Data Processing Addendum to EUSA

This Data Processing Addendum (“DPA”) is incorporated into and forms part of the terms and conditions of the End User Service Agreement (“EUSA”) between Avetta and Supplier and sets out the additional terms, requirements, and conditions on which Avetta will obtain, handle, process, disclose, transfer, or store Personal Data when providing services under the EUSA. All capitalized terms not defined in this DPA shall have the meaning ascribed to them in the EUSA.

1. Definitions and Interpretation.

1.1 Definitions.

“Applicable Data Protection Legislation” means the laws and regulations applicable to the respective party’s processing of Personal Data in connection with the EUSA, including, where applicable, (i) the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”), as amended and supplemented, as the case may be, by the relevant EU Member States laws and regulations in which Supplier directly or indirectly operates, (ii) the UK Data Protection Act 2018 and the UK General Data Protection Regulation (“UK GDPR”), (iii) the Australian Privacy Act 1988 and the Australian Privacy Principles, (iv) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and any related regulations or guidance (collectively, the “CCPA”), (v) the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”), and (vi) any other international, federal, state, territorial, provincial, and local privacy or data protection laws, rules, regulations, directives and governmental requirements currently in effect and as they become effective.

"Data Subject" means an individual who is the subject of the Personal Data and to whom or about whom the Personal Data relates or identifies, directly or indirectly.

"Data Privacy Framework” includes the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework which were respectively developed in furtherance of transatlantic commerce by the US Department of Commerce and the European Commission, the UK Government, and the Swiss Federal Administration to provide US organizations with reliable mechanisms for Personal Data transfers to the United States from the EEA, the UK (and Gibraltar), and Switzerland while ensuring data protection that is consistent with EU, UK, and Swiss law.

“EEA” refers to the European Economic Area consisting of all member states of the European Union and Iceland, Norway and Liechtenstein.

"EU SCCs" means the European Commission's standard contractual clauses for the transfer of personal data from the European Union to third countries, as set out in the Annex to Commission Decision (EU) 2021/914, a copy of which is available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en.

"Personal Data" means any information Avetta processes that (i) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in Avetta's possession or control, or (ii) the Applicable Data Protection Legislation otherwise defines as protected personal data or personal information.

"Processing, processes, and process" means any activity that involves the use of Personal Data, or as the Applicable Data Protection Legislation may otherwise define the terms “processing,” “processes,” or “process.” It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Data to third parties.

"Security Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.

"Subject Rights Request" means the exercise by a Data Subject of his or her rights under the Applicable Data Protection Legislation.

“UK Addendum” means the UK Information Commissioner’s Office’s International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses, a copy of which is available at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/.

1.2 The Schedules form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Schedules.

1.3 A reference to writing or written includes email.

1.4 In the case of conflict or ambiguity between any of the provisions of this DPA and the provisions of the EUSA, the provisions of this DPA will prevail, and any of the provisions of this DPA and any provisions contained in Schedule A, the applicable provisions of Schedule A will prevail.

2. Roles and Scope of Processing.

2.1 Roles of the Parties. Supplier and Avetta acknowledge and agree that:

(a) Avetta is a data processor to the extent the processing of Personal Data is carried out on behalf of and under the direction of Supplier, such as processing of Supplier’s Personal Data (including Personal Data of its personnel and Workers) contained in prequalification/compliance forms and any documentation or other Customer Content submitted by Supplier (including by its Authorized Users) to the Site to share with its Clients.

(b) Avetta is a data controller to the extent the processing of Personal Data is for Avetta’s own purposes in connection with the provision of the Avetta Services or for Avetta’s legitimate business interests, such as billing, account management, technical support, preventing and detecting security threats, product development, analytical uses, and sales and marketing (e.g., sending newsletters to Supplier’s admin users).

