
DATA PROCESSING AGREEMENT - JANUARY 2024

Last updated: January 17, 2024

This Data Processing Agreement (this “DPA”) is made as of the date of the last signature hereto (the “Effective Date”) by and between Company and its affiliates as applicable (“Company”) and Rarestep, Inc. d/b/a Fleetio (“Vendor”). Company and Vendor are referred to individually as a “Party” and collectively as the “Parties.”

Whereas the Parties entered into one or more agreements in which Vendor agreed to perform Services (as defined below) on behalf of Company (the “Agreements”), and the Parties wish to amend the Agreements to address requirements imposed by applicable Privacy Laws, the Parties agree as follows:

1. Definitions

1.1 “Covered Personal Information” means any personal information or personal data provided by Company to Vendor, collected by Vendor on behalf of Company, processed by Vendor on behalf of Company, or otherwise made available to Vendor pursuant to the Agreements.

1.2 “Portable Format” means, to the extent technically feasible, a structured, commonly used, machine-readable, readily usable format that allows the consumer to transmit the Covered Personal Information to another entity or controller without hindrance, as further specified in the Privacy Laws.

1.3 “Privacy Laws” means applicable statutes, regulations or other laws pertaining to privacy or data protection, processing of Personal Information, and/or information security, including, but not limited to, the EU General Data Protection Regulation 2016/679 (“GDPR”); United Kingdom General Data Protection Regulation applicable by virtue of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“UK GDPR”); Brazil Law No. 13,709/2018 (General Law for the Protection of Personal Data or “LGPD”); Personal Information Protection and Electronic Documents Act (“PIPEDA”); California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq. (“CCPA”), as amended including by the California Privacy Rights Act (“CPRA”); the Virginia Consumer Data Protection Act, Code of Virginia title 59.1, Chapter 52 (“VCDPA”); the Colorado Privacy Act, Colorado Rev. Stat. 6-1-1301 et seq. (“CPA”); the Utah Consumer Privacy Act, Utah Code 13-61-101 et seq. (“UCPA”); the Connecticut Act Concerning Personal Data Protection and Online Monitoring, Conn. PA 22-15 § 1 et seq. (“PDPOM”); the Personal Information Protection Law of the People’s Republic of China (“PIPL”); and any other applicable federal or state laws or regulations regarding information privacy that are in effect or will come into effect during the term of the Agreements.

1.4 “2021 Standard Contractual Clauses” means the standard contractual clauses annexed to European Commission Implementing Decision (EU) 2021/914 for the transfer of Personal Information to Third Countries (and any successor clauses).

1.5 “Services” means the services provided by Vendor to Company as defined in the Agreements.

1.6 “UK Addendum” means the International Data Transfer Addendum to the 2021 Standard Contractual Clauses, issued by the Information Commissioner’s Office of the United Kingdom.

1.7 “Third Countries” means countries that are not recognized by the Privacy Laws as countries providing adequate protection of Personal Information.

1.8 The terms “business,” “business purposes,” “consumer,” “controller,” “data subject,” “de-identified data,” “personal data,” “personal information,” “process” or “processing,” “processor,” “sell,” “sensitive data,” “sensitive personal information,” “service provider,” “share,” “subcontractor,” and “supervisory authority” shall have the meanings given to those terms in the Privacy Laws to the extent such meanings are materially similar to the meaning of terms in effect on the Effective Date. In the event of a conflict in the meanings of terms among the Privacy Laws, the Parties agree that only the meanings in applicable Privacy Laws will apply.

1.9 Capitalized terms not otherwise defined shall have the meaning given to them in the Agreements.
2. Terms of Data Processing

2.1 Data Processing Exhibit – The Parties acknowledge and agree that the details of the processing are provided in Exhibit A, attached hereto.

