DATA PROCESSING ADDENDUM
Effective Date: November 3, 2025
The prior version is available here.
This Data Processing Agreement (the "Agreement") is entered into as of the date of last signature below (the “Effective Date”) by and between:
(1) Panther Labs Inc., a Delaware corporation with offices at 440 North Barranca Avenue, No. 8909, Covina, California 91723 (“Supplier”) and
(2) {Name} a company incorporated under the laws of {State, Country} whose principal place of business is at {Address} ("Company").
Introduction
A.
Company is a controller of certain personal data (as described in Exhibit A) and wishes to appoint Supplier as a processor to process this personal data on its behalf in connection with Supplier's performance of a master services agreement between the parties for Company’s use of Supplier’s offering(s) (the "Master Services Agreement").
B.
The parties have entered into this Agreement to ensure that Supplier conducts such data processing in accordance with Company's instructions and Applicable Law requirements, and with full respect for the fundamental data protection rights of the data subjects whose personal data will be processed.
1.
Definitions and interpretation.
1.1
Definitions: In this Agreement, the following terms shall have the following meanings:
a.
“Applicable Law(s)” means all US, UK, and EU laws, regulations, and other legal or regulatory requirements relating to privacy, data protection/security, or the Processing of Personal Data applicable to Supplier’s performance of its services under the Agreement, including without limitation the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”) as amended by the California Privacy Rights Act of 2020 (“CPRA”), including any implementing regulations, the United Kingdom Data Protection Act 2018, the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), and the United Kingdom GDPR (“UK GDPR”). For the avoidance of doubt, if Supplier’s Processing activities involving Personal Data are not within the scope of an Applicable Law, such Applicable Law is not applicable for purposes of this DPA.
b.
“controller”, “processor”, “data subject”, “personal data” and “processing” (and “process”) shall have the meanings given in Applicable Law.
c.
“EU SCCs” means the Standard Contractual Clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in Section 3 (International Transfers).
d.
“International Data Transfer” means any transfer of Company’s Personal Data from the EEA, Switzerland or the United Kingdom to an international organization or to a country outside of the EEA, Switzerland and the United Kingdom;
e.
“Master Services Agreement” shall have the meaning given in paragraph A of the Introduction to this Agreement.
f.
“Services” means the products and services provided by Supplier to Company as specified in the Master Services Agreement.
g.
“UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, available as of the Effective Date at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/ and completed as described in Section 3 (International Transfers).
1.2
Interpretation: Capitalized terms used but not defined in this Agreement shall have the meanings given in the Master Services Agreement.
Data Protection
2.1
Relationship of the parties: Company (the controller) appoints Supplier as a processor to process the personal data described in Exhibit A that is the subject of the Master Services Agreement (the “Data”). Each party shall comply with the obligations that apply to it under Applicable Law.
2.2
Purpose limitation: Supplier shall process the Data as a processor only for the purposes described in Exhibit A as necessary to perform its obligations under the Master Services Agreement and strictly in accordance with the documented instructions of Company (the “Permitted Purpose”), except where otherwise required by any EU (or any EU Member State) law applicable to Supplier. In no event shall Supplier process the Data for its own purposes or those of any third party.
2.3
Confidentiality of processing: Supplier shall ensure that any person that it authorizes to process the Data (including Supplier’s staff, agents and subcontractors) (an “authorized Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the Data who is not under such a duty of confidentiality. Supplier shall ensure that all authorized Persons process the Data only as necessary for the Permitted Purpose.
2.4
Security: Supplier shall implement appropriate administrative, physical, technical and organizational measures (“Security Measures”) to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the Data (a “Security Incident”). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, as appropriate:
(a).
the pseudonymisation and encryption of personal data;
(b).
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c).
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d).
a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
At a minimum, such Security Measures shall include the measures identified in Exhibit B.
2.5
Subprocessing: Supplier shall not subcontract any processing of the Data to a third party subprocessor without the prior written consent of Company. A list of approved subprocessors as of the Effective Date is attached at Exhibit C. Supplier is permitted to disclose Data to each approved subprocessor pursuant to a written agreement that complies with this Agreement and Applicable Law. Supplier may revise this list of approved subprocessors from time to time and Supplier will publish its revised subprocessors on its website. Company may object to Supplier’s use of a new subprocessor on reasonable grounds related to the protection of the Data by notifying Supplier in writing within ten (10) business days after publication of the revised subprocessors. If Company refuses to consent to Supplier’s appointment of a third party subprocessor on reasonable grounds relating to the protection of the Data, then either Supplier will not appoint the subprocessor or Company may elect to suspend or terminate this Agreement and the Master Services Agreement without penalty.
