Data Processing Agreement

This Data Processing Agreement (“DPA”) is entered by and between Feedzai (“Feedzai” or “Controller”) and the Services Provider (“Services Provider” or “Processor”), as identified in the signatures section, and reflects the Parties’ Agreement with respect to the terms governing the Processing of Personal Data by the Services Provider on behalf of Feedzai under the applicable Services Agreement signed between the parties or even, if necessary, before its signature, which is governed by the following clauses:

  1. Definitions.
    1.1.Controller” means the natural or legal person who determines the purposes and means of the Processing of Personal Data, who in this DPA is Feedzai. “Data Subject” means the identified or identifiable natural person whose Personal Data is Processed.
    1.2.Data Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
    1.3.Data Protection Laws” means all data protection, privacy or similar laws and regulations anywhere in the world, including but not limited to laws and regulations of the EU, the EEA and their member states, Switzerland, the United Kingdom, which applies to the Processing of Personal Data under this DPA.
    1.4. “Effective Date” means the date in which this DPA is executed and corresponds to the date of the last signature below or the date of the first disclosure of Personal Data in the event that any Personal Data has been previously disclosed.
    1.5.EU” means European Union.
    1.6.EEA” means European Economic Area.
    1.7.Feedzai’s Personal Data” means any Personal Data Processed by the Services Provider or another Subprocessor on behalf of Feedzai, pursuant to or in connection with the Services Agreement.
    1.8.GRPD” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation). References to “articles” or “chapters” of the GDPR shall be construed accordingly.
    1.9.Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, a location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, as well as the categories of data referred to in Exhibit A which may be supplied to and Processed by the Services Provider on behalf of the Controller pursuant to or in connection with the Services Agreement.
    1.10. Personnel” means the Services Provider’s employees or other individuals with a contractual relationship with Services Provider.
    1.11.Processor” means the Services Provider as the natural or legal person which processes Personal Data on behalf of the Controller.
    1.12.Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or  not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    1.13.Restricted Transfers” means the transfer of Personal Data to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws and Regulations, to the extent such transfers are subject to such Data Protection Laws and regulations. Includes transfers of Feedzai’s Personal Data from Feedzai to the Services Provider and onward transfers of Personal Data, including from a Subprocessor to another Subprocessor or between two establishments of a Subprocessor.
    1.14.Services” means the Services provided by the Services Provider to Feedzai as defined on the applicable Services Agreement.
    1.15.Standard Contractual Clauses” means the Standard Contractual Clauses approved by Commission Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, and (ii) the International Data Transfer Addendum to the EU SCC’s issued by the Information Commissioner’s Office (“UK SCCs”) as included in Exhibit B.
    1.16.Subprocessor” means an entity engaged by the Processor, exclusively for the Processing activities to be carried out pursuant to or in connection with the Services Agreement on behalf of Feedzai and in accordance with its instructions, as transmitted by Feedzai.
  2. Duration of the DPA.
    Unless otherwise agreed in writing, this DPA will take effect on the date of the Services Agreement Effective Date. Notwithstanding expiry of the Term, remain in effect until, and automatically expire upon, deletion of all Feedzai’s Data by the Services Provider as described in this DPA.
  3. Scope of Processing.
    The subject-matter of Processing of Personal Data by the Services Provider is the performance of the Services pursuant to the Services Agreement. For that purpose, by entering into this DPA, the Services Provider acts as a Processor and shall Process Feedzai’s Personal Data as confidential information. The Services Provider shall only Process Personal Data, on behalf of Feedzai in accordance with i) the requirements of the applicable Data Protection Laws, ii) Feedzai’s documented instructions in accordance with the terms of this DPA, including the details of the Processing stated on Exhibit A attached hereto. Services Provider must inform Feedzai immediately in case it believes that its instructions provided i) infringe Data Protection Laws, ii) to be insufficient.
  4. Data Security.
    4.1. Security Schedule. All data security measures, including how to handle Security Incidents shall be governed by the Security Schedule as included in Exhibit C.
    4.2. Audits of Compliance.
    4.2.1 Reviews of Security Documentation. In addition to the information contained in this DPA and respective Agreement, Services Provider shall and shall procure that any Subprocessor on request, makes available to Feedzai information necessary to demonstrate compliance with this DPA.
    4.2.2 Feedzai’s and Controller’s Audit rights. Services Provider shall procure that any Subprocessor allows Feedzai and/or Controller to perform any audits in relation to the Processing of Personal Data under the Agreement which might include access to its premises by Feedzai, Controller or an auditor mandated for this purpose. Feedzai shall give Services Provider reasonable notice of any audit or inspection to be conducted under this Section and ensure that each of its mandated auditors use its best efforts to avoid causing any damage, injury or disruption to the Services Provider premises, equipment, Personnel, data, and business while its Personnel and/or its auditor’s Personnel (if applicable) are on those premises in the course of any on-premise inspection.