2.2 Data Processing Instructions – Vendor shall process the Covered Personal Information for the duration of the Agreement (unless otherwise agreed in writing) only (a) as necessary to effect Vendor’s obligations under the Agreements; and/or (b) on documented and customary instructions from Company, unless otherwise required by applicable law. Vendor shall promptly notify Company if Vendor believes such instructions violate the applicable Privacy Laws.

2.3 Compliance with Obligations – Vendor represents and warrants that Vendor, its employees, agents, subcontractors, and sub-processors (a) understand and shall comply with the Privacy Laws and this DPA while providing the Services, (b) will provide the level of privacy protection required by the Privacy Laws, and (c) shall provide Company with all reasonably requested assistance to enable Company to fulfill its own obligations under the Privacy Laws. Upon the reasonable request of Company and in accordance with the requirements of the applicable Privacy Laws, Vendor shall make available to Company information in Vendor’s possession necessary to demonstrate Vendor’s compliance with this subsection and with applicable Privacy Laws in a manner consistent with Vendor’s obligations under the applicable Privacy Laws.

2.4 Audit Rights – Upon written request by Company, but no more frequently than once every twelve (12) months, Vendor agrees, within a reasonable time, to provide Company with: (a) a summary of relevant audit reports demonstrating Vendor’s compliance with this DPA, after redacting any confidential and commercially sensitive information; and (b) confirmation that the audit has not revealed any material vulnerability in Vendor’s systems, or, to the extent that any such vulnerability was detected, that Vendor has fully remedied such vulnerability. If the foregoing measures are not sufficient to reasonably demonstrate Vendor’s material compliance with its obligations under this DPA, Company may request such additional information as is reasonably necessary to demonstrate such compliance. Vendor shall use commercially reasonable efforts to provide such information within a reasonable time.

2.5 Compliance Remediation; Termination Rights – Vendor agrees to notify Company promptly if Vendor determines that it can no longer meet its obligations under applicable Privacy Laws. Upon receiving notice from Vendor in accordance with this subsection, Company may direct Vendor to take steps as reasonable and appropriate to remediate unauthorized use of Covered Personal Information or terminate the Agreements upon thirty (30) days’ notice.

2.6 Changes to Privacy Laws – To the extent this DPA requires a Party to comply with the Privacy Laws, compliance will be in accordance with the Privacy Laws as in force and applicable at the time of performance and, if the relevant obligation is not then a requirement under the Privacy Laws, it shall not apply until it is so required. The Parties agree to cooperate in good faith to enter into additional terms to address any modifications, amendments, or updates to the applicable Privacy Laws.

2.7 Obligations at Termination – When the Agreements expire, Vendor will discontinue processing and destroy Covered Personal Information without undue delay unless otherwise instructed by Company.

2.8 Impact Assessments – If applicable, Vendor shall, upon the reasonable request of Company, provide Company with such assistance and information as is reasonably necessary to enable Company to carry out privacy impact assessments, data protection impact assessments, and required consultations with supervisory authorities under applicable Privacy Laws.
3. Limitations on Processing of Covered Personal Information

3.1 Data Restrictions – Vendor will not: (a) sell or share Covered Personal Information; (b) retain, use, or disclose Covered Personal Information for any purpose other than the limited purposes specified in the Agreements and Exhibit A hereto, such as providing the Services to Company; or (c) unless permitted by applicable Privacy Laws, (i) retain, use, or disclose Covered Personal Information outside the direct business relationship with Company, or (ii) retain, use, or disclose Covered Personal Information for any commercial purpose not specified in the Agreements or Exhibit A hereto. Vendor may process Covered Personal Information to create de-identified data provided that Vendor (a) takes reasonable measures to ensure that such de-identified data cannot be associated with a consumer or household; (b) publicly commits to maintain and use the data only in de-identified form and not attempt to re-identify the data; and (c) contractually obligates any recipients of the information to comply with this sentence in the same manner as Vendor.

