Data Processing Addendum
Last updated: December 15, 2021
THIS DATA PROCESSING ADDENDUM (“DPA”) forms part of and is incorporated into the Routable Terms of Service or other written or electronic agreement governing Customer’s use of the Service (“Main Agreement”) between Customer and Routable (each a “party” and together the “parties”).
In the course of providing the Service to Customer, Routable may process Customer Data (defined below) and the parties agree to comply with the following provisions with respect to any processing of Customer Data by Routable as a processor or service provider to Customer.
1. Definitions.
Capitalized terms used in this DPA shall have the meanings given to them in the Main Agreement unless otherwise defined herein. The following definitions are used in this DPA:
1.1. “Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.
1.2. “Authorized Affiliate” means any Customer Affiliate permitted to use the Service pursuant to the Main Agreement that has not signed its own “Main Agreement” and is not a “Customer” as defined under the Main Agreement.
1.3. “CCPA” means Sections 1798.100 et seq. of the California Civil Code and any attendant regulations issued thereunder as may be amended from time to time.
1.4. “Customer Data” means any Customer Content that is Personal Data and that Routable processes on behalf of Customer in the course of providing the Service, as more particularly described in Schedule A of this DPA.
1.5. “Control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests (as measured on a fully-diluted basis) then outstanding of the entity in question. The term “Controlled” will be construed accordingly.
1.6. “Data Protection Laws” means all data protection and privacy laws and regulations applicable to a party and its processing of Personal Data under the Main Agreement, including, where applicable: (a) the GDPR, (b) all applicable implementations of the GDPR into national law, (c) in respect of the United Kingdom, the Data Protection Act 2019 and the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”), (d) the Swiss Federal Data Protection Act (“Swiss DPA”), and (e) the CCPA; in each case, as may be amended, superseded or replaced.
1.7. “Europe” means for the purposes of this DPA the European Economic Area (“EEA”), United Kingdom and Switzerland.
1.8. “GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation).
1.9. “Personal Data” means any information protected as “personal data”, “personal information” or “personally identifiable information” under Data Protection Laws.
1.10. “Restricted Transfer” means: (i) where the GDPR applies, a transfer of Customer Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Customer Data from the United Kingdom to any other country which is not subject based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of Customer Data from Switzerland to any other country which is not determined to provide adequate protection for personal data by the Federal Data Protection and Information Commission or Federal Council (as applicable).
1.11. “Standard Contractual Clauses” means (i) the standard contractual clauses between controllers and processors adopted by the European Commission in its Implementing Decision 2010/87/EU of 5 February 2010, currently located at: L_2010039EN.01000501.xml (europa.eu) (the “2010 Controller-to-Processor Clauses”); (ii) the standard contractual clauses between controllers and processors (Module 2) adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021 and currently located at: https://ec.europa.eu/info/system/files/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf (the “2021 Controller-to-Processor Clauses”); and (iii) where the UK GDPR applies, the applicable standard data protection clauses for processors adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (“UK SCCs”).
1.12. “Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data, stored or otherwise processed by Routable in connection with the provision of the Service. “Security Incident” shall not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
1.13. “Subprocessor” means any Processor having access to Customer Data and engaged by Routable to assist in fulfilling its obligations with respect to providing the Service pursuant to the Main Agreement (excluding any employee, consultant or independent contractor of Routable).
1.14. The terms “controller”, “data subject”, “processor”, “processing”, “personal data” and “sensitive data” shall have the meanings given to them in Data Protection Laws or, if not defined therein, the GDPR, and the terms “service provider” and “business” have the meanings set forth in the CCPA.
2. Roles and Scope of Processing.
2.1. Data Processing Roles. Routable shall process Customer Data for the Permitted Purpose as a processor on behalf of Customer as the controller. For the purposes of the CCPA (where applicable), Routable shall process Customer Data as a service provider for the Customer as a business.
2.2. Compliance with Laws. Each party shall comply with its obligations under Data Protection Laws in respect of any Customer Data it processes under this DPA. For the avoidance of doubt, Routable is not responsible for complying with Data Protection Laws uniquely applicable to Customer by virtue of its business or industry, such as those generally applicable to online service providers.
