DATA PROCESSING ADDENDUM

This Data Processing Addendum (the “DPA”) is entered into by and between you (“Customer”, “you,” and “yours”) (collectively, with its Affiliates, “Customer”) and Live, LLC doing business as notifyMD® (collectively, with its Affiliates, “Provider”). This DPA supplements and is incorporated into the existing agreement between Customer and Provider (the “Agreement”) pursuant to which Provider will provide services (“Services”) to Customer and has the same Effective Date as the Agreement. In the course of providing the Services to Customer, Provider may Process Personal Data on behalf of Customer, and the parties agree to comply with the following provisions with respect to any Personal Data.

1. Definitions

2. Term.

3. Processing of Customer Personal Data

4. Provider Personnel

5. Sub-processors

6. Security

7. Cross-Border Transfers

8. Data Subject Rights

9. Security Incident Response

10. Data Protection Impact Assessment and Prior Consultation

11. Return or Destruction of Personal Data

12. Audit

13. Jurisdiction and Governing Law

14. Indemnification; Limitations on Liability; Remedies.

15. Severance.

EXHIBIT A: DETAILS OF PROCESSING

EXHIBIT B: TECHNICAL, ORGANIZATIONAL, AND PHYSICAL SECURITY MEASURES

  1. Confidentiality
    1. Physical Access Control. Relevant controls to prevent unauthorized access to data processing facilities (e.g. data centers, office buildings, server rooms) have been implemented. This includes:
      1. Security perimeter controls, such as fences, solid buildings, true floor-to-ceiling walls, locked doors, turnstiles, alarm systems.
      2. Dedicated secure areas (e.g. data centers, server rooms) with a limited number of authorized personnel who have access.
      3. Electronic access cards (ID cards, badges), keys and door locks.
      4. Video surveillance systems.
      5. Facility security services and/or entrance security staff for data centers and research and development offices.
      6. Proper authorization and escorting of visitors when needed.
    2. Electronic Access Control. Relevant controls to prevent unauthorized use of the data processing and data storage systems have been implemented. This includes:
      1. Unique identifier (user ID) for all authorized users, for their personal use only, and an authentication technique to substantiate the claimed identity of a user.
      2. Password protection for computer systems and strong password policy:
        • 1) A strong and unique password (at least 8 characters long).
        • 2) The password contains characters belonging to at least three of the following five categories:
          • a. upper case letters.
          • b. lower case letters.
          • c. numerical symbols.
          • d. special symbols.
          • e. Unicode alphabet characters that do not have upper and lower cases (e.g. Asian languages).
        • 3) Storing passwords in a protected form using one-way hashing.
        • 4) Periodic testing of passwords.
      3. Automatic account locking after 5 failed log-on attempts.
      4. New accounts are forced to change passwords on initial log-on.
      5. Systems are automatically timed out / password locked after 15 minutes of inactivity and require authentication to continue.
      6. Inactive accounts are locked during quarterly audits.
      7. Multifactor authentication for remote access to corporate services and privileged operations.
      8. Encryption of data at rest using hard drive built-in tools and Microsoft technologies, such as BitLocker or Azure encryption.
      9. Anonymization is used where required and possible, according to the nature of the processed data.
      10. Secure disposal of old equipment.
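A validator for the password policy stated in item 2 above (at least 8 characters; characters from at least three of the five categories, including caseless Unicode letters). This is an added illustration, not the Provider's own code; the category names and sample passwords are constructed.

```python
# Added example: checks a candidate password against the Exhibit B policy.
# Category names are assumptions chosen for readability.

MIN_LENGTH = 8            # "at least 8 characters long"
REQUIRED_CATEGORIES = 3   # "at least three of the following five categories"


def classify(ch):
    """Map a single character to one of the five policy categories."""
    if ch.isalpha():
        if ch.upper() == ch.lower():
            return "caseless"        # e.g. CJK or kana: no upper/lower form
        return "upper" if ch.isupper() else "lower"
    if ch.isdigit():
        return "digit"
    if ch.isspace():
        return None                  # whitespace counts toward length only
    return "special"                 # punctuation and other symbols


def password_categories(password):
    """Return the set of policy categories present in the password."""
    return {cat for cat in map(classify, password) if cat is not None}


def check_password(password):
    """Return a list of policy violations; an empty list means compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    cats = password_categories(password)
    if len(cats) < REQUIRED_CATEGORIES:
        violations.append(
            f"only {len(cats)} of {REQUIRED_CATEGORIES} required character categories "
            f"({', '.join(sorted(cats)) or 'none'})")
    return violations


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ["Tr0ub4dor&3", "password", "pa55", "日本語のぱす1a"]:
        print(repr(pw), check_password(pw) or "compliant")
```

The last sample passes because caseless Japanese letters form their own category alongside the digit and the lower-case letter.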
    3. Internal Access Control. Relevant controls to prevent unauthorized reading, copying, changes or deletions of data within the systems and measures regulating user rights of access to and amendment of data have been implemented. This includes:
      1. Secure access connections and technologies used for authentication control.
      2. Unique login names, strong passwords and periodic reviews of the access lists are in place to ensure the appropriate use of user accounts.
      3. The granting of access rights is a formal process, based on the job responsibilities (role) of the user and on a need-to-know basis, and must be authorized by the corresponding resource owner and/or the supervisor of the person requesting it.
      4. An identity management tool is used to manage access according to defined and approved rules, to process access requests, and to keep track of access changes.
      5. Access to production systems is only granted to users who are periodically trained and authorized for the corresponding action. Access to production systems is also immediately withdrawn upon termination of the contract of employment or upon assignment of a different task.
      6. System access events are logged and stored securely with restricted access only for authorized users.
      7. Isolation Control. Data is processed according to the purpose of processing. Data of different customers is logically separated in storage, using access rules and/or separation of environments or logical identifiers.
  2. Integrity
    1. Data Transfer Control. Measures to prevent unauthorized reading, copying, changes or deletions of data during electronic transfer or transport have been implemented:
      1. Encryption of data in transit using HTTPS (TLS 1.2) and IPsec.
      2. Laptop hard drives and mobile device storage are encrypted.
      3. VPN is used to connect separate locations and for remote access.
      4. Perimeter network devices are appropriately configured to protect the internal network from unauthorized external connections and to ensure that computer connections and data flows do not bypass the logical access controls.
      5. Electronic signatures are used where applicable.
    2. Data Entry Control. Measures to verify, where necessary, whether and by whom personal data is entered into a data processing system, changed or deleted have been implemented. Measures include:
      1. Logging of user access to systems.
      2. Document changes are tracked.
      3. Requirements for ensuring authenticity and protecting message integrity in applications are identified, where necessary, and appropriate controls are implemented.
  3. Availability and Resilience
    1. Availability Control. Measures to prevent accidental or willful destruction or loss of information have been implemented. Measures include:
      1. Reasonable physical protection against environmental risks (e.g., fire, flood, earthquake), such as:
        • 1) Climate control systems.
        • 2) Temperature sensors.
        • 3) Smoke/heat detectors.
        • 4) Water sensors.
        • 5) Fire suppression systems.
        • 6) Alarm / Monitoring systems.
      2. Physical protection from power failures and other disruptions caused by failures in supporting utilities, such as:
        • 1) Uninterruptible Power Supply (UPS) for servers and network equipment.
        • 2) Multiple power feeds and generators with onsite fuel capacity for datacenters.
      3. Backup strategy and procedures, such as regular backups, on-site/off-site storage of backups, backups monitoring and checks.
      4. Antimalware protection and firewalls installed on endpoints and at the gateway level (e.g. web proxy, email gateway). These are managed centrally by IT; virus signatures are updated at least once a day, and a full scan is scheduled weekly.
      5. Centralized workstation management (automatic locking, patch management, configuration, physical security, etc.) to reduce the possibility of exploiting software (operating systems, business applications, etc.).
      6. Network security:
        • 1) Firewalls on endpoints and gateways.
        • 2) Intrusion detection and prevention systems.
        • 3) Network segmentation.
        • 4) Secure network configuration and use of secure protocols.
      7. Restriction of physical and logical access to diagnostic and configuration ports of infrastructure equipment.
      8. Use of an advanced threat analytics solution to detect suspicious user/device activity.
  4. Rapid Recovery
    • Measures to ensure the ability to restore the availability of services in a timely manner in the event of a physical or technical incident have been implemented. This includes:
      1. Redundant architectures, such as clusters, RAID, network load balancing.
      2. Use of geo-redundancy in cloud services and redundant data centers.
      3. Business continuity and disaster recovery planning and regular testing.
  5. Procedures for Regular Testing, Assessment and Evaluation of the Effectiveness of Technical and Organizational Measures for Ensuring the Security

    The following measures are in place to test, assess and evaluate the effectiveness of technical and organizational measures:

    1. At least annual risk assessment and security policy review.
    2. Regular security tests, such as vulnerability scanning (endpoints, products, services, etc.) and penetration tests by specialized providers (services, corporate network).
    3. Periodic internal security audits and tests.
    4. Annual certification audits for several services.
    5. Processing incidents according to the Incident Response Plan, reviewing results during root cause analysis, and improving the security management system.
  6. Order or Contract Control
    • Measures to prevent third party data processing other than upon instruction from the controller have been implemented. This includes:
      1. Clear and unambiguous contractual arrangements in line with GDPR requirements.
      2. Procurement procedure, legal review and vendor management procedure to check the security state of a new vendor before selecting it.
      3. The information security state of vendors is reviewed annually or in the event of a security incident.
  7. Organizational Control
    • Relevant technical and organizational measures have been implemented for ensuring that, by default, only personal data which are necessary are processed in a legitimate way. These measures include:
      1. The Privacy Officer is responsible for compliance with data protection laws and regulations (contact e-mail: customerservice1@notifymd.net). In-house lawyers working on data protection are responsible for the legal aspects of data processing.
      2. The Privacy Policy and internal guidelines on privacy include the description of risks, key principles to be followed, target objectives and rules to be applied, and are available to different stakeholders (e.g. users, IT department, HR department, policymakers, etc.) via the corporate portal.
      3. Security Policies and guidelines on many security topics are implemented in processes and systems, reviewed annually, approved by management, and communicated to users.
      4. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, the strictest privacy settings apply by default, without any manual input from the end user. For any data processing not covered by legitimate interest, the data subject is asked for consent.
      5. Privacy by design, i.e. measures to ensure that, when personal data is processed, privacy is built into the system during the whole life cycle of that system or process. This consists, inter alia, of minimizing the processing of personal data, pseudonymizing personal data as soon as possible, transparency regarding the functions and processing of personal data, enabling the data subject to monitor the data processing, and enabling the controller to create and improve security features.
      6. Data Protection Impact Assessment describes processes to control the risks that processing operations performed by the organization pose on data protection and the privacy of data subjects.
      7. Processing of personal data is minimized during Data Protection Impact Assessment.