Leebry Data Protection Addendum
This Data Processing Addendum including appendices and references (“DPA”) forms part of the Agreement (as defined below) between
(1) MacPaw Way Ltd. ("MacPaw"), a company incorporated under the laws of Cyprus, with its principal place of business at 25 Serifou, Allure Center 11, Office No. 11-12, 2nd Floor, 3046 Zakaki, Limassol, Cyprus; and
(2) The customer outlined in the Agreement with MacPaw (“Customer”).
Together referred to as the "Parties" and each individually as a "Party".
- Background.
- The Parties have entered into a main agreement, i.e. a Master Service Agreement (“Agreement”) regarding the Customer’s use of Leebry, a SaaS-based artificial intelligence (AI) product that unifies knowledge, context, and actions across several platforms (“Service” or “Product”).
- In conjunction with the provision of the Service under the Agreement, MacPaw may Process Personal Data as a Data Processor on behalf of the Customer as the Controller. Therefore, and in order to ensure compliance with Applicable Law, the Parties have agreed to enter into this DPA.
- The Agreement sets out commercial details about the Parties and the details on provision of the Service. This DPA supplements the Agreement and regulates only the Processing of Personal Data carried out by MacPaw as a Data Processor for the Customer. The most recent version of the DPA is published on MacPaw’s website and shall automatically apply between the Parties after acceptance of the Agreement by the Customer, unless a signed and duly executed version has previously been agreed.
Definitions.
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party to this DPA. For purposes of this definition, "Control" means the direct or indirect ownership of more than fifty percent (50%) of the voting interests of the subject entity, or the power to direct or cause the direction of the management and policies of such entity, whether through the ownership of voting securities, by contract, or otherwise.
- "Applicable Laws" means any binding data protection, privacy, or similar legislation, regulations, and case law applicable to the Processing of Personal Data under this DPA, including:
- within the European Union and the European Economic Area: the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "GDPR"), together with any national implementing legislation enacted by EEA member states;
- within the United Kingdom: the EU GDPR as it forms part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (the "UK GDPR"), together with the Data Protection Act 2018 and any other applicable UK data protection legislation;
- within Switzerland: the Swiss Federal Act on Data Protection (the "FADP") and its implementing ordinances; and in each case as amended, superseded, or replaced from time to time, together with any subordinate legislation, binding guidance, and regulatory codes of practice issued thereunder;
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect. Cognate terms shall be construed to have the same meaning.
“Customer Data” means all data, content, and information submitted to, stored in, processed by, or transmitted through the Service by or on behalf of the Customer, including any Personal Data contained therein.
“EU-U.S. Data Privacy Framework” means the transfer mechanism in terms of Art. 45 of the EU GDPR that enables participating organizations - pursuant to the European Commission's Implementing Decision C(2023) 4745 final of 10.7.2023 and the EU-U.S. Data Privacy Framework Principles as set forth by the U.S. Department of Commerce - to Process Personal Data originating from the European Union (EU) and the European Economic Area (EEA) in the United States (U.S.) in accordance with Chapter V of the EU GDPR;
“Personal Data” means any information relating to an identified or identifiable individual where such information is protected similarly as personal data, personal information, or personally identifiable information under Applicable Laws.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
"Restricted Transfer" means any transfer of Personal Data from the EEA, Switzerland or the United Kingdom to an international organization or to a country outside of the EEA, Switzerland and the United Kingdom;
“Standard Contractual Clauses” or “SCCs” means:
Regarding the GDPR, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”);
Regarding the UK GDPR, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 (the “UK SCCs”); and
Regarding the Swiss Data Protection Act, the Standard data protection clauses recognized by the Swiss Federal Data Protection and Information Commissioner (the “Swiss SCCs”).
- “Sensitive Information” means Personal Data revealing a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation.
- "Sub-processor" means any contracted service provider (including any third party and MacPaw Affiliate) Processing Personal Data in the course of MacPaw’s provisioning of the Services under the Agreement;
- “User” means any individual whom the Customer authorises or invites to access and use the Product. For the avoidance of doubt, individuals invited to use the Product by an existing User shall also be considered Users for the purposes of this DPA.