2.3. Processing Instructions. Routable shall process Customer Data in accordance with Customer’s documented lawful instructions, unless obligated to do otherwise by applicable law, in which case Routable will notify Customer (unless that law prohibits Routable from doing so on important grounds of public interest). For these purposes, Customer instructs Routable to process Customer Data for the purposes described in Schedule A (the “Permitted Purpose”). The DPA and Main Agreement are Customer’s complete and final instructions. Any additional or alternate instructions must be consistent with the terms of the DPA and the Agreement.
2.4. Customer Responsibilities. Customer shall, in its use of the Service and provision of instructions, process Customer Data in accordance with Data Protection Laws. Customer is solely responsible for: (i) the accuracy, quality, and legality of the Customer Data, (ii) the means by which Customer acquired such Customer Data; and (iii) the instructions it provides to Routable regarding the processing of such Customer Data. Customer shall ensure (i) that it has provided notice and obtained (or will obtain) all consents and rights necessary for Routable to process Customer Data pursuant to the Main Agreement and this DPA, (ii) its instructions are lawful and that the processing of Customer Data in accordance with such instructions will not violate applicable Data Protection Laws, and (iii) where the CCPA applies, that the Customer Data is provided to Routable in order to perform the Service for a valid “business purpose” (as defined in CCPA) only.
3. Subprocessing.
3.1 Authorized Subprocessors. Customer provides a general prior authorization for Routable to engage Subprocessors in order to provide the Service. The Subprocessors currently engaged by Routable are listed at https://www.routable.com/sub-processors (or such other URL as may be updated from time to time) (“Subprocessor Site”). Routable will remain responsible for any acts or omissions of any Subprocessor that cause Routable to breach any of its obligations under this DPA.
3.2 Notification of New Subprocessors. Routable will make available the Subprocessor Site and provide Customer with a mechanism to obtain notice of any updates to the Subprocessor Site including by direct email to Customer. At least ten (10) days prior to authorizing any new Subprocessor to process Customer Data, Routable will provide notice to Customer by updating the Subprocessor Site.
4. Security Measures and Security Incident Response.
4.1 Security Measures. Routable will implement and maintain appropriate and reasonable technical and organizational security measures designed to protect Customer Data from Security Incidents and to preserve the security and confidentiality of the Customer Data in accordance with the security measures described in Schedule B (“Security Measures”). Customer acknowledges that the Security Measures are subject to technical progress and development and that Routable may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Customer.
4.2 Personnel. Routable restricts its personnel from processing Customer Data without authorization by Routable as set forth in the Security Measures and shall ensure that any person who is authorized by Routable to process Customer Data is under an appropriate obligation of confidentiality.
4.3 Customer Responsibilities. Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Customer Data transmitted via the systems it administers and maintains (i.e. email encryption), and taking any appropriate steps to securely encrypt or back up any Customer Data uploaded to the Service.
4.4 Security Incident Response. Upon becoming aware of a Security Incident, Routable will notify Customer without undue delay and, in any case within seventy-two (72) hours after becoming aware. Routable will provide information relating to the Security Incident to Customer promptly as it becomes known or as is reasonably requested by Customer to fulfil Customer’s obligations as controller. Routable will also take appropriate and reasonable steps to contain, investigate, and mitigate any Security Incident.
5. Audit and Records.
5.1 Audit Rights. Routable shall make available to Customer all information in Routable’s possession or control and provide all assistance in connection with audits of Routable’s premises, systems, and documentation as Customer may reasonably request to enable Customer to assess Routable’s compliance with this DPA. Customer acknowledges and agrees that it shall exercise its audit rights under this DPA (including this Section 5 and where applicable, the Standard Contractual Clauses) by instructing Routable to comply with the audit measures described in the Security Measures and Section 5.2 below.
