UJET Data Processing Agreement

Effective Date: 7 June 2022

This Data Processing Agreement (“DPA”) may be referenced and incorporated by reference into an Order Form, Master Services Agreement or Terms of Service (the “Agreement”) between UJET, Inc. (“UJET”) and a customer (“Customer”) (collectively, the “Parties”). This DPA is supplemental to the Agreement entered into between the Parties which governs the provision of the Services. Any capitalized terms not defined herein have the meaning assigned to them in the Agreement.

Background

  1. Customer has purchased a subscription to UJET’s services in connection with facilitating and managing its own customer support program.
  2. Customer’s use of the Service includes UJET’s access to personal information from residents of the European Union, European Economic Area and/or their member states, Switzerland, and/or the United Kingdom; or
  3. Personal information that Customer discloses to UJET pursuant to the terms of the Agreement is or may become subject to Applicable Data Protection Laws.

NOW, THEREFORE, in consideration of the mutual promises contained herein and for other good and valuable consideration, the parties hereto agree as follows:

1. Definitions

In this DPA, the following terms shall have the following meanings: 

  1. "Applicable Data Protection Law" means all applicable international, federal, national, and state privacy and data protection laws that apply to the processing of Personal Data that is the subject matter of the Agreement. 
  2. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
  3. “Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Customer and UJET, but has not signed its own Order Form with UJET and is not a “Customer” as defined under this DPA.
  4. “CCPA” means the California Consumer Privacy Act, California Civil Code § 1798.100 et seq., and its implementing regulations.
  5. "Controller" means the entity that determines the purposes and means of the processing of Personal Data.
  6. “Customer” means the entity that executed the Agreement together with its Affiliates (for so long as they remain Affiliates) which have signed Order Forms.
  7. “Customer Content” means all material and other related documents, information, audio, visual, audiovisual, and other materials deployed by Customer directly to the Service.
  8. “Customer Data” means data, other than Customer Content, provided by Customer to UJET in connection with using the Service, including registration and account information.
  9. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), including as implemented or adopted under the laws of the United Kingdom.
  10. "Personal Data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.  
  11. "Privacy Shield" means the EU-U.S. and Swiss-U.S. Privacy Shield self-certification program operated by the U.S. Department of Commerce.
  12. "Privacy Shield Principles" means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016 (as may be amended, superseded or replaced).
  13. "Processor" means an entity that processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
  14. “Service Metadata” means the usage and other similar data resulting from the Customer Data and Customer Content in connection with the enhancement, improvement, and provision of the Service and derivatives thereof. Service Metadata does not disclose any Customer Data in raw form, does not contain Personal Data or identify Customer as the source of such data.
  15. "Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to processors established in third countries, pursuant to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
  16. “Sub-Processor” means any Processor engaged by UJET.
  17. “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR or, for the United Kingdom, the Information Commissioner’s Office (“ICO”).

2. Processing of Personal Data

  1. Relationship of the Parties.  As between the parties, Customer is the Controller and appoints UJET as a Processor to process the Personal Data that is the subject of the Agreement (the "Data") on behalf of Customer.  
  2. Purpose Limitation.  UJET shall process the Data as a Processor, as described in Schedule 1, and strictly in accordance with the documented instructions of Customer (including those in this DPA and the Agreement). UJET acknowledges and agrees that it may not retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the Services specified in the Agreement for Customer, unless otherwise permitted by the Applicable Data Protection Law, including under any “sale” exemption. In no event will UJET sell any such Data.
  3. Confidentiality. UJET shall ensure that any person that it authorizes to process the Data (including UJET’s staff, agents and subcontractors) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to process the Data who is not under such a duty of confidentiality.
  4. Access. UJET shall ensure that access to Personal Data is limited to those persons who need access to the Personal Data to meet the Processor’s obligations as set forth under this Agreement and, in the case of any access by any person, such part or parts of the Personal Data is strictly necessary for the performance of that person’s duties.
  5. Training. UJET shall ensure that any person that it authorizes to process the Data (including UJET’s employees, agents and subcontractors) has undertaken training in data protection laws relating to handling of Personal Data and is aware both of the Processor’s duties and their personal duties and obligations under data protection laws and under this Agreement.
  6. Data Protection Officer. UJET has appointed a data protection officer. The appointed person may be reached at privacy@ujet.cx.

