that your actions may cause, result in or carry a risk of legal liability for you, Company or any third party. Upon termination of this Agreement, any provision of this Agreement that by its terms imposes continuing obligations on you shall survive the termination of this Agreement.

3. User Content

You represent that any information provided by you in connection with your use of the Services is accurate, complete and current, and you agree to update that information promptly if there is any change. You represent that any Personal Data or other information you provide that pertains to another individual or party was obtained and is supplied with their prior express consent, in compliance with applicable laws governing the actual and proposed use of Personal Data, and consistent with any applicable agreements or contractual obligations that govern the operations performed on Personal Data such as collection, recording, storage, alteration, use, disclosure, erasure, or destruction (“Processing”). If this Agreement is being accepted by any individual for you, then you represent that such individual has the authority to execute this Agreement on your behalf.

4. User Materials

As part of the Services, you may create or provide information, messages, data and other materials in electronic format that will be stored, uploaded, posted, e-mailed or otherwise transmitted using the Services (collectively, “User Materials”). You represent that you have obtained all necessary third party rights, including, without limitation, copyrights, for any User Materials that belong to third parties. It is your responsibility to determine if it is necessary for you to obtain, and for obtaining, any licenses required to use third party information or content that is part of the User Materials. You agree not to use the Services for, and the User Materials will not contain, any material that breaches any applicable laws, rules, or regulations, or any material that is otherwise infringing, illegal, sexually explicit, hateful, vulgar, threatening, abusive, harassing, defamatory, or racially, ethnically, or otherwise objectionable, including, without limitation, any materials that could give rise to any liability to Company or which might adversely affect Company’s public image, reputation or goodwill. YOU WILL BE RESPONSIBLE FOR MAKING BACK-UP AND ARCHIVAL COPIES OF ALL USER MATERIALS. IN NO EVENT WILL COMPANY BE RESPONSIBLE TO YOU OR ANY OTHER PERSON FOR ANY LOSS, CORRUPTION OR ALTERATION OF USER MATERIALS, OR FOR ANY LOSS ARISING OUT OF ANY BREACH OF ANY SECURITY, INCLUDING, WITHOUT LIMITATION, ANY SPECIAL, DIRECT, INDIRECT OR OTHER DAMAGES OF ANY KIND.

5. Use of Data; Data Protection

Company and you shall both take appropriate technical and organizational measures against unauthorized or unlawful Processing of Personal Data or its accidental loss, destruction, or damage. Company and you shall implement and maintain commercially reasonable technical and organizational security measures designed to protect Personal Data from Data Breaches, to help ensure the ongoing confidentiality, integrity, and availability of the Personal Data and Processing systems, including, as applicable and appropriate, the measures referred to in Article 32 of GDPR, as defined in Section 6 of this Agreement. Company’s current security measures are described in Schedule 2 to this Agreement. Zift reserves the right to update or modify its security measures, provided that in no event will any update or modification materially reduce the level of protection provided for Personal Data. Notwithstanding the above, you agree that you are responsible for your secure use of the Services, including keeping any access credentials, such as a user ID and/or password, secure, secret, and confidential. You are responsible for changing your credentials if you believe that they have been compromised or stolen or might otherwise be misused.

Company shall notify you without undue delay after becoming aware of any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data processed by Company on your behalf (“Data Breach”). Company shall make reasonable efforts to identify the cause of the Data Breach and shall undertake such steps as it deems necessary and reasonable in order to remediate the cause of such Data Breach. Company shall provide information related to the Data Breach to you as reasonably necessary for you to maintain compliance with applicable laws, including GDPR. The obligations herein shall not apply to incidents that are caused by you or any Customer with which you are associated, including your or such customer’s employees, partners, subcontractors, or agents.

