This Data Processing Addendum (“Addendum” or “DPA”) supplements the Terms of Service (the “Agreement”) entered into by and between the Customer listed on the applicable Order Form (as such term is defined in the Agreement) entered into by the parties and ZenGRC, Inc. (“ZenGRC”). By executing an Order Form that references this Addendum, the parties agree to be bound by its terms. This Addendum incorporates the terms of the Agreement, and any terms not defined in this Addendum will have the meaning set forth in the Agreement. In the event of a conflict between the terms and conditions of this Addendum and the Agreement, the terms and conditions of this Addendum will supersede and control.

Data Processing Addendum

  1. Definitions

    1. “Anonymous Data” means Personal Data that has been processed in such a manner that it can no longer be attributed to an identified or identifiable natural person.
    2. “CCPA Personal Information” means the “personal information” (as defined in the CCPA) that ZenGRC Processes on behalf of the Customer and/or the Customer’s Affiliates in connection with ZenGRC’s provision of the Service.
    3. “Customer Data” will have the meaning set forth in the Agreement.
    4. “Data Protection Laws” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”); European Directive 2002/58/EC, as amended by Directive 2009/136/EC (“E-Privacy Directive”); the UK GDPR; and any United States laws or regulations protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the processing of Personal Data including the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder (“CCPA”), as amended including by the California Privacy Rights Act (“CPRA”); the Virginia Consumer Data Protection Act, Code of Virginia title 59.1, Chapter 52; the Colorado Privacy Act, Colorado Rev. Stat. 6-1-1301 et seq.; guidance issued by the U.S. Federal Trade Commission pursuant to its authority under Section 5 of the FTC Act, 15 U.S.C. § 45; in each case, as amended from time to time.
    5. “Data Subject” shall mean, as applicable, “data subject” as defined under the GDPR and UK GDPR, “consumer” under the CCPA and other Data Protection Laws, and any similar term under the Data Protection Laws.
    6. “GDPR Personal Data” means the “personal data” (as defined in the GDPR and UK GDPR) that ZenGRC Processes on behalf of the Customer and/or the Customer’s Affiliates in connection with ZenGRC’s provision of the Service.
    7. “Personal Data” means any information relating to a Data Subject which is subject to Data Protection Laws (defined below) and which ZenGRC Processes on behalf of Customer other than Anonymous Data. Personal Data includes GDPR Personal Data and CCPA Personal Information.
    8. “Personal Data Breach” means any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
    9. “Service” will have the meaning set forth in the Agreement.
    10. “EU Standard Contractual Clauses” means the standard contractual clauses annex to European Commission Implementing Decision (EU) 2021/914 for the transfer of Personal Information to Third Countries (and any successor clauses), as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.
    11. “Sub-Processor” means any third party appointed by or on behalf of ZenGRC to process Personal Data in connection with the Service.
    12. “Third Countries” means countries which are not recognized by the Data Protection Laws as countries providing adequate protection of Personal Information.
    13. “UK Data Protection Laws” means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
    14. “UK GDPR” means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
    15. The terms “business,” “business purposes,” “consumer,” “controller,” “personal data breach,” “process” or “processing,” “processor,” “sale,” “sell,” “sensitive data,” “sensitive personal information,” “service provider,” “sharing,” “supervisory authority,” and “verifiable consumer request” will have the meanings given to those terms in the applicable Data Protection Laws to the extent such meanings are materially similar to the meaning of terms in effect on the Effective Date. In the event of a conflict in the meanings of terms among the Data Protection Laws, the parties agree that only the meanings in applicable Data Protection Laws will apply.
  2. Processing of Personal Data