    4.3. Supervisory Authority. Services Provider shall fully cooperate with and assist Feedzai in relation to the response to any notifications from a supervisory authority, in connection with the Personal Data, including without limitation, the preparation of supporting documentation to be submitted to the relevant supervisory authority and provision of supporting documentation sufficient to evidence that Services Provider  is legally bound by the terms of this DPA.
    4.4. Impact Assessment.
    4.4.1. Disclosure. Where requested to do so, Services Provider shall disclose the information reasonably required by Feedzai to demonstrate compliance with the applicable Data Protection Laws without undue delay but no later than within 5 days after the request.
    4.4.2. Mitigation actions. Services Provider shall assist Feedzai to carry out a privacy impact assessment of the Services and work with Feedzai to implement agreed mitigation actions to address privacy risks identified.
  5. Data Subject Rights.
    5.1. Data Subject Requests.
    5.1.1. Notification. Services Provider shall notify Feedzai if it receives a request from a Data Subject to exercise any of the Data Subject’s rights, such as the right of access, to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or the right not to be subject to an automated individual decision making (“Data Subject Request”) without undue delay but no later than within 5 days from such request.
    5.1.2. Processor’s Data Subject Assistance. Considering the nature of the Processing, Services Provider shall assist Feedzai by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Feedzai’s obligation to respond to a Data Subject Request under Data Protection Laws. In addition, if Feedzai does not have the ability to address a Data Subject Request, the Services Provider shall upon Feedzai’s request provide all the necessary assistance to Feedzai in responding to such Data Subject Request without undue delay but no later than within 5 days after Feedzai request.
    5.2. Data Deletion.
    Unless otherwise stipulated by the applicable Data Protection Laws, the Services Agreement or this DPA, notwithstanding any failure of Feedzai to provide written instructions, Services Provider shall and shall procure that the Subprocessors shall delete or destroy all Personal Data stored, collected or Processed on behalf of Feedzai, upon termination of the Services Agreement.  Following expiry or termination of the Services Agreement, and at any other time upon Feedzai’s written request, the Services Provider shall and shall procure that all Subprocessors shall immediately and permanently delete all electronic copies of the Personal Data from its/their computer systems (including without limitation servers, hardware and mobile devices) and from digital media in its/their possession or control; and in respect of hard copies of the Personal Data, securely destroy all originals and copies of Personal Data in its, or its Subprocessors, possession, custody, or control. Upon Feedzai’s request, the Services Provider shall provide a certification confirming that all Personal Data Processed under the Services Agreement has been securely destroyed.
    5.3.Consent for Marketing Purposes (if applicable).
    If the Services under the applicable Services Agreement involve the generation of leads in which the Services Provider makes the direct contact with the data subject, Services Provider warrants and represents that is responsible for collecting the necessary consent from each data subject whose Personal Data the Services Provider provides Feedzai so that Feedzai and its Partners may lawfully send direct marketing.
  6. Data Transfers.
    6.1.     Restricted Transfers. The Services Provider agrees that no Personal Data Processed on behalf of Feedzai shall be Processed by any Subprocessor outside the EU/EEA without Feedzai’s previous written consent and otherwise than in accordance with adequate transfer mechanisms, namely the Standard Contractual Clauses.
    6.2. Standard Contractual Clauses. The Parties hereby enter into the Standard Contractual Clauses (Exhibit B) in respect of any Restricted Transfers from Feedzai to the Services Provider. The Standard Contractual Clauses shall come into effect on commencement of the relevant Restricted Transfers.
  7. Subprocessors.
    7.1.     Subprocessor Engagement. The present clause applies whenever the Services Provider engages a Subprocessor for Processing Personal Data pursuant to this DPA. Services Provider must choose Subprocessors that provide sufficient guarantees in respect of the technical security measures and organizational measures governing the Processing. The Subprocessors engaged must ensure compliance with the requirements and/or obligations foreseen in the Data Protection Laws and this DPA. Before the Subprocessor first Processes Personal Data on behalf of Feedzai, Services Provider must carry out due diligence to ensure that the Subprocessor is capable of providing the level of protection for Personal Data required by this DPA and Data Protection Laws.
