DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) is made and entered into by and between Pipeline360, Inc. (“Pipeline360”), a Delaware corporation and the Company specified below on behalf of which Pipeline360 is processing Personal Data in relation to the provision of services under the applicable Master Services Agreement or Media Sales and Delivery Agreement (the “Agreement”) agreed between and signed by both Parties. This DPA is incorporated into and forms part of the Agreement(s) between Pipeline360 and Company.
This DPA reflects the Parties’ agreement to the Processing of Personal Data in accordance with the requirements of the applicable Data Protection Legislation.
THIS DPA is made as of the Effective Date as of the date last signed between:
- Marketer and its Affiliates (either “Company” or “Controller”); and
- Pipeline360, whose principal place of business is at 2345 E Thomas Rd Ste 100 #955 Phoenix, AZ 85016 (Pipeline360).
DATA PROCESSING TERMS
- Definitions: All capitalized terms defined in this DPA will have the meanings given to them in this DPA. All capitalized terms not defined in this DPA will have the definitions provided in the Agreement or applicable Data Protection Legislation.
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with another entity through majority ownership.
- “Agreement” means this DPA and the agreement(s) between Pipeline360 and Company and includes any statements of work or orders entered pursuant thereto.
- “CCPA” means the California Consumer Protection Act of 2018 as amended including by the California Privacy Rights Act (1798.100-1798199) and all regulations adopted thereunder.
- “Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. “Controller” shall also encompass the term “business” as that term is used and described in the CCPA.
- “Data Breach” means a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
- “Data Exporter” means the Controller.
- “Data Importer” means Pipeline360.
- “Data Privacy Framework” (“DPF”) means the EU-U.S. DPF, the U.K. Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework self-certification programs operated by the U.S. Department of Commerce.
- “Data Privacy Principles” means the Data Privacy Framework principles (as supplemented by the Supplemental Principles).
- “Data Protection Law” means any and all data protection laws and regulations that apply to the Processing of Personal Data by Pipeline360 or Pipeline360’s Subprocessors under this DPA.
- “Data Subject” means an identified or identifiable natural person, household, or device; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- “EEA” means the European Economic Area.
- “EU SCCs” means Standard Contractual Clauses adopted by the Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (as updated from time to time if required by law).
- “GDPR” means, collectively, the EU General Data Protection Regulation (EU) 2016/679 and the United Kingdom General Data Protection Regulation.
- “Personal Data” means any information that identifies, describes, relates, or can be linked, directly or indirectly, to, or is associated with, a Data Subject, or is otherwise deemed “personal data” or “personal information” (or other analogous variation) under Data Protection Law.
- “Platform” means the computer software applications, tools, application programming interfaces (APIs), connectors, programs, networks, and equipment that Pipeline360 makes available to its customers.
- “Process” or “Processing” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as access, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Processor” has the meaning ascribed to it under the GDPR and shall include the term “Service Provider” as used and defined in the CCPA.
- “Regulator” means any data protection authority or other regulatory, governmental, or supervisory authority with investigatory powers granted under applicable Data Protection Law.
- “Restricted Transfers” means: (i) where the GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission (an “EEA Restricted Transfer”); (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018 (a “UK Restricted Transfer”); and (iii) where the Swiss DPA applies, a transfer of Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
- “Sell” has the meaning ascribed to it under the CCPA and any other state privacy law that employs that term.
- “Subprocessor” means any person (including any third party or any Affiliate but excluding an employee of Pipeline360) appointed by or on behalf of Pipeline360 to process Personal Data in connection with the Agreement.
- “UK Addendum” means the International Data Transfer Addendum issued by the United Kingdom’s Information Commissioner’s Office (the “ICO”) to the EU Commission’s Standard Contractual Clauses VERSION B1.0, in force 21 March 2022.
- Scope
- The Parties agree to Process the Personal Data in accordance with the terms and conditions of this DPA and in compliance with their respective obligations under applicable Data Protection Law.
- The Parties agree that, to the extent that any term of this DPA conflicts with the terms of the Agreement, the terms of this DPA shall prevail.