2.2 Supplier Processing of Personal Data. Supplier acknowledges and agrees that:

(a) Supplier shall have the sole responsibility for the accuracy, quality, and legality of the Personal Data submitted to Avetta and/or the Site (either by Supplier or by its Data Subjects);

(b) Supplier shall only upload and submit to Avetta and/or the Site Personal Data that were obtained from Data Subjects in compliance with the Applicable Data Protection Legislation;

(c) Supplier shall ensure Supplier has all necessary consents and notices in place and has satisfied all other requirements under the Applicable Data Protection Legislation to enable lawful transfer of Personal Data (including Sensitive Data) to Avetta and permit Avetta’s processing of Personal Data in various jurisdictions pursuant to the EUSA and this DPA;

(d) Where consent is the lawful basis for processing Personal Data or is otherwise required for the use of the Avetta Services, Supplier shall, at all times, make available and maintain (i) a mechanism for obtaining such consent from Data Subjects, and (ii) a mechanism for Data Subjects to withdraw such consent, in each case in accordance with the Applicable Data Protection Legislation; and

(e) Supplier’s use of the Avetta Services will not violate the rights of any Data Subjects.

2.3 Details of Data Processing. Schedule B describes the general categories of Personal Data, the types of Data Subjects, and other details of the processing Avetta will perform in connection with the provision of the Avetta Services in accordance with the EUSA.

3. Avetta's Obligations.

3.1 Avetta will process Personal Data only for the specific purposes of the transfer as set out in Schedule B. Avetta may process Personal Data for another purpose (i) where it has obtained the Data Subject’s prior consent, (ii) where necessary for the establishment, exercise or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings; or (iii) where allowed under Applicable Data Protection Legislation to use Personal Data for purposes secondary to the specific purposes as set out in Schedule B without the Data Subject’s consent. To the extent Avetta acts as a data processor of Supplier, Avetta shall process Personal Data in accordance with Supplier’s instructions. The parties agree that Supplier’s instructions shall be within the scope of the EUSA and Supplier shall obtain Avetta’s prior written consent for any additional instructions. Avetta shall promptly notify Supplier if, in Avetta’s opinion, such instruction violates any Applicable Data Protection Legislation. Where applicable, Supplier shall be responsible for any communications, notifications, assistance and/or authorizations that may be required in connection with its Data Subjects.

3.2 Avetta will, while considering the nature of Avetta’s processing and the information available to Avetta, reasonably assist Supplier with meeting Supplier’s compliance obligations under the Applicable Data Protection Legislation, provided that Supplier shall cover all costs incurred by Avetta in connection with its provision of such assistance. Such compliance obligations may include the obligation to carry out an assessment of the impact of the processing operations on the protection of Personal Data (a “Data Protection Impact Assessment”) where the processing is likely to result in a high risk to the rights and freedoms of natural persons.

4. Avetta's Employees.

4.1 Avetta will ensure that all employees who have access to or are involved in processing Personal Data (i) have undertaken training on the Applicable Data Protection Legislation relating to handling Personal Data and are aware of both Avetta’s duties and their personal duties and obligations under the Applicable Data Protection Legislation and this DPA; and (ii) are under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

4.2 Avetta will take reasonable steps to ensure the reliability, integrity, and trustworthiness of any Avetta’s employee with access to Personal Data.

5. Security.

5.1 Taking into account the nature, scope, context and purposes of processing, the costs of implementation, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Avetta has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the security measures described in Annex II to Schedule B. Avetta may review and update Annex II from time to time, provided that any such updates shall not materially diminish the overall security of the Avetta Services or Personal Data.

5.2 Supplier is responsible for reviewing the information made available by Avetta relating to data security and making an independent determination as to whether the Avetta Services meet Supplier’s requirements and legal obligations under the Applicable Data Protection Legislation.

6. Security Breach and Personal Data Loss.

6.1 Avetta shall notify Supplier without delay upon becoming aware of any Security Breach and provide reasonable and necessary assistance to enable Supplier to meet its breach reporting obligations under, and within the timeframes required by, the Applicable Data Protection Legislation. Avetta’s notification shall be sent to the email registered by Supplier within the Avetta Services, and where no such email is registered, Supplier acknowledges that the means of notification shall be at Avetta’s reasonable discretion and Avetta’s ability to timely notify may be negatively impacted. Avetta shall promptly take reasonable steps to contain, investigate, and mitigate any Security Breach. In the event that Supplier suspects any Security Breach, please report it immediately to infosec@avetta.com.