3.2 Subcontractors; Sub-processors – Vendor shall engage subcontractors or sub-processors that process Covered Personal Information only with Company’s general written authorization. Company hereby provides such authorization to Vendor’s sub-processor list attached as Exhibit D hereto. Company can receive notification of any new Vendor sub-processors by emailing privacy@fleetio.com. Thereafter, Vendor shall provide Company with a list of any new sub-processors before Vendor authorizes such new sub-processor to process Covered Personal Information. Further, Vendor shall ensure that Vendor’s subcontractors or sub-processors who collect, process, store, or transmit Covered Personal Information on Vendor’s behalf agree in writing to the same restrictions and requirements that apply to Vendor in this DPA with respect to Covered Personal Information, as well as to comply with applicable Privacy Laws.

3.3 Right to Object – Company may object in writing to Vendor’s appointment of a new subcontractor or sub-processor on reasonable grounds relating to data protection by notifying Vendor in writing within 30 calendar days of receipt of notice in accordance with Section 3.2. In the event Company objects, Vendor will use reasonable efforts to make available to Company a change in the Services or recommend a commercially reasonable change to Company’s configuration or use of the Services to avoid processing of Covered Personal Information by the objected-to new subcontractor or sub-processor without unreasonably burdening Company. If Vendor is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Company may terminate the applicable ordering or purchasing documents with respect only to those Services which cannot be provided by Vendor without the use of the objected-to new subcontractor or sub-processor by providing written notice to Vendor. Vendor will refund Company any prepaid fees covering the remainder of the term of such ordering or purchasing documents following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Company.
4. Consumer and Data Subject Requests

4.1 Cooperation – Vendor will implement and maintain sufficient processes and procedures to satisfy Company’s requests with respect to Covered Personal Information held by Vendor.

4.2 Fulfillment of Consumer Requests – Upon receipt of a written request from Company (email is sufficient), Vendor shall, as applicable:

(a) Securely erase or destroy, or cause to be erased or destroyed, specific pieces of Covered Personal Information, including any copies of such Covered Personal Information maintained by Vendor’s subcontractor(s) or sub-processor(s).

(b) Provide information requested by Company about Vendor’s collection of the Covered Personal Information, including, without limitation, the categories of Covered Personal Information that were collected and categories of subcontractors or sub-processors to whom Vendor has disclosed the Covered Personal Information.

(c) Provide the specific pieces of Covered Personal Information that Vendor and/or one of its subcontractors or sub-processors has collected or otherwise obtained about the consumer on behalf of Company in a Portable Format.

(d) Modify, and direct its subcontractors or sub-processors to modify, specific pieces of Covered Personal Information.

(e) Limit processing of Covered Personal Information in accordance with the instructions of Company.

4.3 Referral of Direct Requests – Vendor agrees to promptly refer to Company applicable consumer requests for Covered Personal Information submitted directly to Vendor.
5. Security Controls

5.1 Duty of Confidentiality – Vendor, its employees, agents, subcontractors, and sub-processors are subject to a duty of confidentiality with respect to the Covered Personal Information.

5.2 Security Measures – Vendor shall implement and maintain reasonable technical and organizational security measures, procedures, and practices appropriate to the nature of the Covered Personal Information to protect such Covered Personal Information from unauthorized access, destruction, use, modification, or disclosure (“Security Measures”), as set forth in Exhibit C. Such Security Measures shall meet or exceed applicable industry standards and any obligations set forth in the Agreements or applicable law.

5.3 Access Controls – Vendor shall implement appropriate access controls restricting access to Covered Personal Information to only such employees, agents, subcontractors, and sub-processors as need to know the information in order to perform their obligations in furtherance of the Agreements.

5.4 Security Incident – Vendor will inform Company no later than 72 hours after Vendor has become aware of any unauthorized access, destruction, use, modification, or disclosure of any Covered Personal Information (each, a “Security Incident”), including, without limitation, any personal data breach as defined by applicable law. Vendor will provide Company with any information and cooperation reasonably requested by Company regarding such Security Incident. Vendor shall not provide notice of such Security Incident without the prior written consent of Company unless required by applicable law.

