DATA PROCESSING ADDENDUM
This Data Processing Addendum (the “DPA”) is incorporated by reference into the Agreement and all related orders between Subscriber and Signifyd, Inc. (the “Agreement”). This DPA is entered into and effective as of the effective date of the Agreement (the “Effective Date”). In the event of a conflict between this Addendum and the Agreement, this DPA controls. The terms used in this DPA have the meaning set forth in this DPA. Capitalized terms not defined herein have the meaning given to them in the Agreement.
- SCOPE. For the purposes of this Data Processing Agreement (DPA), Signifyd may be considered a Data Processor for Subscriber Personal Data processed with respect to Subscriber End Users resident in the U.S., or a Data Controller for Subscriber Personal Data processed with respect to Subscriber End Users resident outside of the U.S. The nature and scope of the Processing activities are as set forth in the Agreement and detailed in Appendix 1. The parties shall comply with all applicable Data Protection Laws.
- REGION-SPECIFIC TERMS. To the extent that Signifyd Processes Subscriber Personal Data protected by Data Protection Laws in one of the regions listed in Exhibit A (Region-Specific Terms), then the terms specified therein with respect to the applicable jurisdiction(s) will apply in addition to the terms of this DPA, and in the event of a conflict, the Region-Specific Terms will govern.
- SUBPROCESSORS / VENDORS
- Subscriber acknowledges and agrees that Signifyd may use Signifyd affiliates and vendors to Process Subscriber Personal Data in accordance with the provisions in this DPA and applicable Data Protection Laws. Where Signifyd serves as a Data Processor, such vendors are considered “Subprocessors” under applicable Data Protection Laws. Where Signifyd sub-contracts any of its rights or obligations concerning Subscriber Personal Data, including to any affiliate or vendor, Signifyd will take steps to select and retain vendors that are capable of maintaining appropriate privacy and security measures to protect Subscriber Personal Data consistent with applicable Data Protection Laws and that are subject to data protection obligations similar to those in this DPA.
- Signifyd’s current list of vendors and affiliates is provided in Appendix 2 hereto, and Subscriber hereby consents to Signifyd’s use of such vendors. Except for exigent circumstances, for which Signifyd shall provide notice as soon as commercially reasonable, Signifyd shall inform Subscriber at least fifteen (15) business days prior to adding any new vendors to the list, during which Subscriber will have 10 days to make a commercially reasonable objection to the new vendor. In the event that the Subscriber is unable to agree to the use of any such Subprocessors, representatives of both parties shall meet in good faith to attempt to reach an agreement on use of the objected vendor(s).
- RETURN OR DESTRUCTION OF PERSONAL DATA. When the Agreement terminates or when Signifyd ceases to process Subscriber Personal Data, Signifyd shall delete data in accordance with the terms set forth in the Agreement, unless Signifyd is required or authorized by applicable Data Protection Law to store Subscriber Personal Data for a longer period.
- DATA SECURITY
- Security Measures. Signifyd will implement appropriate administrative, technical, physical, and organizational measures to protect Subscriber Personal Data, as set forth in Annex II.
- Security Incident. Unless prohibited from doing so by applicable law, Signifyd will promptly (and, in any case, within the time period required by applicable law) notify Subscriber of a Security Incident that is subject to a data breach notification law. In the event of a Security Incident, Signifyd will investigate the Security Incident and take commercially reasonable measures to contain and mitigate the Security Incident in a timely manner, and each party will reasonably assist the other party in complying with the applicable legal requirements resulting from such Security Incident. The notification described in the first sentence in this Section shall include a description of the Security Incident and (to the extent available) the affected Subscriber Personal Data, and such other details as Subscriber may reasonably request or that Signifyd is required to provide under applicable Data Protection Laws. Signifyd will provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Subscriber. Unless required by law applicable to Signifyd, Signifyd will not notify any individual or any third party other than a governmental entity of any potential Security Incident involving Subscriber Personal Data, in any manner that is reasonably likely to identify Subscriber, without first obtaining written permission of Subscriber.