    7.2. Requirements for Subprocessor Engagement. With respect to each Subprocessor, the Services Provider shall ensure that the arrangement between the Services Provider and any prospective Subprocessor is governed by a written contract including terms which offer at least the same level of protection for the Personal Data as those set out in this DPA, and that the Subprocessors act in accordance with Feedzai’s instructions. Services Provider shall notify and keep Feedzai updated regarding the names of its Subprocessors Processing the Personal Data of Feedzai.
    7.3. Cooperation. Services Provider shall procure that the Subprocessors shall promptly provide to Feedzai with necessary assistance and all the information in Subprocessor’s possession or control in relation to the Processing of the Personal Data under this DPA as may reasonably be required for Feedzai to assess whether the Processing of the Personal Data is in accordance with this DPA.
    7.4. Control of Subprocessors. Services Provider shall conduct periodic audits to the Subprocessors appointed that shall be documented and made available to Feedzai also upon request.
    7.5. Opportunity to Object to Subprocessor. For security reasons, Feedzai will have the opportunity to object to any Subprocessor identified. If the Services Provider has chosen an unsuitable Subprocessor, that causes Feedzai to terminate this DPA as well as the applicable Services Agreement, then Feedzai is entitled to be indemnified for any damages caused, as referred to in section 8 (“Liability”). In addition, where a Subprocessor fails to fulfill its data protection obligations, Services Provider will remain liable to Feedzai for the performance of such Subprocessor’s obligations.
  8. Liability.
    Services Provider will indemnify and keep indemnified Feedzai against all and any loss, liability, damage and expenses (including reasonable legal fees) incurred by it as a result of any breach by Services Provider of its obligations under this DPA. Nothing contained herein shall be considered as prohibiting or limiting Feedzai from pursuing any other remedies available to it.
  9. Costs.
     Services Provider shall not charge any additional costs in order to comply with its cooperation duties set forth in this DPA. For the avoidance of doubt, the actions referred on section 4.4. shall be undertaken at the expenses of the Services Provider, without prejudice to Feedzai seek any legal remedy as a result of the Data Incident. In addition, Services Provider shall reimburse Feedzai of all costs, losses and expenses related to the management of a Data Incident.
  10. Data Enricher (if applicable).
    10.1.     Scope. For the avoidance of any doubts, the present clause applies exclusively to cases in which the Services Provider is a Data Enricher engaged to provide data enrichment services in accordance with the Services Agreement. A Data Enricher means the Services Provider that provides data enrichment services by managing databases, updating outdated data as well as by enriching incomplete and inaccurate data. For that purpose, Feedzai shares its Personal Data with the Services Provider and the Services Provider shares Personal Data with Feedzai or provides access to that data.
    10.2. Services Provider Personal Data. The parties acknowledge and agree that, with regard to all Personal Data held within Services Provider’s databases that are accessible to or shared with Feedzai through use of the enrichment services, Services Provider is a separate Controller, instead of a Processor. Services Provider’s purpose and means of Processing are independent from Feedzai’s (or any of its Affiliates) Processing of the same Personal Data. The Services Provider is independently responsible for compliance with the applicable Data Protection Laws, namely responsible for identifying a lawful basis of Processing, for complying with all necessary transparency and lawfulness obligations for the collection, Processing and use of the Personal Data as well as responding to data subjects’ requests to exercise their rights.
    10.3. Feedzai’s Personal Data. In turn, with regard to the Processing of Personal Data belonging to or provided by Feedzai to the Services Provider, Feedzai is the Controller and the Services Provider is the Processor and the Processing activities remain subject to all the provisions of this DPA, with the exception of clause 10.2.
  11. Notices.
    Unless otherwise provided herein, any notice, consent, approval, or other communication under this DPA (“Notices”) must be in writing and will be delivered by email to [email protected] or to the email address of the Services Provider provided by the Services Provider by any means. Both parties are solely responsible for ensuring that the Notification Email Address is current and valid. Notices shall be written in the English language.
  12. Precedence.
    To the extent of any conflict or inconsistency between the terms of this DPA and the Services Agreement, the terms of this DPA will prevail.
  13.  Severability.
    If for any reason a court of competent jurisdiction finds any provision of this DPA (including Addendas or Annexes if applicable), or portion thereof, to be unenforceable, that provision of the agreement will be enforced to the maximum extent permissible so as to affect the intent of the Parties, and the remainder of this DPA or of the provision will continue in full force and effect, except to the extent such invalid provision or part of provision relates to essential aspects of this DPA. The parties agree that such provision or portion thereof shall be substituted by a provision with an equivalent legal and economic effect.
  14. Governing Law and Jurisdiction.
    The table below identifies the exclusive jurisdiction and venue for any claim or action arising under or related to this DPA and the law that governs this DPA without regard to any national conflicts of law provisions and without regard to the United Nations Convention on the International Sale of Goods:

Company’s Country or Territory

Governing Law

Jurisdiction / Venue

United States, Canada or Mexico

Laws of the State of New York and the USA

The Courts of New York, USA

APAC, except Oceania

Laws of Singapore

Arbitration in accordance with the Arbitration Rules of the Singapore International Arbitration Centre (“SIAC Rules”) by one arbitrator qualified in Singapore Law. The language of the arbitration shall be English and the place of the arbitration shall be in Singapore.

Oceania

Laws of New South Wales

The Courts of New South Wales, Australia

All other countries or territories

Laws of Portugal

The Courts of Lisbon, Portugal

Exhibit A

Subject Matter and Details of Data Processing

Subject Matter

Provision of the Services and related support by the Services Provider to Feedzai.

Nature and Purpose of the Processing

Services Provider will process Personal Data submitted, stored, sent or received by Feedzai via the Services for the purposes of providing the Services and related technical support to Feedzai in accordance with the Services Agreement, this DPA and any additional instructions provided by Feedzai.

Categories of Data

Feedzai may submit Personal Data to the Services Provider, the extent of which is determined and controlled by Feedzai in its sole discretion, and which may include, as applicable, but is not limited to the following categories of Personal Data:

  • Identification data (name).
  • Contact details (such as postal address, phone number and e-mail).
  • Professional data (such as job title and name of the company).
  • Contract data (information regarding the Feedzai customer’s order).
  • Usage data (such as data about the customer’s device and how such device interact with Feedzai and Feedzai’s services).
  • Location data (such as location derived from the IP address or data that indicates where that Feedzai or Feedzai customers’ is located with less precision, such as at a city or postal code level).
  • Content data (such as the content of Feedzai and Feedzai’s customers files and communications).
  • Credentials (such as passwords, account login, passwords hints and similar security information used for authentication).
Data Subjects

Personal data submitted, stored, sent or received via the Services may concern one or more of the following categories of data subjects:

  • End users of Controller’s platform authorized by Controller to use the Services (who are natural persons).
  • Employees, agents, advisors, contractors of Controller (who are natural persons).
  • Employees or representatives of Controller’s customers, business partners and services providers (who are natural persons).
  • Customers, business partners and services providers of Controller (who are natural persons).
  • Any other person who transmits data via the Services, including individuals collaborating and communicating with End Users.

Exhibit B

Standard Contractual Clauses (Controller-Processor)

In case FEEDZAI is an EU/EEA entity (or otherwise subject to the GDPR) and the processor an entity outside the EU/EEA the model of SCC Clauses (standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council) found in https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en

UK SCCs: https://ico.org.uk/media/for-organisations/documents/2620100/uk-sccs-c-p-202107.docx

 

Exhibit C

Security Schedule

Definitions 

“Feedzai Data” means any data or information in any form or medium provided by or on behalf of Feedzai to the Supplier or which the Supplier is required to process as part of the Services under the Agreement including without limitation any Personal Data.

“Good Industry Practice” means in relation to any undertaking and any circumstances, the exercise of that degree of professionalism, skill, diligence, prudence and foresight which would reasonably and ordinarily be expected from a skilled and experienced person or an internationally recognised company engaged in the same type of activity under the same or similar circumstance.

“Malware” shall mean any software, computer program, code or programming instructions intentionally constructed with the ability to damage, adversely alter, adversely interfere with or otherwise adversely affect, computer programs, data files, equipment, software or operation of computer systems, including the Bank Systems or Supplier Systems, or any other computer program code typically designated to be a ‘virus’, ‘worm’, ‘trojan,’, ’ransomware’, ‘time or logic bomb’, ‘disabling code’, ‘authorisation key’, ‘license control utility’ or ‘software lock’ or ‘routine key-logger’, ‘sniffer’, ‘backdoor’ or similar.

“Security Incident” means an operational, security or cyber incident as a result of an event, or series of unplanned linked events, that have or are likely to have an adverse impact on the integrity, availability, confidentiality and/or authenticity of: (i) the Services being provided to Feedzai; or (ii) Feedzai Data, including Data Incidents.