Company may use the User Materials: (i) to provide the Services to you and therefore as part of the delivery of services to the Customer that you are associated with; (ii) for uses that are closely related to provision of the Services, such as analytics for Service enhancement, trouble-shooting, administration, and compliance; and (iii) if you use the Services to share User Materials with the Customer with whom you are associated, that Customer may process and transmit those User Materials to the same extent that you process User Materials. In addition, Company may use User Materials for other purposes, such as evaluating and improving the Services; provided that such data is used in an aggregated form, does not include any Personal Data, and cannot be used in any way to identify you or any of your end users. You represent that you have the authorization needed, if any, under applicable law to supply User Materials to Company for the uses and disclosures described in this Agreement and Company’s privacy policy. You agree that Company may collect, use, disclose and otherwise process Personal Data as described in Company’s privacy policy.

6. Additional Terms Applicable to Personal Data Subject to GDPR

The following terms apply only to Processing of Personal Data that is subject to GDPR. For purposes of this Agreement, the term “GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) and shall include the corresponding laws of the United Kingdom and any other applicable data protection legislation in that territory (including the UK GDPR and Data Protection Act 2018). As used in this Agreement, the term “Processing” has the meaning ascribed under GDPR.

6.1 Roles of Parties. As between You and Company, you are the party that determines the purposes and means of the Processing of Personal Data (“Controller”) and Company is the party Processing Personal Data on your behalf (“Processor”). Company shall Process Personal Data as a Processor acting at your direction, and you acknowledge that a Customer that you are associated with also may act as an independent Controller of any Personal Data that you choose to share with that Customer through the Services, in which case Company will also Process Personal Data at that Customer’s direction for their purposes. Company shall Process Personal Data in compliance with all laws applicable to it as a Processor of Personal Data, including GDPR and the e-Privacy Directive or its successor regulation. Your instructions to Company will comply with applicable law and you will at all times hold a valid legal basis for the Processing Company performs on your behalf. You have (or have caused to be) provided any privacy policy or notice, and obtained all consents and rights, necessary under applicable law, including GDPR if applicable, for Company to Process Personal Data and provide the Services. Your Processing of Personal Data, including through use of the Services, and your Processing instructions to Company, will at all times fully comply with any obligations or limitations imposed by any Customer with which you are associated and shall not infringe on any of their rights in such Personal Data. You shall immediately notify Company and cease Processing Personal Data in the event any required authorization or legal basis for Processing is revoked or terminated. Company will notify you in the event it reasonably believes your Processing instructions infringe GDPR.

6.2 Processing Scope. Company shall Process Personal Data only for the purposes described in the Agreement, in accordance with your documented lawful instructions, or as required by applicable law. Company will undertake Processing of Personal Data on your behalf to deliver the Services as set forth herein and shall continue until you and all Customers with which you are associated direct that Processing should cease, or all agreements applicable to such Services are terminated, whichever occurs first. The details of the Processing of Personal Data, including the subject matter, duration, nature, and purposes of the Processing; the categories of Data Subjects; and the types of Personal Data are set forth in Schedule 1 to this Agreement.

6.3 Duty of Confidentiality. Company shall ensure that any person who is authorized by it to Process Personal Data (including its staff, agents, and subcontractors) shall be under an appropriate obligation of confidentiality.

6.4 Deletion or Return of Personal Data. Upon termination or expiration of the Agreement, Company shall (at your election) delete or return, if feasible, to you all Personal Data remaining in Company’s possession or control, save that this requirement shall not apply: (i) to the extent Company is required by applicable law to retain some or all of the Personal Data; (ii) if Company is Processing the Personal Data on behalf of a Customer acting as an independent Controller pursuant to an independent data protection agreement; or (iii) to Personal Data Company has archived on back-up systems, which will be deleted in accordance with Company’s standard data retention policies and procedures. In all such cases, Company shall maintain the Personal Data securely and limit Processing to the purposes that prevent deletion or return of the Personal Data.