- The terms "Controller", "Data Subject", "Personal Data Breach", “Processor”, and "Supervisory Authority" shall have the same meaning as in the GDPR.
- The word "include" shall be construed to mean include without limitation.
Roles
The Customer is the Data Controller and MacPaw is the Data Processor for the Processing of Personal Data explicitly described in this DPA. In its capacity as Data Processor, MacPaw shall Process Personal Data in Customer Data on behalf of the Customer in accordance with this DPA and Applicable Laws.
Processing of Personal Data
When Processing Personal Data, MacPaw shall comply with the Customer’s documented instructions, as set out in the Agreement and this DPA, unless otherwise required by Applicable Laws. Customer may issue additional instructions to MacPaw, provided that they are legally required, technically feasible, reasonable and do not require any changes to the Service. If MacPaw is unable to comply with an additional instruction, it shall immediately notify the Customer.
As the Controller, the Customer guarantees that the Processing activities to be carried out are lawful, that a legal basis and specific purpose are in place, and that the Data Subjects concerned have been given the required information, so that the Personal Data may be transferred to MacPaw for provision of the Service.
Taking into account the nature of the Processing, MacPaw shall, through appropriate technical and organisational measures, assist the Customer, to the extent possible, so that the Customer can fulfil its obligation to respond to requests regarding exercise of the rights of the Data Subject in accordance with Chapter III of the GDPR.
If MacPaw believes that the Customer’s instructions or communication from the Customer is in breach of the GDPR or other Applicable Laws, MacPaw shall immediately notify the Customer and suspend the Processing in question until the Customer has given instructions to MacPaw on how to proceed with the Processing.
Third party integrations and visibility
- Through the use of the Product and its features, Customer or Users may elect to enable integrations with third-party platforms and services (each, a "Third-Party Integration"). By enabling a Third-Party Integration, Customer and/or its Users expressly instruct MacPaw to:
- transmit Customer Data, including User inputs, queries, or such portions thereof as are necessary, to the relevant Third-Party Integration for the purpose of retrieving relevant data or content in response to such inputs; and
- make Customer Data, which may include Personal Data, accessible to or retrievable from the relevant Third-Party Integration, solely to the extent necessary to provide the Services.
- Customer acknowledges and agrees that:
- the use of Third-Party Integrations is subject to the terms and conditions agreed between Customer and the relevant third-party service provider, and Customer is responsible for ensuring that such terms permit the access and use of Personal Data contemplated by this DPA;
- where Personal Data is transmitted to or retrieved from a Third-Party Integration pursuant to Customer's or its Users' instruction, the relevant third-party service provider processes such data independently of MacPaw, and MacPaw shall not be responsible for the data protection practices of such third-party service providers;
- third-party service providers whose platforms are accessed through Third-Party Integrations are not sub-processors of MacPaw within the meaning of this DPA, as any transmission of Personal Data to such providers occurs solely on the instruction of Customer or its Users; and
- Customer is responsible for ensuring that appropriate agreements, including data processing agreements where required by Applicable Laws, are in place between Customer and the relevant third-party service providers.
- MacPaw shall transmit only the minimum amount of Personal Data necessary to fulfil the relevant User's request when interacting with Third-Party Integrations, in accordance with the principle of data minimisation under Applicable Laws.
Special Categories of Personal Data
- The Service is not suitable for the Processing of Sensitive Information. Accordingly, the Customer shall not instruct MacPaw to Process any such Sensitive Information in connection with the Service. The Customer acknowledges and agrees that it is solely responsible for ensuring that the data provided to MacPaw does not include any Sensitive Information.
MacPaw Personnel
- MacPaw has implemented appropriate security controls designed to ensure that:
- access to Personal Data within MacPaw’s control is strictly limited to those individuals who need to know/access the relevant Personal Data as reasonably necessary for the purposes outlined in this DPA, the Agreement or as required under Applicable Laws; and
- all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Purpose Limitation
- MacPaw will Process Personal Data in order to provide the Services in accordance with the Agreement (the “Permitted Purpose”). Annex I of this DPA further specifies the nature and purpose of the Processing, the Processing activities, the duration of the Processing, the types of Personal Data and categories of data subjects.