- Obligation of the Parties
- Pipeline360 shall Process Personal Data as required to perform its obligations under this DPA upon documented instructions from the Controller and only for the specific purpose(s) of the transfer, as set out in Annex I.B., unless on further instructions from the Controller;
- Pipeline360 shall immediately inform the Controller if it is unable to follow these instructions;
- The Parties shall implement the appropriate technical and organizational measures set forth in Appendix II to the EU SCCs to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access and ensure a level of security appropriate to the risk of its Processing of the Personal Data, consistent with its obligations under applicable Data Protection Law;
- The Parties shall ensure that any personnel it authorizes to process Personal Data have committed themselves to confidentiality and/or treat the Personal Data as confidential information and in accordance with the same protections and security standards required under the GDPR even if GDPR, the EU SCCs or UK SCCs do not apply to the Personal Data;
- Pipeline360 after becoming aware of a Data Breach shall notify the Controller without undue delay, and when available, provide a description of the nature of the Data Breach, the name and contact information of the data protection officer or point of contact, the likely consequences of the Data Breach, and a description of any measures taken or proposed to address the Data Breach and/or mitigate its possible adverse effects;
- Pipeline360 shall cooperate with and assist the Controller to enable the Controller to comply with its obligations under Regulation (EU) 2016/679 and all other applicable Data Protection Law;
- Pipeline360 shall provide all information necessary to demonstrate compliance with its obligations under the applicable Data Protection Law and allow for and participate in audits if requested by the Controller or Regulator;
- Pipeline360 will ensure that each Subprocessor complies with their respective obligations under applicable Data Protection Law; and
- Pipeline360 will assist the Controller in fulfilling its responsibilities to respond to data subject requests to exercise rights under applicable Data Protection Law.
- Data Subject Requests
- Data Subject Request Rights: To the extent that applicable Data Protection Law requires the Controller to comply with requests from Data Subjects, including to access, delete, modify, or restrict the Processing of their Personal Data, Pipeline360 agrees to provide, without undue delay from the Controller’s written instruction, any reasonable assistance that the Controller requests to fulfill such requests with regards to the services provided under this DPA. To the extent Pipeline360 directly interacts with the Controller’s customers, employees, contractors, vendors, or other individuals while providing the services to the Controller, Pipeline360 agrees to provide the Controller with reasonable assistance necessary to comply with applicable Data Protection Law, including but not limited to providing such individuals with notice of data processing activities.
- Deletion: Upon written request from the Controller, Pipeline360 shall promptly delete Personal Data from its systems (and if requested, certify to such destruction in writing) pursuant to Data Protection Law. In the event Pipeline360 is unable to delete the Personal Data for reasons under applicable law, Pipeline360 shall: (i) ensure no further retention, use or disclosure of such Personal Data, (ii) ensure the privacy, confidentiality, and security of such Personal Data, and (iii) delete such Personal Data as soon as possible.
- Security Measures: Both Parties will ensure that all reasonable and appropriate administrative, technical, and physical security measures are taken against unauthorized access to, alteration of, disclosure of, or destruction of the Personal Data and against all other unlawful forms of processing. Such measures should be at a minimum at the same level applied by each Party to its own Personal Data. Upon Controller’s request, Pipeline360 agrees to provide information to demonstrate its implementation of such security
- Cross Border Transfers. Except for approved Subprocessors, neither Party shall, at any time, transfer or allow an entity or person that is not a Party to this DPA to transfer, Personal Data across borders except as permitted under applicable Data Protection Law;
- Pipeline360 shall not disclose, publicize, share, copy, amend, delete, interfere, or otherwise Process Personal Data, except as otherwise permitted by this DPA;
- The Parties agree that the other Party may store, access, and otherwise process their own and each other’s business contact information (i.e., the names, business phone, and facsimile numbers, business office and email addresses) of their own and each other’s employees anywhere they do business for purposes of this business relationship as it relates to this DPA and the delivery and/or receipt and use of services. Each Party may also share such business contact information relating to employees of the other Party with contractors, business partners, assignees and others acting on such Party’s behalf, but only to the extent necessary to provide the Company with the services under the Agreement entered into by Company and Pipeline360.