6.5 Sub-processing. This Agreement constitutes your written authorization for Company to engage other Processors (“Sub-processors”) to Process Personal Data on your behalf, including the Sub-processors currently engaged by Company. Company shall: (i) take commercially reasonable measures to ensure that Sub-processors have the requisite capabilities to Process Personal Data in accordance with this Agreement; (ii) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Personal Data to the standard required by GDPR; (iii) remain responsible for its compliance with the obligations of this Agreement and for any acts or omissions of the Sub-processor that cause Company to breach any of its obligations under this Agreement; and (iv) notify you in the event that it intends to engage different or additional Sub-processors that will Process Personal Data pursuant to this Agreement, which may be done by email or through another mechanism made available by Company to you that enables you to receive such notifications. You must raise any objection to new Sub-processors within five (5) calendar days of the posted update and your objection shall only be effective if submitted to Company in writing, specifically describing your reasonable belief that Company’s proposed use of the Sub-processor(s) will materially, adversely affect your compliance with GDPR. In any such case, the parties will make reasonable efforts to reconcile the matter. In the event your concern cannot be resolved, Company may terminate this Agreement with no penalty.

6.6 International Transfers.

a. Company may Process Personal Data anywhere in the world where Company or its Sub-processors maintain data Processing operations. Company shall at all times provide an adequate level of protection for the Personal Data Processed, in accordance with the requirements of GDPR.

b. To the extent Company’s performance or your use of the Services requires the transfer of Personal Data from within the European Economic Area or Switzerland to Company in the United States or any other country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Data (an “EEA Restricted Transfer”), You and Company hereby enter into the standard contractual clauses annexed to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU Standard Contractual Clauses”) under Module 2 (Transfer Controller to Processor), which are incorporated by reference herein and will apply to the EEA Restricted Transfer(s), and are hereby completed as follows:

i. You are the “data exporter” and Company is the “data importer.”

ii. For the purpose of Section II, Clause 8.1, this Agreement constitutes the final and complete instructions to Company for the Processing of Personal Data. Any additional or alternate instructions must be mutually agreed upon separately in writing and signed by both parties.

iii. For the purpose of Section II, Clause 8.9, the parties agree that any audits or inspections will be conducted in accordance with Section 7 (“Assistance”) of this Agreement.

iv. For the purpose of Section II, Clause 9, the parties select Option 2 and agree that Company may engage Subprocessors in accordance with Section 5 (“Subprocessing”) of this Agreement.

v. For the purpose of Section IV, Clause 17, the parties select Option 2, and if the data exporter’s Member State does not allow for third-party beneficiary rights, then the law of Ireland shall apply.

vi. For the purpose of Section IV, Clause 18, the parties agree that disputes arising from the EU Standard Contractual Clauses shall be resolved by the courts of Ireland.

vii. Annex I is deemed to be completed with the details set out in Schedule 1 to this Agreement.

viii. Annex II (Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data) is deemed to be completed with the Technical and Organizational Security Measures set out in Schedule 2 to this Agreement.

ix. If and to the extent an EEA Restricted Transfer involves Personal Data originating from Switzerland and is subject to the Swiss Federal Act on Data Protection of 19 June 1992 (the “FADP”), the EU Standard Contractual Clauses are deemed to be supplemented with an additional annex that provides as follows:

1. for purposes of Clause 13 and Annex I.C, the competent Supervisory Authority is the Swiss Federal Data Protection and Information Commissioner;

2. the term “member state” as used in the EU Standard Contractual Clauses must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18.c;

3. references in the EU Standard Contractual Clauses to the GDPR should be understood as references to the FADP; and

x. in the event of any conflict between this Agreement and the EU Standard Contractual Clauses, the EU Standard Contractual Clauses will prevail with respect to any EEA Restricted Transfer.

c. To the extent Company’s performance or Your use of the Services requires the transfer of Personal Data from within the United Kingdom to the United States or any other country that has not been designated by the European Commission as providing an adequate level of protection for Personal Data (a “UK Restricted Transfer”), the terms of this Section 6.c will apply.