2.6
Data Subject Requests: To the extent legally permitted, Supplier will without undue delay notify Company if Supplier receives any request from an individual seeking to exercise any right afforded to them under Applicable Law regarding their Personal Data (a “Data Subject Request”). To the extent Company, in its use of the Services, does not have the ability to address a Data Subject Request, Supplier will, upon Company’s request, take commercially reasonable efforts to assist Company in responding to such Data Subject Request, to the extent Supplier is legally permitted to do so and the response to such Data Subject Request is required under Applicable Law.
2.7
Data Protection Impact Assessment: Upon Company’s written request, Supplier will provide Company with reasonable cooperation and assistance as needed and appropriate to fulfill Company’s obligations under Applicable Law to carry out a data protection impact assessment related to Company’s use of the Services. Supplier will provide reasonable assistance to Company in the cooperation or prior consultation with the Supervisory Authority (as defined under the GDPR) in the performance of its tasks relating to the data protection impact assessment, and to the extent required under the Applicable Law.
2.8
Security incidents: Upon becoming aware of a Security Incident, Supplier shall notify Company without undue delay. Any such notification is not an acknowledgement of fault or responsibility. This notification will include Supplier’s then-current assessment of the following information, to the extent available, which may be based on incomplete information:
(a).
the nature of the Security Incident, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Company Personal Data records concerned;
(b).
the likely consequences of the Security Incident; and
(c).
measures taken or proposed to be taken by Supplier to address the Security Incident, including, where applicable, measures to mitigate its possible adverse effects.
Supplier will provide timely and periodic updates to Company as additional information regarding the Security Incident becomes available. Company is solely responsible for complying with legal requirements for incident notification applicable to Company and fulfilling any third-party notification obligations related to any Security Incident. Nothing in this DPA or in the Standard Contractual Clauses will be construed to require Supplier to violate, or delay compliance with, any legal obligation it may have with respect to a Security Incident or other security incidents generally. Supplier shall keep Company informed of all developments in connection with the Security Incident.
2.9
Deletion or return of Data: Upon termination or expiry of this Agreement, Supplier shall (at Company’s election) destroy or return to Company all Data (including all copies of the Data) in its possession or control (including any Data subcontracted to a third party for processing). This requirement shall not apply to the extent that Supplier is required by any Applicable Law to retain some or all of the Data, in which event Supplier shall isolate and protect the Data from any further processing except to the extent required by such law.
2.10 Audits:
2.10.1
Self-Audit. Supplier has and will maintain commercially reasonable internal security controls and auditing procedures to audit its controls. On request from Company, no more than once annually, Supplier will provide Company with: (i) Supplier’s most recent SOC II Type 2 compliance report and ISO:27001 certification and (ii) complete a security questionnaire submitted by Company. The reports and questionnaire responses are the Confidential Information of Supplier.
2.10.2
Company Audit. Following a Security Incident or as otherwise required by Applicable Law, Supplier will permit Company or its auditor to conduct an audit of Supplier to verify Supplier’s compliance with this Agreement and Applicable Law at Company’s expense (“Audit”). To the extent Company uses a third-party auditor to conduct the Audit, Company will ensure that such third-party representative is bound by obligations of confidentiality no less protective of Supplier than those contained in the Agreement. Company and Supplier will agree in advance on reasonable timing, scope, and security controls applicable to the Audit (including restricting access to Supplier’s trade secrets and data belonging to Supplier’s other customers). Company will conduct the Audit in a manner that will result in minimal disruption to Supplier’s business operations and such Audit will take no longer than two (2) business days. If the Security Incident is caused by Company then Supplier may charge Company a reasonable fee for the Audit if Supplier documents the basis and calculation of the fee in advance.
2.10.3
Remediation. If Company provides Supplier with notice of a security deficiency (detected through tests or audits performed under this section or otherwise), Supplier will remediate the deficiency as appropriate, within a reasonable timeframe.
2.11
CCPA. The terms “Personal Information”, “Sell”, “Sale”, and “Service Provider” shall have the same meaning as in the CCPA. Supplier is acting as a Service Provider with Company. Supplier shall retain, use and disclose Data solely for the purpose of performing Supplier’s obligations under the Master Services Agreement for Company and for no commercial purpose other than the performance of such obligations. Supplier does not receive any Data as consideration for the services described in the Master Services Agreement. Supplier shall not Sell Data, and shall not retain, use or disclose Data except as necessary for the sole purpose of performing the services described in the Master Services Agreement. Supplier shall refrain from taking any action that would cause any transfers of Data, either to Supplier or from Supplier, to qualify as a Sale of Personal Information. Supplier acknowledges that Company may disclose this Agreement to the US Department of Commerce, the Federal Trade Commission, European data protection authority, or any other US or EU judicial or regulatory body upon their request and that any such disclosure shall not be deemed a breach of confidentiality.
3. International Transfers.
3.1
Company hereby authorizes Supplier to perform International Data Transfers in accordance with this DPA so long as Applicable Law for such transfers is respected.