- MacPaw shall not process Personal Data for any purpose other than: (a) the Permitted Purpose, in its capacity as a Processor acting on behalf of the Customer; or (b) where MacPaw processes Personal Data as a Controller, for the purposes and on the legal grounds set out in the Leebry Privacy Notice, as updated from time to time.
Security
- Taking into account the state of the art, the costs of implementation, the nature, scope, context, purposes and type of Processing, the information in possession of MacPaw as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, MacPaw has implemented appropriate technical and organizational measures to protect Personal Data from Data Breaches, as described under Annex II to this DPA (the "MacPaw Security Measures").
- The Customer acknowledges and agrees on the technical and organisational measures described in the Annex II and deems the measures sufficient for the Processing of Personal Data by MacPaw in conjunction with provision of the Service.
- Notwithstanding any provision to the contrary, MacPaw may modify or update the Security Measures provided that such modification or update does not result in a material degradation in the protection offered by the MacPaw Security Measures.
- To the extent specified in Section 9.1., MacPaw shall ensure secure and confidential Personal Data transmission. MacPaw uses external auditors and certification programs to verify the adequacy of its security measures with respect to its Processing of Personal Data. A description of MacPaw’s certifications and standards for audit can be found at MacPaw’s Trust Center.
Sub-Processing
- MacPaw is entitled to engage Sub-processors in accordance with Clause 9.2. and Clause 15, including MacPaw Affiliates and third-party sub-processors, provided that each Sub-processor is bound by a written agreement imposing data protection obligations no less protective than those set out in this DPA. Customer specifically authorises the engagement as sub-processors of:
- all MacPaw Affiliates from time to time, without the need to list each Affiliate individually in the sub-processor list maintained by MacPaw; and
- those third-party Sub-processors listed in the List of Leebry Sub-processors available here as of the DPA commencement date.
- MacPaw shall notify Customer of any intended appointment of a new Sub-processor by updating the List of Leebry Sub-processors, and shall provide Customer with an opportunity to object to such appointment. The following conditions apply:
- any objection by Customer must be made in writing within fourteen (14) days of the date of posting and must be based on objectively justifiable grounds relating to the proposed Sub-processor's ability to comply with Applicable Laws;
- MacPaw shall not engage the new Sub-processor before the fourteen (14) day objection period has expired;
- upon Customer's written request, MacPaw shall provide Customer with such information as is reasonably available to MacPaw to enable Customer to assess the proposed Sub-processor's ability to comply with Applicable Laws;
- if Customer raises a valid objection and MacPaw nonetheless wishes to proceed with the appointment, the parties shall discuss in good faith and endeavour to identify an alternative solution acceptable to both parties;
- if the parties are unable to reach an alternative solution and Customer's objection would result in additional costs or operational consequences for MacPaw, MacPaw shall be entitled to adjust its fees under the Agreement to reflect such additional costs, provided that MacPaw notifies Customer of the adjustment in advance; and
- if Customer's objection would result in costs or operational consequences that are not commercially reasonable for MacPaw in MacPaw's reasonable opinion, MacPaw may terminate the Agreement upon reasonable prior written notice to Customer.
- Notwithstanding Section 10.2., the appointment of MacPaw Affiliates as sub-processors shall not require prior notification to or approval from Customer, provided that MacPaw notifies Customer of any such Affiliate appointments upon Customer's written request.
Cooperation and Data Subject Rights
- Taking into account the nature of the processing, MacPaw shall provide reasonable and timely assistance to Customer, at Customer's expense, to enable Customer to respond to:
- any request received from a Data Subject seeking to exercise their rights under Applicable Laws, including the rights of access, rectification, erasure, restriction of processing, objection, and data portability, as applicable; and
- any other correspondence, enquiry, or complaint received from a data subject, competent supervisory authority, or other third party; in each case in respect of Personal Data processed by MacPaw on Customer's behalf.