3. Security 

  1. Controls for the Protection of Personal Data. UJET shall implement appropriate procedural, technical and organizational measures designed to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the Data (a "Security Incident"). UJET monitors compliance with these measures and will not materially decrease the overall security of the Services during the Agreement.
  2. Third Party Certifications and Audits. UJET has obtained the third party certification and audits outlined in the Security and Privacy section of its website at https://ujet.cx/security. Upon Customer’s written request, which shall be no more than once annually, and subject to the Confidentiality obligations outlined in the Agreement, UJET shall make available to Customer that is not a competitor to UJET (or Customer’s independent third-party auditor that is not a competitor to UJET), a copy of UJET’s applicable third-party audits or certifications. 
  3. Security Incidents.  Upon becoming aware of a Security Incident, UJET shall inform Customer without undue delay (and, in any event, within seventy-two (72) hours) and shall provide timely information and cooperation to enable Customer to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law.  UJET shall further take such reasonable measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all developments in connection with the Security Incident. UJET shall not notify any third parties of a Security Incident affecting the Data under this Agreement unless and to the extent that: (a) Customer has agreed to such notification, and/or (b) notification is required to be made by UJET under Applicable Data Protection Laws. UJET’s notification of or response to a Security Incident under this section is not an acknowledgement by UJET of any fault or liability with respect to the Security Incident. Customer must notify UJET promptly about any possible misuse of its accounts or authentication credentials or any security incident related to the Service. These obligations shall not apply to incidents that are caused by Customer or Customer’s Users.
  4. Data Protection Impact Assessment.  Taking into account the nature of the processing and the information available to UJET, UJET shall provide Customer with reasonable and timely assistance with any data protection impact assessments and, where necessary, consultations with data protection authorities, where required under Applicable Data Protection Law. 

4. Sub-Processors

  1. Appointment of Sub-Processors. Customer acknowledges and agrees that UJET may engage third-party Sub-Processors in connection with the provision of UJET Services.  UJET shall impose materially similar data protection terms on any Sub-Processor it appoints as those provided for by this DPA and UJET shall remain fully liable for any breach of this DPA that is caused by an act, error or omission of its sub-Processor. The Sub-Processors UJET currently engages are listed in Annex III.
  2. Objection Right for New Sub-Processors. UJET shall not subcontract any processing of the Data to a third-party Sub-Processor unless: (i) UJET provides to Customer an up-to-date list of its then-current Sub-Processors upon request; and (ii) UJET provides at least ten (10) days' prior notice of the addition or removal of any Sub-Processor (including the details of the processing it performs or will perform, and the location of such processing). Customer may object in writing to such appointment or change of Sub-Processor based on reasonable grounds related to data protection. Upon receipt of the objection, the parties will discuss in good faith alternatives which are commercially reasonable. In the event resolution is not reached, UJET will not appoint or will replace the Sub-Processor. If this is not possible, Customer may elect to terminate the Agreement and all applicable Order Forms with immediate effect and UJET shall refund any fees covering the remaining term of the Agreement and all applicable Order Forms.
  3. List of Current Sub-Processors and Notification of New Sub-Processors. Upon Customer’s written request, UJET shall make available its current list of Sub-Processors for the Services identified in Annex III of this DPA and the Standard Contractual Clauses.
  4. Liability. UJET shall be liable for the acts and omissions of its Sub-Processors to the same extent UJET would be liable if performing the services of each Sub-Processor directly under the terms of this DPA and the Agreement. 

5. Individuals’ Rights

  1. Cooperation and Individuals' Rights. UJET shall provide all reasonable and timely assistance to enable Customer to respond to: (i) any request from an individual to exercise any of its rights under Applicable Data Protection Law; and (ii) any other correspondence received from a Supervisory Authority or public authority in connection with the processing of the Data. If any such communication is made directly to UJET, UJET shall promptly inform Customer providing full details of the same and shall not respond to the communication unless specifically required by law or authorized by Customer.

