Data Security Standards Schedule (“DPA”)

1.    Definition

All capitalized terms used but not defined in this DPA shall have the meaning given in the Agreement. In this DPA:

1.1    “Authorized Persons” means the persons that Varicent authorizes to Process Customer Personal Information, including Varicent’s employees, contractors, agents and Sub-processors.

1.2    “Controller” means the individual or entity that determines the purposes and means of the Processing of Personal Information.

1.3    “Customer Personal Information” means any Customer Data that includes Personal Information that is subject to Data Protection Laws.

1.4    “Data Exporter” has the meaning given to such term in Section 7.1 of this DPA.

1.5    “Data Importer” has the meaning given to such term in Section 7.1 of this DPA.

1.6    “Data Protection Laws” means all applicable laws relating to the privacy or security of Personal Information, including (as applicable): (a) European Data Protection Laws; (b) United States Data Protection Laws; and (c) the Canada Personal Information Protection and Electronic Documents Act (“PIPEDA”).

1.7    “Data Subject” means the identified or identifiable natural person who is the subject of Personal Information.

1.8    “European Data Protection Laws” means, in each case to the extent applicable to the relevant Customer Personal Information or Processing thereof under the Agreement (a) the EU General Data Protection Regulation 2016/679 (“GDPR”); (b) the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”), the Data Protection Act of 2018, and all other laws relating to data protection, the processing of Personal Information, privacy, or electronic communications in force from time to time in the United Kingdom (collectively, “UK Data Protection Laws”); (c) the Swiss Federal Act on Data Protection (“FADP”); and (d) any other applicable law, rule, or regulation related to the protection of Personal Information in the European Economic Area, United Kingdom, or Switzerland that is already in force or that will come into force during the term of this DPA.

1.9    “Mandated Auditor” has the meaning given to such term in Section 6.1 of this DPA.

1.10    “Personal Information” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, including any information that is defined as “personally identifiable information,” “personal information,” “personal data” or other similar term under Data Protection Laws.

1.11    “Process” means any operation or set of operations performed upon Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.

1.12    “Processor” means the individual or entity that Processes Personal Information on behalf of a Controller.

1.13    “Security Incident” means a breach of Varicent’s Technical and Organizational Measures that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Information in Varicent’s possession, custody, or control. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.

1.14    “Sell” has the meaning given to such term in the CCPA/CPRA.

1.15    “Sensitive Personal Information” means any Personal Information that due to the nature of the Personal Information is considered sensitive, including but not limited to health information, banking information, financial information, social security numbers, government identification numbers, payment card data, or as otherwise similarly defined in applicable Data Protection Laws. 

1.16    “Share” has the meaning given to such term in the CCPA/CPRA.

1.17    “Standard Contractual Clauses” means the European Commission’s decision (C(2021)3972) of 4 June 2021 on Standard Contractual Clauses (Module Two: Controller to Processor or Module Three: Processor to Processor, as applicable) for the transfer of Personal Information to third countries pursuant to Regulation (EU) 2016/679 (available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en), which are incorporated into this DPA by reference.

1.18    “Sub-processor” means any Processor appointed by Varicent to Process Customer Personal Information on behalf of Customer under the Agreement.

1.19    “Sub-processor List” has the meaning given to such term in Section 4.1 of this DPA.

1.20    “Supervisory Authority” means an independent competent public authority established or recognized under Data Protection Laws.

1.21    “Technical and Organizational Measures” means the measures set out in Appendix 1 attached to this DPA, and any additional measures expressly set out in this DPA.

1.22    “United States Data Protection Laws” means, in each case to the extent applicable to the relevant Customer Personal Information or Processing thereof under the Agreement (a) the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA”), when effective (collectively, “CCPA/CPRA”); (b) the Virginia Consumer Data Protection Act (“VCDPA”), when effective; (c) the Colorado Privacy Act (“CPA”), when effective; (d) the Utah Consumer Privacy Act (“UCPA”), when effective; (e) any regulation, guideline, or opinion issued by a competent authority concerning the laws identified in the foregoing subparts (a) – (d) above; and (f) any other applicable law, rule, or regulation related to the protection of Personal Information in the United States that is already in force or that will come into force during the term of this DPA.