5.2 Audit Procedures. Where required under Data Protection Laws or where a data protection authority requires, Customer may, on giving at least thirty (30) days’ prior written notice, request that Customer’s personnel or a third party (at Customer’s expense) conduct an audit of Routable’s facilities, equipment, documents and electronic data relating to the processing of Customer Data under the Main Agreement to the extent necessary to inspect and/or audit Routable’s compliance with this DPA, provided that: (i) Customer shall not exercise this right more than once per calendar year; (ii) such additional audit enquiries shall not unreasonably impact in an adverse manner Routable’s regular operations and do not prove to be incompatible with applicable Data Protection Laws or with the instructions of the relevant data protection authority; (iii) before the commencement of such additional audit, the parties shall mutually agree upon the scope, timing, and duration of the audit; and (iv) at all times during the scope of the audit, Customer and any appointed third party will comply with Routable’s policies, procedures, and reasonable instructions governing access to its systems and facilities, including limiting or prohibiting access to information that is confidential information. Without prejudice to the foregoing, Routable will provide all assistance reasonably requested by Customer to accommodate Customer’s request.
6. Data Transfers.
Customer acknowledges and agrees that Routable may transfer and process Customer Data to and in the United States and other locations in which Routable, its Affiliates, or its Subprocessors maintain data processing operations as more particularly described in the Subprocessor Site (defined above). Routable shall ensure that such transfers are made in compliance with Data Protection Laws and this DPA.
7. Return or Deletion of Data.
Promptly upon Customer’s request, or within one hundred eighty (180) days after the termination or expiration of the Main Agreement, Routable shall delete or return Customer Data in its possession or control. This requirement shall not apply to the extent Routable is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data Routable shall securely isolate and protect from any further processing, except to the extent required by such laws.
8. Cooperation.
8.1 Data Subject Rights Requests. Routable shall, taking into account the nature of the processing, reasonably assist Customer in responding to any requests from individuals or applicable data protection authorities relating to the processing of Customer Data for the Permitted Purpose. In the event that any such request is made to Routable directly, Routable will not respond to such communication directly (except to direct the data subject to contact Customer) without Customer’s prior authorization, unless legally compelled to do so. If Routable is required to respond to such a request, Routable will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.
8.2 Data Protection Impact Assessments (DPIAs). To the extent required under Data Protection Laws applicable to Europe, Routable will provide requested information regarding the Service necessary to enable Customer to carry out data protection impact assessments and prior consultations with data protection authorities.
9. Europe.
9.1 Scope. The terms in this Section 9 apply only if and to the extent Customer is established in Europe or the Customer Data is otherwise subject to Data Protection Laws applicable to Europe.
9.2 Processing Instructions. Without prejudice to Section 2.4 (Customer Responsibilities), Routable shall promptly notify Customer in writing, unless prohibited from doing so under Data Protection Laws, if it becomes aware or believes that any processing instructions from Customer violate Data Protection Laws.
9.3 Subprocessor Obligations. Routable will enter into a written agreement with each Subprocessor imposing data protection obligations no less protective of Customer Data than this DPA or the Data Protection Laws, to the extent applicable to the nature of the services provided by such Subprocessor.
9.4 Subprocessor Objection Right. If Routable objects on reasonable grounds relating to data protection to Customer’s use of a new Subprocessor, then Customer shall promptly, and within ten (10) days following Customer’s notification pursuant to Section 3.2 (Notification of New Subprocessors) above, provide written notice of such objection to Routable. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution. If the parties cannot agree to a mutually acceptable resolution, Routable shall as its sole and exclusive remedy have the right to terminate the relevant affected portion(s) of the Service without liability to either party (but without prejudice to any fees incurred by Routable prior to suspension or termination). Upon termination by Routable pursuant to this Section, Customer shall refund Routable any prepaid fees for the terminated portion(s) of the Service that were provided after the effective date of the termination.