- Latin American. For any personal data collected, processed, or transferred from any Latin American country, the terms of the Latin America Rider attached hereto as Exhibit “D” will also apply.
- Transfer Mechanisms. Pipeline360 will utilize both the Data Privacy Framework and Standard Contractual Clauses in the processing of Personal Data originating from the EEA/UK/Switzerland.
- Data Privacy Framework. Pipeline360 will use the Data Privacy Framework to lawfully process the EEA/UK/Swiss Personal Data and represents that it is self-certified under the Data Privacy Framework and complies with the Data Privacy Principles when processing any such Personal Data and agrees to provide at least the same level of protection to any Personal Data as required by the Data Privacy Principles.
- EU SCCs:
- In the event the Controller requires Pipeline360 to Process Personal Data from the EEA in a country without adequacy standing as determined by the European Commission, then by executing this DPA the Parties agree to the Controller to Processor EU SCCs published at: https://ec.europa.eu/info/law/law-topic/data-protection/publications/standard-contractual-clauses-controllers-and-processors_en, as further detailed in Annex I.
- The Parties agree to apply Module Two, Controller to Processor of the SCCs.
- By executing this DPA the Parties agree that for Personal Data originating from the United Kingdom to be Processed by Pipeline360 outside the United Kingdom, the Parties shall comply with the UK’s Addendum published by the Information Commissioner’s Office (“ICO”).
| Standard Contractual Clauses | UK SCCs | EU SCCs |
| --- | --- | --- |
| Docking Clause (Clause 7): | This optional clause shall not apply. | |
| Sub-processor authorization (Clause 9(a)): | The Parties agree that Option 2 General Written Authorization will apply with the specified time-period of ten (10) business days. | |
| Redress (Clause 11(a)): | The option shall not apply. | |
| Supervision (Clause 13(a)): | N/A. | The competent supervisory authority is the Data Protection Commission (Ireland), which is where the Pipeline360 EU GDPR Article 27 representative is established. |
| Governing law (clause 17) / Choice of forum and jurisdiction (clause 18) (both as amended by the UK SCCs): | England and Wales. | Clause 17 – Republic of Ireland. Clause 18(b) – Republic of Ireland. |
| Table 4: Ending this Addendum when the Approved Addendum changes (UK SCCs only): | Neither party. | N/A. |
- California Consumer Protection Act (“CCPA”) and the California Privacy Rights Act (“CPRA”)
Pipeline360 complies with the following terms and conditions related to the CCPA:
- it does not collect, retain, use, disclose, derive information from, or otherwise Process Personal Data for any other purpose (including any commercial purpose);
- it is not selling or sharing any of Controller’s Personal Data;
- it is not combining Controller’s Personal Data with any other data;
- it is not using Controller’s Personal Data for providing services to a different business, and
- Pipeline360 is and will act solely as a contractor or service provider as defined in the CCPA and will provide the same level of privacy protection as required by the CCPA.
- Pipeline360’s Use of Subprocessors
Where Processing is to be carried out by Subprocessors the following rules shall apply:
- Pipeline360 shall use only Subprocessors providing guarantees to implement appropriate technical and organizational measures, at least as stringent as Pipeline360’s own technical and organizational measures as detailed in Appendix II attached hereto.
- Pipeline360 shall impose on each Subprocessor the same data protection obligations and standards that are imposed on Pipeline360 in this DPA through a written contract or other legal act, including the obligations regarding the legality of cross-border data transfers.
- Pipeline360 shall ensure that each Subprocessor acting under Pipeline360’s authority who has access to Personal Data does not Process the Personal Data except on instructions from the Controller unless it is strictly required to do so by applicable law.