6. Rights of the Controller

  1. Deletion or Return of Data. Personal Data for Customer’s Users may be deleted using the UJET Admin Portal. Personal Data, including communications between Customer and its End Users, is transferred to and stored in Customer’s database(s) upon completion of each customer support session and cannot be accessed by UJET once such transfer is completed. Upon termination or expiry of the Agreement, UJET shall delete all Data (including copies) in its possession or control. This requirement shall not apply to the extent that UJET is required by applicable law to retain some or all the Data, in which event UJET shall isolate and protect the Data from any further processing except to the extent required by such law.  
  2. Provision of Documentation and Information.  UJET shall promptly provide such reasonable information, documentation, and written responses to questions that Customer (or its appointed representatives) requests to assess UJET’s continued compliance with this DPA. 
  3. Audit upon Regulatory Request or Following Security Incident. UJET shall, following an instruction by a Supervisory Authority or public authority, or following a Security Incident, allow Customer to audit UJET provided such inspections and audits are carried out on reasonable notice and do not involve the review of any third-party data. UJET shall make available access to all information, systems, and staff necessary to conduct such an audit. Where reasonably possible, Customer shall give UJET reasonable prior notice of its intention to audit, conduct its audit during normal business hours, and take reasonable measures to prevent unnecessary disruption to UJET’s operations. The reviewing entity shall enter into such confidentiality obligations with UJET as may be reasonably necessary to respect the confidentiality of UJET’s business interests and third-party data and other information of which the reviewing entity may become aware during the inspection or audit.

7. European Specific Provisions

  1. International Transfers of Data.  UJET will provide an adequate level of protection for the Data, wherever processed, in accordance with the requirements of Applicable Data Protection Law. In particular, UJET shall not process or transfer any Data in or to a territory other than the territory in which the Personal Data was first collected (nor permit such Data to be so processed or transferred) unless: (i) it has first obtained Customer’s prior written consent; and (ii) it takes all such measures as are necessary to ensure such processing or transfer is in compliance with Applicable Data Protection Laws (including such measures as may be communicated by Customer to UJET). Customer appoints UJET to transfer Customer Data and Personal Data to the United States or any other country in which UJET or its Sub-Processors operate and to store and process Customer Data and Personal Data to provide the Services, except as described elsewhere in the DPA.
  2. Transfer Mechanisms for Data Transfers. All transfers of Customer Data and Personal Data out of the European Union, European Economic Area and/or their member states, Switzerland, and/or the United Kingdom to provide the Services shall be governed by the Standard Contractual Clauses in Addendum A. UJET does not control or limit the regions from which Customer or Customer’s Users may access or move Data.
  3. Standard Contractual Clauses. Where UJET processes Personal Data under this DPA that is protected under European Data Protection Law, UJET shall comply with (and ensure any Sub-Processor complies with) the Standard Contractual Clauses, which are incorporated by reference and form an integral part of this DPA.  For the purposes of the descriptions in the Standard Contractual Clauses, Customer agrees that it is a "data exporter" and UJET is the "data importer" under the Model Clauses (notwithstanding that is located outside the EEA). 
  4. Privacy Shield. UJET is certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and the commitments they entail, although UJET does not rely on the EU-U.S. Privacy Shield Framework as a legal basis for transfers of Personal Data considering the judgment of the Court of Justice of the EU in Case C-311/18. UJET agrees to notify Customer if it determines that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield Principles.

8. Contractual Relationship

  1. The parties acknowledge and agree that, by executing the Agreement, Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between UJET and each Authorized Affiliate subject to the provisions of the Agreement and this Section 8. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement and is only a party to the DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Customer.
  2. Communication. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with UJET under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
  3. Rights of Authorized Affiliates. Where an Authorized Affiliate becomes a party to the DPA with UJET, it shall to the extent required under Applicable Data Protection Law be entitled to exercise the rights and seek remedies under this DPA, subject to the following:
    • Except where applicable Data Protection Laws and Regulations require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against UJET directly by itself, the parties agree that (i) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Authorized Affiliate individually but in a combined manner for itself and all of its Authorized Affiliates together (as set forth, for example, in Section 9.3.2, below).
    • The parties agree that the Customer that is the contracting party to the Agreement shall, when carrying out an on-site audit of the procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on UJET and its Sub-Processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of itself and all of its Authorized Affiliates in one single audit.

9. Limitation of Liability

  1. Liability. Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and UJET, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. For the avoidance of doubt, UJET’s and its Affiliates’ total liability for all claims from Customer and all of its Authorized Affiliates arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Customer and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPA.

10. Miscellaneous

  1. General Cooperation to Remediate. In the event that Applicable Data Protection Law, or a data protection authority or Supervisory Authority, provides that the transfer or processing of Personal Data under this DPA is no longer lawful or otherwise permitted, then the parties shall agree to cooperate in good faith to remediate the processing (by amendment to this DPA or otherwise) in order to meet the necessary standards or requirements. 
  2. Survival. The obligations placed upon UJET under this DPA shall survive so long as UJET and/or its Sub-Processors process or possess Personal Data on behalf of the Customer.

Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict. 

Addendum A: International transfers

If and to the extent that the Agreement involves the provision of Services where UJET will transfer the Customer Personal Data from any country in the European Economic Area, the United Kingdom, or Switzerland (together, the “Jurisdiction”) to outside the Jurisdiction, then the parties agree that the European Commission’s Standard Contractual Clauses (“SCC”) shall apply. The SCCs found here are included by reference. The SCCs are construed, amended, and/or supplemented as follows:

A. Applicable module

Based on the nature of the Services, the module indicated below shall apply: 

  [ ] Module One (Controller to Controller)
  [X] Module Two (Controller to Processor)
  [ ] Module Three (Processor to Processor)
  [ ] Module Four (Processor to Controller)

B. Options

For each module, where applicable, the Parties agree on the following options:

  1. Clause 7: the optional docking clause shall apply.
  2. Clause 9(a): Option 2 applies. The data importer has the data exporter’s general authorization for the engagement of sub-processor(s) from an agreed list (provided below). The data importer shall inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 10 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
  3. Clause 17: Option 1 applies, and the SCCs will be governed by Irish law.
  4. Clause 18(b): Disputes shall be resolved in the courts of Ireland. 

        Annex I

        A. List of parties

        Data exporter(s): the Customer identified in the Agreement.
        Activities relevant to the data transferred under these Clauses:
        Customer’s user support solutions integrated with the UJET SaaS platform cloud service

        Data importer(s): 

        Name: UJET, Inc.
        Address: UJET, 535 Mission Street, 14th Floor, WeWork, San Francisco, CA 94105
        Contact person’s name, position and contact details: 

        Caryn Seippel
        Vice President of Compliance
        Caryn.Seippel@ujet.cx

        Activities relevant to the data transferred under these Clauses:

        UJET provides the next generation of user support ecosystems and a CCaaS Platform, including solutions for integrating customer communications and support capabilities into mobile and other applications. For more detailed information regarding our Services, see www.ujet.cx

        B. DESCRIPTION OF TRANSFER

        Categories of data subjects whose personal data is transferred

        Customer’s employees, Customer End Users and/or representatives of Customer, Customer’s Vendors and others who communicate with Customer while using UJET’s Services in Customer’s user support solutions integrated with the UJET SaaS platform cloud service.

        | Categories of Processing | Personal Data Collected | Uses of Personal Data |
        | --- | --- | --- |
        | User Content | messages, photos, video, images, folders, data, text, voice recordings and other types of works | service delivery |
        | End User Contact IDs | contact identification number (Contact ID) assigned to an End User by Controller, database identification number (database ID) assigned to end user by Controller, device UUID, phone number | service delivery |
        | End User Credit Card Data | credit card number, expiration date, CVV, zip code | service delivery |
        | Identification and Customer Account Data | First, middle and last name, title, company name, business and/or mobile telephone number, business email address, location, position, roles, professional skills, CRM user ID, single sign-on user ID, business mailing address, and, if applicable, avatar, interests, and/or preferences | service delivery |
        | Financial Identification Data | billing and related information, including adequate identification data necessary to comply with phone number regulatory requirements defined by carriers | billing, accounts receivable, financial recording, service delivery |
        | Communications Data | voice, chat, text and other customer service sessions content including messages, photos, images, folders, data, text, voice and video recordings and other types of works or media, end user name, email addresses, IP addresses, location, phone numbers, content and reviews posted to social media sites, contact identification number (contact ID) and/or database ID number, and other personal data as requested by customer via its integrated application with the UJET service and interaction with consumer customers’ computing devices (UJET has no visibility to custom data) | service delivery |

        Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

        Please list any sensitive data

        The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).

        Continuous, as needed. 

        Purpose(s) of the data transfer and further processing

        To deliver and maintain the Contact Center Solution related services. 

        The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

        UJET does not retain personal data.  All personal data is transmitted securely to the Customer identified CRM or Data Storage facility.  If specifically requested and customer signs a waiver, UJET may store Call Data for the period requested by Customer.  

        For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing.