2.    Protection of Customer Personal Information

2.1    To the extent that Varicent Processes any Customer Personal Information, Varicent shall Process Customer Personal Information in accordance with the measures set out in Appendix 1 and implement the Technical and Organizational Measures to protect Customer Personal Information from a Security Incident.

2.2    The categories of Customer Personal Information to be Processed by Varicent, the Processing activities to be performed under the Agreement and the duration of the Processing are set out in Appendix 2 attached to this DPA.

3.    Customer Obligations

3.1    Customer shall be responsible for (a) giving adequate notice and making all appropriate disclosures to Data Subjects regarding Customer’s use and disclosure and Varicent’s Processing of Customer Personal Information; and (b) obtaining all necessary rights, and, where applicable, all appropriate and valid consents to disclose such Customer Personal Information to Varicent and to permit the Processing of such Customer Personal Information for the Permitted Purpose or as may be required by Data Protection Laws. Customer shall notify Varicent of any changes in, or revocation of, the permission to use, disclose or otherwise Process Customer Personal Information that would impact Varicent’s ability to comply with the Agreement or Data Protection Laws.

3.2    Customer acknowledges that Customer (a) is the Controller of any Customer Personal Information that Varicent Processes on behalf of Customer; and (b) sets permissions for Authorized Users to access Customer Personal Information. Customer is responsible for reviewing and evaluating whether the documented functionality of the Software Services meets Customer’s required security obligations relating to Customer Personal Information under Data Protection Laws.

4.    Sub-processors

4.1    Use of Sub-processors. Varicent may engage Sub-processors in connection with the provision of the Software Services; provided, that: (a) Varicent has entered into a written agreement with each Sub-processor containing data protection obligations no less protective than those in this DPA with respect to the protection of Customer Personal Information to the extent applicable to the nature of the Software Services provided by such Sub-processor; and (b) Varicent shall be liable for the acts and omissions of its Sub-processors to the same extent Varicent would be liable if performing the Software Services of each Sub-processor directly under the terms of this DPA.

4.2    List of Sub-processors. Varicent’s current list of Sub-processors for the Services is available at https://www.varicent.com/hubfs/Varicent-Subprocessor-List-2024.01.29.pdf (the “Sub-processor List”), which Customer approves and authorizes and is incorporated by reference into this Agreement.

4.3    Addition of Sub-processors. Varicent may engage additional Sub-processors as Varicent considers reasonably appropriate for the processing of Customer Personal Information in accordance with this DPA; provided, that Varicent notifies Customer of the addition or replacement of Sub-processors by making modifications to the Sub-processor List. Customer shall be responsible for periodically checking the Sub-processor List to remain informed of Varicent’s current list of Sub-processors. Customer may, on reasonable grounds, object to a new Sub-processor by notifying Varicent in writing within 10 days of Varicent updating the Sub-processor List and giving reasons for the objection. Customer’s failure to object within such 10-day period shall be deemed a waiver of Customer’s right to object to Varicent’s use of such new Sub-processor added to the Sub-processor List. In the event Customer reasonably objects to a new Sub-processor, Varicent will use reasonable efforts to make available to Customer a change in the Software Services or recommend a commercially reasonable change to Customer’s configuration or use of the Software Services to avoid Processing of Customer Personal Information by the objected-to new Sub-processor without unreasonably burdening Customer. If Varicent is unable to make available such change within a reasonable period of time (which shall not exceed 30 days), Customer may, as Customer’s sole and exclusive remedy, terminate the portion of the Agreement with respect only to the portion of the Software Services which cannot be provided by Varicent without the use of the objected-to new Sub-processor by providing written notice to Varicent.

5.    Certification Standards

5.1    The Software Services are compliant with the following standards:

(a)    ISO 27001;
(b)    SOC 2; and
(c)    SOC 1 (applies to Incentive Services only, does not include any Add Ons (as such terms are defined in the Software Schedule)).

5.2    Upon request in writing, Varicent shall provide Customer with evidence of compliance with the standards described in Section 5.1 and any other industry standards expressly described in this Agreement.