9.5 Transfer Mechanism. To the extent the transfer of Customer Data from Customer to Routable is a Restricted Transfer and Data Protection Laws applicable to Europe require that appropriate safeguards are put in place, such transfer shall be governed by the Standard Contractual Clauses, which shall be incorporated by reference into and form an integral part of this DPA, as follows:
(a) where the effective date of the Main Agreement is on or before 27 September 2021 and subject to (b) below, the 2010 Controller-to-Processor Clauses will apply until 27 December 2022 and thereafter, the 2021 Controller-to-Processor Clauses shall automatically apply;
(b) where the effective date of the Main Agreement is after 27 September 2021 or the Main Agreement is otherwise renewed prior to 27 December 2022, the 2021 Controller-to-Processor Clauses shall apply immediately;
(c) where the 2010 Controller-to-Processor Clauses apply, Appendix 1 and Appendix 2 shall be populated with the information in Schedule A (Description of Processing/ Transfer) and Schedule B (Security Measures) accordingly;
(d) where the 2021 Controller-to-Processor Clauses apply:
A. (i) in Clause 7, the optional docking clause will apply; (ii) in Clause 9 of Module Two, Option 2 will apply and the time period for prior notice of Sub-processor changes is identified in Section 3.2 of this DPA; (iii) in Clause 11, the optional language will not apply; (iv) in Clause 17, Option 1 will apply, and the 2021 Controller-to-Processor Clauses will be governed by Irish law; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) Annex I shall be deemed completed with the information set out in Schedule A (Description of Processing/Transfer) of this DPA; (vii) Annex II shall be deemed completed with the information set out in Schedule B (Security Measures) (as applicable) of this DPA; and (viii) Annex III shall be deemed completed with the information set out in Schedule C to this DPA.
B. In relation to Customer Data that is protected by the UK GDPR or Swiss DPA, the 2021 Controller-to-Processor Clauses as implemented under sub-paragraph (A) above will apply with the following modifications: (i) references to “Directive 95/46/EC” or “Regulation (EU) 2016/679” are interpreted as references to the UK GDPR or the Swiss DPA (as applicable); (ii) references to specific Articles of “Regulation (EU) 2016/679” are replaced with the equivalent article or section of the UK GDPR or Swiss DPA (as applicable); (iii) references to “EU”, “Union” and “Member State” are replaced with “UK” and “Switzerland” (as applicable); (iv) Clause 13(a) and Part C of Annex II are not used and references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the “Information Commissioner” and the “courts of England and Wales” or the “Swiss Federal Data Protection and Information Commissioner” and the “relevant courts of Switzerland” (as applicable); (v) in Clause 17, the 2021 Controller-to-Processor Clauses are governed by the laws of England and Wales or Switzerland (as applicable); and (vi) in Clause 18(b), disputes will be resolved before the courts of England and Wales or Switzerland (as applicable).
C. To the extent that and for so long as the 2021 Controller-to-Processor Clauses as implemented in accordance with sub-paragraph (B) above cannot be used to lawfully transfer Customer Data in accordance with the UK GDPR to Routable, the UK SCCs shall be incorporated into and form an integral part of this DPA and shall apply to transfers governed by the UK GDPR. For the purposes of the UK SCCs, the relevant annexes, appendices or tables of the UK SCCs shall be deemed populated with the information set out in Schedule A (Description of Processing/Transfer) and Schedule B (Security Measures) (as applicable) of this DPA.
(e) The rights and obligations afforded by Standard Contractual Clauses will be exercised in accordance with this DPA, unless stated otherwise. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA) the Standard Contractual Clauses shall prevail to the extent of such conflict.
9.6 Data Transfer Arrangements. To the extent Routable adopts an alternative data export mechanism (including any new version of or successor to the Standard Contractual Clauses adopted pursuant to Data Protection Laws) for the transfer of Personal Data (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Data Protection Laws applicable to Europe and extends to territories to which Personal Data is transferred).
9.7 Notification of Government Access Requests. For the purposes of Clause 15(1)(a) of the 2021 Controller-to-Processor Clauses, Routable shall notify Customer and not the data subject(s) in case of government access requests. Customer shall be solely responsible for promptly notifying the data subject, as necessary.
10. Authorized Affiliates.
10.1 Affiliate Communications. Customer is responsible for coordinating all communications with Routable on behalf of its Authorized Affiliates with regard to this DPA. Customer represents that it is authorized to issue instructions as well as make and receive any communications in relation to this DPA on behalf of its Authorized Affiliates.