        See Annex III

        C. Competent supervisory authority

        A list of the supervisory authorities across the European Union and EEA can be found under the following link: https://edpb.europa.eu/about-edpb/about-edpb/members_en

        Ireland

        Data Protection Commission
        21 Fitzwilliam Square
        D02 RD28 Dublin 2
        Tel. +353 76 110 4800
        Email: info@dataprotection.ie
        Website: http://www.dataprotection.ie/
        Member: Ms. Helen Dixon - Data Protection Commissioner





        Annex II

        Security Measures

        1. Security audit, testing and inspection

        • UJET will provide Controller with its third-party audit reports.

        2. Information security management policy

        • UJET maintains an Information Security Management Policy which is modelled after SOC2 (or subsequent version) standard and controls or an equivalent industry standard for information security management.

        3. Privacy impact assessment

        • UJET has a process for conducting Privacy Impact Assessments (PIAs), with supporting procedures and controls that are effective and operational.

        4. Asset management

        • UJET may handle and store the Data Controller’s Personal Data in manners comparable to or exceeding the Data Controller's regulations for classification and handling of information assets as agreed between the parties in the Agreement or elsewhere. UJET may, at UJET’s own discretion, assign Personal Data handled by UJET a stricter classification within UJET’s own information classification system, if UJET believes this is necessary.
        • UJET shall establish, maintain and, periodically update a list of all applications and systems used for processing of Personal Data under this DPA.  See Annex III

        5. Human resources security

        • UJET’s screening process ensures that personnel working with the Data Controller’s Personal Data are subject to background screening.
        • UJET is responsible for its personnel and their actions. UJET:
          1. Establishes binding agreement(s) with each of its personnel that set(s) forth their obligation to UJET including their professional secrecy, and their obligation to follow IT and security regulations.
          2. Has a process for informing and training all relevant personnel on general security.
          3. Ensures that all personnel are provided with guidelines that state the security expectations for their role within the organization.
          4. Has a process for dismissing personnel that includes:
            1. Revoking access rights to all systems
            2. Blocking the user account and wiping mobile devices, used in processing the Data Controller’s Personal Data
            3. Seizing IT equipment (laptop) used in processing the Data Controller’s Personal Data
            4. Revoking physical access rights
            5. Collecting and destroying ID and key card
        • For employee-initiated termination, UJET reviews whether a task-based need for such access, accounts or assets no longer exists. UJET assesses the risk of keeping such access, accounts and assets available to the employee and acts accordingly. UJET pays particular attention to the risk of keeping said access, accounts, and assets available to the employee and considers additional risk-mitigating measures during the period between the announcement of termination and revocation of said access, accounts and assets.

        6. Physical and environmental security

        • UJET may document upon request and reasonable notice, an operationalized and implemented policy or set of policies for ensuring the physical security applied in the safeguarding of Personal Data.
        • All areas where UJET performs tasks for the Data Controller which could conceivably affect the Data Controller’s Personal Data, are secured in accordance with the physical security policy/policies to ensure the protection and safeguard of Personal Data.
        • UJET ensures that UJET’s physical security policy is applied to the areas where UJET performs tasks for the Data Controller in a manner to achieve a level of physical protection comparable to or exceeding that of the Data Controller's written security requirements.
        • Notwithstanding the aforementioned requirements for secure areas, UJET is not responsible for establishing or maintaining the physical security of areas owned or leased by the Data Controller. UJET will adhere to, and shall not subvert or circumvent, the physical security measures implemented at/in Data Controller owned or leased areas. 

        7. Equipment, network and media security

        • UJET maintains an adequate level of security for all end-user equipment, servers, networks, and digital media used for delivering services to the Data Controller.
        • Specifically, UJET:
          1. Has an operational vulnerability management regime, aiming to detect and subsequently eliminate or neutralize all known vulnerabilities in a timely manner by means of applying security patches or otherwise mitigating the risk,
          2. Has anti-malware installed for all endpoints utilized, of a kind for which anti-malware is relevant, including a mechanism for continuously updating the anti-malware software,
          3. Has firewalling installed for all endpoints utilized,
          4. Employs mechanisms for centralized backup of relevant data from all nodes, as well as backup of any central storage utilized,
          5. Employs solutions for collecting and analyzing both log data from all layers (from network appliances via OS and database through applications), and traffic (flow) data from its entire infrastructure, and conducts continuous proactive monitoring of the analysis results, aiming to detect and respond to suspicious or anomalous observations,
          6. Employs security mechanisms in respect to network traffic monitoring, to detect and prevent against malicious activities and potential attacks, and
        • Data is protected at rest and in case of lost devices, by employing encryption or wiping devices as an option, upon notice of the loss.