- In the event that any request, correspondence, enquiry, or complaint referred to in Section 11.1 above is made directly to MacPaw, MacPaw shall not respond to such communication without Customer's prior written authorisation, unless MacPaw is required to do so by Applicable Laws. MacPaw shall promptly notify Customer upon receipt of any such communication and provide Customer with sufficient details to enable Customer to formulate a response. Where MacPaw is legally required to respond directly, MacPaw shall notify Customer accordingly and provide Customer with a copy of its response, unless prohibited from doing so by applicable law.
- To the extent required under Applicable Laws, MacPaw shall, at Customer's written request and expense, provide such information regarding the Service as is reasonably necessary to enable Customer to conduct data protection impact assessments or carry out prior consultations with competent supervisory authorities, taking into account the nature of the processing and the information available to MacPaw.
Return or Deletion of Personal Data
- Upon cessation of the Processing of Personal Data on behalf of Customer, MacPaw shall, at Customer's election and upon Customer's written instruction, either:
- return all Personal Data to Customer in a commonly used and machine-readable format; or
- securely delete and destroy all Personal Data in MacPaw's possession or control; in each case including any copies thereof. Upon completion of deletion or destruction, MacPaw shall, upon Customer's request, provide written confirmation thereof.
- Upon expiry or termination of this DPA and following MacPaw's compliance with Section 12.1 above, MacPaw shall cease all Processing of Personal Data.
- Where the return or deletion of Personal Data is impracticable or is prohibited by Applicable Laws or any other applicable legal requirement, MacPaw shall: (i) promptly inform Customer of the circumstances preventing such return or deletion; (ii) restrict the relevant Personal Data from any further Processing, except to the extent strictly necessary for its continued hosting or as required by Applicable Laws or EU law; (iii) continue to apply appropriate technical and organisational measures to protect such Personal Data for as long as it remains in MacPaw's possession, custody, or control; and (iv) where any Sub-processor continues to hold such Personal Data, require that Sub-processor to implement equivalent measures as those required of MacPaw under this clause.
No Sale or Share
- To the extent that the Processing of the Personal Data is subject to U.S. data protection laws, MacPaw shall not:
- sell the Personal Data or otherwise make the Personal Data available to any third party for monetary or other valuable consideration;
- share the Personal Data with any third party for cross-context behavioral advertising;
- retain, use, or disclose the Personal Data for any purpose other than the business purposes specified in this DPA and the Agreement, or as otherwise permitted by U.S. data protection laws;
- retain, use or disclose the Personal Data outside of the direct business relationship between the Parties; and
- except as otherwise permitted by U.S. data protection laws, combine the Personal Data with Personal Data that MacPaw receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject.
- MacPaw will notify the Customer promptly if it makes the determination that it can no longer meet its obligations under applicable U.S. data protection laws.
Personal Data Breach
- Upon becoming aware of a Personal Data Breach involving Customer Personal Data, MacPaw shall notify the Customer without undue delay and shall provide such information as the Customer may reasonably require, including to enable the Customer to fulfil its data breach reporting obligations under Applicable Laws. Email to Customer’s registered email address with MacPaw shall be deemed sufficient as a notification.
- MacPaw’s notification of or response to a Personal Data Breach shall not be construed as an acknowledgement by MacPaw of any fault or liability with respect to the Personal Data Breach.
Audit Rights
- Customer acknowledges that MacPaw is regularly audited by independent third-party auditors and/or internal auditors, as further described at MacPaw’s Trust Center. Upon Customer's written request, and subject to Customer having entered into a non-disclosure agreement with MacPaw on terms acceptable to MacPaw, MacPaw shall:
- provide Customer with a summary copy of its relevant audit report(s) (the "Report") on a confidential basis, to enable Customer to verify MacPaw's compliance with the applicable audit standards and the terms of this DPA; and
- provide written responses on a confidential basis to reasonable requests for information relating to MacPaw's processing of Personal Data, including responses to information security and audit questionnaires, to the extent necessary to confirm MacPaw's compliance with this DPA; provided that Customer may not exercise its rights under this Section 15.1 more than once per calendar year.
