PRIVACY AND DATA PROTECTION AGREEMENT
Acceptance of Terms
This Privacy and Data Protection Agreement (“PDPA”) is incorporated into the Terms of Use and Enterprise Agreements or Back Office Services Agreements between Advisor First LLC, doing business as Swivel℠, and you (collectively, the “Parties”) and applies to your use of SwivelCRM.com, advisorfirst.com, any of their respective subdomains, and all related apps, services, and add-ons offered by, through, and from those websites, including the Swivel℠ software platform (collectively, the “Services”). Please read and review these Terms carefully before you start to use the Services. By signing the Agreement, you enter into this PDPA on behalf of yourself and your users, as defined herein. In the event of any inconsistency between the terms of this PDPA and any terms of the Terms of Service or any Enterprise Agreement or Back Office Services Agreement, this PDPA shall govern unless the Enterprise Agreement or Back Office Services Agreement explicitly states otherwise.
Definitions
“CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018), as the same may be supplemented or amended, including the California Privacy Rights Act of 2020 and any implementing regulations, as may be amended or superseded from time to time (“CPRA”). The terms “business,” “consumer,” “personal information,” and “service provider” shall have the meaning given under CCPA.
“Content” means content uploaded to the Services by You, the Subscriber, or Us at the request of You or the Subscriber, including but not limited to user/client data, text, documents, images, audio, and videos.
“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
“Data Protection Laws” means any applicable laws and regulations relating to the Processing of Personal Data in question under the Agreement, including (where applicable) the General Data Protection Regulation (“GDPR”), the United Kingdom General Data Protection Regulation (“UK GDPR”), the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Australian Privacy Act of 1988, Switzerland’s Federal Act on Data Protection, the CCPA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Texas Data Privacy and Security Act, and the Oregon Consumer Privacy Act.
“Data Subject” means the identified or identifiable natural person to which the Personal Data relates.
“Enterprise Subscriber” means a Subscriber under an “Enterprise Agreement” with us, which such “Enterprise Agreement” will be expressly established by a binding written agreement.
“Materials” include the design, software, code, contents, features, functionality, and all other content on or related to the Services except for your Content.
“Personal Data” or “Personal Information” means any information relating to a Data Subject and is protected as personal data, including the terms “personally identifiable information,” or “nonpublic personal information” under applicable Data Protection Laws.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Professional Subscriber” means any Subscriber that is not an “Enterprise Subscriber.”
“Sub-Processor” means any Processor engaged by us to Process Personal Data on our behalf. As used herein, Sub-Processor does not include third-party integration partners and/or service providers that you use to Process, and/or provide access to, Personal Data held in our systems or databases (“Subscriber Engaged Processors”).
“Subscriber” means the individual or business that purchases and pays for the subscription through the Services, including any legal entity directly or indirectly controlling, controlled by, or under common control with such subject entity.
“Us” (and similar words such as “we” and “our”) means Advisor First, LLC, a Kansas limited liability company, doing business as Swivel℠.
“User Personal Data” means any “personal information,” including sensitive personal information (as such terms are defined under applicable Data Protection Laws), relating to a Data Subject that is subject to protection under applicable Data Protection Laws and which is shared with us by you for the purposes of performing the services set forth in the Agreement.
“User” and “You” (and similar words such as “your” and “yours”) means the individual using the Services, and if you are using the Services on behalf of a business entity, it means both you and that business. “You” includes a Subscriber who is also using the Services.
Roles, Responsibilities, and Representations Regarding Personal Data
Roles
To the extent we Process User Personal Data in performance of the Services, the Parties agree that the user is the Data Controller or a Data Processor conveying direction on behalf of the ultimate Data Controller, and we are the Data Processor acting on behalf of and at the direction of the user. With respect to User Personal Data subject to CCPA, when Processing User Personal Data in accordance with the User’s instructions, the parties acknowledge and agree that the User is a Business and we are a Service Provider, as those terms are defined in CCPA. We are an Insurance Support Organization, as that term is defined in the National Association of Insurance Commissioners’ Privacy Protection Model Act. We are not a data broker.