- The Controller authorizes Pipeline360 to appoint (and permit each Subprocessor appointed in accordance with this Section to appoint) Subprocessors and to continue to use those other Subprocessors already engaged by Pipeline360 as of the date of this DPA. Pipeline360 will make available a current list of Pipeline360’s Subprocessors at pipeline-360.com/subprocessors (“Subprocessor List”), including the names and a description of the processing to be undertaken by the Subprocessor, and will update the list as new Subprocessors are added. Pipeline360 will provide notice to the Controller when a new Subprocessor(s) is added in connection with the services. The Controller may object to the appointment of a new Subprocessor by sending written notice to Pipeline360 at privacy@pipeline-360.com within ten (10) business days stating the basis for the Controller’s objection. The Controller agrees that it will not unreasonably object to the use of a Subprocessor. If the Controller does not object to the appointment of the Subprocessor within ten (10) business days, then the Controller shall be deemed to have approved and agreed to such appointment. In the event the Controller objects to a new Subprocessor(s) on a reasonable data protection basis, Pipeline360 will stop using the Subprocessor for the processing of the Controller’s Personal Data and will offer an alternative to provide the services without such Subprocessor. The parties will work together in good faith to find an acceptable, reasonable, alternate solution. If the parties are unable to agree to an alternate solution within a reasonable time (no more than 30 days), the Controller may terminate this DPA, by providing written notice to Pipeline360.
- If Pipeline360 is required to replace a Subprocessor on an emergency basis, due to reasons outside of Pipeline360’s control, Pipeline360 shall notify the Controller as soon as reasonably practicable, and the Controller shall retain the right to object to that Subprocessor pursuant to the section immediately above.
- Where any Subprocessor fails to fulfil its data protection obligations, Pipeline360 shall remain fully liable to the Controller for the performance of that Subprocessor’s obligations.
- Termination
This DPA (and the EU/UK SCCs if applicable) will terminate when Pipeline360 ceases to Process Personal Data, unless otherwise agreed in writing between the Parties. On termination of the DPA for whatever reason, or upon written request from the Controller at any time, Pipeline360 shall cease to use or Process part or all of the Controller’s Personal Data (as instructed) and then securely delete or destroy, as applicable, the Personal Data set Processed on behalf of the Controller.
Pipeline360 can amend this DPA by providing the Controller with thirty (30) days advance notice should there be any required changes in data protection law, or regulations required by the EU or the UK. By continuing to do business with Pipeline360 after the Controller’s receipt of notice the Controller agrees to abide by the terms of the amendment.
- Limitation of Liability
Unless otherwise covered in the Agreement, Pipeline360’s maximum aggregate liability arising out of this DPA shall not exceed the greater of (a) US $100,000, or (b) three times (3X) the fees paid by the Controller to Pipeline360 under the affected order in the twelve (12) month period immediately preceding the Controller’s first assertion of its claim. This limitation of liability supersedes any contrary statement in the Agreement.
ANNEX I
EU SCCs Controller to Processor Module Two
- LIST OF PARTIES
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
- Name: Marketer
Activities relevant to the data transferred under these Clauses: Collect and use Personal Data processed by Pipeline360.
Role (controller/processor): Controller
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
- Name: Pipeline360, Inc.
Business address: 2345 E Thomas Rd Ste 100 #955 Phoenix, AZ 85016
Contact person’s name, position, and contact details: Lindsay O’Neill, Global Privacy & Compliance Manager (privacy@pipeline-360.com)
Activities relevant to the data transferred under these Clauses: Processing of Personal Data on behalf of Controller.
Role (controller/processor): Processor
- DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred.
The Data Exporter may submit Personal Data of potential leads.
Categories of personal data transferred.
Controller may submit Personal Data to Pipeline360, the extent of which is determined and controlled by the Controller in its sole discretion, and which shall include, but is not limited to the following categories of Personal Data: Name, Business address, Email, Phone, and other categories deemed necessary by the Controller.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
No sensitive data should be transferred.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).
For the duration of the DPA, unless otherwise agreed upon in writing.
Nature of the processing
The nature of processing is for the following purpose: To allow Controller to receive lead data of potential customers.
Purpose(s) of the data transfer and further processing.
The purpose of processing the data is as follows: To allow Controller to receive lead data of potential customers.
For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing.
Pipeline360 imposes at least the same technical and organizational measures as stated above.
- COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13:
Data Protection Commission of Ireland (DPC).
ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Pipeline360 shall maintain appropriate information security provisions to be compliant with all applicable privacy, data security, breach notification, and data collection, use and processing regulations.
- Pipeline360’s written Information Security Program (“ISP”) shall include, at a minimum:
- Designating one or more employees to maintain the ISP;
- Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing Personal Data; and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks:
- Ongoing employee (including temporary and contract employee) training;
- Executing Confidentiality Agreements with all personnel who access, have access to, or potentially have access to, Data;
- Ensuring employee compliance with policies and procedures, including but not limited to taking disciplinary action for non-compliance;
- Implementing means for detecting and preventing security system failures;
- Developing security policies for employees relating to the storage, access and transportation of records containing Data outside of business premises;
- Preventing terminated employees from accessing records containing Personal Data;
- Implementing reasonable restrictions upon physical access to records containing Personal Data, and storage of such records and data in locked facilities, storage areas or containers;
- Monitoring on a regular basis to ensure that the ISP is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of Personal Data; and upgrading information safeguards as necessary to limit risks;
- Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing Personal Data;
- Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of Personal Data;
- Implementing acceptable use policy and procedures regarding the use of Pipeline360’s assets, including computing systems, networks, and messaging;
- Developing and implementing information classification, labeling, and handling policies and procedures related to Personal Data including but not limited to the permissible methods for information transmission, storage, and destruction; and
- Information security incident management, including data breach notification and collection of evidence procedures.
- Pipeline360 shall implement user authentication protocols designed to enforce traceability and accountability, including, but not limited to:
- Control of user IDs and other identifiers;
- A reasonably secure method of assigning and selecting unique passwords, or use of unique identifier technologies, such as biometrics or token devices;
- Control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
- Restricting access to active users based on user’s job role; and
- Blocking access to user account after multiple unsuccessful attempts to gain access. Access should remain disabled until the user is verified via support personnel.
- Pipeline360 shall implement secure access and control measures, including but not limited to:
- Restricting access to records and files containing Personal Data to those who need such information to perform their job duties;
- Assigning unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
- No Personal Data may be transmitted, stored, or placed on portable devices unless Pipeline360 has received explicit written permission from the Controller; in which case, all Encryption and Protection requirements as noted in such permission and/or in this Annex 2 (per (d) below) shall apply without exception.
- Encrypting all Personal Data that will be transmitted over networks or in storage, stored on laptops or other portable devices or mediums, and all Personal Data at rest that is required by applicable law either explicitly or by way of reducing liability, or by contractual commitments;
- For files containing Personal Data on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the Personal Data;
- Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions;
- Physical entry controls and monitoring for all areas where Personal Data is stored, accessed, or processed that are commensurate with the sensitivity of the Personal Data, including requiring any personnel accessing these areas to employ one or more unique, individually identifiable entry controls (such as card keys) that provide an audit trail of each entry;
- Removing user account access immediately upon termination of employment from Pipeline360 or when no longer performing services; and
- Up-to-date intrusion prevention and detection systems to monitor and log system resources for potential unauthorized access and generate alerts on attempted breaches and attacks.
- Storage of Personal Data on Remote Servers. If Pipeline360 is: (i) storing, hosting, or processing any Personal Data on a remote or other non-Pipeline360 controlled server connected to a network of computers (a “Cloud Site”); (ii) accessing any computer hardware, applications or software over a Cloud Site pursuant to any services Pipeline360 is providing the Controller; or (iii) if Pipeline360 is working with any affiliates, partners, or third parties in conjunction with (i) or (ii) above, the following additional provisions shall apply:
- Pipeline360 will only use file transfer solutions that are capable of encrypting communications, both data and command, and that provide confirmation of delivery at the Cloud Site. Additionally, any Personal Data that is stored on a Cloud Site shall remain encrypted throughout the storage period on the Cloud Site. Any backup of Personal Data on a Cloud Site will be treated as the original Data and have the same reading/copying rights and data protection.