- Only to the extent that Customer cannot reasonably verify MacPaw's compliance with this DPA through the exercise of its rights under Section 15.1 above, and where required by Applicable Laws or the Standard Contractual Clauses, Customer and its duly authorised representatives may conduct an audit or inspection during the term of the Agreement, subject to the following conditions:
- Customer and its authorised representatives have entered into a non-disclosure agreement with MacPaw on terms acceptable to MacPaw prior to commencing the audit;
- Customer shall provide MacPaw with no less than thirty (30) days' prior written notice of its intention to conduct an audit or inspection;
- the scope, timing, duration, and any applicable limitations of the audit shall be agreed between the parties in writing in advance and conducted during MacPaw's normal business hours;
- Customer shall bear all costs and expenses reasonably incurred by MacPaw in connection with the audit or inspection, including time spent by MacPaw's personnel; and
- Customer may exercise its right to audit no more than once per calendar year, unless an audit is required by a competent supervisory authority or is necessitated by a confirmed Personal Data Breach.
- All information, documentation, and findings obtained by Customer in the course of an audit conducted pursuant to Section 15.1 shall be treated as strictly confidential and shall not be used for any purpose other than verifying MacPaw's compliance with its obligations under this DPA and Applicable Laws. Customer shall share all audit reports and findings with MacPaw promptly upon completion of the audit. All information collected in the course of the audit shall be securely deleted within one (1) month of the date of the inspection.
- Customer acknowledges that access to server rooms and other sensitive infrastructure may not be possible in all cases for security or operational reasons, in which case the parties shall discuss and agree on appropriate alternative measures to achieve the same verification objectives.
- The scope of any audit shall exclude:
- any data or information relating to any other customer of MacPaw or their users;
- any internal accounting or financial information of MacPaw;
- any trade secrets of MacPaw;
- any information that, in MacPaw's reasonable opinion, could: (A) compromise the security of MacPaw's systems or premises; or (B) cause MacPaw to breach its obligations under Applicable Laws or its confidentiality or security obligations to any other customer or third party; or
- any information sought for any purpose other than the good faith fulfilment of Customer's compliance obligations under Applicable Laws or verification of MacPaw's compliance with this DPA.
- Nothing in this DPA shall limit or restrict the ability of a competent supervisory authority to carry out an audit or inspection of MacPaw's Processing activities in accordance with Applicable Laws.
Limitation of Liability
The liability of MacPaw under or in connection with this DPA, whether arising in contract, tort (including negligence), breach of statutory duty, or otherwise, shall be subject to the limitations and exclusions of liability set out in the Agreement. For the avoidance of doubt, the aggregate liability of MacPaw under the Agreement and this DPA combined shall not exceed the liability cap set forth in the Agreement.
To the maximum extent permitted by Applicable Laws, MacPaw shall not be liable to Customer for any: loss of profits; loss of revenue; loss of anticipated savings; loss of business opportunity; loss of or damage to goodwill or reputation; or any indirect, consequential, or special loss or damage, in each case arising out of or in connection with this DPA, whether or not such loss was foreseeable or MacPaw had been advised of the possibility of such loss. For the avoidance of doubt, MacPaw shall not be liable for any administrative fines or penalties imposed on Customer by a supervisory authority.
MacPaw, acting in its capacity as Processor, Processes Personal Data solely on the basis of Customer's instructions and shall not be liable for any consequences arising from the inaccuracy, incompleteness, or unlawfulness of the Personal Data provided by Customer. Customer is solely responsible for ensuring that:
Personal Data has been collected in accordance with Applicable Laws;
Data Subjects have been provided with all required information regarding the Processing of their Personal Data; and
a valid legal basis exists for each Processing activity carried out under this DPA.
Customer shall indemnify, defend, and hold harmless MacPaw from and against any damages, losses, fines, penalties, and reasonable costs and expenses (including legal fees) incurred by MacPaw arising out of or in connection with Customer's breach of this DPA or Applicable Laws.