Our Responsibilities
We shall Process the Personal Data in connection with the Services only on documented instructions from the user, unless otherwise required by applicable Data Protection Laws. We shall ensure that personnel authorized by us to Process User Personal Data have committed themselves to confidentiality. To the extent required by applicable Data Protection Laws, we will immediately inform the subscriber if, in our opinion based on the information available to us, any user instruction would violate applicable Data Protection Laws. If we receive a valid request or legal process (such as a subpoena or court order) for User Personal Data, we will attempt to redirect the requester to request User Personal Data directly from the user or subscriber. If compelled to disclose User Personal Data to a governmental entity or third-party requester, then we will give (to the extent legally permissible) the subscriber reasonable notice of the demand to allow the subscriber to seek a protective order or other appropriate remedy, unless we are legally prohibited from doing so. With respect to User Personal Data subject to CCPA, we will Process User Personal Data as a Service Provider strictly for the purpose of performing the Services. Consistent with our privacy policy, we will not (a) sell or share (as such terms are defined under the CCPA) the relevant User Personal Data; (b) retain, use, or disclose the relevant User Personal Data for a commercial purpose other than to perform the Services or as otherwise permitted by the CCPA; or (c) retain, use, or disclose the relevant User Personal Data outside of the direct business relationship between the user and us, such as by combining or updating User Personal Data, unless expressly permitted by the CCPA.
With respect to User Personal Data subject to CCPA, the limited and specified purposes for which we will Process User Personal Data include: (i) performing the Services on behalf of the user, including maintaining or servicing client database(s) and performing ancillary services, or enabling users to utilize ancillary services in connection therewith (including the preparation of performance evaluations, calculation of billing and advisory fees, the maintenance of investment models, and similar activities), providing customer service, processing or fulfilling orders and transactions, processing payments, or providing any of the following: compliance, analytics services, storage, or similar services on behalf of the user; (ii) assisting to ensure security and integrity to the extent the use of User Personal Data is reasonably necessary and proportionate for these purposes; (iii) debugging to identify and repair errors that impair existing intended functionality; (iv) undertaking activities to verify or maintain the quality or safety of a service or device that is owned or controlled by the user, and to improve, upgrade, or enhance the service or device that is owned or controlled by the user; or (v) undertaking internal research for technological development.
User Responsibilities
The user shall: (i) ensure the ongoing accuracy, quality, and legality of Personal Data and the means by which users acquired Personal Data; (ii) comply with all necessary transparency and lawfulness requirements under applicable Data Protection Law for the collection and use of User Personal Data, including, but not limited to, obtaining any necessary consents and authorizations from Data Subjects; (iii) ensure it has the right to transfer, or provide access to, User Personal Data to us for Processing in accordance with the terms of this PDPA; and (iv) ensure that its instructions to us regarding the Processing of Personal Data are lawful and comply with, and do not cause us to violate, applicable laws, including the Data Protection Laws. The user and/or subscriber shall promptly inform us if any of the foregoing representations are no longer accurate. The user acknowledges and agrees that we do not have a means to verify any of the following: (i) the residency of each Data Subject, (ii) specific data identifiers that are provided to us by the user in connection with each request by the user to Process such User Personal Data, nor (iii) the location of third parties with which the user chooses to exchange User Personal Data through the Service. Accordingly, it shall be the sole responsibility of the user to identify and verify, as necessary, the relevant Data Protection Law(s) that may apply to such User Personal Data. With respect to User Personal Data subject to CCPA, the user acknowledges that its use of the Services will not violate the rights of any individual to whom such User Personal Data relates who has opted out from sales or other disclosures of Personal Information, to the extent applicable under the CCPA.
Data Subject Requests
We will promptly notify the user if we receive a request from a Data Subject to exercise his or her rights under applicable Data Protection Laws with respect to User Personal Data (“Data Subject Requests”). The user shall be solely responsible for responding to any such Data Subject Requests or communications involving User Personal Data.
We will provide the user with a number of controls that the user may use to retrieve, correct, delete, or restrict User Personal Data, which the user may use to assist it in connection with its obligations under Data Protection Laws. To the extent the user is unable to independently address a Data Subject Request through the Services, then upon the user’s written request we shall, to the extent legally required, provide reasonable assistance to the user to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under the Agreement. At our request, the user shall reimburse us for the commercially reasonable costs arising from this assistance.
Security
Both parties shall maintain appropriate technical and organizational measures to protect User Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, User Personal Data.