- Pipeline360 will ensure that Data stored on a Cloud Site is logically or physically segregated from any other third-party data. Moreover, Pipeline360 will ensure that no third-party hosting, storage, or processing is able to affect, modify or otherwise impact the storage, hosting, or processing of Personal Data in the Cloud Site. Pipeline360 will maintain a publicly viewable webpage that contains a listing of Subprocessors for the review and consideration of where Personal Data to a Cloud Site (including any third party/subcontractor Cloud Site), is stored. By request, Pipeline360 shall provide the Controller with specific details of exact locations of where the Personal Data is to be physically used or stored and will update the Controller to the extent the Personal Data is transferred to another Cloud Site or physical location.
- Any Cloud Sites that Pipeline360 utilizes will reside in a properly segmented DMZ zone equipped with industry standard: firewall implementation, physical website security, virus checking, and other features designed to prevent unauthorized access to and tampering with or alteration of the Software Services or its contents. Firewall strategies will be multi-tiered, with well-defined functionality for logging, management, and enforcement in each respective layer. Pipeline360 will provide the Controller as much advanced written notice as reasonably possible, of any changes to any of its security methods that affect Personal Data stored on Cloud Sites. Pipeline360 will not reduce the strength of security protocols or methods that have the potential to impact the security of Personal Data on Cloud Sites, without prior written approval from the Controller. In addition to all other rights as contained herein, Pipeline360 consents to and shall obtain the Controller rights as a third-party beneficiary, to Audit any Cloud Site, other server, network of servers, or data center that contains Data. Moreover, all Cloud Site network devices must be configured with logging and auditing features for network, system, and connection sessions and Pipeline360 will ensure that all Cloud Sites log all significant security related events. Industry standard is defined as compliant with ISO 27001 and 27002 framework or equivalent controls.
- Pipeline360 shall also make reasonable efforts to comply with all the Controller requests regarding litigation holds and shall provide the Controller sufficient detail of its capabilities and policies for effectuating litigation holds in the Services or solutions provided to the Controller.
These provisions apply to Cloud Sites, when possible, in addition to all the other security, privacy, confidentiality, and audit provisions otherwise contained in the corresponding Vendor Agreement(s). If there are any inconsistencies among various provisions as to what standards should apply, the most stringent standard shall control.
For transfers to (sub-) processors, Pipeline360 imposes at least the same technical and organisational measures as stated above.
EXHIBIT “D”
LATIN AMERICAN DATA PROCESSING RIDER
This Rider reflects the Parties’ agreement with regards to the processing of personal data in accordance with Latin American data protection requirements under each Latin American country’s data protection laws.
The Parties agree that when processing personal data, they shall observe the following principles:
- Purpose: carrying out the processing for legitimate, specific, explicit, and informed purposes to the data subject, without the possibility of further treatment incompatible with those purposes;
- Adequacy: compatibility of the processing with the purposes informed to the data subject, according to the processing activity context;
- Need: limitation of the processing activity to the minimum necessary for the accomplishment of its purposes, with the comprehensiveness of the relevant data, proportional and not excessive in relation to the purposes of the data processing;
- Free Access: guarantee to data subjects free and easy consultation about the form and duration of the processing activity, as well as the completeness of their personal data;
- Data Quality: guarantee to data subjects of accuracy, clarity, relevance and updating of the data, according to the need and for the fulfillment of the purpose of its processing;
- Transparency: guarantee to data subjects clear, accurate and easily accessible information about the processing and the respective processing agents, observing the commercial and industrial secrets;
- Security: use of technical and administrative measures capable of protecting personal data from unauthorized access and accidental or unlawful destruction, loss, alteration, communication, or dissemination;
- Prevention: adoption of measures to prevent the occurrence of damage due to the processing of personal data;
- Non-discrimination: the impossibility of carrying out the processing activity for illicit or abusive discriminatory purposes;
- Responsibility and Accountability: demonstration by the agent of the adoption of effective measures capable of proving observance and compliance with personal data protection rules, including the effectiveness of such measures.
Taking into account the nature of the processed information, the specific characteristics of the processing and the current state of technology, the Parties shall adopt security, technical and administrative measures able to protect personal data from unauthorized accesses and accidental or unlawful situations of destruction, loss, alteration, communication or any type of improper or unlawful processing.