i. When the parties are lawfully permitted to rely on the standard contractual clauses published pursuant to the European Commission Decision of February 2010 (2010/87/EU) for the transfer of personal data to processors established in third countries under Directive 95/46/EC (the “UK Standard Contractual Clauses”) to conduct the UK Restricted Transfer, Company hereby enters into the UK Standard Contractual Clauses, which are incorporated by reference herein, with you. For the purpose of any such UK Restricted Transfer, the UK Standard Contractual Clauses will be completed as follows:

1. You will be considered the “Data Exporter” and Company will be considered the “Data Importer.”

2. References in the UK Standard Contractual Clauses to “the law of the Member State in which the data exporter is established” shall hereby be deemed to mean “the law of the United Kingdom”; and any other obligation in the UK Standard Contractual Clauses determined by the law of the Member State in which the data exporter is established shall hereby be deemed to refer to an obligation under UK data protection laws.

3. The details of Appendix 1 are set forth in Schedule 1 to this Agreement.

4. The details of Appendix 2 are set forth in Schedule 2 to this Agreement.

ii. When Section 6.6.c.i of this Agreement does not apply, but the parties are lawfully permitted to rely on the EU Standard Contractual Clauses to conduct UK Restricted Transfers, subject to the completion and execution of a “UK Addendum to the EU Commission Standard Contractual Clauses” issued by the UK Information Commissioner’s Office under S119A(1) Data Protection Act 2018 (“UK Addendum”), then Company hereby enters into the EU Standard Contractual Clauses and the UK Addendum, which are incorporated by reference herein, with You with respect to such UK Restricted Transfers. For the purpose of any such UK Restricted Transfer, the EU Standard Contractual Clauses will be completed as set forth in Section 6.6.b, subject to the amendments specified by the UK Addendum.

iii. When neither Section 6.6.c.i nor Section 6.6.c.ii of this Agreement applies, then Company shall cooperate with You to promptly implement appropriate safeguards for the UK Restricted Transfer as required or permitted by the UK GDPR.

6.7 Assistance.

Company shall provide commercially reasonable cooperation to assist you in response to: (1) any requests from government authorities with authority relating to the Processing of Personal Data under this Agreement; (2) an individual’s request to access, correct, amend, delete, or block Processing of Personal Data; and (3) your requests for information regarding Processing of Personal Data, such as information security reviews or data protection impact assessments. Company shall only be required to respond to commercially reasonable requests that are reasonably necessary for you to comply with GDPR, and only to the extent you do not have the ability to independently address these needs. Company shall not be compelled to respond if not legally permitted to do so. You shall be responsible for any and all costs arising from Company’s or its Sub-processors’ provision of assistance in accordance with this section. Company shall cooperate with on-site audits and inspections performed by you only to the extent necessary to determine Company’s compliance with GDPR, at your sole expense and subject to reasonable fees and costs charged by Company, at a date and time and for a duration agreed upon by Company, and provided the audit or inspection does not and will not damage, injure, or disrupt Company’s premises, equipment, personnel, or business. Notwithstanding the foregoing, Company will not be required to disclose any proprietary or privileged information and, except with respect to requests by data protection authorities and data subjects, you shall not exercise your rights under this section more than once per year, including with respect to any support required to perform a data protection impact assessment.

7. Disclaimer of Warranty


8. Limitation of Liability


9. Indemnification

You agree to defend, indemnify and hold harmless Company, its officers, directors, employees, contractors, customers, suppliers and licensors, from and against any and all costs, fees, loss, claim or liability (including without limitation all attorneys’ fees and expenses) which they may incur in connection with (a) your breach of this Agreement or any other rules or guidelines provided to you by Company, or (b) your use of the Services or processing of Personal Data. You agree that you are responsible for any communications, transactions or use of the Services that are made using your credentials, together with any fees, charges, liability or other obligation that may result from such use.

10. Legal Compliance; Authority; Binding Nature

You shall comply with all applicable laws, statutes, ordinances and regulations regarding your use of the Services or processing of Personal Data. You agree, represent and warrant that (i) you understand the terms and conditions of this Agreement and that it constitutes a valid, binding obligation, and (ii) you have full power, authority and legal capacity to enter into this Agreement. You may not assign your rights in this Agreement to any other party without the express written agreement of Company.