6.    Records and Audit Rights

6.1    Varicent shall make available to Customer on request all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections by Customer or an auditor mandated by Customer, not being competitors of Varicent (“Mandated Auditor”), of any of Varicent’s premises where the Processing of Customer Personal Information takes place in order to assess compliance with this DPA. Varicent shall provide reasonable cooperation to Customer in respect of any such audit and shall, at the request of Customer, provide Customer with relevant records of compliance with its obligations under this DPA. Varicent shall promptly inform Customer if, in its opinion, a request infringes the Data Protection Laws or any confidentiality obligations owed to Varicent’s other customers. Customer agrees that (a) audits may only occur during normal business hours and, where possible, only after reasonable notice to Varicent (not less than 20 days’ advance written notice); (b) audits will be conducted in a manner that does not have any adverse impact on Varicent’s normal business operations; (c) Customer or Mandated Auditor will comply with Varicent’s standard safety, confidentiality and security procedures in conducting any such audits; and (d) any records, data or information accessed by Customer or Mandated Auditor in the performance of any such audit will be deemed to be the Confidential Information of Varicent. To the extent any such audit incurs in excess of 10 hours of Varicent’s personnel time, Varicent may charge Customer on a time and materials basis for any such excess hours.

7.    Standard Contractual Clauses

7.1    If Customer transfers Customer Personal Information to Varicent that is subject to European Data Protection Laws, and such transfer is not subject to an alternative adequate transfer mechanism under European Data Protection Laws or otherwise exempt from cross-border transfer restrictions, then Customer (the “Data Exporter”) and Varicent (the “Data Importer”) agree that the applicable terms of the Standard Contractual Clauses shall apply to and govern such transfer and are incorporated by reference into this DPA. The Standard Contractual Clauses shall automatically terminate once the Customer Personal Information transfer governed by the Standard Contractual Clauses becomes lawful under European Data Protection Laws on any other basis in the absence of such Standard Contractual Clauses. In accordance with Clause 2 of the Standard Contractual Clauses, the Parties wish to supplement the Standard Contractual Clauses with business-related clauses, which shall neither be interpreted nor applied in such a way as to contradict the Standard Contractual Clauses (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of any Data Subjects. Varicent and Customer accordingly agree that the applicable terms of the Agreement and this DPA shall apply, together with the following clarifications to the Standard Contractual Clauses, if and to the extent they are permitted under the Standard Contractual Clauses:

  1. Module. Module Two terms apply to the extent Customer is a Controller of European Personal Information and Module Three applies to the extent Customer is a Processor of European Personal Information.
  2. Docking Clause. The Parties agree that clause 7 of the Standard Contractual Clauses shall not apply to this Agreement.
  3. Instructions. For the purposes of clause 8.1(a) of Module 3, Customer’s complete and final instructions to Process Personal Information are set out in the Agreement and this DPA. Any additional or alternate instructions must be consistent with the terms of this Agreement.
  4. Copies of Clauses. In the event a Data Subject requests a copy of the Standard Contractual Clauses or this DPA in accordance with clause 8.3, the Data Exporter shall make all redactions reasonably necessary to protect business secrets or other confidential information of Data Importer.
  5. Certification of Deletion. Certification of deletion of Customer Personal Information under clause 8.5 and clause 16(d) shall be provided upon the written request of the Data Exporter.
  6. Security of Processing. For the purposes of clause 8.6(a), Customer agrees that the Technical and Organizational Measures set forth in this DPA provide a level of security appropriate to the risk with respect to Personal Information. For the purposes of clause 8.6(c) and (d) of Module 3, Personal Information breaches will be handled in accordance with this DPA, and breach notifications shall only be sent to Customer.
  7. Onward Transfer Implementation. The Data Importer shall be deemed in compliance with clause 8.8 to the extent such onward transfers occur in accordance with Article 4 of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
  8. Audits and Certifications. Any information requests or audits provided for in clause 8.9 of Module 3 shall be fulfilled in accordance with Sections 5 and 6 of this DPA.
  9. Engagement of New Sub-processors. Pursuant to clause 9(a) Option 2, the Data Exporter acknowledges and expressly agrees that the Data Importer may engage new Sub-processors as described in Section 4 of this DPA. With respect to clause 9, the Parties select the time period set forth in Section 4 of this DPA.
  10. Data Subject Rights. For the purpose of clause 10 of Module 3, Data Subject requests and related assistance shall be handled in accordance with Section 9 of Appendix 1 of this DPA; with respect to Module 3, Varicent shall be required to communicate requests only to Customer.
  11. Complaints. The optional language under clause 11 is not applicable.
  12. Liability. The relevant Sections of the Agreement which govern indemnification and limitations of liability shall apply to the Data Importer’s liability under clause 12.
  13. Supervisory Authority. For purposes of clause 13, the following shall apply:
    1. EU Member State. If Customer is established in an EU Member State, the supervisory authority responsible for compliance with Data Protection Laws shall be the relevant supervisory authority;
    2. United Kingdom. If Customer is established in the United Kingdom, the United Kingdom’s Information Commissioner's Office shall be the relevant supervisory authority; or
    3. Switzerland. If Customer is established in Switzerland, the Swiss Federal Data Protection and Information Commissioner shall be the relevant supervisory authority.
  14. Notification of Government Access Requests. For the purpose of clause 15(1), Varicent shall provide notification to Customer only and not to individual Data Subjects.
  15. Governing Law. For the purposes of clause 17, the Parties select the laws of the governing jurisdiction of the Agreement. If the Agreement is not governed by EU law, the SCCs will be governed by the laws of Ireland, or, where the Agreement is governed by the laws and courts of the United Kingdom, the laws of England and Wales.
  16. Choice of Forum and Jurisdiction. For the purposes of clause 18, the Parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of Ireland, or, where the Agreement is governed by the laws and courts of the United Kingdom, the courts of England and Wales.
  17. Annexes. The Annexes of the Standard Contractual Clauses are populated as follows:
    1. Annex I.A is populated with the details as outlined in Section 1 of Appendix 2 of this DPA.
    2. Annex I.B is populated with the details in Appendix 2 of this DPA.
    3. Annex I.C is determined in accordance with paragraph 13 (Supervisory Authority) of this Section 7.
    4. Annex II is populated with the Technical and Organizational Measures of this DPA.
  18. Transfers from the UK.
    1. If Customer transfers Customer Personal Information to Varicent that is subject to UK Data Protection Laws, the Parties are deemed to enter into the addendum issued by the UK Information Commissioner and approved by the UK Parliament (available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf) (the “UK Addendum”).
    2. Tables 1 to 3 of the UK Addendum are populated with the details as outlined in Appendix 2 of this DPA, and elsewhere in this DPA as applicable. Table 2 of the UK Addendum is populated with the Standard Contractual Clause details outlined in this Section 7.
    3. Neither Party may end the UK Addendum without the other Party’s written permission.
    4. References in the Standard Contractual Clauses to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in UK Data Protection Laws.
  19. Transfers from Switzerland.
    1. If Customer transfers Customer Personal Information to Varicent that is subject to the FADP, the Standard Contractual Clauses shall apply to such transfers.
    2. References in the Standard Contractual Clauses to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in Swiss Data Protection Laws.

8.    General

8.1    Execution. Execution by the Parties of an Order or the Agreement incorporating by reference this DPA shall be deemed to constitute signature and acceptance of this DPA and the Standard Contractual Clauses (as applicable). 

8.2    Contracting Entity and Governing Law. Unless prohibited by Data Protection Laws, this DPA is governed by the same laws governing the Agreement. The courts that have exclusive jurisdiction over this DPA shall be the same courts that have exclusive jurisdiction over the Agreement. 

8.3    Survival. Any obligation imposed on Varicent under this DPA in relation to the Processing of Personal Information shall survive any termination or expiration of this DPA or of the Agreement.

8.4    Further Assurance. The Parties agree from time to time to execute such further agreements or other documents, and do all such other acts and things as may be necessary or desirable, to give effect to the terms of this DPA.

8.5    Entire Agreement and Paramountcy. This DPA constitutes the entire agreement between the Parties regarding the subject matter of this DPA and supersedes all prior agreements, proposals, understandings, letters of intent, negotiations and discussions between the Parties, whether oral or written, regarding the subject matter of this DPA. The provisions of this DPA regarding the protection of Personal Information under Data Protection Laws shall prevail over any conflict or inconsistency with the terms of the Agreement. Each Party’s liability and remedies under this DPA are subject to the aggregate liability limitations set out in the Agreement.