    1. Each party will comply with the obligations applicable to it under the Data Protection Laws, including with respect to the processing of Personal Data.
    2. ZenGRC will only process Personal Data in accordance with the instructions of Customer. Customer will ensure that its instructions comply with all laws, rules and regulations applicable in relation to the Personal Data, and that the processing of Personal Data in accordance with Customer’s instructions will not cause ZenGRC to be in breach of the Data Protection Laws. As between Customer and ZenGRC, Customer will be responsible for (i) the means by which Customer acquired Personal Data and (ii) the accuracy, quality, and legality of the Personal Data provided to ZenGRC by or on behalf of Customer.
    3. For the purposes of this DPA, the following is deemed an instruction by Customer to process Personal Data: (a) to provide and support the Service; (b) as documented in the Agreement (including this DPA and any other agreement that requires processing of Personal Data); and (c) as further documented in any other specific written instructions given by Customer in this DPA, the Agreement, or as otherwise notified by Customer to ZenGRC from time to time, where such instructions are consistent with the terms of the Agreement.
    4. The subject-matter of the data processing covered by this DPA is the provision of the Service and support by ZenGRC. Schedule 1 of this DPA sets out the nature and purpose of the processing, the types of Personal Data ZenGRC processes and the categories of Data Subjects whose personal data is processed.
    5. For purposes of this DPA, Customer is the “controller” or “business,” and ZenGRC is the “processor” or “service provider” of Personal Data, as such terms are defined in the Data Protection Laws per Section 1 above.
  3. Authorized Employees

    1. ZenGRC will only disclose Customer Data to employees who have a need to know or otherwise access Personal Data to enable ZenGRC to perform their obligations under this Addendum or the Agreement (“Authorized Employee”).
    2. ZenGRC will take commercially reasonable steps to ensure the reliability and appropriate training of any Authorized Employee.
    3. ZenGRC will ensure that all Authorized Employees are made aware of the confidential nature of Customer Data and have executed confidentiality agreements that prevent them from disclosing or otherwise processing, both during and after their engagement with ZenGRC, any Customer Data except in accordance with their obligations in connection with the Service.
    4. ZenGRC will take commercially reasonable steps to limit access to Customer Data to only Authorized Employees.
  4. Authorized Sub-Processors

    1. Customer agrees that (a) ZenGRC may engage Affiliates and Sub-processors as listed at https://www.reciprocity.com/subprocessors/ (“Sub-Processor Page”) which may be updated from time to time and (b) such Affiliates and Sub-Processors respectively may engage third party Sub-Processors to process the Personal Data on ZenGRC’s behalf. By way of this Addendum, Customer provides general written authorization to ZenGRC to engage Sub-Processors as necessary to perform the Service.
    2. At least thirty (30) days before enabling any other Sub-Processors to access or participate in the processing of Personal Data, ZenGRC will add such third party to the Sub-Processor Page located at https://www.reciprocity.com/subprocessors/ (“Sub-Processor Page”). ZenGRC will provide written notification of a new Sub-Processor before authorizing any new Sub-Processor to process any Personal Data. Customer may reasonably object to such an engagement on legitimate grounds by informing ZenGRC in writing within ten (10) days of being informed of such new Sub-Processor.
    3. If Customer reasonably objects to an engagement in accordance with Section 4.2, and ZenGRC cannot provide a commercially reasonable alternative within a reasonable period of time, ZenGRC may terminate this Addendum as Customer’s sole and exclusive remedy for such objection. Termination will not relieve Customer of any fees owed to ZenGRC under the Agreement.
    4. If Customer does not object to the engagement of a third party in accordance with Section 4.2 within ten (10) days of notice by ZenGRC, that third party will be deemed an Authorized Sub-Processor for the purposes of this Addendum.
    5. ZenGRC will enter into a written agreement with the Authorized Sub-Processor imposing on the Authorized Sub-Processor data protection obligations comparable to those imposed on ZenGRC under this Addendum with respect to the protection of Personal Data. In case an Authorized Sub-Processor fails to fulfil its data protection obligations under such written agreement with ZenGRC, ZenGRC will remain liable to Customer for the performance of the Authorized Sub-Processor’s obligations under such agreement.
  5. Security of Personal Data