10.2 Affiliate Enforcement. Authorized Affiliates may enforce the terms of this DPA directly against Routable, subject to the following provisions:
(a) Customer will bring any legal action, suit, claim, or proceeding which the Affiliate would otherwise have if it were a party to the Main Agreement (each an “Affiliate Claim”) directly against Routable on behalf of such Affiliate, except where Data Protection Laws to which the relevant Affiliate is subject require that the Affiliate bring or be a party to such Affiliate Claim; and
(b) for the purpose of any Affiliate Claim brought directly against Routable by Customer on behalf of such Affiliate in accordance with this Section, any losses suffered by the relevant Affiliate may be deemed to be losses suffered by Customer.
11. Limitation of Liability.
11.1 In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.
11.2 Any claim or remedies Customer or its Affiliates may have against Routable and its respective employees, agents, or Subprocessors arising under or in connection with this DPA, including: (i) for breach of this DPA (including the Standard Contractual Clauses); (ii) as a result of fines (administrative, regulatory or otherwise) imposed upon Customer; (iii) under the GDPR, UK GDPR or Swiss DPA, including any claims relating to damages paid to a data subject; and (iv) for breach of its obligations under the Standard Contractual Clauses, will, to the maximum extent permitted by law, be subject to any limitation and exclusion of liability provisions (including any agreed aggregate financial cap) that apply under the Main Agreement.
11.3 For the avoidance of doubt, Routable and its Affiliates’ total overall liability for all claims from Customer and its Affiliates arising out of or related to the Main Agreement and this DPA shall apply in the aggregate for all claims under the Main Agreement and this DPA together, including by Customer and its Affiliates.
12. Miscellaneous.
12.1 For the purposes of the CCPA, Routable is prohibited from:
(a) selling Customer Data;
(b) retaining, using, or disclosing Customer Data for any purposes other than the specific purposes of performing the Service or as otherwise permitted under Main Agreement and this DPA; or
(c) retaining, using, or disclosing Customer Data outside the direct business relationship between Routable and Customer.
12.2 Routable hereby certifies that it understands the restrictions set out in Section 12.1 and will comply with them.
12.3 Notwithstanding the foregoing and anything to the contrary in the Main Agreement (including this DPA), Customer acknowledges that Routable shall have a right to process Customer Data for the purposes of creating anonymized, aggregate and/or de-identified information for its own legitimate business purposes, including where Customer has requested a Routable Service that includes the provision of benchmarking reports, compiling anonymized benchmarking reports and statistics.
13. General.
13.1 The parties agree that this DPA shall replace any existing DPA the parties have previously entered into in connection with the Service.
13.2 As between Customer and Routable, this DPA is incorporated into and subject to the terms of the Main Agreement and shall be effective and remain in force for the term of the Main Agreement or the duration of the Service. In the event of any conflict between the terms of this DPA and the terms of the Main Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Customer Data.
13.3 Except as described in Section 10 (Authorized Affiliates), in no event shall this DPA benefit or create any right or cause of action on behalf of a third party, but without prejudice to the rights or remedies available to data subjects under Data Protection Laws or this DPA (including the Standard Contractual Clauses).
13.4 Each party acknowledges that the other party may disclose the Standard Contractual Clauses, this DPA, and any privacy related provisions in the Main Agreement to any regulator or supervisory authority upon request.
13.5 Notwithstanding anything to the contrary in the Main Agreement and without prejudice to Section 2.3, Routable may periodically make modifications to this DPA as may be required to comply with Data Protection Laws.
13.6 Other than as required by applicable Data Protection Laws or the Standard Contractual Clauses, the dispute mechanisms, including those related to venue and jurisdiction, set forth in the Main Agreement govern any dispute pertaining to this DPA.
SCHEDULE A
Description of Processing/Transfer
Annex 1(A): List of Parties
Data Exporter
Name: The party named as the “Customer” in the Main Agreement.
Address: The address for the Customer associated with its Routable account or as otherwise specified in the Order Form or Main Agreement.