5.5 Encryption – Vendor will ensure that Covered Personal Information in Vendor’s control is sufficiently protected against unauthorized access and use, including by appropriate encryption, tokenization, or other substantially similar safeguards.

5.6 Security Program – Vendor shall implement a comprehensive written security program that includes industry-standard administrative, technical, and physical safeguards designed to ensure the confidentiality, security, and integrity of Covered Personal Information (“Security Program”). Upon Company’s reasonable request, Vendor will provide Company with documentation that demonstrates its compliance with this Section.
6. Inquiries

6.1 Notification of Regulatory Inquiry – In the event that Vendor receives any regulatory inquiry or correspondence regarding Covered Personal Information in which Vendor or Company is named (an “Inquiry”), Vendor shall, to the extent not prohibited by applicable law or any regulatory authority:

(a) Promptly notify Company of such Inquiry;

(b) Provide Company with copies of all documents and correspondence relating to the Inquiry without undue delay after receipt or delivery of such documents or correspondence;

(c) Not disclose any confidential information of Company or any affiliated party to the applicable authority without Company’s prior written consent.

6.2 Response to Inquiry – Vendor shall take all other measures necessary to respond to or otherwise address the Inquiry adequately and in a timely manner.
7. Cross-Border Data Transfers

7.1 Transfer Mechanism – With regard to any transfers of Covered Personal Information to countries that do not provide adequate protection for such data (as determined by the applicable Privacy Laws), the Parties hereby enter into applicable instruments in support of such transfer.

7.2 Transfers from the UK – For transfers of Covered Personal Information from the United Kingdom, the UK Addendum (including all Part 2 Mandatory Clauses) is hereby incorporated by reference when it is available and is a valid transfer mechanism under applicable Privacy Laws. The Parties further agree to the following provisions with respect to the UK Addendum:

(a) Table 1 (Parties): The contents of Table 1 (Parties) shall be completed with details provided in Exhibit A.

(b) Table 2 (Selected SCCs, Modules, and Selected Clauses):

  (i) The DPA EU SCCs shall be the Approved EU SCCs.

  (ii) Module Two will apply.

  (iii) In Clause 7, the Parties do not permit docking.

  (iv) In Clause 9, the Parties select Option 2 and a time period of 30 days.

  (v) In Clause 11, the Parties do not select the independent dispute resolution option.

(c) Table 3 (Appendix Information): The list of parties and the description of the transfers are provided in Exhibit A, Part A and Exhibit B, Part A. The technical and organizational measures, including technical and organizational measures to ensure the security of the data, are provided in Exhibit C.

(d) Table 4 (Ending this DPA when the Approved DPA Changes): The Parties agree that Exporter may end the DPA as set out in Section 19 of the UK Addendum.

(e) Conflicts: In the event of any conflict or inconsistency between this DPA and the UK Addendum with respect to UK data subjects, the UK Addendum shall prevail.

7.3 Transfers from the EEA – For all other transfers of Covered Personal Information, including transfers of Covered Personal Information from the European Economic Area, the 2021 Standard Contractual Clauses are hereby incorporated by reference when they are available and are a valid transfer mechanism under applicable Privacy Laws. The Parties further agree to the following provisions with respect to the 2021 Standard Contractual Clauses:

(a) Identity of the Parties: The data exporter is Company, and the data importer is Vendor. Accordingly, Module Two (controller to processor) is the sole module applicable to transfers involving Covered Personal Information.

(b) Conflicts: In the event of any conflict or inconsistency between this DPA and the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses shall prevail.

(c) Appendices: Responses to the Annexes to the 2021 Standard Contractual Clauses are provided in Exhibit A, Part A and Exhibit B, attached hereto.

(d) Transfer Impact Assessments: Upon Company’s request, Vendor will make available to Company its documented assessment of its processing of Covered Personal Information hereunder for the purpose of Clause 14.