Personal Data Incidents
In accordance with applicable Data Protection Laws, each party shall notify the other party, without undue delay and as soon as reasonably possible, upon becoming aware (but not later than 72 hours after becoming aware) of an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, User Personal Data maintained and Processed in our systems (a “Personal Data Incident”). Each party shall make reasonable efforts to identify the cause of a Personal Data Incident and take those steps as deemed necessary and reasonable to remediate the cause of such Personal Data Incident, to the extent that the remediation is within such party’s reasonable control. Our obligations set forth herein shall not apply to Personal Data Incidents that are caused directly or indirectly by the user or subscriber or a Processor other than us engaged by the user or subscriber.
Retention, Return, and Deletion of Personal Data
We will provide the user with the capability to obtain a copy of User Personal Data Processed by us and in our possession, as set forth in the Terms of Service. Notwithstanding anything to the contrary herein or in the Terms of Service, we may retain copies of Personal Data as necessary to comply with legal, regulatory, judicial, audit, or internal compliance requirements for as long as required to achieve the processing purpose for which the Personal Data was collected, in accordance with applicable Data Protection Laws.
Audits
If required by applicable Data Protection Laws, we shall make available to the user (upon its written request) any applicable information reasonably necessary to demonstrate compliance with applicable Data Protection Laws. Upon 30 days’ written notice from the subscriber, we shall allow for audits, including inspections, conducted by the user or another reputable auditor selected by the user and reasonably approved by us, if necessary to comply with governmental or regulatory requirements.
Sub-Processors
The user authorizes and agrees that we may retain Sub-Processors in connection with our performance of the Services. If and to the extent we engage third-party Sub-Processors to Process User Personal Data on our behalf, we will impose data protection terms on those Sub-Processors that provide at least the same level of protection for Personal Data as those in this PDPA, to the extent applicable to the nature of the services provided by such Sub-Processors. We will remain responsible for each Sub-Processor’s compliance with the obligations of this PDPA and for any acts or omissions of such Sub-Processor that cause us to breach any of its obligations under this PDPA.
We will provide electronic notification of any third-party Sub-Processors engaged by us. Subscribers agree to register at https://www.digitalocean.com to receive such electronic notifications and to review any updates. Subscribers may object to our engagement of such new Sub-Processor by notifying us in writing within ten business days after receipt of our notification. In the event the subscriber objects to a new Sub-Processor, the parties will work in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, we will, at our sole discretion, choose to either not appoint the new Sub-Processor, or permit the subscriber to suspend or terminate the affected portion of the Services to be performed by such new Sub-Processor. Notwithstanding anything herein to the contrary, we shall not be responsible for User Engaged Processors or other third-party Processors engaged by the user, and the user is solely responsible for ensuring such User Engaged Processors and third-party Processors comply with applicable Data Protection Laws.
Subscribers and Users
The parties agree that, by executing the PDPA, the subscriber enters into the PDPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of any persons or entities directly or indirectly controlling, controlled by, or under common control with, the subscriber that are permitted to use the Services under its subscription, thereby establishing a separate PDPA between us and each such user. Each user shall be bound by the obligations under this PDPA. Any violation of this PDPA by a user shall be deemed a violation by the subscriber under whose subscription the user accesses the Services. Subscriber represents and warrants that users accessing the Services under Subscriber’s account may access User Personal Data.
Data Protection Impact Assessments and Consultation with Supervisory Authorities
To the extent that information is reasonably available to us, and the subscriber or user does not otherwise have access to the required information, we will provide reasonable assistance to the subscriber or user with any data protection impact assessments and prior consultations with supervisory authorities or other competent data privacy authorities to the extent required by Data Protection Laws.
Cross-Border Data Transfers
The user acknowledges that in connection with the performance of the Services by us, we may be a recipient of User Personal Data from residents of countries outside of the United States, if so directed by the user. We are based in the United States. If the user engages directly with U.S. companies for products and services, transfers of User Personal Data may be made as necessary for the performance of our contract with the user or subscriber or the implementation of pre-contractual measures taken at the user or subscriber’s request or, as circumstances may require, with the user or subscriber’s consent. We endeavor to keep User Personal Data in the United States, but for some services and in some circumstances, we may need to transfer User Personal Data to other jurisdictions or receive Personal Data from the user in other jurisdictions. In those situations, we shall not transfer Personal Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data unless we take such measures as necessary to ensure the transfer complies with applicable Data Protection Laws. Such measures may include, without limitation, transferring such data to a recipient that has implemented binding corporate rules in accordance with applicable Data Protection Laws or to a recipient that has executed appropriate EU Standard Contractual Clauses adopted or approved by the European Commission. Where necessitated by Data Protection Law, a transfer of User Personal Data shall be conducted pursuant to the EU Standard Contractual Clauses.