6.2 To the extent available, Avetta shall provide Supplier timely information about the Security Breach, including, but not limited to, the nature and consequences of the Security Breach, the measures taken and/or proposed by Avetta to mitigate or contain the Security Breach, the status of Avetta’s investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned. Communications by or on behalf of Avetta with Supplier in connection with a Security Breach shall not be construed as an acknowledgment by Avetta of any fault or liability with respect to the Security Breach.

7. Cross-Border Transfers of Personal Data; Required Contractual Clauses.

7.1 Supplier acknowledges and agrees that Avetta may transfer, access, and process Personal Data on a global basis as necessary to provide the Avetta Services.

7.2 Where the Applicable Data Protection Legislation has prescribed specific mechanisms for the transfer of Personal Data to Avetta and/or contract clauses for processing of Personal Data by Avetta (collectively, “Transfer Mechanisms”), Avetta shall make such specific Transfer Mechanisms available (to the extent generally supported by Avetta) in Schedule A.

7.3 If the Applicable Data Protection Legislation has prescribed additional requirements for the transfer and/or contract clauses for the processing of Personal Data, Avetta agrees to reasonably cooperate with Supplier for Supplier’s compliance with such requirements and will update the Transfer Mechanisms in Schedule A when appropriate. Supplier agrees to execute further documents and take further actions as may be reasonably necessary to give legal effect to the additional or modified Transfer Mechanism.

8. (Sub-) processors.

8.1 Supplier agrees that, to the extent Avetta acts a data processor, Avetta may use sub-processors listed at Avetta’s (Sub-) Processors for the processing of Personal Data in connection with the provision of the Avetta Services. At least 10 days prior to authorizing any new sub-processor or replacing any sub-processor, Avetta will notify Supplier of the changes by posting the proposed new sub-processors to Avetta’s (Sub-) Processors. It is Supplier’s responsibility to check this website regularly for updates. If Supplier has any legitimate objection to the appointment of new sub-processor that relates to Avetta’s compliance with this DPA, Avetta will make reasonable efforts to address Supplier’s objection. If no resolution can be reached, Avetta will, at its sole discretion, either not appoint the new sub-processor, or permit Supplier to suspend or terminate the EUSA without liability to either party. Avetta shall not be obliged to make any refund of any sums paid under the EUSA.

8.2 Supplier further acknowledges and agrees that, to the extent Avetta acts as a data controller, Avetta may use the additional service providers described at Avetta’s (Sub-) Processors for the purposes set forth therein.

9. Data Subject Rights Requests.

9.1 The parties each agree to provide such assistance as is reasonably required to enable the other party to comply with any Subject Rights Requests within the time limits imposed by the Applicable Data Protection Legislation.

10. Third-Party Data Access Request.

10.1 Avetta shall notify Supplier of any request for the disclosure of Supplier’s Personal Data by a governmental or regulatory body or law enforcement authority, unless otherwise prohibited by law or a legally binding order of such body or agency.

11. Term and Termination.

11.1 This DPA shall come into force on the effective date of the EUSA or the first provision of Personal Data to Avetta, whichever is earlier, and shall remain in full force and effect so long as the EUSA remains in effect.

11.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the EUSA in order to protect Personal Data will remain in full force and effect.

12. Data Return and Destruction.

12.1 At Supplier's request, Avetta will provide Supplier a copy of, or access to, Supplier's Personal Data in its possession or control, in Avetta’s standard format, if the request is submitted prior to Avetta’s disposal of the Personal Data.

12.2 Following termination of the EUSA, Avetta will, within a reasonable period of time, securely delete or destroy Supplier’s Personal Data related to this DPA in the Site. This requirement will not apply (i) to the extent that the retention of the Personal Data is to satisfy any legal, regulatory, tax, accounting or reporting requirements or is necessary for the establishment, exercise or defense of legal claims if Avetta reasonably believes there is a prospect of litigation; and (ii) to the Personal Data in backup systems until the backups have been overwritten or expunged in accordance with Avetta’s backup policy, in which event Avetta will isolate and protect the Personal Data from any further processing except to the extent required by applicable law until deletion is possible.