Contact Person’s Name, position and contact details: The contact details associated with the Customer’s Routable account or as otherwise specified in the Order Form or Main Agreement.
Activities relevant to the transfer: See Annex 1(B) below.
Signature and Date: By using the Service to transfer Customer Data to Routable located in a non-adequate country, the data exporter will be deemed to have signed this Annex 1.
Role: Controller
Data Importer
Name: Routable, Inc.
Address: 600 California St. Floor 11, San Francisco, CA 94108.
Contact Person’s Name, position and contact details: Omri Mor, Co-Founder and CEO, privacy@routable.com.
Activities relevant to the transfer: See Annex 1(B) below.
Signature and Date: By transferring Customer Data to a non-adequate country on Customer’s instructions, the data importer will be deemed to have signed this Annex 1.
Role: Processor
Annex 1(B): Description of Transfer
Categories of Data Subjects:
Depending on the nature of the Service, Personal Data transferred may concern the following categories of data subjects:
- Customers
- Payment Recipients (“Clients”)
Categories of Personal Data:
Customers:
The types of Personal Data processed by Routable are determined and controlled by Customer in its sole discretion and may include, but are not limited to the following categories of Personal Data:
- Account registration information including name, postal address, email address, date of birth, telephone number, social security number, and account information;
- Communications with Routable.
- Business information (such as a User’s (account representative) name, job title, the person they report to, phone number, email address, and country);
- User Content uploaded to the Service.
Clients:
Depending on the nature of the Services, the Personal Data may include:
- Account registration information including name, postal address, email address, date of birth, telephone number, social security number, and account information;
- Where no account is registered, financial account information.
- Communications with Routable.
- User Content uploaded to the Service.
Special category data (if appropriate):
The Routable service does not involve the collection or processing of Special Category Data.
Frequency of the transfer (one-off or continuous):
Continuous basis depending on the nature of the Service.
Nature of processing:
The nature of the processing is the performance of the Service in accordance with the Main Agreement.
Purpose(s) of the data transfer and further processing:
The transfer is made for the following purposes: (i) to provide and improve the Service provided to Customer in accordance with the Main Agreement; (ii) processing initiated by Users in their use of the Service, including by Clients; (iii) to comply with other reasonable instructions provided by Customer (e.g. via email or support tickets) that are consistent with the terms of the Main Agreement and this DPA; and (iv) to comply with any legal obligation under applicable law, including Data Protection Laws.
Customer Data may also be aggregated with other customers’ Customer Data for the purposes of analyzing overall trends to compile anonymized reports and statistics in accordance with the Main Agreement.
Retention period (or, if not possible to determine, the criteria used to determine that period):
The duration of the processing is the term of the Main Agreement or any applicable Order Form plus the period from expiration of the Main Agreement or Order Form (as applicable) until the return or deletion of the personal data by Routable in accordance with this DPA.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
As above.
Annex 1(C): Competent Supervisory Authority
The competent supervisory authority shall be determined in accordance with Clause 13 of the 2021 Controller-to-Processor Clauses and the GDPR.
SCHEDULE B
Technical and Organisational Security Measures
Technical and organizational security measures to be implemented by Routable (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:
Measures of pseudonymisation and encryption of personal data:
- Data at rest encrypted using AES-256 algorithm.
- Employee laptops are encrypted using full disk encryption.
- HTTPS encryption on every web login interface, using industry standard algorithms and certificates.
- Secure transmission of credentials using TLS 1.3 by default, or TLS 1.2 where configured.
- Access to operational environments requires use of secure protocols such as HTTPS.
- Data that resides in Amazon Web Services (AWS) is encrypted at rest as stated in AWS’ documentation and whitepapers. In particular, AWS instances and volumes are encrypted using AES-256. Encryption keys in AWS Key Management Service (KMS) are IAM role protected, and protected by AWS-provided HSMs certified under FIPS 140-2.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services:
- Routable is and shall continue to be annually audited against the SOC 2 Type II standard. The audit shall be completed by an independent third party. Upon Customer’s written request, Routable will provide a summary copy (on a confidential basis) of the most recent resulting annual audit report, so that Customer can verify Routable’s compliance with the audit standards against which it has been assessed and with this DPA. Although that report provides an independently audited confirmation of Routable’s security posture annually, the most common points of interest are further detailed below. Routable shall provide Customer with this initial evidence of compliance within thirty (30) days of written request and annually upon written request.