3.2
With respect to Data transferred from the EEA, the EU SCCs will apply and form part of this DPA, unless the European Commission issues updates to the EU SCCs, in which case the updated EU SCCs will control. For the purpose of the EU SCCs, they will be deemed to be completed as follows. Clause 7 (the optional docking clause) is not included. Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body is inapplicable. Under Clause 17 (Governing law), the parties select Option 1 (the law of an EU Member State that allows for third-party beneficiary rights) and the law of Ireland. Under Clause 18 (Choice of forum and jurisdiction) the parties select the courts of Ireland. Annex I of the EU SCCs is set forth in Exhibit A. Annex II of the EU SCCs is set forth in Exhibit B. By entering into this DPA, the parties are deemed to be signing the EU SCCs.
3.3
With respect to Data transferred from the United Kingdom for which the law of the United Kingdom (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the UK SCCs form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs, unless the United Kingdom issues updates to the UK SCCs, in which case the updated UK SCCs will control. For the purpose of the UK SCCs, they will be deemed to be completed as follows. The parties’ details and Key Contacts are set forth in Exhibit A. Annex 1A and 1B are set forth in Exhibit A. Annex II is set forth in Exhibit B. By entering into this DPA, the parties are deemed to be signing the UK SCCs.
4. Miscellaneous.
This Agreement shall be governed by, and construed in accordance with, the law of the State of California, USA, and the courts located in San Francisco County, California shall have exclusive jurisdiction to hear any dispute or other issue arising out of, or in connection with, this Agreement, except where otherwise required by Applicable Law.
Exhibit A
Data Processing Description
Annex I of the EU SCCs
Annex 1A and 1B of the UK SCCs
This Exhibit A forms part of the Agreement and describes the processing that the processor will perform on behalf of the controller.
The Parties
Controller
The controller is:
the entity identified as “Company” in the Data Processing Agreement
Address: specified in the Master Services Agreement
Contact person’s name, position and contact details: specified in the Master Services Agreement
Processor
The processor is:
Panther Labs Inc., a Delaware limited liability company (“Supplier”)
Address: specified in the Master Services Agreement
Contact person’s name, position and contact details: specified in the Master Services Agreement
Description of Transfer
Module Two: Transfer Controller to Processor
Module Three: Transfer Processor to Processor
Categories of data subjects
The personal data to be processed concern the following categories of data subjects:
· employees or contractors of Company granted access by Company to Supplier’s Services
· data subjects whose personal data is contained in Company security logs
Categories of data
The personal data to be processed concern the following categories of data:
· employee or contractor first and last name, work email address and work telephone number
· such personal data as is contained in Company security logs
Special categories of data (if appropriate)
The personal data to be processed concern the following special categories of data:
None.
Frequency of transfer
Continuously, for the length of the Master Services Agreement between the parties
Nature and purpose of the processing operations
The personal data will be subject to the following basic processing activities:
The personal data will be stored and processed only in order to provide the Services for the benefit of Company and to comply with applicable law.
Period for which personal data will be retained
Personal data will be retained for the length of time necessary to provide the Services and as otherwise required by applicable law.
For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing
Supplier’s sub-processors will process personal data to assist Supplier in providing the Services, for as long as needed for Supplier to provide the Services.
Competent Supervisory Authority
MODULE TWO: Transfer Controller to Processor
MODULE THREE: Transfer Processor to Processor
Identify the competent supervisory authority/ies in accordance with Clause 13
The Parties will follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.
Exhibit B
Minimum Security Measures
Annex II of the EU SCCs
Annex II of the UK SCCs
Minimum Security Measures shall include an information security program that safeguards Company Data and Company confidential information. Such Security Measures must include:
(a) strict logical or physical separation between Company Data and Company confidential information, Supplier’s own data and data of other customers of Supplier;
(b) maintaining industry-standard perimeter protection for Supplier’s network and devices connected thereto (“Supplier’s System”);
(c) applying, as soon as practicable, patches or other controls to Supplier’s System that effectively address actual or potential code-based security vulnerabilities;
(d) employing commercially reasonable efforts to ensure that Supplier’s System remains free of security vulnerabilities, viruses, malware, and other harmful code;
(e) employing commercially reasonable efforts to practice safe coding standards and practices which address common application security vulnerabilities;
(f) providing appropriate education and training to Supplier employees and workers regarding these Security Measures and ensuring that those individuals are bound by confidentiality obligations;
(g) accessing or transferring Company Data or Company confidential information to or from Company systems only in a secure and confidential manner, including complying with specific security provisions and procedures set forth by Company in advance in writing; and
(h) limiting Supplier employee/agent/subcontractor access to Supplier’s network, systems, devices and facilities to those with a need for such access, and whose access privileges shall be revoked promptly upon their termination.
Supplier shall provide to Company an individual point of contact for security purposes, and shall update this information from time to time as necessary.
Exhibit C
Subprocessors
Company has authorized use of the subprocessors listed at panther.com/subprocessors