13. Audit.

13.1 Upon written request and at no additional cost to Supplier, Avetta shall provide Supplier, and/or its appropriately qualified third-party representative (collectively, the “Auditor”), access to reasonably requested documentation evidencing Avetta’s compliance with its obligations under this DPA in the form of the relevant audits or certifications listed in Annex II to Schedule B, such as ISO/IEC 27001:2022, ISO/IEC 27701:2019, ISO/IEC 27017:2015, ISO/IEC 27018:2019, and ISO/IEC 22301:2019 (“ISO Certifications”), and SOC 2 Type II. Avetta will also respond to written audit questionnaires submitted by the Auditor and meet by teleconference or in person (at Supplier’s expense) to address follow-up questions, provided that (i) such audit questionnaires shall not cover any topics or areas already addressed by the ISO Certifications or the SOC 2 Type II audit report, and (ii) Supplier will not exercise this right more than once per year, except if and when required by instruction of a competent data protection authority. Avetta may require the Auditor to execute a separate confidentiality agreement with Avetta prior to any review of the reports or an audit of Avetta, and Avetta may object in writing to such Auditor, if in Avetta’s reasonable opinion, the Auditor is not suitably qualified or is a direct competitor of Avetta. Any such objection by Avetta will require Supplier to appoint another Auditor. Any expenses incurred by an Auditor in connection with any review of the reports or an audit shall be borne exclusively by Supplier.

14. General.

14.1 The parties agree that this DPA shall replace and supersede any existing data processing addendum, attachment, exhibit or standard contractual clauses that Avetta and Supplier may have previously entered into in connection with the Avetta Services. Avetta may update this DPA from time to time (for example, in response to any changes in the Applicable Data Protection Legislature, or as a result of a merger, acquisition, corporate reorganization or other similar occurrence or the release of new features, functions, products or services or material changes to any of the existing Avetta Services), provided, however, that no such update shall materially diminish the privacy or security of Personal Data. Avetta will post the updated version to Data Processing Addendum to EUSA, or a successor website designated by Avetta.

14.2 Avetta’s liability under or in connection with this DPA, including under the EU SCCs, is subject to the exclusions and limitations on liability contained in the EUSA. In no event does Avetta limit or exclude its liability towards Data Subjects or as imposed by competent data protection authorities.

14.3 Except where and to the extent expressly provided in the EU SCCs or required as a matter of the Applicable Data Protection Legislation, this DPA does not confer any third-party beneficiary rights; it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.

14.4 This DPA and any action related thereto shall be governed by and construed in accordance with the laws specified in the EUSA, without giving effect to any conflicts of laws principles. The parties consent to the personal jurisdiction of, and venue in, the courts specified in the EUSA.

14.5 If any provision of this DPA is, for any reason, held to be invalid or unenforceable, the other provisions of the DPA will remain enforceable. Without limiting the generality of the foregoing, Supplier agrees that Section 14.2 (Limitation of Liability) will remain in effect notwithstanding the unenforceability of any provision of this DPA.

SCHEDULE A

TRANSFER MECHANISMS AND REQUIRED CONTRACTUAL CLAUSES

This Schedule A provides the Transfer Mechanisms supported by Avetta. A Transfer Mechanism shall not apply and shall not be incorporated into this DPA if it is not applicable to the transfers from Supplier to Avetta. If a listed Transfer Mechanism is, or becomes applicable under the Applicable Data Protection Legislation, it shall be deemed to be signed by the parties (if signatures are required) and is incorporated into this DPA.

1. Data Privacy Framework. For transfers of Personal Data to the United States, Avetta has self-certified to the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework administered by the US Department of Commerce. For further information, please refer to Avetta’s Data Privacy Framework Notice, which is available at Data Privacy Framework Policy.