(e) Specific Provisions: The following specific provisions apply to the 2021 Standard Contractual Clauses:

  • In Clause 7, the Parties do not permit docking.

  • In Clause 9(a), the Parties select Option 2 and a time period of 30 days.

  • In Clause 11, the Parties do not select the independent dispute resolution option.

  • In Clause 17 (Option 2), the Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, or if the data exporter is not established in an EU Member State, they shall be governed by the laws of the Republic of Ireland.

  • In Clause 18(b), disputes shall be resolved before the courts of the Republic of Ireland.

7.4 Transfers from Brazil – The Parties agree to amend this DPA and adopt such mechanism for restricted transfers as is required by Brazil’s domestic data protection authority, provided that such mechanism is compatible with this DPA.
8. Miscellaneous

8.1 Severability – If any provision of this DPA shall be found to be void by a court of law, such provision shall be deemed to be severable from the other provisions of this DPA, and the remainder of this DPA shall be given effect as if the Parties had not included the severed provision.

8.2 Survival – All representations, warranties, and indemnities shall survive the termination and/or expiration of this DPA and shall remain in full force and effect. All of a Party’s rights and privileges — to the extent they are fairly attributable to events or conditions occurring or existing on or prior to the termination and/or expiration of this DPA — shall survive termination and shall be enforceable by that Party.

8.3 General – Except as expressly set forth herein, the terms of the Agreements shall remain unmodified and in full force and effect. In the event of a conflict between the terms of the Agreements and the terms of this DPA, the terms of this DPA shall control. Headers are for convenience and do not affect the interpretation of the terms of this DPA.

[Signature page follows]

In witness whereof, the Parties have executed this DPA effective as of the Effective Date.

Company

By (signature):  

Name:  

Title:  

Date:  

RARESTEP, INC. d/b/a FLEETIO

By (signature):

Signature of Jon Meachin

Name: Jon Meachin

Title: CEO

Date: January 17, 2024

 

EXHIBIT A

DETAILS OF DATA PROCESSING

A. PARTIES

Role of Company

For purposes of the Agreements and this DPA, Company is the sole Party that determines the purposes and means of processing Covered Personal Information as the “business” or “controller.”  To the extent of any cross-border data transfers described in Exhibit B, Company is the data exporter.

Address

Contact Person’s Name, Position, and Contact Details

Signature

Date

Name of Vendor

Rarestep, Inc. d/b/a Fleetio

Role of Vendor

For purposes of the Agreements and this DPA, Vendor processes Covered Personal Information on behalf of Company as a “processor” or “service provider.”  To the extent of any cross-border data transfers described in Exhibit B, Vendor is the data importer.

Address

1900 2nd Ave. N. Suite 300, Birmingham, AL 35203 Attn: Legal

Contact Person’s Name, Position, and Contact Details

Jon Meachin

privacy@fleetio.com

Signature

Signature of Jon Meachin

Date

January 17, 2024


B. PROCESSING TERMS

Duration of the processing

Vendor agrees to process Covered Personal Information solely as instructed in the Agreements and this DPA for the duration of the provision of the Services to Company, and for the longer of such additional period as: (i) is specified in any provisions of the Agreements regarding data retention; and (ii) is required for compliance with law.

Nature of the processing

Such processing as is necessary to enable the Vendor to comply with its obligations and exercise its rights under the Agreements, including the following processing activities: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Purpose of the processing

Vendor agrees to process Covered Personal Information for limited and specified purposes described in the Agreements, this DPA, or as otherwise directed by authorized personnel of Company in writing (email acceptable).

CPRA Mandatory Disclosure:  The specific business purposes are (select):

 Auditing:  Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.

 Security & Integrity:  Helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes.

 Repair Functionality:  Debugging to identify and repair errors that impair existing intended functionality.

 Short-term, transient use:  Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a consumer’s current interaction with the business, provided that the consumer’s personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business.