    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ZenGRC will maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data, as set forth in SCHEDULE 2.
    2. ZenGRC will notify Customer without undue delay after becoming aware of any Personal Data Breach. ZenGRC will make reasonable efforts to identify the cause of such Personal Data Breach and take such steps as ZenGRC deems necessary and reasonable to remediate the cause of such Personal Data Breach, to the extent the remediation is within ZenGRC’s reasonable control. ZenGRC will provide Customer with information and cooperation reasonably requested by Customer regarding such Personal Data Breach. ZenGRC’s notification of or response to a Personal Data Breach under this Section 5.1 will not be construed as an acknowledgment by ZenGRC of any fault or liability with respect to the Personal Data Breach. Unless required by law or by ZenGRC’s regulators, where Customer is the Data Controller, ZenGRC will not notify any Data Subject or any third party other than law enforcement of any Personal Data Breach involving Personal Data without first consulting with Customer. The obligations herein will not apply to incidents that are caused by Customer or Customer’s users.
  6. REQUIREMENTS FOR GDPR PERSONAL DATA

    This Section 6 will only apply to the processing of GDPR Personal Data by or on behalf of ZenGRC.

    1. The parties agree that ZenGRC may transfer Personal Data processed under this Addendum outside the European Economic Area (“EEA”), UK, or Switzerland as necessary to provide the Service. If ZenGRC transfers Personal Data protected under this Addendum to a jurisdiction that has not been found to provide an adequate or equivalent level of protection under the applicable Data Protection Laws, ZenGRC will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with Data Protection Laws.
    2. ZenGRC may engage Sub-Processors pursuant to Section 4 (Authorized Sub-Processors).
    3. Transfer Mechanisms. With regard to any transfers of GDPR Personal Data from the European Economic Area or the United Kingdom to countries that do not provide adequate protection for such data (as determined by the applicable Data Protection Laws), the parties hereby enter into applicable Standard Contractual Clauses in support of such transfer.
    4. For transfers of Personal Data from the United Kingdom, the International Data Transfer Addendum to the Model Clauses issued by the Information Commissioner’s Office of the United Kingdom (“UK Addendum”) (including all Part 2 Mandatory Clauses) is hereby incorporated by reference when they are available and are a valid transfer mechanism under applicable Data Protection Laws. The parties further agree to the following provisions with respect to the UK Addendum:
      1. Identity of the Parties: The data exporter is Customer, and the data importer is ZenGRC.
      2. Conflicts: In the event of any conflict or inconsistency between this Addendum and the UK Addendum, the UK Addendum will prevail.
      3. Appendices: Responses to the Appendices to the UK Addendum are provided in Schedule 1, attached hereto. The list of parties and the descriptions of the transfers are provided in Schedule 1. The technical and organizational measures including technical and organizational measures to ensure the security of the data are provided in Schedule 2.
      4. Ending this Addendum when the Approved Addendum Changes: The parties agree that Importer and Exporter may end the Addendum as set out in Section 19 of the UK Addendum.
      5. Specific Provisions:
        1. The Addendum EU SCCs will be the Approved EU SCCs.
        2. Module Two will apply.
        3. In Clause 7, the parties permit docking.
      6. The parties do not incorporate the optional liability clause included in the UK Addendum.
    5. For all other transfers of Personal Data under this DPA to Third Countries, to the extent such transfers are subject to such applicable Data Protection Laws, the EU Standard Contractual Clauses are hereby incorporated by reference when they are available and are a valid transfer mechanism under applicable Data Protection Laws. The parties further agree to the following provisions with respect to the EU Standard Contractual Clauses:
      1. Identity of the Parties: The data exporter is Customer, and the data importer is ZenGRC. Module Two (controller to processor) is the sole module applicable to transfers involving Personal Data.
      2. Conflicts: In the event of any conflict or inconsistency between this Addendum and the EU Standard Contractual Clauses, the EU Standard Contractual Clauses will prevail.
      3. Appendices: Responses to the Annexes to the EU Standard Contractual Clauses are provided in Schedule 1, attached hereto.
      4. Specific Provisions:
        1. In Clause 7, the parties permit docking.
        2. In Clause 9, the parties select Option 2 and a time period of 30 days.
        3. In Clause 11, the parties do not select the independent dispute resolution option.
        4. In Clauses 17 (Option 2) and 18(b), the parties agree that the jurisdiction is the member state in which Controller is established, or if the Controller is not established in a member state, the Republic of Ireland.
    6. Where applicable by virtue of Article 28(3)(f) of the GDPR or UK GDPR, ZenGRC will provide reasonable assistance to the Customer with any data protection impact assessments which are referred to in Article 35 of the GDPR and with any prior consultations to any Supervisory Authority of the Customer which are referred to in Article 36 of the GDPR, in each case solely in relation to processing of GDPR Personal Data and taking into account the nature of the processing and information available to ZenGRC.
  7. REQUIREMENTS FOR CCPA

    Section 7 of this DPA will only apply to the processing of CCPA Personal Information by ZenGRC.