11. Choice of Law; Miscellaneous

This Agreement shall be governed by and construed in accordance with the laws of the State of North Carolina, without regard to the choice of law provisions thereof. Any controversy or claim arising out of or relating to this Release, or the negotiation or breach thereof, shall be settled by arbitration in accordance with N.C. Gen. Stat. § 1-569.1 et seq. (the “Revised Uniform Arbitration Act”) and the then-current Rules of Commercial Arbitration of the American Arbitration Association, and judgment upon the award rendered by the arbitrator may be entered in any court having jurisdiction thereof. The arbitration shall be held in Raleigh, North Carolina and shall be conducted in the English language, and shall be conducted before a single arbitrator mutually agreeable to the parties, or if no agreement can be reached, then selected by the American Arbitration Association. The arbitrator shall award reimbursement of attorneys’ fees and other costs of arbitration to the prevailing party, in such manner as the arbitrator shall deem appropriate. Any decision by an arbitrator may be affirmed and reduced to judgment in any court of competent jurisdiction. In addition, the losing party shall reimburse the prevailing party for the costs and expenses incurred by it, including attorneys’, arbitrators’ and courts’ fees and expenses, in connection with any action or proceeding hereunder.

This Agreement and the rights granted hereunder may not be assigned or transferred by you, in whole or in part without Company’s prior written consent. Any successor in interest or assign must agree to the terms and conditions of this Agreement. Without limiting the foregoing, you may not provide any other person access to the Services. If any provision of this Agreement is held invalid, such invalidity shall not affect any other provisions of this Agreement. Headings are inserted for reference only and shall not be construed as a part of this Agreement. No failure or delay on the part of Company to exercise any right under this Agreement will operate as a waiver thereof, nor will any single or partial exercise of any right preclude any other or further exercise thereof or of any other right. This Agreement represents the entire understanding and agreement between you and Company concerning your use of the Services, and supersedes any prior representations, understandings or agreements.

Schedule 1

List of Parties

The data exporter is You, acting as a Controller and using the Services provided by Company pursuant to the Agreement.

The data importer is Company, acting as a Processor and the provider of Services used by You pursuant to the Agreement.

Description of Transfer

Categories of Data Subjects

The Categories of Data Subjects may include the following:

  • Your Employees, contractors, and contact persons.
  • Your prospects and customers who are natural persons and who will receive communications and content on Your behalf through the use of the Services.

Types of Personal Data

The Personal Data may include the following categories of data:

  • Business contact details
  • Personal contact details
  • Social media identifiers
  • Professional information such as job function, title, and employee identification number; and user enrolment in the Services
  • Device information, such as device identifiers
  • Analytics information, such as cookie IDs and data concerning internet usage and engagement with communications

The Personal Data will not contain any sensitive or special categories of data.

Nature and Purposes of Processing

Company will Process Personal Data as necessary to perform the Services under the Agreement, including for the purposes of: (a) setting up, operating, monitoring, and providing the Services; (b) communicating with Users; and (d) executing other agreed-upon written instructions of Customer.

Period for which Personal Data Will be Retained

Personal Data will be retained for the duration of the Agreement and subject to Section 4 (Deletion or Return of Personal Data) of the Agreement.

Frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis)

Transfers will be made on a continuous basis.

For transfers to Subprocessors, the subject matter, nature, and duration of the processing

The subject matter, nature, and duration of processing undertaken by Subprocessors will be the same as set forth in the Agreement and this Schedule.

Competent Supervisory Authority

Under the EU Standard Contractual Clauses entered by the parties pursuant to the Agreement under Module 2 (Transfer Controller to Processor), the supervisory authority will be the competent supervisory authority that has supervision over Customer in accordance with Clause 13 of the EU Standard Contractual Clauses.