 Performing services on behalf of Client:  Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.

 Advertising & Marketing:  Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer provided that, for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers that the service provider or contractor receives from, or on behalf of, the business with personal information that the service provider or contractor receives from, or on behalf of, another person or persons or collects from its own interaction with consumers.

 Internal Research:  Undertaking internal research for technological development and demonstration.

 Quality & Safety:  Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.

Type of personal data processed

The following categories of Covered Personal Information:  Name, address, title, position, employer, contact information (e.g., email address, business address, phone number), time and location of transactions conducted on behalf of Company

Types of sensitive personal data processed

N/A

Categories of data subjects

Current, past, and future customers and employees of Company

Obligations and rights of the Parties

As set out in the Agreements.

EXHIBIT B

CROSS BORDER DATA TRANSFERS

A. DESCRIPTION OF CROSS-BORDER DATA TRANSFERS (IF APPLICABLE)

Description of activities relevant to the personal data transferred under the Standard Contractual Clauses

Performance of the Services pursuant to the Agreement

Categories of data subjects whose personal data is transferred

Current, past, and future customers and employees of Company

Categories of personal data transferred

The following categories of Covered Personal Information:  Name, address, title, position, employer, contact information (e.g., email address, business address, phone number), time and location of transactions conducted on behalf of Company

Types of sensitive (or special) categories of personal data transferred and applicable restrictions or safeguards

N/A

Frequency of the transfer

Continuous

Purpose of the data transfer and further processing

Provision of the Services as set forth in the Agreement.

Sub-processor transfers

Transfers to sub-processors will occur where necessary for the provision of the Services in accordance with the Agreements and this DPA solely for the term of the Agreements.

Competent Supervisory Authority

EEA data subjects:  Republic of Ireland

UK data subjects:  United Kingdom

EXHIBIT C

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

1. Information Security Management. Vendor will maintain appropriate cybersecurity measures to safeguard the security of any data that is owned, licensed, stored, or managed by Company, including but not limited to Covered Personal Information (“Company Data”). In no event shall Vendor take precautions any less stringent than those employed to protect its own proprietary and confidential information. In addition, Vendor agrees to develop and maintain any additional information security measures as may be required by applicable laws, including, without limitation, federal, state and local privacy and data protection laws and regulations for all jurisdictions in which Vendor is conducting commerce with Company Data. Vendor will maintain an information security and risk management program based on commercial best practices to preserve the confidentiality, integrity, and accessibility of Company Data with comprehensive administrative, technical, procedural, and physical measures conforming to generally recognized industry standards and best practices that include the following:

i. Information Security Program. Vendor must keep Company Data secure from accidental, unauthorized, or unlawful access, use, disclosure, alteration, destruction and/or loss by using administrative, technical, procedural, and physical safeguards that are reasonable and appropriate to the circumstances, taking into account the nature of Company Data and the scope, context, and purposes of the processing (individually, a “Safeguard”; all Safeguards collectively, the “Information Security Program”).

ii. Documentation. Vendor will maintain documentation that describes in detail its Information Security Program and the specific Safeguards it employs (written security policies, procedures, and standards, and technical implementation details).

iii. Changes. Vendor will refrain from making any changes to their Information Security Program or specific Safeguards that reduce the level of security provided to Company Data.

iv. Network Security. Vendor agrees to protect Company Data from unauthorized access, use, disclosure, alteration, or destruction with network security that includes industry-standard firewall protection, an intrusion detection system and/or intrusion prevention system, and periodic vulnerability scans, for all information systems that Vendor uses to process Company Data (the “Computing Systems”).

v. Server and Endpoint Security. Vendor agrees to ensure that its Computing Systems are patched and up to date with all appropriate security updates as designated by the relevant manufacturer or authority (e.g., Microsoft, Apple, etc.) and are free of known viruses, spyware, adware, malware, and other malicious and unwanted software and programs.