8.6    Amendments and Waiver. No amendment or waiver of any provision of this DPA shall be binding on any Party unless consented to in writing by such Party. No waiver of any provision of this DPA shall constitute a waiver of any other provisions, nor shall any waiver constitute a continuing waiver, unless otherwise expressly stated in a waiver. 

8.7    Severability. If any provision of this DPA is held by a court of competent jurisdiction to be contrary to applicable laws, such provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by applicable laws and the remaining provisions shall remain in effect.

APPENDIX 1 TO DPA
TECHNICAL AND ORGANIZATIONAL MEASURES

1    Information Security Policy

1.1    Varicent shall maintain and follow written information security policies and practices that are integral to Varicent’s business and mandatory for all Varicent employees, including maintaining documented security architecture of networks managed by Varicent in its operation of the Software Services. Varicent shall separately review such network architecture, including measures designed to prevent unauthorized network connections to systems, applications and network devices, for compliance with its secure segmentation, isolation, and defense-in-depth standards prior to implementation.

1.2    Varicent shall maintain responsibility and executive oversight for such policies, including formal governance and revision management, employee education, and compliance enforcement. Varicent shall review the information security policies at least annually and amend such policies as Varicent deems reasonable to maintain protection of the Software Services and Customer Data processed therein.

1    Processing

1.1    Varicent shall Process Customer Personal Information only as necessary for the purpose of providing the Software Services and in accordance with the Agreement and any written instructions given by Customer from time to time (the “Permitted Purpose”) unless required to do otherwise by applicable law in which event, Varicent shall inform Customer of such legal requirement before Processing Customer Personal Information other than for a Permitted Purpose, unless prohibited by applicable law from doing so.

2    No Sale or Disclosure

2.1    Varicent shall not (i) Sell or Share any Customer Personal Information; or (ii) retain, use or disclose any Customer Personal Information for a purpose other than the Permitted Purpose.

3    Compliance with Data Protection Laws

3.1    Varicent shall co-operate with and make available to Customer all information reasonably necessary to demonstrate Varicent’s compliance with Data Protection Laws.

4    Access Controls

4.1    If Varicent requires access to Customer Data, it shall restrict such access to the minimum level required. Such access, including administrative access (“Privileged Access”), shall be individual, role-based, and subject to approval and regular validation following the principles of segregation of duties. Varicent shall maintain measures to identify and remove redundant and dormant accounts with Privileged Access and shall promptly revoke such access when appropriate or required to comply with Data Protection Laws.

4.2    Consistent with industry standard practices, and to the extent natively supported by each component managed by Varicent within the Software Services, Varicent shall maintain technical measures enforcing timeout of inactive sessions, lockout of accounts after multiple sequential failed login attempts, strong password or passphrase authentication, and measures requiring secure transfer and storage of such passwords and passphrases.

4.3    Varicent shall monitor use of Privileged Access and maintain security information and event management measures designed to: (a) identify unauthorized access and activity; (b) facilitate a timely and appropriate response; and (c) enable internal and independent third party audits of compliance with documented Varicent policies.

4.4    Logs in which Privileged Access and activity are recorded shall be retained in compliance with Varicent’s records management plan. Varicent shall maintain measures designed to protect against unauthorized access, modification, and accidental or deliberate destruction of such logs.
4.5    To the extent supported by native device or operating system functionality, Varicent shall maintain computing protections for its end-user systems that include endpoint firewalls, encryption, signature-based malware detection and removal, time-based screen locks, and endpoint management solutions that enforce security configuration and patching requirements.

5    Encryption

5.1    Varicent shall encrypt Customer Data in transit using industry accepted cryptographic algorithms when transferring Customer Data over public networks and enable use of a cryptographic protocol, such as HTTPS, SFTP and FTPS, for Customer’s secure transfer of Customer Data to and from the Software Services over public networks.

5.2    Varicent shall encrypt Customer Data at rest using industry accepted cryptographic algorithms. Varicent manages the cryptographic keys and shall maintain documented procedures for secure key generation, issuance, distribution, storage, rotation, revocation, recovery, backup, destruction, access, and use.