- Audits. Upon request, Signifyd will provide to Subscriber each year an opinion or an applicable report provided by an accredited, third-party audit firm (each such report, a “Report”). If a Report does not provide, in Subscriber’s reasonable judgment, sufficient information to confirm Signifyd’s compliance with the terms of this DPA, then Subscriber or an accredited third-party audit firm agreed to by both Subscriber and Signifyd may audit Signifyd’s compliance with the terms of this DPA during regular business hours, with reasonable advance notice to Signifyd, subject to reasonable confidentiality procedures and obligations, and taking all reasonable measures to prevent unnecessary disruption to Signifyd’s operations. Subscriber is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Signifyd expends for any such audit, in addition to the rates for services performed by Signifyd. Before the commencement of any such audit, Subscriber and Signifyd shall mutually agree upon the scope, timing, and duration of the audit. Subscriber shall promptly notify Signifyd with information regarding any noncompliance discovered during the course of an audit. Subscriber may not audit Signifyd more than once annually.
- LIABILITY. The parties’ legal liability to each other in the event of a breach of this DPA shall be subject to the limitation of liability provisions in the Agreement.
- DEFINED TERMS.
- “Controller” means the entity which alone or jointly with others determines the purposes and the means of the Processing of Personal Data.
- “Data Protection Laws” means all applicable laws, regulations, and other legally binding requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable:
- The California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and any associated regulations and amendments, including, when effective, the California Privacy Rights Act amendments (“CCPA”);
- The General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”);
- The Swiss Federal Act on Data Protection (“FADP”);
- The United Kingdom Data Protection Act of 2018 (“UK GDPR”); and
- The Brazilian General Data Protection Law (Lei Geral de Proteção de Dados or “LGPD”).
- “Data Subject” means any natural person whose Personal Data is Processed in the context of this DPA.
- “EU Standard Contractual Clauses” or “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, completed as set forth in Section 4 below and available at: https://eur-lex.europa.eu/legalcontent/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN.
- “Europe” means the member states of the European Union (“EU”), Switzerland, the United Kingdom (“UK”), the European Economic Area (“EEA”), the European Free Trade Agreement, and Monaco.
- “Fraud Related Purposes” means the fraud identification, prevention, dispute and monitoring, and analyzing of data for the purpose of building, maintaining and improving Signifyd’s predictive models and fraud-related services, including through the use of LLM and similar technologies.
- “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by the relevant applicable Data Protection Laws in this DPA.
- “Processor,” “Service Provider” or “Contractor” means the entity which Processes Personal Data on behalf of a Controller or Business, or to which the Controller or Business makes available Personal Data for a business purpose, pursuant to a written contract containing terms prescribed by applicable Data Protection Laws.
- “Processing” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Security Incident” means any loss, misuse, unauthorized access, disclosure, alteration, or destruction of Personal Data in Signifyd’s possession, custody, or control that Signifyd processes on behalf of Subscriber in connection with an Order.
- “Subscriber Personal Data” means the Personal Data that is Processed by Signifyd in the context of the provision of the Services to Subscriber under the Agreement.
- “UK SCCs” means the International Data Transfer DPA to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-datatransfer-addendum.pdf).
EXHIBIT A
REGION SPECIFIC TERMS
For Subscriber Personal Data that is processed regarding Subscriber End Users residing in the U.S.:
- Role of the Parties and Nature of Processing
- For purposes of the CCPA and any Data Protection Laws within the United States, Signifyd shall Process the Subscriber Personal Data as a Contractor, Data Processor or Service Provider. To the extent Signifyd Processes Subscriber Personal Data as a Data Processor, Contractor or Service Provider, Signifyd will only Process such Subscriber Personal Data on Subscriber's behalf as a Data Controller or as otherwise permitted by applicable Data Protection Law, including the ability to Process Subscriber Personal Data for fraud prevention services pursuant to CCPA regulation Section 7050(a)(4).
- Annex I below sets out the details and nature of the Processing activities. The parties agree that Annex I fulfills any applicable obligation under U.S. Data Protection Laws to provide this information.
- The Parties Obligations when Subscriber is a Data Controller or Business and Signifyd is Acting as a Data Processor, Service Provider or Contractor.