2. EU Standard Contractual Clauses (EU SCCs). When the processing involves transfers of Personal Data outside the EEA to Avetta, and there is not another legitimate basis for the international transfer (for example, if the applicable Data Privacy Framework has been invalidated), such transfers are subject to the EU SCCs, specifically:

a. In circumstances where Avetta acts as a data controller, Module One of the EU SCCs (for controller-to-controller transfers), supplemented by the terms below, shall apply to the transfers of Personal Data between Supplier and Avetta:

i. Optional language at clause 7 (docking clause) is used.

ii. The optional language at clause 11(a) (redress) is not used.

iii. For clause 17, the first option is used, and the law of Belgium is the governing law.

iv. For clause 18(b), the selected forum shall be the courts of Belgium.

b. In circumstances where the Supplier is a data controller and Avetta is a data processor with respect to the processing, Module Two of the EU SCCs (for controller-to-processor transfers), supplemented by the terms below, shall apply:

i. Optional language at clause 7 (docking clause) is used.

ii. For clause 9(a), option 2 (general written authorization) is selected and the specified time period is ten (10) days.

iii. The optional language at clause 11(a) (redress) is not used.

iv. For clause 17, the first option is used, and the law of Belgium is the governing law.

v. For clause 18(b), the selected forum shall be the courts of Belgium.

c. Annex I, Annex II, and Annex III of the EU SCCs shall be deemed completed with the information set out in Schedule B.

3. UK Addendum. When the processing involves transfers of Personal Data outside the UK to Avetta, and there is not another legitimate basis for the international transfer (for example, if the applicable Data Privacy Framework has been invalidated), such transfers are subject to the UK Addendum, supplemented by the terms below:

a. The parties to this UK Addendum shall be the parties to the DPA.

b. The EU SCCs that this UK Addendum amends shall be the applicable EU SCCs referenced in Section 2 of this Schedule A, and Tables 1-3 of the UK Addendum shall be completed with the relevant information accordingly.

c. For the purpose of Table 4 of the UK Addendum, “Importer” shall be selected.

d. The part 2 of the UK Addendum shall be: “Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.”

4. Swiss Standard Contractual Clauses. When the processing involves transfers of Personal Data outside Switzerland to Avetta, and there is not another legitimate basis for the international transfer (for example, if the applicable Data Privacy Framework is no longer a valid transfer mechanism), such transfers are subject to the EU SCCs referenced in Section 2 of this Schedule A, except that:

a. The term “member state” must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with clause 18 (c) of these standard contractual clauses.

b. In circumstances where the transfers are exclusively subject to the Federal Act on Data Protection (“FADP”), references to the GDPR are to be understood as references to the FADP.

c. In circumstances where the transfers are subject to both the FADP and the GDPR, the references to the GDPR are to be understood as references to the FADP insofar as the transfers are subject to the FADP.

5. CCPA Contract Clauses. Where the processing involves the Personal Data of California Residents, the parties shall additionally comply with the following:

a. Avetta will: (i) only collect, use, retain, or disclose Personal Data for the permitted purposes described in the EUSA and the CCPA and for no other commercial purpose; (ii) not sell any Personal Data or share any Personal Data for cross-context behavioral advertising; (iii) not collect, use, retain, or disclose Personal Data outside of the direct business relationship between Avetta except as necessary to provide the Avetta Services; (iv) not combine Personal Data Avetta receives from, or on behalf of, Supplier with Personal Data that it collects on behalf of, another person or persons except for a business purpose that does not involve cross-context behavioral advertising and is permitted under the CCPA; and (v) provide at least the same level of privacy protection that the CCPA requires regarding Personal Data. Avetta certifies it understands these restrictions and will comply with them.

b. Supplier shall have the right (i) to monitor Avetta’s compliance with this DPA and (ii) to take reasonable and appropriate steps to ensure that Personal Data is used by Avetta in accordance with the CCPA. Avetta shall notify Supplier if Avetta determines that it can no longer meet any of its obligations under the CCPA, and in such event Avetta shall work with Supplier and take all reasonable and appropriate steps to stop and remediate any processing until such time as the processing complies with the CCPA and this DPA.