Where the user, as a Data Controller or a Data Processor acting on behalf of or at the direction of a Data Controller, transfers or directs the transfer of User Personal Data from the European Union to us, as Data Processor, in the United States, the Parties agree that the EU Standard Contractual Clauses are deemed executed by the Parties and incorporated into this PDPA, as follows:
- Incorporate the language/provisions of the EU Standard Contractual Clauses under Module Two: Transfer controller to processor or, if applicable, Module Three: Transfer processor to processor;
- The user shall be the “Data Exporter” and we shall be the “Data Importer” under both Module Two and Module Three;
- With respect to Clause 7, the Parties choose not to include the optional docking clause;
- With respect to Clause 11, the Parties choose not to include the optional language relating to the use of an independent dispute resolution body;
- With respect to Clause 9, the data importer has the data exporter’s general authorization to engage sub-processors from the list in Annex III, which list may be amended from time to time by us with 5 business days’ advance notice to the user;
- With respect to Clause 13 and Annex I.C, the competent Data Protection Authority is:
- If the Data Exporter (user) is established in an EU member state, the competent Supervisory Authority shall be the Supervisory Authority for that member state.
- If the Data Exporter (user) is not established within an EU member state, but the Data Exporter falls within the territorial scope of the GDPR pursuant to Article 3(2) and has appointed a Data Protection Representative, the competent Supervisory Authority shall be the Supervisory Authority in the member state where the Data Exporter’s Data Protection Representative is established.
- If the Data Exporter (user) is not established in an EU Member State, but the Data Exporter falls within the territorial scope of the GDPR pursuant to Article 3(2) and has not appointed a Data Protection Representative, the competent Supervisory Authority shall be the Supervisory Authority of one of the Member States in which the Data Subjects whose Personal Data is transferred under the SCCs in relation to the offering of goods or services to them, or whose behavior is monitored, are located. If one of those Member States is Ireland, then the competent Supervisory Authority is the Irish Data Protection Commission. If one of those Member States is not Ireland, then the Data Exporter shall select the competent Supervisory Authority and provide its selection to the Data Importer by sending an email to us. The Parties shall then agree on the competent Supervisory Authority.
- With respect to Clause 17, the EU Standard Contractual Clauses shall be governed by the laws of the Republic of Ireland;
- With respect to Annex I.A of the Appendix, the Name and Contact Information of the Controller shall be that of the user, and the Name and Contact Information of the Processor shall be ours.
The Personal Data Processing activities in Annex I to the Appendix to the EU Standard Contractual Clauses will be such activities as necessary for us to perform the Services for the user. The categories of Data Subjects and categories of Personal Data in Annex I to the EU Standard Contractual Clauses will be those provided by the user to us pursuant to the Services. The data security measures in Annex II to the EU Standard Contractual Clauses will be those identified in Annex II to the Appendix (Information Security Program) of this PDPA. The list of appointed Sub-Processors will be identified in Annex III to the Appendix, as updated from time to time.
Where the user, as a Data Controller or a Data Processor acting on behalf of or at the direction of a Data Controller, transfers or directs the transfer of User Personal Data from the United Kingdom to us, as Data Processor, in the United States, the Parties agree to be bound by and incorporate into this PDPA and the EU Standard Contractual Clauses by reference any additional modifications and amendments required by the UK Transfer Addendum. The information set forth in the Agreement and the Annexes shall be used to complete Parts 1 and 3 of the UK Transfer Addendum. In accordance with Section 19 of the UK Transfer Addendum, neither the data exporter nor the data importer may terminate the UK Transfer Addendum for convenience.
Where the user, as a Data Controller or a Data Processor acting on behalf of or at the direction of a Data Controller, transfers or directs the transfer of User Personal Data from Switzerland to us, as Data Processor, in the United States, the EU Standard Contractual Clauses as set forth in paragraph C above will apply to the transfer in a manner compliant with the Federal Act on Data Protection.