- Subscriber hereby agrees to:
- only provide instructions to Signifyd that are lawful;
- comply with and perform its obligations under applicable Data Protection Law, including with regard to Data Subject rights, data security and confidentiality, ensuring an appropriate legal basis for the Processing of Subscriber Personal Data and provision of Subscriber Personal Data to Signifyd; and
- provide Data Subjects with all necessary information (including by means of offering a transparent and easily accessible public privacy notice) regarding Signifyd's and Subscriber's Processing of Subscriber Personal Data for the purposes described in the Agreement and this DPA.
- To the extent Signifyd is acting as a Data Processor, Service Provider or Contractor to Subscriber, Signifyd will:
- Process Subscriber Personal Data solely: (a) to fulfill its obligations to Subscriber under the Agreement, including this DPA; (b) on Subscriber’s behalf; and (c) in compliance with Data Protection Laws. Signifyd will not “sell” Subscriber Personal Data (as such term in quotation marks is defined in applicable Data Protection Laws), “share” or Process Subscriber Personal Data for purposes of “cross-context behavioral advertising” or “targeted advertising” (as such terms in quotation marks are defined in applicable Data Protection Laws), or otherwise Process Subscriber Personal Data for any purpose other than for the specific purposes set forth herein or outside of the direct business relationship with Subscriber.
- Not retain, use, or disclose Subscriber Personal Data for any purpose other than the business purpose(s) specified in the Agreement, unless expressly permitted by applicable Data Protection Laws.
- Not retain, use, or disclose Subscriber Personal Data outside of the direct business relationship between Signifyd and Subscriber, including not combining or updating Subscriber Personal Data in ways prohibited by a Service Provider or Contractor under the CCPA, unless expressly permitted by the CCPA.
- Not attempt to link, identify, or otherwise create a relationship between Subscriber Personal Data and non-Personal Data or any other data without the express authorization of Subscriber, unless expressly permitted by applicable Data Protection Laws.
- Ensure that the persons it authorizes to Process Subscriber Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Taking into account the nature of the processing, assist Subscriber by implementing appropriate technical and organizational measures, including but not limited to appropriate updates to software functionality or facilitation by support staff to ensure that Subscriber may respond to request(s) from Data Subjects exercising their rights under Data Protection Laws.
- To the extent applicable, promptly notify Subscriber of (a) any third-party or Data Subject complaints regarding the Processing of Subscriber Personal Data; or (b) any government or Data Subject requests for access to or information about Signifyd’s Processing of Subscriber Personal Data on Subscriber’s behalf, unless prohibited by applicable Data Protection Laws. Signifyd will provide Subscriber with reasonable cooperation and assistance in relation to any such request. If Signifyd is prohibited by applicable Data Protection Laws from disclosing the details of a government request to Subscriber, Signifyd shall inform Subscriber that it can no longer comply with Subscriber’s instructions under this DPA without providing more details and await Subscriber’s further instructions.
- Notify Subscriber if Signifyd determines that (a) it can no longer meet its obligations under Data Protection Laws; or (b) in Signifyd’s opinion, an instruction from Subscriber infringes Data Protection Laws.
- Provide reasonable assistance to and cooperation with Subscriber for Subscriber’s performance of a data protection impact assessment of Processing or proposed Processing of Subscriber Personal Data, when required by applicable Data Protection Laws, and at Subscriber’s reasonable expense.
- Provide reasonable assistance to and cooperation with Subscriber for Subscriber’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Subscriber Personal Data, including complying with any obligation applicable to Signifyd under Data Protection Laws to consult with a regulatory authority in relation to Signifyd’s Processing or proposed Processing of Subscriber Personal Data.
- Grant Subscriber the right to take reasonable and appropriate steps to (a) ensure that Signifyd uses Subscriber Personal Data in a manner consistent with Data Protection Laws, and (b) upon notice, stop and remediate unauthorized processing of Subscriber Personal Data.
- Certification. Signifyd certifies that it understands its obligations under this DPA and that it will comply with them.
For Subscriber Personal Data regarding Subscriber End Users residing in Europe, Latin America and otherwise outside the U.S.:
- Role of the Parties
- Outside the USA: For purposes of any applicable Data Protection Laws outside of the United States and as explicitly defined in Section 1.b.ii-v, Signifyd shall Process Subscriber Personal Data as a Data Controller.