SCHEDULE B

PERSONAL DATA PROCESSING DETAILS

This Schedule B forms part of the DPA and describes the processing that Avetta will perform in connection with the provision of the Avetta Services.

ANNEX I – DATA PROCESSING DESCRIPTION

A. LIST OF PARTIES

Data exporter:

Data importer:

B. DESCRIPTION OF TRANSFER

C. COMPETENT SUPERVISORY AUTHORITY

ANNEX II – TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Overview

Avetta software-as-a-service applications (“SaaS Services”) were designed from the beginning with security in mind. The Connect and Workforce Management SaaS Services are architected with a variety of security controls across each processing tier to address a range of security risks. These security controls are subject to change; however, any changes will maintain or improve the overall security posture of the SaaS platform.

The main areas of security controls below apply to each of the components of the Avetta Connect and Workforce Management SaaS Services. Avetta hosts its SaaS Services on cloud service provider platforms primarily utilizing Amazon Web Services (AWS) and, in limited instances, Equinix.

Audits and Certifications

The Avetta SaaS Services are certified under ISO/IEC 27001:2022, ISO/IEC 27701:2019, ISO/IEC 27017:2015, and ISO/IEC 27018:2019, and ISO/IEC 22301:2019 (“ISO Certifications”). Avetta reviews its compliance annually with the ISO Certifications by performing an internal controls audit. This audit is reviewed by the Information Security and Privacy Management Systems Committee, comprised of members of the senior executive leadership team of Avetta.

Avetta primarily utilizes global AWS regions for its computing and storage for the SaaS Services. AWS provides top-tier facilities which have achieved multiple accreditations, including SOC2, ISO/IEC 27001:2022, ISO/IEC 27017:2015, ISO/IEC 27018:2019, ISO/IEC 27701:2019, ISO/IEC 22301:2019, ISO/IEC 20000-1:2018, and ISO/IEC 9001:2015. These AWS facilities also provide state-of-the-art physical protection safeguards where Avetta’s customers data is stored and processed. Avetta uses Equinix as the cloud service provider for Workforce Management in certain regions. Equinix also maintains several certifications, including ISO/IEC 27001, ISO/IEC 22301, ISO/IEC 14001, ISO/IEC 9001, ISO/IEC 50001, SOC 1 Type II, and SOC 2 Type II. For more information about the cloud service providers, please visit https://aws.amazon.com/compliance/programs/ and https://www.equinix.com/data-centers/asia-pacific-colocation/australia-colocation/sydney-data-centers/sy6.

Disaster Recovery and Business Continuity

To ensure its SaaS Services maintain a high degree of system availability, Avetta uses a designated backup/failover AWS data center that is located in a separate geographic location than its normal production data processing facility. This ensures Avetta can respond quickly to any environmental, physical, or accidental event that may cause interruption to the production AWS facility.

Avetta maintains a comprehensive Disaster Recovery and Business Continuity plan that is reviewed at least on an annual basis. This review enables Avetta personnel to be familiar with emergency planning in case of an event which could potentially cause interruption to normal business activities at Avetta.

Avetta’s systems are designed to support a recovery point objective (RPO) of less than 2 hours and a recovery time objective (RTO) of less than 4 hours.

Avetta also conducts a comprehensive risk assessment exercise on a regular basis to ensure proper risk mitigation strategies and controls have been implemented within the organization.

Incident Response

Avetta maintains a comprehensive Incident Response Plan. This plan, along with related processes and procedures, enables Avetta personnel to quickly respond to a suspected or potential security breach, or other suspicious cybersecurity activity within the Avetta environment. An Incident Response Team, led by qualified security team members, will perform an assessment of any such situation and develop appropriate action plans and mitigation strategies. If a suspected breach is confirmed, the Incident Response Team will follow designated protocols to immediately act and appropriately respond to mitigate the malicious activity along with preserving forensic evidence. Notification procedures will also be followed.