“Sub-Contractor” means those persons, or organizations, to whom the Supplier, pursuant to the provisions of this Agreement, is permitted to sub-contract some or all of its activities under this Agreement.

Documented Instructions and Technical and Organizational Measures

The Supplier shall implement appropriate technical and organizational measures to ensure a level of security adequate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of the data subjects. These measures shall ensure full compliance with Article 32 of the GDPR. Following is a description of some of the core technical and organizational security measures implemented by the Supplier as of the date of signature.

  1.     General Security Procedures
    1.1 Supplier shall be responsible for establishing and maintaining an information security program that is designed to: (i) protect the security and confidentiality of Feedzai Data; (ii) protect against anticipated threats or hazards to the security or integrity of the Feedzai Data; (iii) protect against unauthorized access to or use of the Feedzai Data; (iv) ensure the proper disposal of Feedzai Data, as further defined herein; and, (v) ensure that all employees and Sub-Contractors of Supplier, if any, comply with all of the foregoing. Supplier shall designate an individual to be responsible for the information security program. Such individuals shall respond to Feedzai inquiries regarding computer security and to be responsible for notifying Feedzai-designated contact(s) if a breach or an incident occurs, as further described herein.1.2 Supplier shall maintain and enforce security policies, standards and processes designed to secure Feedzai Data and other data to which Supplier is provided access, and update such policies, standards and processes from time to time consistent with industry standards.
    1.3 Supplier shall provide formal privacy and security awareness training for all personnel and contractors, in line with Good Industry Practices, as soon as reasonably practicable after the time of hiring and prior to being appointed to work on Feedzai Data and annually recertified thereafter. Documentation of security awareness training shall be retained by Supplier, confirming that this training and subsequent annual recertification process have been completed.
    1.4 Supplier shall conduct employee screening checks for all employees and contractors as soon as reasonably practicable after the time of hiring and prior to being appointed or granted access to work on Feedzai Data. These shall be performed within the limits of the local laws, regulations and ethics and shall be proportional to the business requirement.
    1.5 Feedzai shall have the right to review an overview of Supplier’s information security program prior to the commencement of Service and annually thereafter upon Feedzai request.
    1.6 Supplier shall not transmit any unencrypted Feedzai Data over the internet or any unsecured network, and shall not store any Feedzai Data on any mobile computing device, such as a laptop computer, USB drive or portable data device, except where there is a business necessity and then only if the mobile computing device is protected by industry-standard encryption software. Supplier shall encrypt Feedzai Data in transit into and out of the Services over public networks using industry standard protocols.
    1.7 Supplier may be required to obtain and maintain the following compliance standards and reporting documents prior to, or during the provision of Services: (i) ISO/IEC 27001; (ii) PCI DSS (Payment Card Industry Data Security Standard); and (ii) SOC 2 Type II.
    1.8 The Supplier shall ensure that its Sub-Contractors comply with standards no less rigorous than those set out in the Agreement and shall: (i) document and maintain details of the security and cyber resilience arrangements of any Sub-Contractor used in the performance of the Supplier’s obligations in providing the Services; and (ii) promptly disclose (unless it evidences to Feedzai that its subject to a confidentiality undertaking) such documentation as Feedzai may request regarding its Sub-Contractors security arrangements including up to date penetration testing reports.
    1.9 Prior to the provision of Services to Feedzai, the Supplier will provide Feedzai with written notice detailing all of the Sub-Contractors it proposes to use in the provision of the Services. Supplier will notify Feedzai in writing at least thirty (30) days in advance regarding (i) a proposed addition or removal of a Sub-Contractor; or (ii) any changes to the information provided in the Sub-Contractor List. Feedzai will evaluate proposed new Sub-Contractors and notify Supplier of any objections. Supplier will not allow such Sub-Contractor to access any Feedzai Data until the objection is resolved.
  2.     Network and Communications Security
    2.1 All Supplier connectivity to Feedzai computing systems and/or networks and all attempts at the same shall be only through Feedzai’s security gateways/firewalls and only through Feedzai-approved security procedures.
    2.2 Supplier shall not access, and will not permit unauthorized persons or entities to access Feedzai computing systems and/or networks without Feedzai’s express written authorization and any such actual or attempted access shall be consistent with any such authorization.
    2.3 Supplier shall take appropriate measures to ensure that Supplier’s systems connecting to Feedzai’s systems and anything provided to Feedzai through such systems does not contain any computer code, programs, mechanisms or programming devices designed to, or that would enable, the disruption, modification, deletion, damage, deactivation, disabling, harm or otherwise be an impediment, in any manner, to the operation of Feedzai’s systems.