- Signifyd shall Process the Subscriber Personal Data with the independent authority to determine the purposes and means of processing Subscriber Personal Data as set forth in this Agreement, in particular the Fraud Related Purposes.
- With respect to Subscriber Personal Data subject to applicable Data Protection Laws in Europe, each party is an independent Controller. In such situations, the parties acknowledge and confirm that neither party acts as a Processor on behalf of the other party, and that the Agreement does not create a joint-Controllership or a Controller-processor relationship between the parties.
- The GDPR, specifically in Recitals 47 and 71, recognizes the Fraud Related Purposes as legitimate interests that provide a legal basis for a controller to process personal data.
- When Signifyd is acting as a Data Controller, Subscriber is responsible for its own Processing activities, including customer relationship management with Data Subjects.
- The Parties' Obligations as Independent Controllers. In the event that the parties serve as independent Data Controllers under the Agreement, the parties agree as follows:
- Cooperation.
- Each party will reasonably cooperate with the other party to fulfill compliance obligations under applicable Data Protection Law and enter into any further privacy, confidentiality, or information security agreement reasonably requested by the other party for purposes of compliance with applicable Data Protection Law. In case of any conflict between the Agreement and any such further privacy, confidentiality, or information security agreement, such further agreement shall prevail with regard to the Processing of Subscriber Personal Data covered by it.
- The parties agree to reasonably cooperate with one another in responding to requests from relevant supervisory authorities and in responding to Data Subject requests related to the Processing of Subscriber Personal Data under the Agreement.
- International Data Transfers
- Signifyd will not engage in any cross-border Processing of Subscriber Personal Data, or transmit, directly or indirectly, any Subscriber Personal Data to any country outside of the country from which such Subscriber Personal Data was collected, without complying with applicable Data Protection Laws. Where Signifyd engages in an onward transfer of Subscriber Personal Data, Signifyd shall ensure that a lawful data transfer mechanism is in place prior to transferring Subscriber Personal Data from one country to another.
- The parties agree that if the Services involve data transactions to Countries of Concern or Covered Persons, then those data transactions shall be subject to the restrictions on onward transfers of bulk U.S. Sensitive Personal Data, as set forth in Section 202.302 of the Department of Justice Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (the “DOJ Rule”). All terms in this section have the definitions assigned to them under the DOJ Rule.
- Subscriber shall not, without prior written consent from Signifyd, transfer, disclose, or permit access to any bulk U.S. Sensitive Personal Data to: (a) any individual or entity located in a Country of Concern; (b) any Covered Person; or (c) any third party that intends to, or is likely to, transfer the data to a Country of Concern or a Covered Person.
- Subscriber agrees to implement compliance measures to prevent unauthorized transfers, including: (a) conducting thorough due diligence on all third parties to whom it transfers bulk U.S. Sensitive Personal Data; (b) ensuring that all third parties are contractually bound to comply with the restrictions outlined in this clause; and (c) regularly auditing data transfer practices to ensure adherence to this agreement.
- In the event of a suspected or actual breach of this clause, Subscriber shall: (a) immediately notify Signifyd in writing; (b) provide detailed information about the nature and scope of the breach; and (c) cooperate fully with Signifyd in investigating and mitigating the effects of the breach.
- With respect to Subscriber Personal Data transferred pursuant to applicable Data Protection Laws in Europe, and except as provided below in Sections 3.3 and 3.4, the parties agree that: (i) Module 1 of the EU SCCs applies to such transfers of Subscriber Personal Data; (ii) Clause 7 (the optional docking clause) is included; (iii) the optional language in Clause 11 (Redress) is not included; (iv) Under Clauses 17, 18, and 13(a), the parties choose the laws of Ireland, the courts of Ireland, and the relevant supervisory authorities in Ireland to govern the DPA for transfers; and (v) Annex I(A) and I(B) and Annex II are completed as set forth in Appendix 1 to this DPA.