Each party's right to seek contribution or indemnification from the other party pursuant to Article 82(5) of the GDPR shall be limited in accordance with the provisions of this Section 18.
Term
This DPA commences on the same date as the Agreement and continues to be in effect for the duration of the Agreement (including any agreement replacing the Agreement regarding provision of the Service). This DPA shall remain in effect for as long as MacPaw Processes Personal Data subject to this DPA, notwithstanding the expiration or termination of the Agreement.
Governing law and settlement of disputes
- This DPA shall be governed by and construed in accordance with the governing law provisions set out in the Agreement, except to the extent that Applicable Laws mandates the application of a different governing law.
- Any dispute, controversy, or claim arising out of or in connection with this DPA, including any question regarding its breach, termination, or validity, shall be resolved in accordance with the dispute resolution provisions set out in the Agreement.
Miscellaneous
- The DPA consists of this main document, the annexes, the list on Sub-processors available via link and the referenced SCCs (if and as applicable).
- In the event of any contradictions between this DPA and the Annex I, the DPA shall take precedence. The SCC shall prevail over the DPA and the Annex I solely with respect to transfer of Personal Data from the EEA to a third country that does not offer an adequate level of data protection. This DPA shall take precedence over the Agreement in matters relating to the Processing of Personal Data carried out under the DPA.
- If MacPaw cannot comply with its obligations under the Standard Contractual Clauses for any reason, and the Customer intends to suspend or terminate the transfer of the Personal Data to MacPaw, the Customer agrees to provide MacPaw with reasonable notice to enable MacPaw to cure such non-compliance and to reasonably cooperate with MacPaw to identify what additional safeguards, if any, may be implemented to remedy such non-compliance. If MacPaw has not or cannot cure the non-compliance, the Customer may suspend or terminate the affected part of the Services in accordance with the Agreement without liability to either Party (but without prejudice to any fees the Customer has incurred prior to such suspension or termination).
- In no event does this DPA restrict or limit the rights of any Data Subject or of any competent supervisory authority.
- MacPaw reserves the right to amend, update, or otherwise modify this DPA from time to time to the extent necessary to reflect: (i) changes to the Services; or (ii) changes in Applicable Laws. MacPaw shall provide Customer with reasonable prior written notice of any material amendments to this DPA. Customer's continued use of the Services following the expiry of such notice period shall constitute Customer's acceptance of the amended DPA.
Annex I
DETAILS OF PROCESSING
1. LIST OF PARTIES
Data Exporter(s):
Name of Data Exporter: | Customer, as set out in the Agreement |
Address: | As set out in the Agreement |
Contact person’s name, position, and contact details: | As set out in the Agreement |
Activities relevant to the data transferred under the SCCs: | MacPaw shall Process Personal Data on behalf of the Customer for the purpose of providing the Services under the Agreement. MacPaw’s Processing of Personal Data on behalf of the Customer will be as necessary to perform the Service. |
Signature and date: | This Annex I shall automatically be deemed executed upon execution of the DPA. |
Role (Controller/Processor): | Controller |
Data Importer(s):
| Field | Details |
| --- | --- |
| Name of Data Importer | MacPaw, as set out in the Agreement |
| Address | As set out in the Agreement |
| Contact person’s name, position, and contact details | As set out in the Agreement |
| Activities relevant to the data transferred under the SCCs | MacPaw shall Process Personal Data on behalf of the Customer for the purpose of providing the Services under the Agreement. MacPaw’s Processing of Personal Data on behalf of the Customer will be as necessary to perform the Service. |
| Signature and date | This Annex I shall automatically be deemed executed upon execution of the DPA. |
| Role (Controller/Processor) | Processor |
2. DESCRIPTION OF PROCESSING/ TRANSFER
| Item | Details |
| --- | --- |
| Categories of Data Subjects whose personal data is transferred | Users, and any other individuals whose Personal Data is provided to MacPaw by or at the direction of Customer or its Users via the Product or Service, including from Third-Party Products. |
| Types of Personal Data transferred | Personal Data, the content of which is determined and controlled solely by Customer and its Users. |