6    Segregation

6.1    Varicent shall not combine Customer Personal Information received pursuant to the Agreement with Personal Information received from or on behalf of any third party, or collected from Varicent’s own interaction with third parties, unless required to provide the Software Services or permitted under Data Protection Laws.

7    Security Incidents

7.1    Varicent shall maintain and follow documented incident response policies for Security Incident handling.

7.2    Varicent shall notify Customer as soon as reasonably practicable (and in any event within 72 hours) upon confirmation of a Security Incident and take all reasonable steps to mitigate the impact of such Security Incident and provide, at Varicent’s cost, all reasonable assistance required by Customer in investigating and resolving the Security Incident.

7.3    Varicent shall investigate any Security Incident and define and execute an appropriate response plan, provide Customer with reasonably requested information about such Security Incident and the status of Varicent remediation and restoration activities. 

7.4    Customer may notify Varicent of a suspected vulnerability or Security Incident by submitting a support ticket.

8    Data Subject Requests

8.1    Varicent shall inform Customer promptly (and in any event within two business days) of any request, enquiry or complaint received from any Data Subject or regulatory authority overseeing Data Protection Laws. Customer shall be responsible for handling such requests of Data Subjects. Varicent shall reasonably assist Customer in handling such Data Subject requests.

9    Deletion or Return of Customer Personal Information

9.1    During the term of the Agreement, upon Customer’s request, unless otherwise required under applicable law, Varicent shall return or destroy any Customer Personal Information as soon as reasonably practicable. 

9.2    Following termination or expiration of the Agreement, unless otherwise required by Data Protection Laws, Varicent shall, at Customer’s option, delete or return all Customer Personal Information and all copies of Customer Personal Information to Customer. Any data deleted may remain in immutable electronic backups maintained by Varicent used purely for backup, disaster recovery and data protection purposes for up to an additional 90 days beyond any such deletion or disposition.

10    Retention

10.1    Varicent shall retain Customer Personal Information only for as long as reasonably necessary for the Permitted Purpose and Varicent’s legitimate business purposes. 

11    Varicent Employees

11.1    Varicent shall maintain and follow its standard mandatory employment verification requirements for all new hires. In accordance with Varicent internal processes and procedures, these requirements shall be periodically reviewed and include criminal background checks, proof of identity validation, and additional checks as deemed necessary by Varicent and permitted under applicable laws.

11.2    Varicent employees shall complete security and privacy education annually and certify each year that they shall comply with Varicent’s security and privacy policies. Additional policy and process training may be provided to individuals depending on their role in supporting the business and as required to maintain compliance and certifications stated in the Agreement.

12    Security and Risk Assessments

12.1    Varicent shall: (a) perform security and privacy risk assessments of the Software Services at least annually; (b) perform penetration testing and vulnerability assessments, including automated system and application security scanning and manual ethical hacking, annually; (c) enlist a qualified independent third party to perform penetration testing at least annually; (d) perform automated management and routine verification of underlying Components’ compliance with security configuration requirements; and (e) remediate identified vulnerabilities or noncompliance with its security configuration requirements based on associated risk, exploitability, and impact. Varicent shall take reasonable steps to avoid Software Services disruption when performing its tests, assessments, scans, and execution of remediation activities.

12.2    Varicent shall maintain policies and procedures reasonably designed to manage risks associated with the application of changes to the Software Services. Prior to implementation, changes to the Software Services, including its systems, networks, and underlying Components, shall be documented in a registered change request that includes a description and reason for the change, implementation details and schedule, and documented approval requirements.

12.3    Varicent shall maintain a reasonably up-to-date inventory of all information technology assets used in its operation of the Software Services. Varicent shall monitor and manage the health (including capacity and availability) of the Software Services.

12.4    Varicent shall implement, test and maintain business continuity and disaster recovery plans consistent with industry standard practices and as further described in the Agreement. 

12.5    Varicent shall maintain measures designed to assess, test and apply security advisory patches to the Software Services and its associated systems, networks, applications and underlying Components. Upon determining that a security advisory patch is applicable and appropriate, Varicent shall implement the patch pursuant to documented severity and risk assessment guidelines. Implementation of security advisory patches shall be subject to Varicent’s change management policy.