vi. Application Security. Vendor agrees to use commercially reasonable efforts to regularly identify software vulnerabilities and, in the case of known software vulnerabilities, to provide relevant updates, upgrades, and bug fixes for any software provided to Company or Company’s customers, or in which any Company Data is stored or processed, in the course of fulfilling its obligations under the Agreements.

vii. Independent security assessments. Vendor agrees to use independent third parties to perform annual penetration tests and security audits covering the systems, environments, and networks where Company Data is stored, processed, and accessed. Vendor agrees to remediate all medium and higher severity findings and observations from such assessments.

viii. Strong Authentication. Vendor will use SAML 2.0, OAuth2, or OpenID Connect (“Strong Authentication”) for any remote access to Company Data. Additionally, Vendor will enforce Strong Authentication for any administrative and/or management access to Vendor security infrastructure and Vendor log data, including but not limited to firewalls, Identity and Access Management systems, security monitoring infrastructure, and computing logs such as firewall logs, server logs, and DNS logs.

ix. Physical and Environmental Security. Vendor will have in place physical and environmental Safeguards for its Computing Systems that comply with, at minimum, the 27001/27002 standards.

x. Data Transparency: Upon request from Company, Vendor agrees to provide Company with an inventory or data map of Company Data that Vendor processes on behalf of Company (including by use of sub-processors), including the locations of such data and the control measures that are in place for the protection of Company Data.

xi. Personnel confidentiality: Vendor will ensure that any person that Vendor authorizes to process Company Data (including their staff, agents, and subcontractors) will be subject to a strict duty of confidentiality (whether contractual or statutory).

xii. Information Security Awareness and Training: Vendor will maintain an information security awareness and training program in place that includes how to implement and comply with the Information Security Program and promote a culture of security awareness through periodic communications from the organization's senior leadership.

xiii. Contingency Planning: Vendor will maintain policies and procedures for responding to emergencies, security incidents, and other events (such as a pandemic or natural disaster) that could interfere with or disrupt authorized access to Company Data.

xiv. Storage and Transmission Security: Vendor will maintain Safeguards against unauthorized access to or unauthorized use, alteration, or destruction of Company Data that is being transmitted over a public electronic communications network or stored in Computing Systems. Such measures include using Strong Encryption (as defined below) of any non-public Company Data stored on desktops, laptops, smartphones, tablets, and other mobile devices and removable storage media.

xv. Secure Disposal: Vendor will maintain and follow policies and procedures regarding the secure deletion or destruction of Computing Systems or data stored on Computing Systems, so that Company Data cannot be practicably read or reconstructed after deletion or destruction. Vendor shall destroy Company Data using such methods within thirty (30) days following any request made by Company. Alternatively, at its sole option, Company may request the Company Data to be returned at the termination of the Agreement. Vendor must use secure methods approved in advance by Company and must complete the return of Company Data no more than thirty (30) days after termination of the Agreement.

xvi. Monitoring and Logging. Vendor will maintain intrusion detection systems, full audit trail logging, and security event detection and monitoring in place for networks, servers, and applications where Company Data is stored, processed, or transmitted. Vendor will log and maintain for 12 months all physical and logical access to the Computing Systems, including command history logging of all logical access.

xvii. Passwords: When passwords are used to access Company Data, Vendor will enforce Strong Authentication in all instances. Where practicable, Vendor will use a second authentication factor before granting access to Company Data with a password.

a) Passwords must be complex and meet the following password construction requirements:

1. Be a minimum of eight (8) characters in length.

2. Include characters from at least two (2) of these groupings: alpha, numeric, and special characters.

b) Require passwords and PIN expiration at regular intervals not to exceed ninety (90) calendar days.

c) When providing users with a new or reset password, or other authentication credentials, use a secure method to provide this information and maintain a written policy requiring reset at first login whenever a temporary credential is used.