| Sensitive data transferred (if applicable) and applied restrictions or safeguards | MacPaw does not knowingly collect (and the Customer shall not submit) any sensitive data or any special categories of data. |
| Frequency of the transfer | If Customer is established outside the EU/EEA, every time Customer’s user(s) log in or otherwise use the Service. Otherwise occasionally, if required to provide the Service. |
| Nature and purpose(s) of the data transfer and Processing | To enable provision of the Service. |
| Retention period (or, if not possible to determine, the criteria used to determine the period) | MacPaw will Process Personal Data for the term of the Agreement as outlined in Section 12 (Return or Deletion of Personal Data). |
| For transfers to (sub-)processors, also specify subject matter, nature, and duration of the processing | The nature of any Processing by Sub-processors is to facilitate the Service. The duration is for the term of the Agreement between MacPaw and the Customer. |
3. COMPETENT SUPERVISORY AUTHORITY
| Item | Details |
| --- | --- |
| Identify the competent supervisory authority/ies in accordance with Clause 13 | Where the EU GDPR applies, Office of the Commissioner for Personal Data Protection (Cyprus); or where the UK GDPR applies, the UK Information Commissioner's Office; or in the case of Restricted Transfers from Switzerland, the Swiss Federal Data Protection Information Commissioner. |
Annex II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
MacPaw Way Ltd. Security measures
A description of MacPaw’s security certifications and standards can be found at MacPaw’s Trust Center.
Cryptography
- Implemented key management procedure.
- Sensitive data are encrypted in transit and at rest.
Operations Security
- Periodic network and application vulnerability testing using dedicated qualified internal resources.
- Implemented procedures to document and remediate vulnerabilities discovered during vulnerability and penetration tests.
Communications Security
- A secure boundary using firewalls and network traffic filtering.
- Internal segmentation to isolate critical systems from general purpose systems.
- Periodic reviews and testing of network controls.
System Acquisition, Development and Maintenance
- Secure software principles are followed both for coding projects and for software reuse operations.
- Monitoring is configured for real-world security threats and kept current with the most recent information on known or potential software security vulnerabilities.
- Software development tools to ensure the security of all code created.
Information Deletion/Data Masking and Data Leakage Prevention
- Data backups are configured.
Application Security
- The applications undergo an internal penetration test before their initial release to maintain security standards.
- We use advanced bot detection technology to identify and mitigate malicious automated traffic. This ensures protection against brute force attacks and other automated threats while maintaining seamless access for legitimate users.
- We use Static Application Security Testing (SAST) to scan all of our code, identifying and addressing vulnerabilities early in the development process.
- We utilize HashiCorp Vault for managing credentials securely.
- We use a Software Composition Analysis (SCA) solution to track and manage our software components, including open-source dependencies, versions, and licenses.
- We follow a Secure Software Development Lifecycle (SDLC) policy that formalizes processes to ensure secure and reliable feature development.
- We adhere to established policies for Vulnerability and Patch Management.
- We use Cloudflare WAF to protect our web applications, ensuring reliable performance and defense against common online threats.
Access Control
- User onboarding and offboarding are handled through a structured process.
- Regular access reviews are conducted to ensure users have appropriate permissions.
Endpoint Security
- All endpoints are protected with an Endpoint Detection and Response (EDR) solution.
- Device encryption is enabled to protect data at rest.
- Mobile Device Management (MDM) is implemented to enforce policies and manage devices remotely.
Network Security
- Firewalls and Intrusion Prevention Systems (IPS) are in place to protect against external and internal threats.
- The internal network is segmented using VLANs to isolate critical systems.
Monitoring & Logging
- A Security Information and Event Management (SIEM) system is deployed.
- Logs are aggregated and monitored in real-time.
- Alerts and anomalies are analyzed for threat detection and response.
Identity & Authentication
- A centralized Identity Provider is used to manage authentication.
- Multi-factor authentication (MFA) is enforced across critical systems.