Encryption

The Avetta SaaS Services maintain the encryption of data at rest using AES-256. Additional data elements are also encrypted using SALT methods. These encryption processes maintain a high degree of confidentiality and integrity to customer data. Logical data separation is maintained in the Avetta SaaS Services so that no customer data can be accessed by unauthorized sources. Customer data access is controlled through unique identity and access management with attributes that disallows unauthorized users from accessing the customer data.

Avetta security measures are implemented based upon a “least privilege” method, meaning that only employees who have a business need have access to specific data and system functions.

Web Application Security Controls

Customer access to the SaaS Services is only via secure communication protocols; TLS 1.2 or higher. This establishes an encryption channel to enable secure transmission of the data between an end-user and the SaaS Services. This protects customer’s data during data transmission processes.

A customer’s administration of the SaaS Services can provision and de-provision SaaS Service users and associated access as necessary. The SaaS Services allow customers to enable multi-factor authentication for accessing SaaS Services accounts utilizing single sign-on via SAML 2.0 identity providers. The SaaS Services allow customers to enable customizable password policies to help align SaaS Services passwords to customer corporate policies.

Network

The SaaS Services utilize cloud service provider network controls to restrict network ingress and egress. Security groups are employed to limit network activity to authorized endpoints. The SaaS Services use a multi-tier network architecture, including multiple, logically separated Cloudflare virtual environments, leveraging private, DMZs, and untrusted zones within the cloud service infrastructure.

Monitoring and Auditing

The SaaS Services systems and networks are monitored for security incidents, system health, network abnormalities, processing activity, infrastructure processing levels, and availability. Avetta uses an intrusion detection system to monitor network activity which will alert Avetta designated team members of suspicious behavior. Web application firewalls are also implemented for all public web services.

Avetta logs application, network, user, and operating system events to a local syslog server and SIEM. These logs are automatically analyzed and reviewed for suspicious activity and threats. Any system activity anomalies are escalated with appropriate action that may be required. Avetta utilizes security information and event management systems providing continuous security analysis of the Avetta networks and security environment where alerting, detecting, and reporting of indicators of possible or suspicious activity are recorded. All of these capabilities and activities are administered by Avetta’s DevOps and Cybersecurity staff.

Vulnerability Management

Avetta performs periodic web application vulnerability assessments, static code analysis, and external security assessments as part of its comprehensive security program to help ensure proper security controls are implemented and operating effectively. On a semi-annual basis, Avetta hires independent third-party vulnerability and penetration testers to perform both network and web vulnerability assessments. The scope of these external audits includes compliance against the Open Web Application Security Project (OWASP) Top 10 Web Vulnerabilities. Vulnerability assessment results are incorporated into the Avetta software development lifecycle (“SDLC”) to remediate identified vulnerabilities. Specific vulnerabilities are prioritized and entered into the Avetta internal ticket system for tracking through resolution.

Secure Software Development

Avetta follows secure development practices within its SDLC. These practices include static code analysis and real-time code analysis tools. Peer reviews are also conducted prior to code being deployed into the production environment. Separate processing environments have been implemented at Avetta: production, testing/quality assurance, and demo. Avetta software developers are required to take secure coding training annually.

Avetta Cybersecurity Team

Avetta has a dedicated security team led by a Cybersecurity Manager who has a master’s degree in Cybersecurity. The team conducts regular company-wide security training, security exercises, and regular vulnerability and penetration exercises. Through these efforts, the Cybersecurity team ensures regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures are in order to ensure the security of the processing of customer data.

The Cybersecurity team also participates in annual audits and certifications and attends cybersecurity seminars.

Privacy and Data Protection

Avetta maintains robust Information Security and Personal Data Protection Policies. These policies outline the procedures that are followed to ensure safeguarding of customer information. They further outline the controls that are implemented which include data retention, accessibility and authentication guidelines, acceptable use guidelines, and data privacy guidelines.

ANNEX III – LIST OF SUB-PROCESSORS

Avetta’s current list of sub-processors may be found at: Avetta’s (Sub-) Processors.