    1. ZenGRC will not retain, use, or disclose CCPA Personal Information for any purpose other than for the specific purpose of providing the Service, or as otherwise permitted by the CCPA. ZenGRC acknowledges and agrees that it will not retain, use, or disclose CCPA Personal Information for a purpose other than providing the Service, except as permitted by the CCPA. Processing CCPA Personal Information outside the scope of this DPA or the Agreement will require prior written agreement between the Customer and ZenGRC on additional instructions for processing.
    2. ZenGRC will not Sell or Share any CCPA Personal Information it collects pursuant to the Agreement with the Customer.
    3. ZenGRC will not retain, use, or disclose CCPA Personal Information collected pursuant to the DPA or Agreement for purposes outside the direct business relationship between ZenGRC and the Customer, unless expressly permitted by CCPA and its regulations. To the extent prohibited by the CCPA, ZenGRC will not combine CCPA Personal Information received from Customer with Personal Data that ZenGRC receives from, or on behalf of, another person or persons, or collects from its own interaction with consumers.
  8. RIGHTS OF DATA SUBJECTS

    1. ZenGRC will, to the extent permitted by law, notify Customer upon receipt of a request by a Data Subject to exercise the Data Subject’s right of: access, rectification, erasure, data portability, restriction or cessation of processing, withdrawal of consent to processing, and/or objection to being subject to processing that constitutes automated decision-making (such requests individually and collectively “Data Subject Request(s)”). If ZenGRC receives a Data Subject Request in relation to Customer Data, ZenGRC will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Service. Customer is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of processing, or withdrawal of consent to processing of any Personal Data are communicated to ZenGRC, and for ensuring that a record of consent to processing is maintained with respect to each Data Subject.
    2. ZenGRC will, at the request of the Customer, and taking into account the nature of the processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Customer in complying with Customer’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Customer is itself unable to respond without ZenGRC’s assistance and (ii) ZenGRC is able to do so in accordance with all applicable laws, rules, and regulations. Customer will be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by ZenGRC.
  9. ACTIONS AND ACCESS REQUESTS

    1. ZenGRC will maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of two (2) years after the termination of the Agreement. Customer will, with reasonable notice to ZenGRC, have the right to review, audit and copy such records.
    2. Upon Customer’s request, ZenGRC will, no more than once per calendar year, either (i) make available for Customer’s review copies of certifications or reports demonstrating ZenGRC’s compliance with prevailing data security standards applicable to the processing of Customer Data, or (ii) if the provision of reports or certifications pursuant to (i) is not reasonably sufficient under Data Protection Laws, allow Customer or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of ZenGRC’s data security infrastructure and procedures that is sufficient to demonstrate ZenGRC’s compliance with its obligations under this Addendum, provided that Customer will provide reasonable prior notice of any such request for an audit and such inspection will not be unreasonably disruptive to ZenGRC’s business. Customer will be responsible for the costs of any such audits or inspections, including, without limitation, a reimbursement to ZenGRC for any time expended for on-site audits. Any such audit will be subject to ZenGRC’s security and confidentiality terms and guidelines. If ZenGRC declines to follow any reasonable instruction requested by Customer regarding audits, Customer is entitled to terminate this DPA and the Agreement.
    3. ZenGRC will immediately notify Customer if an instruction, in ZenGRC’s opinion, infringes the Data Protection Laws or supervisory authority.
    4. Return or Deletion of Customer Data. Following termination or expiration of the Agreement, ZenGRC will return or delete the Customer Data, unless further storage of Customer Data is required or authorized by applicable law. If return or destruction is impracticable or prohibited by law, rule or regulation, ZenGRC will take measures to block such Customer Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule, or regulation) and will continue to appropriately protect the Customer Data remaining in its possession, custody, or control.
  10. Affiliates. The Customer acts as a single point of contact for its Affiliates with respect to compliance with Data Protection Laws such that where ZenGRC gives notice to the Customer, such information or notice is deemed received by the Customer’s Affiliates. The parties acknowledge and agree that any claims in connection with Data Protection Laws under this DPA will be brought by the Customer, whether acting for itself or on behalf of an Affiliate.
  11. LIMITATION OF LIABILITY. THE TOTAL LIABILITY OF EACH OF CUSTOMER AND RECIPROCITY (AND THEIR RESPECTIVE EMPLOYEES, DIRECTORS, OFFICERS, AFFILIATES, SUCCESSORS, AND ASSIGNS), ARISING OUT OF OR RELATED TO THIS ADDENDUM, WHETHER IN CONTRACT, TORT, OR OTHER THEORY OF LIABILITY, WILL NOT, WHEN TAKEN TOGETHER IN THE AGGREGATE, EXCEED THE LIMITATION OF LIABILITY SET FORTH IN THE AGREEMENT.