13    Data Back-Up

13.1    Varicent shall back up the Software Services and Customer Data on a daily basis (or at any other time interval agreed upon by the Parties in writing) and copy such back-ups to an off-site location. Back-ups shall be encrypted at rest and during transmission to the off-site location.

14    Disaster Recovery

14.1    If a Force Majeure Event occurs that causes the primary data centre hosting the Software Services to become unavailable, Varicent shall work to restore Customer’s access to the Software Services within 14 days or as otherwise agreed upon by the Parties in writing or in an Order. The environment shall be restored using the most recent data backup, with no more than 24 hours of data loss in the restored Customer Data set.

APPENDIX 2 TO DPA
PERSONAL INFORMATION PROCESSING ATTACHMENT

1    Parties

1.1    Data Exporter: Customer’s details as outlined in the applicable Order.

1.2    Data Importer: Varicent’s details as outlined in the applicable Order.

2    Categories of Data Subjects

2.1    Customer Personal Information includes (a) the Personal Information of the employees, contractors, business partners and customers of Customer and its Affiliates; and (b) any other Personal Information submitted to the Software Services by Customer and its Users that is subject to Data Protection Laws. Varicent Processes Customer Personal Information in accordance with the Agreement in order to provide the Software Services. Customer acknowledges and agrees that the above categories of Data Subjects may change from time to time based upon the nature and type of information submitted to the Software Services by Customer and its Authorized Users that is subject to Data Protection Laws.

3    Categories of Customer Personal Information Transferred

3.1    The types of Customer Personal Information Processed by the Software Services include the following:

  1. Basic Personal Information such as name, email and electronic signature;
  2. Role-related Personal Information such as job title, unit/department, location, supervisor/subordinates, employee identification number, employment type and compensation information such as sales commission rates and eligibility, quotas, and target information; and
  3. Technical information about Data Subjects such as device identifiers, usage-based identifiers and static IP addresses.

Sensitive Personal Information. The Software Services are not designed to process any special categories of Customer Personal Information or Sensitive Personal Information. Customer acknowledges that Sensitive Personal Information is not required for use of the Software Services and Customer agrees not to share any Sensitive Personal Information with Varicent or upload any Sensitive Personal Information to the Software Services. Varicent will not be liable to Customer for any Sensitive Personal Information provided to Varicent by Customer.

4    Processing Activities

4.1    The Processing activities of Customer Personal Information submitted to the Software Services include the following:

  1. Receipt of Customer Personal Information from Data Subjects and third parties;
  2. Computer Processing of Customer Personal Information including data transmission, data retrieval, data access and network access to allow data transfer if required to provide the Software Services;
  3. Technical customer support involving Customer Personal Information upon Customer’s request including monitoring, issue determination and issue resolution;
  4. Transformation and transition of Customer Personal Information as reasonably necessary to provide the Software Services; and
  5. Storage, backup and destruction of Customer Personal Information.

5    Frequency, Nature, Purpose and Duration of Processing

5.1    The Processing of Customer Personal Information is ongoing during the term of the Agreement in order for Varicent to provide the Services pursuant to the Agreement.

6    Technical and Organizational Measures

6.1    The Technical and Organizational measures set forth in this DPA apply to all Customer Data processed by Varicent within the Software Services, including Customer Personal Information.

7    Deletion and Return Of Data

7.1    Varicent will retain Customer Personal Information for the term of the Agreement. So long as Customer’s access to the Software Services is not suspended in accordance with the terms of the Agreement, Customer may download from the Software Services a copy of Customer Personal Information.

7.2    Customer may also request removal of Customer Data (including Customer Personal Information) at any time prior to termination or expiration of the term of the Agreement.

8    Varicent Hosting and Processing Locations

8.1    The Varicent data hosting and processing locations used for the Software Services are set forth in the Sub-processor List for the Software ordered by Customer in an Order. Customer may be able to request that Varicent use a subset of these locations. Varicent may add additional hosting and processing locations in accordance with the Data Security Standards.

9    Third Party Subprocessors

9.1    The Software Services involve third party Sub-processors in the Processing of Customer Data, including Customer Personal Information, as described in the DPA.

10    Privacy Contact and Customer Notifications

10.1    The general privacy contact for the Software Services is privacy@varicent.com.