General Provisions
Precedence
This PDPA is incorporated into and forms part of the Terms of Service. For matters not addressed under this PDPA, the Terms of Service and any applicable Enterprise Agreements or Back Office Service Agreements apply. In the event of a conflict between the Terms of Service and this PDPA, the terms of this PDPA shall prevail. In the event of a conflict between an Enterprise Agreement or Back Office Services Agreement and this PDPA, the terms of this PDPA shall prevail unless the Enterprise Agreement or Back Office Services Agreement explicitly states otherwise.
Governing Law & Jurisdiction
Except as otherwise provided herein, this PDPA shall be governed by and construed in accordance with the laws of the State of Kansas excluding its conflict of law principles. Except as otherwise provided herein, with respect to any dispute arising out of, related to, or in any way connected with any of the foregoing (and not subject to the arbitration provision above), each party consents to jurisdiction in, and the exclusive venue of, the state courts in Johnson County, Kansas, or if applicable, the U.S. District Court having jurisdiction over that county.
Waiver of Jury Trial
You and we each waive trial by jury in all actions, proceedings, or counterclaims brought by either party against the other on any matter arising out of, related to, or in any way connected to the PDPA.
Enforcement of Terms
If we enforce or defend any of our rights or obligations under this PDPA, you agree to reimburse us for our expenses and costs incurred, including our reasonable attorneys’ fees.
Entire Agreement
This PDPA and the annexes and appendices thereto set forth the complete and entire agreement between you and us relating to the subject matter in this PDPA and supersede all other discussions, negotiations, proposals, and agreements, whether oral or written, previously discussed or entered into, by you and us relating to the subject matter in this PDPA.
Waiver
The failure or delay by us to exercise any right or remedy in this PDPA shall not operate as a waiver of the same. The waiver by us of a breach of any provision in these Terms shall not operate as a waiver of any subsequent breach. A waiver shall not be effective unless and until it is in written form and signed by us.
Severability
Each provision in this PDPA shall be treated as separate and independent of the other provisions. Accordingly, if a court with competent jurisdiction declares a provision unenforceable, then the provision should be limited to the minimum extent necessary so that it remains enforceable. If such amendment is not possible, then the unenforceable provision should be deemed removed from this PDPA, but the remaining provisions shall remain in full force.
Investment Advisor
We are not a registered investment advisor, nor do we offer or provide securities or investment advisory services. We are an independent and unaffiliated service provider offering a cloud platform operating system to financial professionals.
Notices to You
Except as otherwise set forth in this PDPA, any notice required to be given to you shall be deemed given on the date that we transmit an email to you at the email address associated with your user account.
Notices to Us
Except as otherwise set forth in this PDPA, any notice required to be given to us shall be sent to support@swivelcrm.com.
Amendment
This PDPA may be updated by us from time to time as reasonably required in accordance with Data Protection Laws following notice to the user and subscriber. You will be notified of an amendment of this PDPA by a request to agree to the new terms, with a link to the amended terms, when you first login after the amendment of the PDPA. Your agreement upon login and your continued use of the Services after notification will constitute your acknowledgment and agreement to the amended PDPA.
APPENDIX
ANNEX I: DESCRIPTION OF THE PROCESSING
LIST OF PARTIES
Data exporter: The name and contact information of the Data Exporter shall be that of the user.
Data importer: The name and contact information of the Data Importer shall be that of us.
DESCRIPTION OF TRANSFER
The Personal Data Processing activities will be such activities as necessary for us to perform the Services for the user. The categories of Data Subjects and categories of Personal Data will be provided by the user to us pursuant to the Services.
COMPETENT SUPERVISORY AUTHORITY
With respect to Clause 13 and Annex I.C, the competent Data Protection Authority is:
1. If the Data Exporter (user) is established in an EU member state, the competent Supervisory Authority shall be the Supervisory Authority for that member state.
2. If the Data Exporter (user) is not established within an EU member state, but the Data Exporter falls within the territorial scope of the GDPR pursuant to Article 3(2) and has appointed a Data Protection Representative, the competent Supervisory Authority shall be the Supervisory Authority in the member state where the Data Exporter’s Data Protection Representative is established.