- With respect to Subscriber Personal Data transferred from the United Kingdom for which UK data protection law governs the international nature of the transfer, the UK SCCs form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows: the parties’ details shall be the parties and their affiliates; the Key Contacts shall be the contacts set forth in the Agreement; the approved clauses referenced in Table 2 shall be the EU SCCs; the Annexes shall be completed as set forth in Appendices 1 and 2 below; and either Party may end this DPA as set out in Section 19 of the UK SCCs. For transfers of Subscriber Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in Section 3.2 of this DPA, but with the following differences to the extent required by the FADP: (i) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (ii) the term “member state” in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (iii) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
APPENDIX 1
Annex I
A. LIST OF PARTIES
Data exporter(s):
Subscriber, and Subscriber's details and signature shall be as provided in the Agreement.
Activities relevant to the data transferred under these Clauses: Collect consent and transfer Subscriber Personal Data for purposes of Signifyd providing Services under the Agreement.
Role (controller/processor): Controller
Data importer(s):
Name: Signifyd, Inc.
Address: 99 Almaden Blvd, 4th Floor, San Jose, CA 95113
Contact person’s name, position and contact details: Nisha Ramachandran, General Counsel / Data Protection Officer, [email protected], and the relevant signature is as provided in the DPA.
Activities relevant to the data transferred under these Clauses: Signifyd will process Subscriber Personal Data in accordance with the DPA and the agreement between Signifyd and Data Exporter that governs the Services. Processing may include collecting, storing, using, altering, and otherwise transferring Subscriber Personal Data as required to provide the Services, including but not limited to the Fraud Related Purposes.
Role (Controller/Processor):
- With respect only to Subscriber Personal Data regarding Data Subjects residing in the U.S.: Processor
- With respect only to Subscriber Personal Data regarding Data Subjects residing outside the U.S.: Controller
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
- Data Subjects
- Subscriber’s employees (to the extent that an employee is a business contact or creates an account on Signifyd’s platform)
Categories of personal data transferred
- Identifiers, such as: phone number, user ID, first name, last name, physical address, email address, zip/postal code, device ID, order ID, transaction ID, items purchased
- Payment and bank information, such as: transaction amount, payment method, last 4 digits of a payment card number, card BIN
- Internet or Network Activity, such as: login behaviour, behaviour transaction analyses, IP address
- Professional or Employment Related Data, such as: Subscriber’s employee contact information
- Inferences Drawn from other Personal Information
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
- Continuous basis per transactions reviewed, as per the Agreement.
Nature of the processing
- Signifyd is responsible for performing the Services to our customers as set forth in the Agreement, in particular the Fraud Related Purposes.
Purpose(s) of the data transfer and further processing
- N/A
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
- For the lesser of (i) five (5) years or (ii) such time that it no longer has material utility for Signifyd's Services.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
- Subprocessors will be subject to the same nature and purposes of Processing as set out in this DPA.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13: Irish Data Protection Authority
Annex II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
- Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:
Signifyd has implemented the following technical and organizational measures:
Audits and Certifications:
- SOC 2 Type II
- PCI DSS
- ISO 27001
Measures taken to protect the Confidentiality and Integrity of Subscriber and End User Information:
- Access to the production environment is limited to authorized employees based on job function and business need. Production infrastructure is segregated from the non-production environment and from public-facing infrastructure.
- A Defense in Depth control strategy is implemented which includes multiple layers of perimeter defense around core application and database servers including network and application firewalls, load balancers, logical access restrictions, and threat monitoring and logging utilities.
- Personal Data is encrypted at rest and when in transit over the public internet. In the event that data cannot be encrypted at rest due to business purposes, compensating controls, including access controls, are established.
- Information Security Program: A written Information Security Program is maintained that is designed to help secure Personal Data against accidental or unlawful loss, access, or disclosure, identify reasonably foreseeable and internal risks to security and unauthorized access, and minimize security risks.
- Network Security: Access controls and policies are maintained to manage access from each network connection and user. Firewalls or functionality equivalent technology and authentication controls are utilized. Corrective action and incident response plans are utilized to respond to potential security threats.
- Periodic Reviews: Reviews of the security of the network and Information Security program are conducted on a regular basis against industry security standards. Upgrades and additions to protective measures are added as warranted by these reviews.
Measures taken to provide Uptime and Availability to the Platform and Associated Services as Stated in Service Level Agreements:
- Business Continuity and Disaster Recovery processes are in place and plans are tested annually to ensure Business Continuity and Disaster Recovery capabilities.