    2.4 Supplier shall maintain technical and organizational measures for data protection in line with Good Industry Practice including: (i) firewalls and threat detections systems to identify malicious connection attempts, to block spam, viruses and unauthorized intrusion; (ii) physical networking technology designed to resist attacks by malicious users or malicious code; (iii) encrypted data in transit over public networks using industry standard protocols; and (iv) segregation of networks to prevent the exposure of Feedzai data and to limit the impact in the event of a compromise.
  3. Feedzai Data Handling Procedures
    3.1 Disposal of Feedzai Data on paper shall be done in a secure manner, to include shredders or secure shredding bins within the Supplier’s premises from which Feedzai Data is handled or accessed (“Feedzai Work Area”). Shredding must take place within the Feedzai Work Area before disposal or transit outside of the Feedzai Work Area or be performed offsite by a reputable third party under contract with Supplier.
    3.2 All electronic storage media containing Feedzai Data must be wiped or degaussed for physical destruction or disposal, in a manner meeting forensic industry standards such as the NIST SP 800-88 Guidelines for Media Sanitization, prior to departing Feedzai Work Area(s). Supplier shall maintain commercially reasonable documented evidence of data erasure and destruction for infrastructure level resources. This evidence must be available for review at the request of the Feedzai.
    3.3 Supplier shall maintain authorization and authentication technologies and processes to ensure that only authorized persons access Feedzai Data, including: (i) granting access rights on the basis of the need-to-know and least privilege principles; (ii) reviewing and maintaining records of employees who have been authorized or who can grant, alter or cancel authorized access to systems; (iii) requiring personalized, individual access accounts to use passwords that meet complexity, length and duration requirements; (iv) storing passwords in a manner that makes them undecipherable if used incorrectly or recovered in isolation; (v) encrypting, logging and auditing all access sessions to systems containing Feedzai Data; (vi) instructing employees on safe administration methods when computers may be unattended such as use of password protected screen savers and session time limits; (vii) reviewing and recertifying access for all users and applications or systems supporting the Services on a quarterly basis. The Supplier must provide recertification information to Feedzai on request or at least annually; and (viii) ensuring that segregation of duties is in place and preventing any toxic combination of roles.
    3.4 Supplier shall maintain logical controls to segregate Feedzai Data from other data, including the data of other customers.
    3.5 Supplier shall maintain measures to provide for separate processing of data for different purposes including: (i) provisioning Feedzai within its own application-level security domain, which creates logical separation and isolation of security principles between customers; and (ii) isolating test or development environments from live or production environments.
  4. Physical Security
    4.1 All backup and archival media containing Feedzai Data must be contained in secure, environmentally controlled storage areas owned, operated, or contracted for by Supplier. All backup and archival media containing Feedzai Data must be encrypted.
    4.2 Technical and organizational measures to control access to data center premises and facilities which contain Feedzai Data are in place and include: (i) staffed reception desks or security officers to restrict access to identified, authorized individuals; (ii) visitor screening on arrival to verify identity; (iii) all access doors, including equipment cages, secured with automatic door locking systems with access control systems that record and retain access histories; (iv) monitoring and recording of all areas using CCTV digital camera coverage, motion detecting alarm systems and detailed surveillance and audit logs; (v) intruder alarms present on all external emergency doors with one-way internal exit doors; and (vi) segregation of shipping and receiving areas with equipment checks upon arrival.
    4.3 Supplier shall maintain measures to protect against accidental destruction or loss of Feedzai Data including: (i) fire detection and suppression, including a multi-zoned, dry-pipe, double-interlock, pre-action fire suppression system and a Very Early Smoke Detection and Alarm (VESDA); (ii) redundant on-site electricity generators with adequate supply of generator fuel and contracts with multiple fuel providers; (iii) heating, ventilation, and air conditioning (HVAC) systems that provide stable airflow, temperature and humidity, with minimum N+1 redundancy for all major equipment and N+2 redundancy for chillers and thermal energy storage; and (iv) physical systems used for the storage and transport of data utilizing fault tolerant designs with multiple levels of redundancy.
    4.4 Supplier shall regularly review physical access rights ensuring that they are immediately revoked when no longer required. The Supplier shall have a process to remove physical access to their premises for any Supplier Employees or Sub-Contractors who have left their employment. Supplier and its Sub-Contractors shall have robust visitor management processes in place to ensure all visitors are logged and supervised. Visitor logs shall be retained for at least 3 months.