3. If the Data Exporter (user) is not established in an EU Member State, but the Data Exporter falls within the territorial scope of the GDPR pursuant to Article 3(2) and has not appointed a Data Protection Representative, the competent Supervisory Authority shall be the Supervisory Authority of one of the Member States in which the Data Subjects whose Personal Data is transferred under the SCCs in relation to the offering of goods or services to them, or whose behavior is monitored, are located. If one of those Member States is Ireland, then the competent Supervisory Authority is the Irish Data Protection Commission. If one of those Member States is not Ireland, then the Data Exporter shall select the competent Supervisory Authority and provide its selection to the Data Importer by sending an email to us. The Parties shall then agree on the competent Supervisory Authority.
ANNEX II: TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organizational security measures implemented by the processor(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, as well as the risks for the rights and freedoms of natural persons. Examples of possible measures:
Measures of pseudonymisation and encryption of personal data.
All data, including personal data, is encrypted while at rest and in transit. Wherever possible, information is redacted to remove personal data. For data at rest, we encrypt the data. For data in transit, we encrypt the data.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services.
Our processing systems and services are implemented and managed in accordance with NIST guidance and the ISO framework to ensure confidentiality, integrity and availability.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
We have a BCP/DR plan in place to ensure our system resiliency and availability and access to personal data. These plans are tested at least annually to ensure they provide the desired physical and technical redundancies and meet Recovery Time and Recovery Point Objectives.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing.
We perform testing on a continuing basis to ensure the effectiveness of technical and organizational controls with regard to the confidentiality, availability and integrity of systems and processing.
Measures for user identification and authorization.
We use appropriate identification access management methods to determine user identification and authorization of all our system users.
Measures for the protection of data during transmission.
All data, including personal data, is encrypted at rest and in transit. Wherever possible, information is redacted to remove personal data.
Measures for the protection of data during storage.
All data, including personal data, is encrypted at rest and in transit. Wherever possible, information is redacted to remove personal data.
Measures for ensuring physical security of locations at which personal data are processed.
Appropriate processes and controls are in place to ensure the security of personal data stored at physical locations. Controls are reviewed and validated both internally and by independent third parties on at least an annual basis.
Measures for ensuring events logging.
We use commercially available solutions for log aggregation of all critical systems. Information Security team members regularly use and confirm that events are logged within these solutions.
Measures for ensuring system configuration, including default configuration.
We have a policy on baseline images for systems. The policy also dictates that Information Security notification and approval is required to build a system outside of the baseline image.
Measures for ensuring data minimization.
Wherever possible, information is redacted to remove personal data. Only required data is collected and stored.
Measures for ensuring data quality.
Appropriate processes and controls are in place to ensure the confidentiality, availability and integrity of data. Data quality validation takes place on a continuing basis.
Measures for ensuring limited data retention.
We retain User Personal Data during the term of the agreement to provide Services to the user. Following the expiration or termination of the Agreement, we promptly—and except as otherwise provided herein, within no more than 30 days—securely delete User Personal Data. We may provide the user a structured, electronic, and machine-readable export of user data during the period in which we retain the User Personal Data. We may retain User Personal Data for more than 30 days if necessary to provide a requested export of User Personal Data to the user, after which period we will securely delete the User Personal Data immediately. All such copies of User Personal Data shall be provided to the user in accordance with the specific provisions set forth in the Terms of Service and this PDPA. We may retain copies of User Personal Data as necessary to comply with legal, regulatory, judicial, audit, or internal compliance requirements for as long as required to achieve the processing purpose for which the User Personal Data was collected, in accordance with applicable Data Protection Laws.
Measures for ensuring accountability.
We use appropriate identification access management methods to determine user identification and authorization of all our system users.
Any detected incidents of non-compliance are logged, and appropriate enforcement actions are taken.
Measures for allowing data portability and ensuring erasure.
We will comply with authorized requests to amend, transfer, or delete personal information in a timely manner. We have comprehensive data destruction policies and processes in place, and review and test such policies and processes on a regular basis.
For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller.
We contractually require sub-processors to maintain substantially similar technical and organizational measures to those described above.
Description of the specific technical and organizational measures to be taken by the processor to be able to provide assistance to the controller.
We contractually require sub-processors to maintain substantially similar technical and organizational measures to those described above.
ANNEX III: LIST OF SUB-PROCESSORS
*This Privacy and Data Protection Agreement was modified and made effective on 2.28.2025, and replaces all prior versions except as otherwise stated herein.