xviii. Encryption: Vendor agrees to use minimum encryption key lengths of 256 bits for symmetric encryption and 2048 bits for asymmetric encryption (“Strong Encryption”) to protect Company Data:

a) when transmitted over any network;

b) when stored (at rest); or

c) whenever authentication credentials are stored.

xix. Least privilege: Vendor agrees to enforce the rule of least privilege by requiring application, database, network, and system administrators to restrict user access to only the commands, data, and Information Resources necessary for them to perform authorized functions.

xx. Access Management: Vendor agrees to have formal processes in place to grant, prevent, and terminate access to Company Data. Access should be limited to users who require it to perform their job responsibilities in connection with rendering services under the Agreement. Vendor agrees to have documented Access Management procedures in place.

2. Adequate Security Measures and Procedures. Vendor shall (a) maintain a SOC 2 Type II report (or similar, such as an ISO 27001 certification) covering the Computing Systems that is no more than one (1) year old, and (b) upon request, provide Company with a true and complete copy of the most recent SOC 2 Type II report (or similar, such as an ISO 27001 certification). The requirement in this Section 2 applies to any third party Vendor uses to process Company Data.

EXHIBIT D

VENDOR SUB-PROCESSOR LIST

| Sub-processor | Purpose | Location |
|---|---|---|
| AWS | Cloud hosting and infrastructure provider | United States |
| Asana | Project Management | United States |
| Ask Nicely | Customer Support Survey Tool | United States |
| Atlassian | Version Control, Ticketing | United States |
| Atrium | Sales Data Analysis Software | United States |
| Bitly | Fleetio Product Text Messages | United States |
| Chargify (Maxio) | Billing System | United States |
| CircleCi | Testing Software | United States |
| CloudApp | Screen Recording Software | United States |
| CloudFlare | Cloud Security and Networking | United States |
| Datadog | Cloud infrastructure monitoring, security monitoring | United States |
| Docraptor | Documentation Support | United States |
| DocuSign | Document Management | United States |
| FullStory | Web Interaction and Replay Tool | United States |
| Github | Source Code Storage | United States |
| Gong.io | Sales Call Recording | United States |
| Google Apps | Cloud Identity Management and GSuite | United States |
| Google Cloud | Firebase | United States |
| Heap | Data Tracking | United States |
| HelloSign | Order and E-Signing Solution | United States |
| Heroku | Cloud hosting and infrastructure provider | United States |
| HEX Technologies | Notebook Service | United States |
| Ironclad | CLM Software | United States |
| Marketo | Communication System | United States |
| Match My Email | Updating Salesforce | United States |
| Metabase | Reporting and BI tool | United States |
| Netlify | Hosting / CDN | United States |
| Notion | Document Sharing | United States |
| Outreach | Outreach Platform | United States |
| Product Board | Feedback / Roadmapping | United States |
| Salesforce.com | Sales Management | United States |
| Segment / Twilio | Web Analytics | United States |
| SEMRush | Workflow Tool | United States |
| SendGrid | Email Marketing | United States |
| Slack | Employee Communication and File Sharing | United States |
| Snowflake | Data Warehousing | United States |
| Talend (Stitch) | ETL | United States |
| Workato | Middleware Software | United States |
| Xero | Accounting | United States |
| Zapier | Cloud Systems Integrations | United States |
| Zoom.us | Video Chat | United States |
| 6Sense | Revenue Support | United States |
| Confluent Cloud | Data Services | United States |
| Integromat | Task Automation | United States |
| LaunchDarkly | Feature Flag and Toggle Management System | United States |
| Pusher | Bi-directional API Tool | United States |
| Readme.io | Documentation Builder | United States |
| Stripe | Payment Processing | United States |
| Auto Integrate LLC | Fleet Management Integration | United States |
| Equafin | Storage of User Interviews | United States |
| Tribyl | Customer Data from Various Sources | United States |
| Dialpad | Phone Calling Platform | United States |
| Wingify | A/B testing and conversion optimization platform, push notification service for web and mobile | United States |