DATA PROCESSING ADDENDUM
Effective Date: November 3, 2025
The prior version is available here.
This Data Processing Agreement (the "Agreement") is entered into as of the date of last signature below (the "Effective Date") by and between:
(1) Panther Labs Inc., a Delaware corporation with offices at 440 North Barranca Avenue, No. 8909, Covina, California 91723 ("Supplier") and
(2) {Name} a company incorporated under the laws of {State, Country} whose principal place of business is at {Address} ("Company").
Introduction
A. Company is a controller of certain personal data (as described in Exhibit A) and wishes to appoint Supplier as a processor to process this personal data on its behalf in connection with Supplier's performance of a master services agreement between the parties for Company's use of Supplier's offering(s) (the "Master Services Agreement").
B. The parties have entered into this Agreement to ensure that Supplier conducts such data processing in accordance with Company's instructions and Applicable Law requirements, and with full respect for the fundamental data protection rights of the data subjects whose personal data will be processed.
1. Definitions and interpretation.
1.1 Definitions: In this Agreement, the following terms shall have the following meanings:
a. "Applicable Law(s)" means all US, UK, and EU laws, regulations, and other legal or regulatory requirements relating to privacy, data protection/security, or the Processing of Personal Data applicable to Supplier's performance of its services under the Agreement, including without limitation the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. ("CCPA") as amended by the California Privacy Rights Act of 2020 ("CPRA"), including any implementing regulations, the United Kingdom Data Protection Act 2018, the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), and the United Kingdom GDPR ("UK GDPR"). For the avoidance of doubt, if Supplier's Processing activities involving Personal Data are not within the scope of an Applicable Law, such Applicable Law is not applicable for purposes of this DPA.
b. "controller", "processor", "data subject", "personal data" and "processing" (and "process") shall have the meanings given in Applicable Law.
c. "EU SCCs" means the Standard Contractual Clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in Section 3 (International Transfers).
d. "International Data Transfer" means any transfer of Company's Personal Data from the EEA, Switzerland or the United Kingdom to an international organization or to a country outside of the EEA, Switzerland and the United Kingdom;
e. "Master Services Agreement" shall have the meaning given in paragraph A of the Introduction to this Agreement.
f. "Services" means the products and services provided by Supplier to Company as specified in the Master Services Agreement.
g. "UK SCCs" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, available as of the Effective Date at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/ and completed as described in Section 3 (International Transfers).
1.2 Interpretation: Capitalized terms used but not defined in this Agreement shall have the meanings given in the Master Services Agreement.
Data Protection
2.1 Relationship of the parties: Company (the controller) appoints Supplier as a processor to process the personal data described in Exhibit A that is the subject of the Master Services Agreement (the "Data"). Each party shall comply with the obligations that apply to it under Applicable Law.
2.2 Purpose limitation: Supplier shall process the Data as a processor only for the purposes described in Exhibit A as necessary to perform its obligations under the Master Services Agreement and strictly in accordance with the documented instructions of Company (the "Permitted Purpose"), except where otherwise required by any EU (or any EU Member State) law applicable to Supplier. In no event shall Supplier process the Data for its own purposes or those of any third party.
2.3 Confidentiality of processing: Supplier shall ensure that any person that it authorizes to process the Data (including Supplier's staff, agents and subcontractors) (an "authorized Person") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the Data who is not under such a duty of confidentiality. Supplier shall ensure that all authorized Persons process the Data only as necessary for the Permitted Purpose.
2.4 Security: Supplier shall implement appropriate administrative, physical, technical and organizational measures ("Security Measures") to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the Data (a "Security Incident"). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
At a minimum, such Security Measures shall include the measures identified in Exhibit B.
2.5 Subprocessing: Supplier shall not subcontract any processing of the Data to a third party subprocessor without the prior written consent of Company. A list of approved subprocessors as of the Effective Date is attached at Exhibit C. Supplier is permitted to disclose Data to each approved subprocessor pursuant to a written agreement that complies with this Agreement and Applicable Law. Supplier may revise this list of approved subprocessors from time to time and Supplier will publish its revised subprocessors on its website. Company may object to Supplier's use of a new subprocessor on reasonable grounds related to the protection of the Data by notifying Supplier in writing within ten (10) business days after publication of the revised subprocessors. If Company refuses to consent to Supplier's appointment of a third party subprocessor on reasonable grounds relating to the protection of the Data, then either Supplier will not appoint the subprocessor or Company may elect to suspend or terminate this Agreement and the Master Services Agreement without penalty.
2.6 Data Subject Requests: To the extent legally permitted, Supplier will without undue delay notify Company if Supplier receives any request from an individual seeking to exercise any right afforded to them under Applicable Law regarding their Personal Data (a "Data Subject Request"). To the extent Company, in its use of the Services, does not have the ability to address a Data Subject Request, Supplier will, upon Company's request, take commercially reasonable efforts to assist Company in responding to such Data Subject Request, to the extent Supplier is legally permitted to do so and the response to such Data Subject Request is required under Applicable Law.