SCHEDULE 1

Data Processing appendix

A.1 Parties

Name of Customer: The name listed on the applicable Order Form
Role of Customer: For purposes of the Agreements and this DPA, Customer is the sole Party that determines the purposes and means of processing Personal Data as the “business” or “controller.” To the extent of any cross-border data transfers under this DPA, Customer is the data exporter.
Address: The address listed for the Customer in the applicable Order Form
Contact Person’s Name, Position, and Contact Details: The applicable contact person shall be set forth in the applicable Order Form
Activities relevant to the data transferred under the EU Standard Contractual Clauses: Activities necessary for the provision of the Services as contemplated by the Agreement and the DPA.
Signature: This signature requirement will be considered to be fulfilled by the signature from the designated signor of Customer on the Order Form
Date: The date provided with the signature on the applicable Order Form will be considered to fulfil the date requirement here.

Role of ZenGRC: For purposes of the Agreements and this Addendum, Vendor processes Covered Personal Information on behalf of Customer as a “processor” or “service provider.” To the extent of any cross-border data transfers described in Exhibit B, Vendor is the data importer.
Address: 548 Market Street, PMB 73905, San Francisco, CA 94104-5401
Contact Person’s Name, Position, and Contact Details: ZenGRC Privacy, [email protected]
Activities relevant to the data transferred under the EU Standard Contractual Clauses: Activities necessary for the provision of the Services as contemplated by the Agreement and the DPA.
Signature: This signature requirement will be considered to be fulfilled by the signature from the designated signor of ZenGRC on the Order Form.
Date: The date provided with the signature on the applicable Order Form will be considered to fulfil the date requirement here.

A.2 Processing Terms

Duration of the processing: ZenGRC agrees to process Personal Data solely as instructed in the Agreement and the Addendum for the duration of the provision of the Services to Customer, and the longer of such additional period as: (i) is specified in any provisions of the Agreements regarding data retention; and (ii) is required for compliance with law.
Nature of the processing: Such processing as is necessary to enable ZenGRC to comply with its obligations and exercise its rights under the Agreements, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction processing activities.
Purpose of the processing: ZenGRC agrees to process Personal Data for limited and specified purposes described in the Agreements, this DPA, or as otherwise directed by authorized personnel of Customer in writing (email acceptable).
Consideration in exchange for processing: The parties acknowledge and agree that ZenGRC receives no monetary or other valuable consideration in exchange for Personal Data.
Type of Personal Data processed: Data exporter may submit Personal Data to the Service, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:

  • First and last name
  • Title
  • Position
  • Employer
  • Contact information (company, email, phone, physical business address)
  • Technical Identifiers (e.g., IP address, Session ID)
  • Localization data
  • Screen and/or voice recording
Types of sensitive (or special) categories of Personal Data processed: N/A
Categories of data subjects: Customer may submit Personal Data to the Service, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:

  • Prospects, customers, business partners and vendors of Customer (who are natural persons)
  • Employees or contact persons of Customer’s prospects, customers, business partners and vendors
  • Employees, agents, advisors, freelancers of Customer (who are natural persons)
  • Customer’s Users authorized by Customer to use the Service
Obligations and rights of the Parties: As set out in the Agreement.