  5. Devices
    5.1 For devices and applications used in the provision of the Services, the Supplier must: (i) define an acceptable usage policy aligned to Good Industry Practice; (ii) implement geo-location monitoring for connecting devices and all unexpected alerts must be reviewed promptly; (iii) define and implement security configurations for all managed devices that reflect Good Industry Practice (iv) ensure that that Feedzai Data will not be compromised through the loss, theft or use of devices used to store and access Feedzai Data; (v) ensure that all devices used to access Feedzai Data, services (or systems that could impact the security of Feedzai Data or services) verify the identity of the user prior to use; (vi) ensure that managed devices are secure through the installation of regular security updates for all applications and security products; (vii) ensure that all software installed on devices used in the provision of services to Feedzai must be taken from a trusted source; (viii) implement processes for identifying vulnerabilities within managed devices and applications to ensure they are reported, assessed and remediated in timescales appropriate to the level of risk; (ix) ensure that devices are only able to connect to networks which are deemed to be secure or, where the risk is unknown, suitable controls must be implemented to prevent the compromise of devices and connections; (x) ensure that devices used to store Feedzai Data are securely wiped or destroyed when a device is re-provisioned, repurposed, lost or retired; (xi) ensure that no new software, tools or equipment is installed on systems that could materially impact the Services without the Feedzai’s prior written approval; and (xii) ensure devices are adequate and have the minimum specifications to support the provisioning of the Services.
    5.2 Supplier must ensure that all assets have controls in place to mitigate the threat of Malware or other forms of malicious code. The Supplier must ensure that: (a) all assets considered vulnerable to Malware or for which a specific threat exists must have anti-Malware controls in place; (b) anti-Malware controls are managed in such a way that allows for their verification and to remain updated; (c) anti-Malware controls local to an in scope asset must integrate with further controls used for management and communication; (d) where anti-Malware scanning is not capable of producing a definitive answer, additional controls must be implemented to determine safe handling; (e) the capability to both detect and identify Malware must be used, with detected Malware deleted and suspected Malware quarantined within a safe environment for further investigation; and (f) ingress and egress paths to assets must be protected against Malware, including but not limited to, any email, web and file transfer paths.
    5.3 Supplier must ensure that access to the internet or other non-managed networks is monitored and controlled to protect both assets and users from malicious and inappropriate activities.
    5.4 Supplier must ensure that all technology is implemented, maintained and managed in a manner that ensures security updates and patches can be applied.
  6. Security Testing
    6.1 During the performance of services under the Agreement, the Supplier shall engage, at its own expense and at least one time per year, a third-party vendor (“Testing Company”) that follows Good Industry Practice to perform penetration and vulnerability testing with respect to Supplier’s systems processing and/or storing Feedzai Data.
    6.2 Security testing activities carried out in accordance with this Agreement shall be to identify design and/or functionality weaknesses in Supplier’s systems processing and/or storing Feedzai Data, which could expose such systems and the data therein to risks from malicious activities. At a minimum, the following security vulnerabilities should be tested: invalidated or un-sanitized input; broken or excessive access controls; broken authentication and session management; cross-site scripting (XSS) flaws; buffer overflows; injection flaws; improper error handling; insecure storage; common denial of service vulnerabilities; insecure or inconsistent configuration management; improper use of SSL/TLS; proper use of encryption; and anti-virus reliability and testing.6.3 Supplier shall provide Feedzai, upon request, an executive summary report of such any tests carried out, including a description of any significant risks identified and an overview of the remediation effort(s) undertaken to address such risks, and attest to Feedzai the date of the most recent security and vulnerability assessment.6.4 On the occurrence of a critical security issue being identified during a particular penetration or vulnerability testing activity, the Supplier shall subsequently engage, at its own expense, the Testing Company to perform additional testing and provide assurance on the resolution of identified security issues. Results thereof shall be made available to Feedzai upon request.6.5 Feedzai will have the right to carry out security penetration and vulnerability testing itself in order to assess the effectiveness of the Supplier’s cyber and information technology security measures if: (i) Supplier fails to have security penetration and vulnerability testing carried out in accordance with this Agreement; and (ii) Feedzai has notified the Supplier of this failure and such failure has not been remediated within 15 days.
  7. Security Audits