Schedule 2

Technical and Organizational Security Measures

Company has implemented an information security program designed to protect against unauthorized or unlawful Processing of Personal Data or its accidental loss, destruction, or damage, which currently includes the measures described below.

Physical Security Controls – policies, procedures, and physical and technical controls designed to limit physical access to information systems and facilities in which they are housed to properly authorized persons, including:

  • A badge-based access control system to control physical access and movement into and throughout Company’s facilities; and
  • Processes and procedures to promptly remove facility access rights from terminated personnel.

Access Controls – policies, procedures, and technical controls to ensure that all members of Company’s workforce who require access to Personal Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access, including:

  • Role-based access policies that restrict user access to systems and resources based on job responsibilities;
  • Processes to grant and revoke access rights based on business need, and to regularly review user access rights to ensure ongoing alignment with business needs;
  • Strong authentication procedures for production environments that require a username, password, and multifactor authentication; and
  • The use of firewall and intrusion detection systems to log access events for review by authorized Company personnel.

Security Awareness and Training – a security awareness and training program for members of Company’s workforce (including management), which includes training on how to implement and comply with Company’s security program, and which all workforce members are required to undergo upon initial hire and annually thereafter.

Security Incident Procedures – policies and procedures to detect, respond to, and otherwise address security incidents, including:

  • deployment of an intrusion detection system to log access events and to monitor and restrict inbound internet traffic;
  • documented procedures to identify, escalate, and respond to suspected or known security incidents, and to mitigate their harmful effects; and
  • documented procedures to analyze the root cause of security incidents and to implement changes to existing controls, where appropriate, to better respond to future threats.

Contingency Planning – policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Personal Data or systems that contain Personal Data, including:

  • documented business continuity and disaster recovery plans that include procedures to restore data and the functionality of affected systems, including procedures to rebuild systems, update software, install patches, and change configurations, as needed;
  • documented policies and procedures for the backup and recovery of data maintained in cloud-based environments, including periodic backups of production services, files, and databases, and the storage of backups in a separate data center; and
  • periodic testing of Company’s business continuity and disaster recovery plans.

Device and Media Controls – policies and procedures that govern the receipt and removal of hardware and electronic media that contain Personal Data into and out of a Company facility, and the movement of these items within a Company facility, including policies and procedures to address the final disposition of Personal Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Personal Data from electronic media before the media are made available for re-use.

Audit Controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including:

  • logging of system access activity, including user authentication, failed user login attempts, and access control list changes; and
  • regular reviews of the logs for unusual or suspicious activity.

Data Integrity – policies and procedures to ensure the confidentiality, integrity, and availability of Personal Data and protect it from disclosure, improper alteration, or destruction.

Transmission Security – technical security measures to guard against unauthorized access to Personal Data that is being transmitted over an electronic communications network, including:

  • the use of encrypted VPNs to help ensure the security and integrity of the data passing over public networks;
  • protection of web-based traffic through industry-standard encryption protocols; and
  • deployment of antivirus software on servers, laptops, and desktops to detect and prevent the transmission of data or files that contain virus signatures recognized by the antivirus software.

Storage Security – technical security measures to guard against unauthorized access to Personal Data in storage, including:

  • encryption of data at rest in hosted environments;
  • use of a key management system to securely manage the lifecycle of encryption keys; and
  • use of full-device hard drive encryption to protect the confidentiality and integrity of information maintained on approved mobile devices.

Assigned Security Responsibility – designation of a security official responsible for the development, implementation, and maintenance of Company’s security program.

Testing – regular testing and monitoring of the effectiveness of Company’s security program, including through AICPA SOC 2 Type II audits of Company’s solution performed by an external third-party auditor, and through periodic vulnerability scans and risk assessments designed to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of the Personal Data, and to ensure that these risks are addressed.

Adjustments to the Program – monitoring, evaluation, and adjustment, as appropriate, of Company’s security program in light of any relevant changes in technology or industry security standards, the sensitivity of the Personal Data, internal or external threats to Company or the Personal Data, and Company’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.