2.7 Data Protection Impact Assessment: Upon Company's written request, Supplier will provide Company with reasonable cooperation and assistance as needed and appropriate to fulfill Company's obligations under Applicable Law to carry out a data protection impact assessment related to Company's use of the Services. Supplier will provide reasonable assistance to Company in the cooperation or prior consultation with the Supervisory Authority (as defined under the GDPR) in the performance of its tasks relating to the data protection impact assessment, and to the extent required under the Applicable Law.
2.8
Security incidents: Upon becoming aware of a Security Incident, Supplier shall notify Company without undue delay. Any such notification is not an acknowledgement of fault or responsibility. This notification will include Supplier's then-current assessment of the following information, to the extent available, which may be based on incomplete information:
(a).
the nature of the Security Incident, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Company Personal Data records concerned;
(b).
the likely consequences of the Security Incident; and
(c).
measures taken or proposed to be taken by Supplier to address the Security Incident, including, where applicable, measures to mitigate its possible adverse effects.
Supplier will provide timely and periodic updates to Company as additional information regarding the Security Incident becomes available. Company is solely responsible for complying with legal requirements for incident notification applicable to Company and fulfilling any third-party notification obligations related to any Security Incident. Nothing in this DPA or in the Standard Contractual Clauses will be construed to require Supplier to violate, or delay compliance with, any legal obligation it may have with respect to a Security Incident or other security incidents generally. Supplier shall keep Company informed of all developments in connection with the Security Incident.
2.9
Deletion or return of Data: Upon termination or expiry of this Agreement, Supplier shall (at Company's election) destroy or return to Company all Data (including all copies of the Data) in its possession or control (including any Data subcontracted to a third party for processing). This requirement shall not apply to the extent that Supplier is required by any Applicable Law to retain some or all of the Data, in which event Supplier shall isolate and protect the Data from any further processing except to the extent required by such law.
2.10 Audits:
2.10.1
Self-Audit. Supplier has and will maintain commercially reasonable internal security controls and auditing procedures to audit its controls. On request from Company, no more than once annually, Supplier will: (i) provide Company with Supplier's most recent SOC II Type 2 compliance report and ISO:27001 certification and (ii) complete a security questionnaire submitted by Company. The reports and questionnaire responses are the Confidential Information of Supplier.
2.10.2
Company Audit. Following a Security Incident or as otherwise required by Applicable Law, Supplier will permit Company or its auditor to conduct an audit of Supplier to verify Supplier's compliance with this Agreement and Applicable Law at Company's expense ("Audit"). To the extent Company uses a third-party auditor to conduct the Audit, Company will ensure that such third-party representative is bound by obligations of confidentiality no less protective of Supplier than those contained in the Agreement. Company and Supplier will agree in advance on reasonable timing, scope, and security controls applicable to the Audit (including restricting access to Supplier's trade secrets and data belonging to Supplier's other customers). Company will conduct the Audit in a manner that will result in minimal disruption to Supplier's business operations and such Audit will take no longer than two (2) business days. If the Security Incident is caused by Company then Supplier may charge Company a reasonable fee for the Audit if Supplier documents the basis and calculation of the fee in advance.
2.10.3
Remediation. If Company provides Supplier with notice of a security deficiency (detected through tests or audits performed under this section or otherwise), Supplier will remediate the deficiency as appropriate, within a reasonable timeframe.
2.11
CCPA. The terms "Personal Information", "Sell", "Sale", and "Service Provider" shall have the same meaning as in the CCPA. Supplier is acting as a Service Provider with Company. Supplier shall retain, use and disclose Data solely for the purpose of performing Supplier's obligations under the Master Services Agreement for Company and for no commercial purpose other than the performance of such obligations. Supplier does not receive any Data as consideration for the services described in the Master Services Agreement. Supplier shall not Sell Data, and shall not retain, use or disclose Data except as necessary for the sole purpose of performing the services described in the Master Services Agreement. Supplier shall refrain from taking any action that would cause any transfers of Data, either to Supplier or from Supplier, to qualify as a Sale of Personal Information. Supplier acknowledges that Company may disclose this Agreement to the US Department of Commerce, the Federal Trade Commission, European data protection authority, or any other US or EU judicial or regulatory body upon their request and that any such disclosure shall not be deemed a breach of confidentiality.
3. International Transfers.
3.1
Company hereby authorizes Supplier to perform International Data Transfers in accordance with this DPA so long as Applicable Law for such transfers is respected.