- Signifyd’s production system is fault-tolerant, scalable, and highly available. Incoming traffic is load balanced across geographically dispersed availability zones.
- A robust backup process has been established for production databases and End User data.
Measures taken to ensure Quality, Accuracy, and Security of the Services and Data therein:
- All changes to the platform must follow a strict SDLC which includes testing and quality assurance of changes in a testing or staging environment prior to promotion to the production environment.
- Quarterly vulnerability scanning and annual web application penetration testing is completed to monitor the production platform for security vulnerabilities and misconfigurations.
- All public internet-facing systems are segregated from the production network through network segmentation, firewalling and/or logical access restrictions. User access to the solution is governed through an Application Program Interface which controls the type and formatting of all input and output from the system.
- User access reviews are performed periodically during the year. Any issues identified are documented and tracked to completion.
- All authentication and data transmission to the production environment takes place over secure transmission channels (i.e., IPSec, SSH, TLS).
Measures taken to ensure Security, Confidentiality, and Integrity of Data coming in Contact with Third Parties:
- Vendor agreements specify information security and confidentiality requirements for the vendor.
Measures taken to ensure Availability of the Platform and Data therein:
- Disaster Recovery and Business Continuity processes are in place, and production infrastructure is configured in a high availability configuration to minimize unexpected disruptions to service and access to the Services.
- Signifyd’s production system is fault-tolerant, scalable, and highly available. Incoming traffic is load balanced across geographically dispersed availability zones.
- A robust backup process has been established for production databases and customer data.
Measures taken by Subcontractors/Subprocessors:
- Information Security Program: A written Information Security Program is maintained that is designed to help secure Subscriber Personal Data against accidental or unlawful loss, access, or disclosure, identify reasonably foreseeable and internal risks to security and unauthorized access, and minimize security risks.
- Network Security: Access controls and policies are maintained to manage access from each network connection and user. Firewalls or functionality equivalent technology and authentication controls are utilized. Corrective action and incident response plans are utilized to respond to potential security threats.
- Physical Security:
- Access to data centers is restricted to employees with a legitimate business need. Once that access is no longer needed, access is revoked.
- Physical access controls such as barriers, electronic access validation, and validation by security personnel are utilized.
- Locking doors, video surveillance, and electronic intrusion detection systems are utilized throughout the facilities where the data is stored.
- Photo ID badges, sign-in logs, and employee escorts are required of all visitors.
- Periodic Reviews: Reviews of the security of the network and Information Security program are conducted on a regular basis against industry security standards. Upgrades and additions to protective measures are added as warranted by these reviews.
APPENDIX 2
Signifyd Subprocessors/Vendors
Subprocessors/Vendors that Signifyd uses for its Business Processing Operations (BPOs):
| Name of Subprocessor | Processing Activity | Location of Processing |
|---|---|---|
| Fidelity National Serviços EContact Center LTDA. | Transaction review and analysis services | Brazil |
| Qualfon Data Service Group, LLC | Transaction review and analysis services | Mexico |
| Alfa Business Outsourcing Philippines Inc., dba www.TasksEveryday.com | Transaction review and analysis services | Philippines |
| Webhelp Malaysia SDN | Transaction review and analysis services | Malaysia |
Subprocessors/Vendors that Signifyd uses for its main Services:
| Name of Subprocessor | Processing Activity | Location of Processing |
|---|---|---|
| Anthropic | AI/ML Services | United States |
| Amazon Web Services (AWS) | Cloud hosting provider | United States |
| Atlassian (JIRA) | Internal ticketing system | Ireland |
| Bigeye Data Observability | Monitoring and anomaly detection service | United States |
| Databricks | Data querying, testing and evaluating ML use cases | United States |
| Elastic Search | Search functionality | United States |
| Heap Analytics | Monitoring product usage | United States |
| Google Cloud Platform (GCP) | Cloud hosting provider | United States |
| Google Gemini | AI/ML Services | United States |
| Looker | Business intelligence and embedded analytics | United States |
| OpenAI | AI/ML Services | United States |
| PaloAlto Networks | Intrusion detection system | United States |
| Tray.io | Data source connector provider | United States |
| Salesforce | Subscriber relationship management and support | United States |
| Zendesk | Subscriber support and ticketing system | United States |