    7.1 In addition to the information contained in this Schedule, the Agreement, and in clause 4.2 of the DPA, the Supplier shall, and shall procure that any Sub-Contractor on request, make available to Feedzai information necessary to demonstrate compliance with this Schedule.7.2 Feedzai reserves the right to inspect the Supplier premises and any aspect of the security arrangements and processes relating to the Supplier’s and/or its Sub-Contractors’ provision of the Services (including the Supplier’s and/or its Sub-Contractors’ security environment, arrangements, policies, training arrangements for staff and processes used in the performance of the Services) (“Security Audits”) once in each 12 month period during the term of the Agreement. Where the Supplier has performed independent reviews of Sub-Contractors and is able to share these findings, these will be taken into consideration during the Security Audit.7.3 Feedzai shall also have the right to conduct additional Security Audits in the following circumstances: (a) if Feedzai considers it necessary to do so as a result of changes to the Services and where deemed necessary to satisfy Applicable Law or local or national regulation; (b) if following an actual or potential Security Incident it becomes aware of any actual or potential threat; (c) if a Security Audit reveals a deficiency related to the Supplier or any Sub-Contractor; and (d) if Feedzai acting reasonably believes that the Supplier has failed to provide the Services in accordance with the security measures and obligations imposed on the Supplier under this Security Schedule and the Agreement.7.4 During a Security Audit the Supplier shall make available to Feedzai, at the request of Feedzai, access to any Supplier computer systems where Feedzai Data is hosted and access to any Supplier employees to assist in any Security Audit and the Supplier will cooperate fully with any investigation relating to their operations.7.5 Supplier shall procure that any Sub-Contractor allows Feedzai to perform any audits in relation to the provision of the Services to Feedzai, which might include access to its premises by Feedzai or an auditor mandated for this purpose. Feedzai shall give the Supplier reasonable notice of any audit or inspection to be conducted under this Section and ensure that each of its mandated auditors use its best efforts to avoid causing any damage, injury or disruption to the Supplier premises, equipment, Personnel, data, and business while its Personnel and/or its auditor’s Personnel (if applicable) are on those premises in the course of any on-premise inspection.
  8. Anonymisation and Pseudonymisation of Personal Data
    8.1 When possible, the Supplier should ensure that data is anonymised or pseudonymised before data processing operations.
    8.2 When pseudonymising data, the key for reverting the process should be protected and stored in an adequate manner and according to industry standards.
    8.3 Anonymisation should be preferred to pseudonymisation.
    8.4 The Supplier should guarantee the anonymisation is not reversible, in accordance with the technological state of the art.
  9. Incident Management and Reporting
    9.1 The Supplier and, where appropriate, its Sub-Contractors shall, during the provision of the Services, maintain effective incident management processes and procedures that allow identifying any events resulting in the apparent or actual theft or loss, or the unauthorized use, alteration or disclosure of any Feedzai data and that may, therefore, constitute a Security Incident or Data Incident.
    9.2 On the occurrence of a Security Incident or Data Incident, the Supplier shall immediately commence all reasonable efforts to investigate and correct the causes and remediate the results thereof, and within 1 (one) hour following confirmation of any such event, provide Feedzai notice thereof, and such further information and assistance as may be reasonably requested.
    9.3 Where and in so far as it is not possible to provide all the relevant information, the Supplier shall remain responsible to provide updated information of any remediation actions or mitigation steps taken in follow-up of the Security Incident or Data Incident, and provide reasonable assurance of resolution of discovered issues.
    9.4 The Supplier may not release or publish, or by any means disclose, any filing, communication, notice, press conference or report concerning any Security Incident or Data Incident without Feedzai´s prior authorization.
    9.5 Supplier shall take all steps necessary to prevent a similar Security Incident occurring in the future, where appropriate, supporting Feedzai’s recovery process via all reasonable means (whether the Security Incident relates to data or financial loss).
    9.6 Supplier shall provide relevant findings from any internal investigations or root cause investigations, or take all reasonable steps necessary to provide any assistance to any investigation that Feedzai or a third party (appointed by Feedzai) requires.
  10. Other Technical and Organizational Measures
    10.1 A Data Protection Officer should be appointed when the applicable legislation or good practices requires it.
    10.2     When available for the Supplier’s industry, the Supplier should acquire/adhere to Codes of Conduct and/or independent Certification regarding the processing of Personal Data and in accordance with the GDPR.
    10.3 The Supplier should keep itself updated of any developments to legislation, case-law or opinions from supervisory authorities regarding subjects that are relevant for the provision of services and inform the Feedzai if it considers that any of the above may have an impact on the services the Supplier provides.