3.2
With respect to Data transferred from the EEA, the EU SCCs will apply and form part of this DPA, unless the European Commission issues updates to the EU SCCs, in which case the updated EU SCCs will control. For the purpose of the EU SCCs, they will be deemed to be completed as follows. Clause 7 (the optional docking clause) is not included. Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body is inapplicable. Under Clause 17 (Governing law), the parties select Option 1 (the law of an EU Member State that allows for third-party beneficiary rights) and the law of Ireland. Under Clause 18 (Choice of forum and jurisdiction) the parties select the courts of Ireland. Annex I of the EU SCCs is set forth in Exhibit A. Annex II of the EU SCCs is set forth in Exhibit B. By entering into this DPA, the parties are deemed to be signing the EU SCCs.
3.3
With respect to Data transferred from the United Kingdom for which the law of the United Kingdom (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the UK SCCs form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs, unless the United Kingdom issues updates to the UK SCCs, in which case the updated UK SCCs will control. For the purpose of the UK SCCs, they will be deemed to be completed as follows. The parties' details and Key Contacts are set forth in Exhibit A. Annex 1A and 1B are set forth in Exhibit A. Annex II is set forth in Exhibit B. By entering into this DPA, the parties are deemed to be signing the UK SCCs.
4. Miscellaneous.
This Agreement shall be governed by, and construed in accordance with, the law of the State of California, USA, and the courts located in San Francisco County, California shall have exclusive jurisdiction to hear any dispute or other issue arising out of, or in connection with, this Agreement, except where otherwise required by Applicable Law.
Exhibit A
Data Processing Description
Annex I of the EU SCCs
Annex 1A and 1B of the UK SCCs
This Exhibit A forms part of the Agreement and describes the processing that the processor will perform on behalf of the controller.
The Parties
Controller
The controller is:
the entity identified as "Company" in the Data Processing Agreement
Address: specified in the Master Services Agreement
Contact person's name, position and contact details: specified in the Master Services Agreement
Processor
The processor is:
Panther Labs Inc., a Delaware limited liability company ("Supplier")
Address: specified in the Master Services Agreement
Contact person's name, position and contact details: specified in the Master Services Agreement
Description of Transfer
Module Two: Transfer Controller to Processor
Module Three: Transfer Processor to Processor
Categories of data subjects
The personal data to be processed concern the following categories of data subjects:
· employees or contractors of Company granted access by Company to Supplier's Services
· data subjects whose personal data is contained in Company security logs
Categories of data
The personal data to be processed concern the following categories of data:
· employee or contractor first and last name, work email address and work telephone number
· such personal data as is contained in Company security logs
Special categories of data (if appropriate)
The personal data to be processed concern the following special categories of data:
None.
Frequency of transfer
Continuously, for the length of the Master Services Agreement between the parties
Nature and purpose of the processing operations
The personal data will be subject to the following basic processing activities:
The personal data will be stored and processed only in order to provide the Services for the benefit of Company and to comply with applicable law.
Period for which personal data will be retained
Personal data will be retained for the length of time necessary to provide the Services and as otherwise required by applicable law.
For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing
Supplier's sub-processors will process personal data to assist Supplier in providing the Services, for as long as needed for Supplier to provide the Services.
Competent Supervisory Authority
MODULE TWO: Transfer Controller to Processor
MODULE THREE: Transfer Processor to Processor
Identify the competent supervisory authority/ies in accordance with Clause 13
The Parties will follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.
Exhibit B
Minimum Security Measures
Annex II of the EU SCCs
Annex II of the UK SCCs
Minimum Security Measures shall include an information security program that safeguards Company Data and Company confidential information. Such Security Measures must include:
(a) strict logical or physical separation between Company Data and Company confidential information, Supplier's own data and data of other customers of Supplier;
(b) maintaining industry-standard perimeter protection for Supplier's network and devices connected thereto ("Supplier's System");
(c) applying, as soon as practicable, patches or other controls to Supplier's System that effectively address actual or potential code-based security vulnerabilities;
(d) employing commercially reasonable efforts to ensure that Supplier's System remains free of security vulnerabilities, viruses, malware, and other harmful code;
(e) employing commercially reasonable efforts to practice safe coding standards and practices which address common application security vulnerabilities;
(f) providing appropriate education and training to Supplier employees and workers regarding these Security Measures and ensuring that those individuals are bound by confidentiality obligations;
(g) accessing or transferring Company Data or Company confidential information to or from Company systems only in a secure and confidential manner, including complying with specific security provisions and procedures set forth by Company in advance in writing, and
(h) limiting Supplier employee/agent/subcontractor access to Supplier's network, systems, devices and facilities to those with a need for such access, and whose access privileges shall be revoked promptly upon their termination.
Supplier shall provide to Company an individual point of contact for security purposes, and shall update this information from time to time as necessary.
Exhibit C
Subprocessors
Company has authorized use of the subprocessors listed at panther.com/subprocessors