- Routable shall continue to annually engage an independent third party to perform a web application penetration test. Upon Customer’s written request, Routable shall provide the executive summary of the report to Customer. Routable shall address all medium- and critical-severity vulnerabilities in the findings of the report within a reasonable, risk-based timeframe. Routable shall provide Customer with this initial evidence of compliance within thirty (30) days of written request.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident:
- Routable internal systems are restricted to authorized personnel only.
- Strong access controls based on the use of the ‘Principle of Least Privilege’.
- Differentiated rights system based on security groups and access control lists.
- Unique accounts and role-based access within operational and corporate environments.
- Access to systems restricted by security groups and access-control lists.
- Authorization requests are tracked, logged and audited on a regular basis.
- Removal of access for employees upon termination or change of employment.
- Enforcement of Multi-factor Authentication (MFA) for access to critical and production resources.
- Password complexity requirements.
- Passwords are never stored in clear-text and are encrypted in transit and at rest.
- Account provisioning and de-provisioning processes.
- Automatic account locking.
- Segregation of responsibilities and duties to reduce opportunities for unauthorized or unintentional modification or misuse.
- Confidentiality requirements imposed on employees.
- Mandatory security training for employees, which covers data privacy and governance, data protection, confidentiality, social engineering, password policies, and overall security responsibilities inside and outside of Routable.
- Third-party management.
- Separation of networks based on trust levels.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing:
- User activity, including logins, configuration changes, deletions and updates, is written automatically to audit logs in operational systems.
- Certain activity records on Routable, such as timestamps, IPs, login/logout events, and errors, are not available directly to customers. These logs are available only to authorized employees, stored off-system, and available for security investigations.
- All logs can be accessed only by authorized Routable employees and access controls are in place to prevent unauthorized access.
- Write access to logging data is strictly prohibited. Logging facilities and log information are protected against tampering and unauthorized access through use of access controls and security measures.
- Network segmentation and interconnections protected by firewalls.
- Annual penetration testing for all components of the Routable SaaS, including web and mobile applications.
- Routable has in place a public Responsible Disclosure Program.
Measures for user identification and authorization:
- Access to operational and production environments is protected by use of unique user accounts, strong passwords, use of Multi-Factor Authentication (MFA), role-based access, and least privilege scoped accounts.
- Authorization requests and provisioning are logged, tracked and periodically reviewed.
- Customer-generated OAuth tokens are stored in an encrypted state.
- Keys required for decryption of those secrets are stored in a secure, managed repository (such as AWS KMS) that employs industry-leading hardware security modules that meet or exceed applicable regulatory and compliance obligations.
- Access keys used by production Routable applications (e.g. AWS Access Keys) are accessible only to authorized personnel. They are rotated (changed) as required (e.g., pursuant to a security advisory or personnel departure) and at least yearly.
- User activity in operational environments, including access, modification or deletion of data, is logged.
Measures for the protection of data during transmission:
- Remote access to the restricted environments is encrypted:
Measures for the protection of data during storage:
- Routable customer instances are logically separated and attempts to access data outside allowed domain boundaries are prevented and logged. Measures are in place to ensure executable uploads, code, or unauthorized actors are not permitted to access unauthorized data – including one customer accessing files of another customer.
- IT endpoint security protection.
- System inputs recorded via log files.
- Access Control Lists (ACL).
- Access to the internal admin tool requires Multi-factor Authentication (MFA).
Measures for ensuring physical security of locations at which personal data are processed:
- Routable is a remote company without physical premises. Physical security of Customer Data is the responsibility of Routable’s sub-processors that host Customer Data (e.g., Routable’s cloud infrastructure provider).
Measures for ensuring events logging:
- Remote logging in AWS (Routable’s cloud infrastructure provider).