        8. Segregation of duties

        • Strict segregation of duties is enforced when assigning tasks concerned with the processing of the Data Controller’s Personal Data.
        • Within any system or mechanism (in a technical or governance sense) managing, assigning, or overseeing access rights, privileges and/or activities; roles, responsibilities and tasks are assigned in such a manner that no individual may manage, assign or affect the overseeing of his/her own access rights, privileges and/or activities; and the system itself shall comprise controls and limitations preventing this from accidentally or intentionally occurring. The principles of least access and least privilege are applied to minimize access to Data Controller data.

        9. Change management

        • Changes to the information systems, business processes and systems that affect information security of Personal Data are controlled, including a formal management responsibility to ensure a satisfactory implementation of the change.
        • UJET ensures creation and subsequent availability of auditable change logs. The change logs include relevant information to support traceability through the change process steps. The logs include identifiers for user, date, time and detail of the key events. Access to the change logs is limited to ensure non-repudiation and any access thereto is granted on a need-to-know basis.

        10. Transfer of data

        • When transferring Personal Data to and from the Data Controller or the Data Controller’s affiliated party, strong content encryption or strong end-to-end communications encryption is utilized.

        11. Access control

        • UJET’s access management process shall comply with the following: 
          1. Only a limited number of managers are allowed to grant access to systems where the Data Controller’s Personal Data is processed (“granters”). 
          2. Only authorized personnel, i.e., persons who work on deliveries to the Data Controller, have access to the systems and information. All access is needs-based.
          3. All accounts are traceable to an owner with known and verified identity.
          4. UJET keeps an updated list of authorized accounts. 
          5. UJET has procedures for reporting and revoking compromised access credentials (passwords, tokens, etc.) immediately.
        • UJET has established a process for:
          1. Reviewing the access rights of all its personnel and accounts working with the Data Controller’s systems and Personal Data.
          2. Revoking the access rights of personnel or accounts that are no longer working on the Data Controller’s Personal Data under this DPA.
          3. Temporary revocation of access rights to the Data Controller’s Personal Data upon longer leaves of absence.

        12. Personal data breach management

        • UJET will, without undue delay, take all reasonable actions and implement all reasonable measures to minimize negative impacts from Personal Data Breaches. UJET will, within 72 hours, disclose information to the Data Controller that may affect the Data Controller’s ability to maintain the confidentiality and integrity of Personal Data both within and outside of UJET’s control, or the Data Controller’s ability to minimize any negative impact resulting from the Personal Data Breach. 

         

        Annex III

        List of sub-processors

        The controller has authorized the use of the following sub-processors:

        | Processor - Service | Location(s) | Functions Performed | Platform/Support Services |
        |---|---|---|---|
        | Amazon Web Services, Inc. | Global | Compute, Cloud Hosting, Storage and Relational Database | Platform |
        | Bandwidth, Inc. | Global | Interactive video, VoIP/telephony and messaging | Support Services |
        | ClearView Business Intelligence LLC | Global | Advanced Reporting | Platform |
        | Google Cloud Platform (Google Inc.) | Global | Compute, Cloud Hosting, Storage and Relational Database | Platform |
        | Groove Labs Inc. | United States | Communications with customers | Support Services |
        | Involve.AI | United States | Customer support management | Support Services |
        | New Relic, Inc. | United States | Unified log analysis and monitoring | Platform |
        | Salesforce.com | Global | Customer relationship management | Platform |
        | Slack Technologies | United States | Communications with Customers | Support Services |
        | Snowflake Computing Inc. | Global | Data analytics and reporting | Platform |
        | Stripe, Inc. | Global | Credit Card transaction Processing | Platform |
        | The Rocket Science Group LLC d/b/a MailChimp | United States | Communications with customers | Support Services |
        | Twilio, Inc. | United States and other countries | Interactive video, VoIP/telephony and messaging | Platform |
        | Vonage Holdings Corp. | United Kingdom, the EEA, the United States, and in other jurisdictions | Interactive video, VoIP/telephony and messaging | Platform |
        | Zendesk, Inc. | EEA, the United States and in other countries and territories | Customer support management | Support Services |
        | Zoom Video Communications, Inc. | Global | Customer conferencing and recordings | Support Services |