B. Description of Cross Border Data Transfers

Description of activities relevant to the Personal Data transferred under the Standard Contractual Clauses: ZenGRC will process Personal Data in connection with providing the Service on behalf of Customer.
Categories of data subjects whose personal information is transferred: Customer may submit Personal Data to the Service, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:

  • Prospects, customers, business partners and vendors of Customer (who are natural persons)
  • Employees or contact persons of Customer’s prospects, customers, business partners and vendors
  • Employees, agents, advisors, freelancers of Customer (who are natural persons)
  • Customer’s Users authorized by Customer to use the Service
Types of personal information that will be transferred: Data exporter may submit Personal Data to the Service, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:

  • First and last name
  • Title
  • Position
  • Employer
  • Contact information (company, email, phone, physical business address)
  • Technical identifiers (e.g., IP addresses, session ID data)
  • Localization data
  • Screen and/or voice recording
Types of sensitive (or special) categories of personal information that will be transferred and applicable restrictions or safeguards: N/A
Frequency of the transfer: Continuous
Purpose of the data transfer and further processing: Provision of the Services as set forth in the Agreement.
Sub-processor transfers: Transfers to sub-processors will occur where necessary for the provision of the Services in accordance with the Agreements and the Addendum solely for the term of the Agreements.

C. Competent Supervisory Authority

  • EEA Data Subjects: Republic of Ireland
  • UK Data Subjects: United Kingdom
  • Swiss Data Subjects: Swiss Federal Data Protection and Information Commissioner

SCHEDULE 2

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Type of measure: Implemented measures
Measures of encryption of personal data: Data in motion and at rest protected by TLS 1.2 or greater encryption.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: TLS 1.2 or greater encryption for data in motion and at rest. Our container deployment solution is configured to ensure integrity, availability, and resilience of information.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: Customer data is backed up and replicated automatically in accordance with our Backup and Recovery policy.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing: ZenGRC regularly undergoes a SOC 2 audit by an independent third party for its Services.
Measures for user identification and authorisation: Users can implement SSO and MFA so that users are properly identified and authorized.
Measures for the protection of data during transmission: Data in motion is protected by TLS 1.2 or greater encryption.
Measures for the protection of data during storage: Data is stored and protected by our Cloud Service Provider. Data at rest is protected by TLS 1.2 or greater encryption.
Measures for ensuring physical security of locations at which personal data are processed: Physical security controls are inherited from our Cloud Service Provider, and these controls are regularly audited by an independent third party.
Measures for ensuring events logging: Activity logs are maintained and are protected from unauthorized distribution and modification.
Measures for ensuring system configuration, including default configuration: Configurations are source controlled and pushed through a continuous integration and deployment process.
Measures for internal IT and IT security governance and management: Designated individuals are responsible for our information security and compliance practices. Additionally, our practices are governed by enforced written policies that are reviewed on at least an annual basis.
Measures for certification/assurance of processes and products: SOC 2 Type II audits are performed by an independent third party on an annual basis.
Measures for ensuring data minimisation: We only process the minimum amount of personal data required to provide the Services. Additional information is uploaded at the choice of the user.
Measures for ensuring data quality: Users are responsible for ensuring their data is of quality and is updated. Users can update their personal data without any action on the part of ZenGRC.
Measures for ensuring limited data retention: Personal Data is permanently deleted 30 days after the termination of the Agreement and this DPA.
Measures for ensuring accountability: Systems generate audit logs which are then collected and synthesized in our logging repository.
Measures for allowing data portability and ensuring erasure: Personal Data may be exported in a machine-readable format, and Personal Data can be deleted by the user and upon request.

SCHEDULE 3

LIST OF SUB-PROCESSORS

ZenGRC’s list of sub-processors (including Affiliates) is available at https://www.reciprocity.com/subprocessors/. The Sub-Processor Page may be updated from time to time in accordance with this DPA.