Measures for ensuring system configuration, including default configuration:
- Routable has an up-to-date Change Management Policy.
- Routable monitors changes to in-scope systems to ensure that changes follow the process and to mitigate the risk of undetected changes to production. Changes are tracked in our version control platform.
- Mobile device management on employee devices.
Measures for internal IT and IT security governance and management:
- Routable has in place a written information security policy, including supporting documentation.
- The authority and responsibility for managing Routable’s information security program has been delegated to Routable’s security and compliance program manager, who is authorized by senior management to take actions necessary to establish, implement, and manage Routable’s information security program.
Measures for certification/assurance of processes and products:
- Routable has been audited by a third party and has achieved SOC 2 Type 2 compliance, attesting to our commitment to controls that safeguard the confidentiality and privacy of information stored and processed in our service.
Measures for ensuring data minimization:
- Privacy assessments are performed related to implementation of new products/services and processing of personal data by third parties.
- Data collection is limited to the purposes of processing (or the data that the customer chooses to provide).
- Security measures are in place to provide only the minimum amount of access necessary to perform required functions.
- Data retention time limits are designed in accordance with domestic and international compliance requirements.
- Access to personal data is restricted to the parties involved in the processing, on a “need to know” basis and according to the function for which differentiated access profiles are created.
Measures for ensuring data quality:
- Routable has a process that allows individuals to exercise their privacy rights (including a right to amend and update information), as described in Routable’s Privacy Policy.
- Applications are designed to reduce/prevent duplication. Many application-level checks are in place to ensure data integrity, and these are verified annually during our SOC 1 Type 1 Audit.
- A QA team helps ensure these items are working as designed and implemented before they reach our production environment.
Measures for ensuring limited data retention:
- After termination of all subscriptions associated with an environment, customer data submitted to the Services is retained in inactive status within the Services for at least 90 days.
- All deleted customer data follows a similar retention schedule: a recoverable delete between 0-90 days and a permanent delete within 91-180 days.
Measures for ensuring accountability:
- Customer Privacy Assessments are required when introducing any new product/service that involves processing of personal data.
- Data protection impact assessments are part of any new processing initiative.
Measures for allowing data portability and ensuring erasure:
- Routable has a process that allows individuals to exercise their privacy rights (e.g. right of erasure or right to data portability), as described in Routable’s Privacy Policy.
SCHEDULE C
Subprocessors
AWS
Infrastructure Provider
Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109-5210, ATTN: AWS Legal
https://aws.amazon.com/privacy/?nc1=f_pr
Dwolla
Domestic Payments provider
666 Walnut St Suite 1830 Des Moines, IA 50309 United States
https://www.dwolla.com/legal/privacy/
Currencycloud
International Payments provider
12 Steward Street, London, England
https://www.currencycloud.com/legal/privacy/
Looker
Routable’s internal business intelligence software
2300 Harrison St, San Francisco, CA 94110
https://looker.com/trust-center/privacy/policy/
Google-based cloud productivity and collaboration tools used by Routable
1600 Amphitheatre Parkway Mountain View, CA 94043
https://policies.google.com/privacy?hl=en
Customer.io
Customer.io is an automated messaging platform used by Routable sales and support
921 South West Washington Street, Suite 820, Portland, OR 97205
https://customer.io/legal/privacy-policy/
Intercom
Customer support chat software used to serve and assist Routable clients
2nd Floor, Stephen Court, 18-21 Saint Stephen’s Green, Dublin 2
https://www.intercom.com/legal/privacy
Fivetran
Fivetran manages data delivery from source to destination, ensuring that Routable’s business analytical data is always accurate, up to date, and reliable.
405 14th St Floor 11 Oakland, CA 94612
https://fivetran.com/legal/privacy
dbt
dbt is a development framework that combines modular SQL with software engineering best practices to make data transformation reliable, fast, and fun.
915 Spring Garden St, Ste 500, Philadelphia, Pennsylvania 19123, US
https://www.getdbt.com/cloud/privacy-policy/
Freshdesk
Routable’s external support communication and management tool
2950 S Delaware St Suite 201, San Mateo, CA 94403